github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Removing OWASP CRS copy.

Browse Source
This commit is contained in:
Greg Wroblewski 2013-02-05 16:52:00 -08:00
parent c1ba71ab16
commit 1ead2f6312
133 changed files with 0 additions and 33443 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
iis/ModSecurityIIS/owasp_crs/.gitignore vendored
View File

@ -1,2 +0,0 @@
*.swp
*.swo

816
iis/ModSecurityIIS/owasp_crs/CHANGELOG
View File

@ -1,816 +0,0 @@
== OWASP ModSecurity Core Rule Set (CRS) JIRA CHANGELOG ==
* https://www.modsecurity.org/tracker/browse/CORERULES
== Version 2.2.6 - 09/14/2012 ==
Improvements:
* Started rule formatting update for better readability
* Added maturity and accuracy action data to each rule
* Updated rule revision (rev) action
* Added rule version (ver) action
* Added more regression tests (util/regression_tests/)
* Modified Rule ID 960342 to block large file attachments in phase:1
* Removed all PARANOID rule checks
* Added new Session Fixation rules
Bug Fixes:
* Fixed missing ending double-quotes in XSS rules file
* Moved SecDefaultAction setting from phase:2 to phase:1
* Fixed Session Hijacking SessionID Regex
https://www.modsecurity.org/tracker/browse/CORERULES-79
* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME
https://www.modsecurity.org/tracker/browse/CORERULES-78
== Version 2.2.5 - 06/14/2012 ==
Improvements:
* Renamed main config file to modsecurity_crs_10_setup.conf
* Updated the rule IDs to start from CRS reserved range: 900000
* Updated rule formatting for readibility
* Updated the CSRF rules to use UNIQUE_ID as the token source
* Added the zap2modsec.pl script to the /util directory which converts
OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
* Updated the Directory Traversal Signatures to include more obfuscated data
* Added Arachni Scanner Integration Lua script/rules files
Bug Fixes:
* Added forceRequestBodyVariable action to rule ID 960904
* Updated the anomaly scoring value for rule ID 960000 to critical
(Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
* Updated Content-Type check to fix possible evasion with @within
(Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
== Version 2.2.4 - 03/14/2012 ==
Improvements:
* Added Location and Set-Cookie checks to Response Splitting rule ID 950910
* Added a README file to the activated_rules directory
* Consolidate a number of SQL Injection rules into optimized regexs
* Removed multiMatch and replaceComments from SQL Injection rules
* Updated the SQLi regexs for greediness
* Updated the SQLi setvar anomaly score values to use macro expansion
* Removed PARANOID mode rules
Bug Fixes:
* Fixed missing comma before severity action in rules 958291, 958230 and 958231
* Fixed duplidate rule IDs
== Version 2.2.3 - 12/19/2011 ==
Improvements:
* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
* Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#header
Bug Fixes:
* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
* Updated the regex and added tags for RFI rules.
== Version 2.2.2 - 09/28/2011 ==
Improvements:
* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
* Added new Range header detection checks to prevent Apache DoS
* Added new Security Scanner User-Agent strings
* Added example script to the /util directory to convert Arachni DAST scanner
XML data into ModSecurity virtual patching rules.
* Updated the SQLi Character Anomaly Detection Rules
* Added Host header info to the RESOURCE collection key for AppSensor profiling rules
Bug Fixes:
* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
* Fixed Request Limit rules by removing & from variables
* Fixed Session Hijacking IP/UA hash captures
* Updated the SQLi regex for rule ID 981242
== Version 2.2.1 - 07/20/2011 ==
Improvements:
* Extensive SQL Injection signature updates as a result of the SQLi Challenge
http://www.modsecurity.org/demo/challenge.html
* Updated the SQL Error message detection in reponse bodies
* Updated SQL Injection signatures to include more DB functions
* Updated the WEAK SQL Injection signatures
* Added tag AppSensor/RE8 to rule ID 960018
Bug Fixes:
* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
https://www.modsecurity.org/tracker/browse/CORERULES-70
* Fixed Session Hijacking rules to properly capture IP address network hashes.
* Added the multiMatch action to the SQLi rules
* Fixed a false negative logic flaw within the advanced_filter_converter.lua script
* Fixed missing : in id action in DoS ruleset.
* Updated rule ID 971150 signature to remove ;
== Version 2.2.0 - 05/26/2011 ==
Improvements:
* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
http://www.apache.org/licenses/LICENSE-2.0.txt
* Created new INSTALL file outlining quick config setup
* Added a new rule regression testing framework to the /util directory
* Added new activated_rules directory which will allow users to place symlinks pointing
to files they want to run. This allows for easier Apache Include wild-carding
* Adding in new RULE_MATURITY and RULE_ACCURACY tags
* Adding in a check for X-Forwarded-For source IP when creating IP collection
* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added new AppSensor rules to experimental_dir
https://www.owasp.org/index.php/AppSensor_DetectionPoints
* Added new Generic Malicious JS checks in outbound content
* Added experimental IP Forensic rules to gather Client hostname/whois info
http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
* Global collection in the 10 file now uses the Host Request Header as the collection key.
This allows for per-site global collections.
* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties.
This includes both converted web rules from Emerging Threats (ET) and from SLR Team.
* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
* Added experimental rules for detecting Open Proxy Abuse
http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
* Added new SQLi detection rules (959070, 959071 and 959072)
* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
https://www.modsecurity.org/tracker/browse/CORERULES-64
Bug Fixes:
* Assigned IDs to all active SecRules/SecActions
* Removed rule inversion (!) from rule ID 960902
* Fixed false negative issue in Response Splitting Rule
* Fixed false negative issue with @validateByteRange check
* Updated the TARGETS lising for rule ID 950908
* Updated TX data for REQBODY processing
* Changed the pass action to block in the RFI rules in the 40 generic file
* Updated RFI regex to catch IP address usage in hostname
https://www.modsecurity.org/tracker/browse/CORERULES-68
* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
They will now inherit the settings from the SecDefaultAction
== Version 2.1.2 - 02/17/2011 ==
Improvements:
* Added experimental real-time application profiling ruleset.
* Added experimental Lua script for profiling the # of page scripts, iframes, etc..
which will help to identify successful XSS attacks and planting of malware links.
* Added new CSRF detection rule which will trigger if a subsequent request comes too
quickly (need to use the Ignore Static Content rules).
Bug Fixes:
* Added missing " in the skipAfter SecAction in the CC Detection rule set
== Version 2.1.1 - 12/30/2010 ==
Bug Fixes:
* Updated the 10 config conf file to add in pass action to User-Agent rule
* Updated the CSRF ruleset to conditionally do content injection - if the
csrf token was created by the session hijacking conf file
* Updated the session hijacking conf file to only enforce rules if a SessionID
Cookie was submitted
* Fixed macro expansion setvar bug in the restricted file extension rule
* Moved the comment spam data file into the optional_rules directory
== Version 2.1.0 - 12/29/2010 ==
Improvements:
* Added Experimental Lua Converter script to normalize payloads. Based on
PHPIDS Converter code and it used with the advanced filters conf file.
* Changed the name of PHPIDS converted rules to Advanced Filters
* Added Ignore Static Content (Performance enhancement) rule set
* Added XML Enabler (Web Services) rule set which will parse XML data
* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
* Added Denial of Service (DoS) Protection rule set
* Added Slow HTTP DoS (Connection Consumption) Protection rule set
* Added Brute Force Attack Protection rule set
* Added Session Hijacking Detection rule set
* Added Username Tracking rule set
* Added Authentication Tracking rule set
* Added Anti-Virus Scanning of File Attachments rule set
* Added AV Scanning program to /util directory
* Added Credit Card Usage Tracking/Leakage Prevention rule set
* Added experimental CC Track/PAN Leakage Prevention rule set
* Added an experimental_rules directory to hold new BETA rules
* Moved the local exceptions conf file back into base_rules dirctory however
it has a ".example" extension to prevent overwriting customized versions
when upgrading
* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
the experimental_rules directory
* Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
help to make collections a bit more unique
== Version 2.0.10 - 11/29/2010 ==
Improvements:
* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
is running in traditional mode.
Bug Fixes:
* Moved all skipAfter actions in chained rules to chain starter SecRules
https://www.modsecurity.org/tracker/browse/MODSEC-159
* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs
== Version 2.0.9 - 11/17/2010 ==
Improvements:
* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
it will not overwrite existing config settings. Users should rename this file to activate
it.
* Traditional detection mode is now the current default
* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
by editing the modsecurity_crs_10_config.conf file
* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
is to allow for the toggling between traditional vs. anomaly scoring modes.
* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
setting in the modsecurity_crs_10_config.conf file
* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
what is used in the PHPIDS rules. These still have the same factor of severity even though
the numbers themselves are smaller.
* Updated the 49 and 59 blocking rules to include the matched logdata
* Updated the TAG data to further classify attack/vuln categories.
* Updated the SQL Injection filters to detect more boolean logic attacks
* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
Bug Fixes:
* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
https://www.modsecurity.org/tracker/browse/CORERULES-63
* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
https://www.modsecurity.org/tracker/browse/MODSEC-159
* Fixed restricted file extension bug with macro expansion
https://www.modsecurity.org/tracker/browse/CORERULES-60
* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
it matches what is being set in the sql injection conf file
* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
https://www.modsecurity.org/tracker/browse/CORERULES-62
== Version 2.0.8 - 08/27/2010 ==
Improvements:
* Updated the PHPIDS filters
* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
* Updated the SQL Injection fitlers to account for different quotes
* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
* Added Rule ID 950109 to detect multiple URL encodings
* Added two experimental rules to detect anomalous use of special characters
Bug Fixes:
* Fixed Encoding Detection RegEx (950107 and 950108)
* Fixed rules-updater.pl script to better handle whitespace
https://www.modsecurity.org/tracker/browse/MODSEC-167
* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
https://www.modsecurity.org/tracker/browse/CORERULES-55
* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
https://www.modsecurity.org/tracker/browse/CORERULES-54
* Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
https://www.modsecurity.org/tracker/browse/CORERULES-29
== Version 2.0.7 - 06/4/2010 ==
Improvements:
* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
specific outbound data and then validate the csrf token on subsequent requests.
* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
flags
* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
data being echoed back to user unchanged.
* Added rules-updater.pl script and configuration file to allow users to automatically
download CRS rules from the CRS rules repository.
* Added new SQLi keyword for ciel() and reverse() functions.
* Updated the PHPIDS filters
Bug Fixes:
* Fixed false positives for Request Header Name matching in the 30 file by
adding boundary characters.
* Added missing pass actions to @pmFromFile prequalifier rules
* Added backslash to SQLi regex
https://www.modsecurity.org/tracker/browse/CORERULES-41
* Fixed hard coded anomaly score in PHPIDS filter file
https://www.modsecurity.org/tracker/browse/CORERULES-45
* Fixed restricted_extension false positive by adding boundary characters
== Version 2.0.6 - 02/26/2010 ==
Bug Fixes:
* Added missing transformation functions to SQLi rules.
https://www.modsecurity.org/tracker/browse/CORERULES-32
* Fixed duplicate rule IDs.
https://www.modsecurity.org/tracker/browse/CORERULES-33
* Fixed typo in @pmFromFile in the Comment SPAM rules
https://www.modsecurity.org/tracker/browse/CORERULES-34
* Added macro expansion to Restricted Headers rule
https://www.modsecurity.org/tracker/browse/CORERULES-35
* Fixed misspelled SecMarker
https://www.modsecurity.org/tracker/browse/CORERULES-36
* Fixed missing chain action in Content-Type header check
https://www.modsecurity.org/tracker/browse/CORERULES-37
* Update phpids filters to use pass action instead of block
== Version 2.0.5 - 02/01/2010 ==
Improvements:
* Removed previous 10 config files as they may conflict with local customized Mod configs.
* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
PARANOID_MODE inspection, set anomaly score levels and http policies.
Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
* Added Rule Logic and Reference links to rules descriptions.
* Added Rule IDs to all rules.
* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
* Removed Apache limit directives from the 23 file
* Added macro expansion to 23 file checks.
* Added @pmFromFile check to 35 bad robots file
* Added malicious UA strings to 35 bad robots check
* Created an experimental rules file
* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
https://www.modsecurity.org/tracker/browse/MODSEC-120
* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
* Moved converted ET Snort rules to the /optional_rules directory
* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
request headers.
* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
* Added new outbound malware link detection rules.
* Added PHP "call_user_func" to blacklist
Identified by SOGETI ESEC R&D
Bug Fixes:
* Removed Non-numeric Rule IDs
https://www.modsecurity.org/tracker/browse/CORERULES-28
* Updated the variable list on SQLi rules.
* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
and blocking
== Version 2.0.4 - 11/30/2009 ==
Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
then search more generically in request_body|request_uri_raw
* Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean
exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
alerts for any variable matches that exist.
Bug Fixes:
* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
phase:4 which would allow for blocking based on information leakage issues.
== Version 2.0.3 - 11/05/2009 ==
Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
* Added new rules to identify multipart/form-data bypass attempts
* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
Bug Fixes:
* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
https://www.modsecurity.org/tracker/browse/CORERULES-17
* Added new variable locations to the phpids filters
https://www.modsecurity.org/tracker/browse/CORERULES-19
* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
https://www.modsecurity.org/tracker/browse/CORERULES-20
* Fixed multipart parsing evasion issues by adding strict parsing rules
https://www.modsecurity.org/tracker/browse/CORERULES-21
* Fixed typo in xss rules (missing |)
https://www.modsecurity.org/tracker/browse/CORERULES-22
* Fixed regex text in IE8 XSS filters (changed to lowercase)
https://www.modsecurity.org/tracker/browse/CORERULES-23
== Version 2.0.2 - 09/11/2009 ==
Improvements:
* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
https://www.modsecurity.org/tracker/browse/CORERULES-13
Bug Fixes:
* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
https://www.modsecurity.org/tracker/browse/CORERULES-15
== Version 2.0.1 - 08/07/2009 ==
Improvements:
* Updated the transformation functions used in the XSS/SQLi rules to improve performance
https://www.modsecurity.org/tracker/browse/CORERULES-10
* Updated the variable/target list in the XSS rules
https://www.modsecurity.org/tracker/browse/CORERULES-11
* Added XSS Filters from IE8
https://www.modsecurity.org/tracker/browse/CORERULES-12
Bug Fixes:
* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
https://www.modsecurity.org/tracker/browse/CORERULES-9
== Version 2.0.0 - 07/29/2009 ==
New Rules & Features:
* Fine Grained Policy
The rules have been split to having one signature per rule instead of having
all signatures combined into one optimized regular expression.
This should allow you to modify/disable events based on specific patterns
instead of having to deal with the whole rule.
* Converted Snort Rules
Emerging Threat web attack rules have been converted.
http://www.emergingthreats.net/
* Anomaly Scoring Mode Option
The rules have been updated to include anomaly scoring variables which allow
you to evaluate the score at the end of phase:2 and phase:5 and decide on what
logging and disruptive actions to take based on the score.
* Correlated Events
There are rules in phase:5 that will provide some correlation between inbound
events and outbound events and will provide a result of successful atttack or
attempted attack.
* Updated Severity Ratings
The severity ratings in the rules have been updated to the following:
- 0: Emergency - is generated from correlation where there is an inbound attack and
an outbound leakage.
- 1: Alert - is generated from correlation where there is an inbound attack and an
outbound application level error.
- 2: Critical - is the highest severity level possible without correlation. It is
normally generated by the web attack rules (40 level files).
- 3: Error - is generated mostly from outbound leakabe rules (50 level files).
- 4: Warning - is generated by malicious client rules (35 level files).
- 5: Notice - is generated by the Protocol policy and anomaly files.
- 6: Info - is generated by the search engine clients (55 marketing file).
* Updated Comment SPAM Protections
Updated rules to include RBL lookups and client fingerprinting concepts from
Bad Behavior (www.bad-behavior.ioerror.us)
* Creation of Global Collection
Automatically create a Global collection in the *10* config file. Other rules
can then access it.
* Use of Block Action
Updated the rules to use the "block" action. This allows the Admin to globally
set the desired block action once with SecDefaultAction in the *10* config file
rather than having to edit the disruptive actions in all of the rules or for
the need to have multiple versions of the rules (blocking vs. non-blocking).
* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
* Added new generic RFI detection rules.
http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
* "Possibly malicious iframe tag in output" (Rules 981001,981002)
Planting invisible iframes in a site can be used by attackers to point users
from the victim site to their malicious site. This is actually as if the
user was visiting the attacker's site himself, causing the user's browser to
process the content in the attacker's site.
New Events:
* Rule 960019 - Expect Header Not Allowed.
* Rule 960020 - Pragma Header Requires Cache-Control Header
* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
as it is reserved for use as a fragment identifier within the html page.
* Rule 958291 - Range: field exists and begins with 0.
* Rule 958292 - Invalid Request Header Found.
* Rule 958293 - Lowercase Via Request Header Found.
* Rule 958294 - Common SPAM Proxies found in Via Request Header.
* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
* Rule 958296 - Request Indicates a SPAM client accessed the Site.
* Rule 958297 - Common SPAM/Email Harvester crawler.
* Rule 958298 - Common SPAM/Email Harvester crawler
Bug Fixes:
* Rule 950107 - Split the rule into 2 separate rules to factor in the
Content-Type when inspecting the REQUEST_BODY variable.
* Rule 960017 - Bug fix for when having port in the host header.
* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
* Rule 950801 - Increased the logic so that the rule will only run if the web site
uses UTF-8 Encoding.
* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
allow the IPv6 loopback address
* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
and to identify offsite hosts by comparing the ARG URI to the Host
header. Due to this rule now being stronger, moved it from optional
tight security rule to *40* generic attacks file.
Other Fixes:
* Added more HTTP Protocol violations to *20* file.
* Set the SecDefaultAction in the *10* config file to log/pass (This was the
default setting, however this sets it explicitly.
* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
was added so that when running the SecRuleEngine in DetectionOnly mode, it will
not deny response bodies that go over the size restrictions.
* Changed SecServerSignature to "Apache/1.3.28"
* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
BEGIN and END SecMarkers for rule groups to more accurately allow moving to
proper locations.
* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
This removes the need for some SecAction/SkipAfter rules.
* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
rules and chained rules).
== Version 1.6.1 - 2008/04/22 ==
* Fixed a bug where phases and transformations where not specified explicitly
in rules. The issue affected a significant number of rules, and we strongly
recommend to upgrade.
== Version 1.6.0 - 2008/02/19 ==
New Rulesets & Features:
* 42 - Tight Security
This ruleset contains currently 2 rules which are considered highly prone
to FPs. They take care of Path Traversal attacks, and RFI attacks. This
ruleset is included in the optional_rulesets dir
* 42 - Comment Spam
Comment Spam is used by the spammers to increase their rating in search
engines by posting links to their site in other sites that allow posting
of comments and messages. The rules in this ruleset will work against that.
(Requires ModSecurity 2.5)
* Tags
A single type of attack is often detected by multiple rules. The new alert
classification tags solve this issue by providing an alternative alert type
indication and can serve for filtering and analysis of audit logs.
The classification tags are hierarchical with slashes separating levels.
Usually there are two levels with the top level describing the alert group
and the lower level denoting the alert type itself, for example:
WEB_ATTACK/SQL_INJECTION.
False Positives Fixes:
* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
* Rule 950107 - Will look for invalid url decoding in variables that are not
automatically url decoded
Additional rules logic:
* Using the new "logdata" action for logging the matched signature in rules
* When logging an event once, init the collection only if the alert needs to log
* Using the new operator @pm as a qualifier before large rules to enhance
performance (Requires ModSecurity 2.5)
* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
only 1=1. (Thanks to Marc Stern for the idea)
* New XSS signatures - iframe & flash XSS
== Version 1.5.1 - 2007/12/6 ==
False Positives Fixes:
* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
New Events:
* 960019 - Detect HTTP/0.9 Requests
HTTP/0.9 request are not common these days. This rule will log by default,
and block in the blocking version of file 21
Other Fixes:
* File 40, Rules 950004,950005 - Repaired the correction for the double
url decoding problem
* File 55 contained empty regular expressions. Fixed.
== Version 1.5 - 2007/11/23 ==
New Rulesets:
* 23 - Request Limits
"Judging by appearances". This rulesets contains rules blocking based on
the size of the request, for example, a request with too many arguments
will be denied.
Default policy changes:
* XML protection off by default
* BLOCKING dir renamed to optional_rules
* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
* Ruleset 21 - The exception for apache internal monitor will not log anymore
New Events:
* 960912 - Invalid request body
Malformed content will not be parsed by modsecurity, but still there might
be applications that will parse it, ignoring the errors.
* 960913 - Invalid Request
Will trigger a security event when request was rejected by apache with
code 400, without going through ModSecurity rules.
Additional rules logic:
* 950001 - New signature: delete from
* 950007 - New signature: waitfor delay
False Positives Fixes:
* 950006 - Will not be looking for /cc pattern in User-Agent header
* 950002 - "Internet Explorer" signature removed
* Double decoding bug used to cause FPs. Some of the parameters are already
url-decoded by apache. This caused FPs when the rule performed another
url-decoding transformation. The rules have been split so that parameters
already decoded by apache will not be decoded by the rules anymore.
* 960911 - Expression is much more permissive now
* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
then you should uncomment this rule (in file 20)
version 1.4.3 - 2007/07/21
New Events:
* 950012 - HTTP Request Smuggling
For more info on this attack:
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
* 960912 - Invalid request body
Malformed content will not be parsed by modsecurity, but still there might
be applications that will parse it, ignoring the errors.
* 960913 - Invalid Request
Will trigger a security event when request was rejected by apache with
code 400, without going through ModSecurity rules.
False Positives Fixes:
* 950107 - Will allow a % sign in the middle of a string as well
* 960911 - A more accurate expression based on the rfc:
http://www.ietf.org/rfc/rfc2396.txt
* 950015 - Will not look for http/ pattern in the request headers
Additional rules logic:
* Since Apache applies scope directives only after ModSecurity phase 1
this directives cannot be used to exclude phase 1 rules. Therefore
we moved all inspection rules to phase 2.
version 1.4 build 2 - 2007/05/17
New Feature:
* Search for signatures in XML content
XML Content will be parsed and ispected for signatures
New Events:
* 950116 - Unicode Full/Half Width Abuse Attack Attempt
Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
http://www.kb.cert.org/vuls/id/739224
* 960911 - Invalid HTTP request line
Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
* 960904 - Request Missing Content-Type (when there is content)
When a request contains content, the content-type must be specified. If not, the content will not be inspected
* 970018 - IIS installed in default location (any drive)
Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
* 950019 - Email Injection
Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
Regular expressions fixes:
* Further optimization of some regular expressions (using the non-greediness operator)
The non-greediness operator, <?>, prevents excessive backtracking
FP fixes:
* Rule 950107 - Will allow a parameter to end in a % sign from now on
version 1.4 - 2007/05/02
New Events:
* 970021 - WebLogic information disclosure
Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
* 950015,950910,950911 - HTTP Response Splitting
Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
* 960902 - Content-Encoding in request not supported
Any incoming compressed request will be denied
* 960903 - Content-Encoding in response not suppoted
An outgoing compressed response will be logged to alert, but ONLY ONCE.
False Positives Fixes:
* Removed <.exe>,<.shtml> from restricted extensions
* Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
* Excluded Referer header from SQL injection, XSS and command injection rules
* Excluded X-OS-Prefs header from command injection rule
* Will be looking for command injection signatures in
REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
* Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
Additional rules logic:
* Corrected match of OPTIONS method in event 960015
* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
* Moved all rules apart from method inspection from phase 1 to phase 2 -
This will enable viewing content if such a rule triggers as well as setting
exceptions using Apache scope tags.
* Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
* Added 1=1 signature (SQL Injection)
version 1.3.2 build 4 2007/01/17
Fixed apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule
== Version 1.3.2 build 3 2007/01/10 ==
Fixed regular expression in rule 960010 (file #30) to allow multipart form data
content
== Version 1.3.2 - 2006/12/27 ==
New events:
* 960037 Directory is restricted by policy
* 960038 HTTP header is restricted by policy
Regular expressions fixes:
* Regular expressions with @ at end of beginning (for example "@import)
* Regular expressions with un-escaped "."
* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
* The command injection wget is not searched in the UA header as it has different meaning there.
* LDAP Fixed to reduce FPs:
+ More accurate regular expressions
+ high bit characters not accpeted between signature tokens.
* Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
* Removed Java from automation UA
* When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"
Additional rules logic:
* Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
* OPTIONS method does not require an accept header.
* Apache keep alive request exception.
* PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
* Validate byte range checks by default only that no NULL char exists.
* Added CSS to allowed extensions in strict rule sets.
* Changed default action in file #50 to pass instead of deny.
* Moved IP host header from protocol violations to protocol anomalies.
Modified descriptions:
* 950107: URL Encoding Abuse Attack Attempt
* 950801: UTF8 Encoding Abuse Attack Attempt
* Added matched pattern in many events using capture and %{TX.0}
* Added ctl:auditLogParts=+E for outbound events and attacks to collect response.
== Version 1.2 - 2006/11/19 ==
Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
the highest and 5 the lowest.
Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.
== Version 1.1 - 2006/10/18 ==
Initial version

93
iis/ModSecurityIIS/owasp_crs/INSTALL
View File

@ -1,93 +0,0 @@
Core Rule Set Quick Setup
=========================
To activate the rules for your web server installation:
1) Copy the modsecurity_crs_10_config.conf.example file to modsecurity_crs_10_config.conf
and customize the settings for your local environment.
The modsecurity_crs_10_config.conf file includes management rules and directives
that can control important CRS functions. Pay attention to
the SecRuleEngine setting (On by default) and that the SecDefaultAction
directive is set to "pass". The 49 inbound blocking and 59 outbound blocking
rules files use the "block" action which
inherits this setting. This effectively means that you can toggle the
SecDefaultAction setting to decide if you would like to deny on an
anomaly scoring/correlation match.
Update the PARANOID_MODE variable setting if you want to become more
aggressive in your detection. Caution - this will cause more false positives.
Update the appropriate anomaly scoring levels that will be propagated
to the inbound/outbound blocking files.
Update the TX policy settings for allowed Request Methods, File Extensions, etc...
2) Enable the CRS rules files you want to use by creating symlinks under the
"activated_rules" directory location. You will want to create symlinks for the
following:
1) The main modsecurity_crs_10_config.conf file
2) Any rules from the base_rules directory
3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories
$ pwd
/usr/local/apache/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
LICENSE base_rules modsecurity_crs_10_config.conf.example util
README experimental_rules modsecurity_crs_15_customrules.conf
activated_rules lua optional_rules
$ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
$ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
$ ls -l activated_rules
total 216
lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat
lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data
lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data
lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf
lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf
lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf
3) Add the following line to your httpd.conf (assuming
you've placed the rule files into conf/crs/):
<IfModule security2_module>
Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/activated_rules/*.conf
</IfModule>
3) Restart web server.
4) Make sure your web sites are still running fine.
5) Simulate an attack against the web server. Then check
the attack was correctly logged in the Apache error log,
ModSecurity debug log (if you enabled it) and ModSecurity
audit log (if you enabled it).

201
iis/ModSecurityIIS/owasp_crs/LICENSE
View File

@ -1,201 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

25
iis/ModSecurityIIS/owasp_crs/README.md
View File

@ -1,25 +0,0 @@
# OWASP ModSecurity Core Rule Set (CRS)
ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is sponsoring and maintaining a free certified rule set for the community. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the OWASP ModSecurity Core Rule Set provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™.
## Licensing
(c) 2006-2012 Trustwave
The ModSecurity Core Rule Set is provided to you under the terms and
conditions of Apache Software License Version 2 (ASLv2)
http://www.apache.org/licenses/LICENSE-2.0.txt
## Mail-List
For more information refer to the OWASP Core Rule Set Project page at
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Core Rules Mail-list -
Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
## Downloading
You can manually download the latest CRS from the GitHub Repo:
https://github.com/SpiderLabs/owasp-modsecurity-crs

49
iis/ModSecurityIIS/owasp_crs/activated_rules/README
View File

@ -1,49 +0,0 @@
Enable the CRS rules files you want to use by creating symlinks under the
"activated_rules" directory location. You will want to create symlinks for the
following:
1) The main modsecurity_crs_10_config.conf file
2) Any rules from the base_rules directory
3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories.
$ pwd
/usr/local/apache/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
LICENSE base_rules modsecurity_crs_10_config.conf.example util
README experimental_rules modsecurity_crs_15_customrules.conf
activated_rules lua optional_rules
$ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
$ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
$ ls -l activated_rules
total 216
lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat
lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data
lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data
lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf
lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf
lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf

145
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_bad_robots.data
View File

@ -1,145 +0,0 @@
webmole
wisenutbot
prowebwalker
hanzoweb
email
toata dragostea mea pentru diavola
gameBoy, powered by nintendo
missigua
poe-component-client
emailsiphon
adsarobot
under the rainbow 2.
nessus
floodgate
email extractor
webaltbot
contactbot/
butch__2.1.1
pe 1.4
indy library
autoemailspider
mozilla/3.mozilla/2.01
fantombrowser
digout4uagent
panscient.com
telesoft
; widows
converacrawler
www.weblogs.com
murzillo compatible
isc systems irc search 2.1
emailmagnet
microsoft url control
datacha0s
emailwolf
production bot
sitesnagger
webbandit
web by mail
faxobot
grub crawler
jakarta
eirgrabber
webemailextrac
extractorpro
attache
educate search vxb
8484 boston project
franklin locator
nokia-waptoolkit
mailto:craftbot@yahoo.com
full web bot
pcbrowser
psurf
user-Agent
pleasecrawl/1.
kenjin spider
gecko/25
no browser
webster pro
wep Search 00
grub-client
fastlwspider
this is an exploit
contentsmartz
teleport pro
dts agent
nikto
morzilla
via
atomic_email_hunter
program shareware 1.0.
ecollector
emailcollect
china local browse 2.
backdoor
stress test
foobar/
emailreaper
xmlrpc exploit
compatible ; msie
s.t.a.l.k.e.r.
compatible-
webvulnscan
nameofagent
copyrightcheck
advanced email extractor
surveybot
compatible ;.
searchbot admin@google
wordpress/4.01
webemailextract
larbin@unspecified
turing machine
zeus
windows-update-agent
morfeus fucking scanner
user-agent:
voideye
mosiac 1
chinaclaw
newt activeX; win32
web downloader
safexplorer tl
agdm79@mail.ru
cheesebot
hhjhj@yahoo
fiddler
psycheclone
microsoft internet explorer/5.0
core-project/1
atspider
copyguard
neuralbot/0.2
wordpress hash grabber
amiga-aweb/3.4
packrat
rsync
crescent internet toolpak
security scan
vadixbot
concealed defense
a href=
bwh3_user_agent
internet ninja
microsoft url
emailharvest
shai
wisebot
internet exploiter sux
wells search ii
webroot
digimarc webreader
botversion
black hole
windows xp 5
w3mir
pmafind
athens
hl_ftien_spider
injection
takeout
eo browse
cherrypicker
internet-exprorer

35
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_scanners.data
View File

@ -1,35 +0,0 @@
grabber
cgichk
bsqlbf
mozilla/4.0 (compatible)
sqlmap
mozilla/4.0 (compatible; msie 6.0; win32)
mozilla/5.0 sf//
nessus
arachni
metis
sql power injector
bilbo
absinthe
black widow
n-stealth
brutus
webtrends security analyzer
netsparker
python-httplib2
jaascois
pmafind
.nasl
nsauditor
paros
dirbuster
pangolin
nmap nse
sqlninja
nikto
webinspect
blackwidow
grendel-scan
havij
w3af
hydra

445
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_40_generic_attacks.data
View File

@ -1,445 +0,0 @@
set-cookie
.cookie
expiressys.user_objects
sys.user_triggers
@@spid
msysaces
instr
sys.user_views
mysql.
sys.tab
charindex
locate
sys.user_catalog
constraint_type
msysobjects
attnotnull
select
sys.user_tables
sys.user_constraints
sys.user_tab_columns
waitfor
sys.all_tables
msysrelationships
msyscolumns
msysqueriessubstr
xtype
textpos
all_objects
rownum
sysfilegroups
sysprocesses
user_group
sysobjects
systables
user_tables
pg_attribute
column_id
user_password
user_users
attrelid
user_tab_columns
table_name
pg_class
user_constraints
user_objects
object_type
sysconstraints
mb_users
column_name
atttypid
substring
object_id
syscat
sysibm
user_ind_columns
syscolumns
sysdba
object_name
sqrt
insert
date
instr
floor
autonomous_transaction
print
encode
coalesce
if
degrees
release_lock
procedure_analyse
password
least
cr32
subdate
xp_filelist
owa_util
trim
xp_regenumkeys
charset
ciel
bit_or
delete
time
month
xp_execresultset
round
dba_users
is
master_pos_wait
decode
unhex
char_length
strcmp
rtrim
'sa'
version
ord
xp_makecab
truncate
last
concat
coercibility
right
length
ascii
var_samp
char
extract
get_
bit_length
xp_regread
export_set
aes_decrypt
name_const
left
conv
bin
not_in
infile
substr
uuid
is_srvrolemember
var_pop
ln
aes_encrypt
outfile
current_date
quote
in
user
locate
@@version
exp
current_timestamp
sql_longvarchar
values
subtime
xp_loginconfig
sin
xp_regaddmultistring
replace
tan
xmltype
character_length
cast
current_time
varchar
position
to_number
addtime
mid
found_rows
stddev
xp_availablemedia
substring
dumpfile
isnull
cot
select
concat_ws
convert
uncompress
radians
uncompressed_length
acos
'sqloledb'
dbms_pipe.receive_message
utl_http
cieling
row_count
benchmark
sec_to_time
sysdate
hour
current_user
utc_
curdate
nvarchar
schema
data_type
lcase
inner
make_set
day
tbcreator
sum
sign
adddate
ltrim
variance
weight_string
second
microsecond
system_user
abs
ifnull
minute
unix_timestamp
collation
curtime
lower
repeat
sp_oacreate
group_concat
sp_execute
xp_ntsec
xp_regdeletekey
drop
quarter
local
str_to_date
nullif
from_
old_password
xp_regdeletevalue
asin
oct
load_file
sp_password
bit_xor
xp_regremovemultistring
chr
avg
std
openquery
makedate
database
updatexml
datediff
now
year
mod
bit_and
lpad
xp_enumdsn
max
period_
soundex
shutdown
bit_count
field
connection_id
sha
default
interval
xp_dirtree
reverse
ucase
compress
xp_terminate_process
md5
rpad
session_user
find_in_set
dump
convert_tz
having
des_
greatest
xp_regenumvalues
utl_file
cos
log
pi
sql_variant
encrypt
upper
rand
week
min
xp_cmdshell
'msdasql'
space
sp_executesql
elt
pow
'dbo'
sp_makewebtask
dbms_java
to_
format
xp_regwrite
sp_helpjscript
onsubmit
copyparentfolder
document
javascript
meta
onchange
onmove
onkeydown
onkeyup
activexobject
onerror
onmouseup
ecmascript
bexpression
onmouseover
vbscript:
<![cdata[
http:
.innerhtml
settimeout
shell:
onabort
asfunction:
onkeypress
onmousedown
onclick
.fromcharcode
background-image:
x-javascript
ondragdrop
onblur
mocha:
javascript:
onfocus
lowsrc
getparentfolder
onresize
@import
alert
script
onselect
onmouseout
application
onmousemove
background
.execscript
livescript:
vbscript
getspecialfolder
.addimport
iframe
onunload
createtextrange
<input
onload.www_acl
.htpasswd
.htaccess
httpd.conf
boot.ini
/etc/
.htgroup
global.asa
.wwwaclnet.exe
cmd.exe
cmd
telnet.exe
wguest.exe
ftp.exe
nmap.exe
wsh.exe
rcmd.exe
nc.exe
cmd32.exechgrp
cmd32
uname
kill
localgroup
wguest.exe
nasm
rcmd.exe
nc.exe
id
nc
tclsh
finger
tftp
cmd
chown
chsh
ping
nmap.exe
ps
net.exe
telnet.exe
ls
tclsh8
ftp.exe
ftp
lsof
xterm
mail
echo
tracert
nmap
cmd.exe
rm
python
cd
traceroute
chmod
perl
passwd
wsh.exe
cpp
telnet
gcc
g++chgrp
cmd32
uname
kill
localgroup
wguest.exe
nasm
rcmd.exe
nc.exe
id
nc
tclsh
finger
tftp
cmd
chown
chsh
ping
nmap.exe
ps
net.exe
telnet.exe
ls
tclsh8
ftp.exe
ftp
lsof
xterm
mail
echo
tracert
nmap
cmd.exe
rm
python
cd
traceroute
chmod
perl
passwd
wsh.exe
cpp
telnet
gcc
g++<?

282
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_41_sql_injection_attacks.data
View File

@ -1,282 +0,0 @@
sys.user_objects
sys.user_triggers
@@spid
msysaces
instr
sys.user_views
mysql.
sys.tab
charindex
locate
sys.user_catalog
constraint_type
msysobjects
attnotnull
select
sys.user_tables
sys.user_constraints
sys.user_tab_columns
waitfor
sys.all_tables
msysrelationships
msyscolumns
msysqueriessubstr
xtype
textpos
all_objects
rownum
sysfilegroups
sysprocesses
user_group
sysobjects
systables
user_tables
pg_attribute
column_id
user_password
user_users
attrelid
user_tab_columns
table_name
pg_class
user_constraints
user_objects
object_type
sysconstraints
mb_users
column_name
atttypid
substring
object_id
syscat
sysibm
user_ind_columns
syscolumns
sysdba
object_name
sqrt
insert
date
instr
floor
autonomous_transaction
print
encode
coalesce
if
degrees
release_lock
procedure_analyse
password
least
cr32
subdate
xp_filelist
owa_util
trim
xp_regenumkeys
charset
ciel
bit_or
delete
time
month
xp_execresultset
round
dba_users
is
master_pos_wait
decode
unhex
char_length
strcmp
rtrim
'sa'
version
ord
xp_makecab
truncate
last
concat
coercibility
right
length
ascii
var_samp
char
extract
get_
bit_length
xp_regread
export_set
aes_decrypt
name_const
left
conv
bin
not_in
infile
substr
uuid
is_srvrolemember
var_pop
ln
aes_encrypt
outfile
current_date
quote
in
user
locate
@@version
exp
current_timestamp
sql_longvarchar
values
subtime
xp_loginconfig
sin
xp_regaddmultistring
replace
tan
xmltype
character_length
cast
current_time
varchar
position
to_number
addtime
mid
found_rows
stddev
xp_availablemedia
substring
dumpfile
isnull
cot
select
concat_ws
convert
uncompress
radians
uncompressed_length
acos
'sqloledb'
dbms_pipe.receive_message
utl_http
cieling
row_count
benchmark
sec_to_time
sysdate
hour
current_user
utc_
curdate
nvarchar
schema
data_type
lcase
inner
make_set
day
tbcreator
sum
sign
adddate
ltrim
variance
weight_string
second
microsecond
system_user
abs
ifnull
minute
unix_timestamp
collation
curtime
lower
repeat
sp_oacreate
group_concat
sp_execute
xp_ntsec
xp_regdeletekey
drop
quarter
local
str_to_date
nullif
from_
old_password
xp_regdeletevalue
asin
oct
load_file
sp_password
bit_xor
xp_regremovemultistring
chr
avg
std
openquery
makedate
database
updatexml
datediff
now
year
mod
bit_and
lpad
xp_enumdsn
max
period_
soundex
shutdown
bit_count
field
connection_id
sha
default
interval
xp_dirtree
reverse
ucase
compress
xp_terminate_process
md5
rpad
session_user
find_in_set
dump
convert_tz
having
des_
greatest
xp_regenumvalues
utl_file
cos
log
pi
sql_variant
encrypt
upper
rand
week
min
xp_cmdshell
'msdasql'
space
sp_executesql
elt
pow
'dbo'
sp_makewebtask
dbms_java
to_
format
xp_regwrite
sp_help

49
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_23_request_limits.conf
View File

@ -1,49 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# In most cases, you should expect a certain volume of each a request on your
# website. For example, a request with 400 arguments, can be suspicious.
# This file creates limitations on the request.
#
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need
#
## -- Arguments limits --
# Limit argument name length
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit value name length
SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Maximum number of arguments in request limited
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit arguments total length
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
## -- File upload limits --
# Individual file size is limited
SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" "chain"
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Combined file size is limited
SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

102
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_30_http_policy.conf
View File

@ -1,102 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
# Few applications require the breadth and depth of the HTTP protocol. On the
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting
# HTTP protocol usage is effective in therefore effective in blocking many
# application layer attacks.
#
# TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or
# the URL they access.
#
# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
# methods. If that is not the case with your environment, you are advised
# to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported types.
#
# Note though that ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
# types (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests to have bodies to we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# this version.
#
# NOTE Automation programs, both malicious and non malicious many times use
# other HTTP versions. If you want to allow a specific automated program
# to use your site, try to create a narrower expection and not allow any
# client to send HTTP requests in a version lower than 1.1
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
# and not in use in any valid program. If your application uses one of
# these extensions, please remove it from the list of blocked extensions.
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
# Restricted HTTP headers
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
# If your application uses one of these directories, please remove it from
# the list of blocked extensions. You may need to use ModSecurity Core Rule
# Set Templates to do so, otherwise comment the whole rule.
#
SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'"
SecRule TX:HEADER_NAME "@within %{tx.restricted_headers}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

30
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_35_bad_robots.conf
View File

@ -1,30 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# NOTE Bad robots detection is based on checking elements easily
# controlled by the client. As such a determined attacked can bypass
# those checks. Therefore bad robots detection should not be viewed as
# a security mechanism against targeted attacks but rather as a nuisance
# reduction, eliminating most of the random attacks against your web
# site.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'"
SecRule REQUEST_HEADERS:User-Agent "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by mail)|(?:(?:altb|ro)o|bandi)t|emailextract?|vulnscan|mole)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent| xp 5)|se(?:nut)?bot)|ordpress(?: hash grabber|\/4\.01)|3mir)|m(?:o(?:r(?:feus fucking scanner|zilla)|zilla\/3\.mozilla\/2\.01$|siac 1.)|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:ro(?:gram shareware 1\.0\.|duction bot|webwalker)|a(?:nscient\.com|ckrat)|oe-component-client|s(?:ycheclone|urf)|leasecrawl\/1\.|cbrowser|e 1\.4|mafind)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|(siphon|spider)|siphon|wolf)|(?:collecto|irgrabbe)r|ducate search vxb|xtractorpro|o browse)|t(?:(?: ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? h ?u ?r ?|his is an exploi|akeou)t|oata dragostea mea pentru diavola|ele(?:port pro|soft)|uring machine)|a(?:t(?:(?:omic_email_hunt|spid)er|tache|hens)|d(?:vanced email extractor|sarobot)|gdm79\@mail\.ru|miga-aweb\/3\.4|utoemailspider| href=)|^(?:(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?\ ?(compatible( browser)?)?)$|www\.weblogs\.com|(?:jakart|vi)a|microsoft url|user-Agent)|s(?:e(?:archbot admin@google.com|curity scan)|(?:tress tes|urveybo)t|\.t\.a\.l\.k\.e\.r\.|afexplorer tl|itesnagger|hai)|n(?:o(?:kia-waptoolkit.* googlebot.*googlebot| browser)|e(?:(?:wt activeX; win3|uralbot\/0\.)2|ssus)|ameofagent|ikto)|f(?:a(?:(?:ntombrows|stlwspid)er|xobot)|(?:ranklin locato|iddle)r|ull web bot|loodgate|oobar/)|i(?:n(?:ternet(?: (?:exploiter sux|ninja)|-exprorer)|dy library)|sc systems irc search 2\.1)|g(?:ameBoy, powered by nintendo|rub(?: crawler|-client)|ecko\/25)|(myie2|libwen-us|murzillo compatible|webaltbot|wisenutbot)|b(?:wh3_user_agent|utch__2\.1\.1|lack hole|ackdoor)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|(?:(script|sql) inject|$botname/$botvers)ion|(msie .+; .*windows xp|compatible \; msie)|h(?:l_ftien_spider|hjhj@yahoo|anzoweb)|(?:8484 boston projec|xmlrpc exploi)t|u(?:nder the rainbow 2\.|ser-agent:)|(sogou develop spider|sohu agent)|(?:(?:d|e)browse|demo bot)|zeus(?: .*webster pro)?|[a-z]surf[0-9][0-9]|v(?:adixbot|oideye)|larbin@unspecified|\bdatacha0s\b|kenjin spider|; widows|rsync|\\\r))" "capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecMarker END_ROBOT_CHECK

236
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_40_generic_attacks.conf
View File

@ -1,236 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# OS Command Injection Attacks
#
# -=[ Rule Logic ]=-
# These rules look for attempts to access OS commands such as curl, wget and cc
# These commands are often used in injection attacks to force the victim web
# application to initiate a connection out to a hacker site to download, compile
# and install malicious toolkits such as those to participate in Botnets.
#
# -=[ References ]=-
# http://projects.webappsec.org/OS-Commanding
# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
SecMarker END_COMMAND_INJECTION1
#
# -=[ Heuristic Checks ]=-
#
# [ Repeatative Non-Word Chars ]
#
# This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
#
# Coldfusion Injection
#
# -=[ Rule Logic ]=-
# These rules look for the existence of undocumented ColdFusion Admin functions on input
#
# -=[ References ]=-
# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
SecMarker END_CF_INJECTION
#
# LDAP Injection
#
# -=[ Rule Logic ]=-
# These rules look for common LDAP data constructions.
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
SecMarker END_LDAP_INJECTION
#
# SSI injection
#
# -=[ Rule Logic ]=-
# These rules look for common Server-Site Include format data on input.
#
# -=[ References ]=-
# http://projects.webappsec.org/SSI-Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'SSI injection Attack',id:'950011',tag:'OWASP_CRS/WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
SecMarker END_SSI_INJECTION
#
# UPDF XSS
#
# -=[ Rule Logic ]=-
# This rule looks for a link being submitted that contains the # fragment in a query_string.
#
# -=[ References ]=-
# http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
#
# Email Injection
#
# -=[ References ]=-
# http://projects.webappsec.org/Mail-Command-Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:'950019',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# HTTP Request Smuggling
#
# -=[ Rule Logic ]=-
# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
# request headers. This character would indicate that there were more than one request header
# with this same name. In these instances, Apache treats the data in a similar manner as
# multiple cookie values.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Request-Smuggling
# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
#
# HTTP Response Splitting
#
# -=[ Rule Logic ]=-
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
#
# RFI Attack
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950117',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \
"phase:2,rev:'3',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950118',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950119',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
#
# Prequalify Request Matches
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
"phase:2,id:'981133',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,pass,skipAfter:END_PM_CHECK,nolog"
#
# Begin RegEx Checks for target locations that matched the prequalifier checks
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:'950009',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950003',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" "chain,capture"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950000',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecMarker END_SESSION_FIXATION
#
# File Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:'950005',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_FILE_INJECTION
#
# Command access
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Access',id:'950002',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_ACCESS
#
# Command injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950006',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_INJECTION
#
# PHP injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_PM_CHECK

245
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
View File

@ -1,245 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# References:
#
# SQL Injection Pocket Reference (via @LightOS) -
# https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk
#
# SQLi Filter Evasion Cheat Sheet -
# http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
#
# SQL Injection Cheat Sheet -
# http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
#
# SQLMap's Tamper Scripts (for evasions)
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
#
#
# -=[ Detect SQL Comment Sequences ]=-
#
# Example Payloads Detected:
# -------------------------
# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# or 1=1#
# or 1=1-- -
# or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Hex Evasion Methods ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" "phase:2,id:'981260',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´;]+|[\"'`´;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Operators ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Tautologies ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´\(\)]*?)([\d\w]++)([\s'\"`´\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´\(\)]*?)(?!\2)([\d\w]+)))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:'950901',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ Detect DB Names ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# SQL Keyword Anomaly Scoring
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"
SecRule TX:SQLI_SELECT_STATEMENT "@contains select" "phase:2,id:'981301',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains show" "phase:2,id:'981302',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains top" "phase:2,id:'981303',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains distinct" "phase:2,id:'981304',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains from" "phase:2,id:'981305',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains dual" "phase:2,id:'981306',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains where" "phase:2,id:'981307',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains group by" "phase:2,id:'981308',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains order by" "phase:2,id:'981309',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains having" "phase:2,id:'981310',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains limit" "phase:2,id:'981311',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains offset" "phase:2,id:'981312',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains union" "phase:2,id:'981313',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains union all" "phase:2,id:'981314',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains rownum as" "phase:2,id:'981315',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains (case" "phase:2,id:'981316',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# Blind SQL injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:'950007',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# SQL injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950001',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959070',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959071',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via "(?i:\b(?:coalesce\b|root\@))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:'950908',msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# [ SQL Injection Character Anomaly Usage ]
#
# These rules attempted to gauge when there is an exccesive use of
# meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the the @ge operator value appropriately for your site. Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\\\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\\\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
#
# Example Payloads Detected:
# -------------------------
# IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
# SELECT pg_sleep(10);
# IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = root;
# select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:'981272',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
#
# Example Payloads Detected:
# -------------------------
# ' or 1=1#
# ') or ('1'='1--
# 1 OR \'1\'!=0
# aaa\' or (1)=(1) #!asd
# aaa\' OR (1) IS NOT NULL #!asd
# ' =+ '
# asd' =- (-'asd') -- -a
# aa" =+ - "0
# aa' LIKE 0 -- -a
# aa' LIKE md5(1) or '1
# asd"or-1="-1
# asd"or!1="!1
# asd"or!(1)="1
# asd" or ascii(1)="49
# asd' or md5(5)^'1
# \"asd" or 1="1
# ' or id= 1 having 1 #1 !
# ' or id= 2-1 having 1 #1 !
# aa'or BINARY 1= '1
# aa'like-'aa
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`´]\s+[\"'`´]\s+\d)|(?:^admin\s*?[\"'`´]|(\/\*)+[\"'`´]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´])|(?:[\"'`´]\s*?[^\w\s]?=\s*?[\"'`´])|(?:[\"'`´]\W*?[+=]+\W*?[\"'`´])|(?:[\"'`´]\s*?[!=|][\d\s!=+-]+.*?[\"'`´(].*?$)|(?:[\"'`´]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´]\s*?like\W+[\w\"'`´(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´][<>~]+[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'981244',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´]\s*?!\s*?[\"'`´\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:'981255',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`´][\"'`´](?:[\"'`´].*?[\"'`´]|\Z|[^\"'`´]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´=()]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.60738585072007e-308|1e309)$))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for intiger overflow attacks, these are taken from skipfish, except 2.2.60738585072007e-308 is the \"magic number\" crash',id:'981277',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'981250',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:'981241',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´];\s*?waitfor\s+time\s+[\"'`´])|(?:[\"'`´];.*?:\s*?goto))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'981252',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select)|(?:\w+\s+like\s+[\"'`´])|(?:like\s*?[\"'`´]\%)|(?:[\"'`´]\s*?like\W*?[\"'`´\d])|(?:[\"'`´]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having)|(?:[\"'`´]\s*?\*\s*?\w+\W+[\"'`´])|(?:[\"'`´]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´]*?\s*?\w+\W+\w)|(?:select\s*?[\[\]()\s\w\.,\"'`´-]+from)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'981254',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:'981270',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'981240',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´]\w)|(?:[\"'`´];\s*?(?:if|while|begin))|(?:[\"'`´][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:'981249',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'981253',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s*?(x?or|div|like|between|and)\s*?[\"'`´]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´]$)|(?:(?:^[\"'`´\\\\]*?(?:[\d\"'`´]+|[^\"'`´]+[\"'`´]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´].)|(?:\Winformation_schema|table_name\W))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 1/2',id:'981242',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´]|[=\d]+x))|([\"'`´]\s*?\d\s*?(?:--|#))|(?:[\"'`´][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´])|(?:[\"'`´]\s*?is\s*?\d.+[\"'`´]?\w)|(?:[\"'`´]\|?[\w-]{3,}[^\w\s.,]+[\"'`´])|(?:[\"'`´]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'981246',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'981251',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´]\d)|(?:\^[\"'`´])|(?:^[\w\s\"'`´-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´\d])|(?:[\"'`´]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´])|(?:[\"'`´]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´].*?\*\s*?\d)|(?:[\"'`´]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

491
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_xss_attacks.conf
View File

@ -1,491 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# XSS
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
"phase:2,id:'981136',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"
SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,id:'981018',t:none,pass,skipAfter:END_XSS_CHECK,nolog"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousedown\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bmocha:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonabort\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bhttp:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseup\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*\=.*bexpression\b\W*\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcreatetextrange\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bondragdrop\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcopyparentfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonunload\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.execscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetspecialfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bonload\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeydown\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousemove\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blivescript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonblur\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmove\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsettimeout\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?iframe" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bbackground\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\becmascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonfocus\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bdocument\b\s*\.\s*\bcookie\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\<\!\[cdata\[" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonerror\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bactivexobject\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeypress\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonsubmit\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.addimport\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonchange\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\balert\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?meta\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bhttp:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseout\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\basfunction:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseover\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.innerhtml\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonselect\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\@import\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonload\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?script\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonresize\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonclick\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\biframe\b.{0,100}?\bsrc\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bbackground-image:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeyup\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<input\b.*?\btype\b\W*?\bimage\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.fromcharcode\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecMarker END_XSS_CHECK
# Detect tags that are the most common direct HTML injection points.
#
# <a href=javascript:...
# <applet src="..." type=text/html>
# <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
# <base href=javascript:...
# <base href=... // change base URL to something else to exploit relative filename inclusion
# <bgsound src=javascript:...
# <body background=javascript:...
# <body onload=...
# <embed src=http://www.example.com/flash.swf allowScriptAccess=always
# <embed src="data:image/svg+xml;
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...
# <img src=x onerror=...
# <input type=image src=javascript:...
# <layer src=...
# <link href="javascript:..." rel="stylesheet" type="text/css"
# <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
# <meta http-equiv="refresh" content="0;url=javascript:..."
# <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
# <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
# <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
# <object data=http://www.example.com
# <object type=text/x-scriptlet data=...
# <object type=application/x-shockwave-flash data=xss.swf>
# <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
# <script>...</script>
# <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
# <script src="data:text/javascript,alert(1)"></script>
# <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
# <style>STYLE</style>
# <style type=text/css>STYLE</style>
# <style type=text/javascript>alert('xss')</style>
# <table background=javascript:...
# <td background=javascript:
#
#
# NOTES
#
# - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
#
# - Not using closing brackets because they are not needed for the
# attacks to succeed. The following seems to work in FF: <body/s/onload=...
#
# - Also, browsers sometimes tend to translate < into >, in order to "repair"
# what they think was a mistake made by the programmer/template designer.
#
# - Browsers are flexible when it comes to what they accept as separator between
# tag names and attributes. The following is commonly used in payloads: <img/src=...
# A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
#
# - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
# but I don't believe we need to look for quotes anywhere.
#
# - Links do not have to be fully qualified. For example, the following works:
# <script src="//ha.ckers.org/.j">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973300',capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\ballowscriptaccess\b|\brel\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973301',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# TODO Would evasion such as null and whitespace work here?
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* ".+application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973302',capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect event handler names
#
# <body onload=...>
# <img src=x onerror=...>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973303',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect usage of common URI attributes (e.g. src)
#
# <a href="javascript:...">Link</a>
# <base href="javascript:...">
# <bgsound src="javascript:...">
# <body background="javascript:...">
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...>
# <img dynsrc=javascript:...>
# <img lowsrc=javascript:...>
# <img src=javascript:...>
# <input type=image src=javascript:...>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973304',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# As above, but try to catch the other bit that is necessary to execute the attack.
#
# <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
# <img src=jaVaScrIpt:...>
# <img src=&#6a;avascript:...> (not evasion)
# <img src="jav ascript:..."> (embedded tab; null byte, other whitespace characters work too)
# <img src="jaa&#09;ascript:..."> (the combination of the above two)
#
# NOTES
#
# - htmlEntityDecode needs to be applied because this content appears in HTML
# attributes, so it's not evasion.
#
# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(asfunction|javascript|vbscript|data|mocha|livescript):" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973305',capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect attempts to use the style attribute, which works with any tag in at
# least one major browser.
#
# <div style="background-image: url(javascript:...)">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973306',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- JavaScript fragments --
#
# TODO Need more fragments.
#
# TODO What about JavaScript code hidden behind CSS?
#
# TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
#
# alert(String.fromCharCode(88,83,83)
# - window.name
# - document.cookie
# - document.location
# - document.write
# - document.styleSheets[0].addImport('yourstylesheet.css', 2);
# - window.execScript("alert('test');", "JavaScript");
# - document.body.innerHTML = ''
# - newObj = new ActiveXObject(servername.typename[, location])
# - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
# - setTimeout("alert('xss')", 1000)
# - xmlHttp.onreadystatechange=function() {}
# - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
#
# NOTES:
#
# - JavaScript evasion:
#
# http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
# http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- CSS attack fragments --
# <div style="background-image: url(javascript:...)">
# <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
# <div style="width: expression(...);">
# <img style="x:expression(document.write(1))">
# <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
# - <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
# <style>@import url(...);</style>
# -moz-binding:url(...)
# background:url("javascript:...")
# </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
# <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
# <li style="behavior:url(hilite.htc)">xss
#
# Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
#
# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
#
# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
# a match of that before we do anything might help us reduce the FP rate.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973308',capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!\[cdata\[|\]\]>" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973309',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- Misc --
# alert('xss')
# alert("xss")
# alert(/xss/)
# <xss>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[/'\"<]xss[/'\">]" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973310',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# String.fromCharCode(88,83,83)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(88,83,83)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973311',capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# '';!--"<XSS>=&{()}
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "'';!--\"<xss>=&{()}" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973312',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Handle &{alert('xss')} which is supposed to work in Netscape 4.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "&{" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973313',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# <!DOCTYPE html [
# <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
# ]>
# <html xmlns="http://www.w3.org/1999/xhtml">
# <head>
# <title>Test</title>
# </head>
#
# <body>
# &inject;
# </body>
# </html>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!(doctype|entity)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973314',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
#
# XSS Filters from IE8
# http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#\(\)=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973315',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973316',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973317',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<applet[ /+\t].*?code[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973318',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973319',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<base[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973320',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<link[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973321',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_BODY "(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973322',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<\?import[ /+\t].*?implementation[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973323',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<embed[ /+\t].*?SRC.*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973324',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]on\c\c\c+?[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973325',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]vmlframe.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973326',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973327',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<isindex[ /+\t>])" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973328',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<form.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973329',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973330',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973331',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973332',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973333',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'].*?\[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\()" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973334',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\(.*?\))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973335',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

25
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_42_tight_security.conf
View File

@ -1,25 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset file contains rules that are highly prone to FPs
# Enable PARANOID_MODE in the 10 config file if you want to activate this rule
#
#
# Directory Traversal
#
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'7',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
# Weaker signature
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.2.6',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

35
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_45_trojans.conf
View File

@ -1,35 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# The trojan access detection rules detects access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses external Anti Virus program when uploading files.
#
# Detection of Trojans access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not
# through hacking.
# --
#
# NOTE Trojans detection is based on checking elements controlled by the client.
# A determined attacked can bypass those checks. We are working on
# enchaining the checks so it would require a major change in the Trojan
# to overcome.
#
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading as the signature set of AV software is not tuned
# for this purpose. We are working on adding signature tuned to detect
# Trojans upload to file uploading inspection.
#
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950110',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "root\.exe" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950921',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950922',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"

40
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_47_common_exceptions.conf
View File

@ -1,40 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:'981020',t:none,pass,nolog"
SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
#
# Exception for Apache internal dummy connection
#
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,id:'981021',t:none,pass,nolog"
SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
#
# Exception for Adobe Flash Player
# https://www.modsecurity.org/tracker/browse/CORERULES-57
#
SecRule REQUEST_METHOD "@streq POST" "chain,phase:2,id:'981022',t:none,pass,nolog"
SecRule REQUEST_HEADERS:User-Agent "@contains Adobe Flash Player" "chain,t:none"
SecRule REQUEST_HEADERS:X-Flash-Version ".*" "chain,t:none"
SecRule REQUEST_HEADERS:Content-Type "@contains application/x-amf" "chain,t:none"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"

145
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_bad_robots.data
View File

@ -1,145 +0,0 @@
webmole
wisenutbot
prowebwalker
hanzoweb
email
toata dragostea mea pentru diavola
gameBoy, powered by nintendo
missigua
poe-component-client
emailsiphon
adsarobot
under the rainbow 2.
nessus
floodgate
email extractor
webaltbot
contactbot/
butch__2.1.1
pe 1.4
indy library
autoemailspider
mozilla/3.mozilla/2.01
fantombrowser
digout4uagent
panscient.com
telesoft
; widows
converacrawler
www.weblogs.com
murzillo compatible
isc systems irc search 2.1
emailmagnet
microsoft url control
datacha0s
emailwolf
production bot
sitesnagger
webbandit
web by mail
faxobot
grub crawler
jakarta
eirgrabber
webemailextrac
extractorpro
attache
educate search vxb
8484 boston project
franklin locator
nokia-waptoolkit
mailto:craftbot@yahoo.com
full web bot
pcbrowser
psurf
user-Agent
pleasecrawl/1.
kenjin spider
gecko/25
no browser
webster pro
wep Search 00
grub-client
fastlwspider
this is an exploit
contentsmartz
teleport pro
dts agent
nikto
morzilla
via
atomic_email_hunter
program shareware 1.0.
ecollector
emailcollect
china local browse 2.
backdoor
stress test
foobar/
emailreaper
xmlrpc exploit
compatible ; msie
s.t.a.l.k.e.r.
compatible-
webvulnscan
nameofagent
copyrightcheck
advanced email extractor
surveybot
compatible ;.
searchbot admin@google
wordpress/4.01
webemailextract
larbin@unspecified
turing machine
zeus
windows-update-agent
morfeus fucking scanner
user-agent:
voideye
mosiac 1
chinaclaw
newt activeX; win32
web downloader
safexplorer tl
agdm79@mail.ru
cheesebot
hhjhj@yahoo
fiddler
psycheclone
microsoft internet explorer/5.0
core-project/1
atspider
copyguard
neuralbot/0.2
wordpress hash grabber
amiga-aweb/3.4
packrat
rsync
crescent internet toolpak
security scan
vadixbot
concealed defense
a href=
bwh3_user_agent
internet ninja
microsoft url
emailharvest
shai
wisebot
internet exploiter sux
wells search ii
webroot
digimarc webreader
botversion
black hole
windows xp 5
w3mir
pmafind
athens
hl_ftien_spider
injection
takeout
eo browse
cherrypicker
internet-exprorer

35
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_scanners.data
View File

@ -1,35 +0,0 @@
grabber
cgichk
bsqlbf
mozilla/4.0 (compatible)
sqlmap
mozilla/4.0 (compatible; msie 6.0; win32)
mozilla/5.0 sf//
nessus
arachni
metis
sql power injector
bilbo
absinthe
black widow
n-stealth
brutus
webtrends security analyzer
netsparker
python-httplib2
jaascois
pmafind
.nasl
nsauditor
paros
dirbuster
pangolin
nmap nse
sqlninja
nikto
webinspect
blackwidow
grendel-scan
havij
w3af
hydra

445
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_40_generic_attacks.data
View File

@ -1,445 +0,0 @@
set-cookie
.cookie
expiressys.user_objects
sys.user_triggers
@@spid
msysaces
instr
sys.user_views
mysql.
sys.tab
charindex
locate
sys.user_catalog
constraint_type
msysobjects
attnotnull
select
sys.user_tables
sys.user_constraints
sys.user_tab_columns
waitfor
sys.all_tables
msysrelationships
msyscolumns
msysqueriessubstr
xtype
textpos
all_objects
rownum
sysfilegroups
sysprocesses
user_group
sysobjects
systables
user_tables
pg_attribute
column_id
user_password
user_users
attrelid
user_tab_columns
table_name
pg_class
user_constraints
user_objects
object_type
sysconstraints
mb_users
column_name
atttypid
substring
object_id
syscat
sysibm
user_ind_columns
syscolumns
sysdba
object_name
sqrt
insert
date
instr
floor
autonomous_transaction
print
encode
coalesce
if
degrees
release_lock
procedure_analyse
password
least
cr32
subdate
xp_filelist
owa_util
trim
xp_regenumkeys
charset
ciel
bit_or
delete
time
month
xp_execresultset
round
dba_users
is
master_pos_wait
decode
unhex
char_length
strcmp
rtrim
'sa'
version
ord
xp_makecab
truncate
last
concat
coercibility
right
length
ascii
var_samp
char
extract
get_
bit_length
xp_regread
export_set
aes_decrypt
name_const
left
conv
bin
not_in
infile
substr
uuid
is_srvrolemember
var_pop
ln
aes_encrypt
outfile
current_date
quote
in
user
locate
@@version
exp
current_timestamp
sql_longvarchar
values
subtime
xp_loginconfig
sin
xp_regaddmultistring
replace
tan
xmltype
character_length
cast
current_time
varchar
position
to_number
addtime
mid
found_rows
stddev
xp_availablemedia
substring
dumpfile
isnull
cot
select
concat_ws
convert
uncompress
radians
uncompressed_length
acos
'sqloledb'
dbms_pipe.receive_message
utl_http
cieling
row_count
benchmark
sec_to_time
sysdate
hour
current_user
utc_
curdate
nvarchar
schema
data_type
lcase
inner
make_set
day
tbcreator
sum
sign
adddate
ltrim
variance
weight_string
second
microsecond
system_user
abs
ifnull
minute
unix_timestamp
collation
curtime
lower
repeat
sp_oacreate
group_concat
sp_execute
xp_ntsec
xp_regdeletekey
drop
quarter
local
str_to_date
nullif
from_
old_password
xp_regdeletevalue
asin
oct
load_file
sp_password
bit_xor
xp_regremovemultistring
chr
avg
std
openquery
makedate
database
updatexml
datediff
now
year
mod
bit_and
lpad
xp_enumdsn
max
period_
soundex
shutdown
bit_count
field
connection_id
sha
default
interval
xp_dirtree
reverse
ucase
compress
xp_terminate_process
md5
rpad
session_user
find_in_set
dump
convert_tz
having
des_
greatest
xp_regenumvalues
utl_file
cos
log
pi
sql_variant
encrypt
upper
rand
week
min
xp_cmdshell
'msdasql'
space
sp_executesql
elt
pow
'dbo'
sp_makewebtask
dbms_java
to_
format
xp_regwrite
sp_helpjscript
onsubmit
copyparentfolder
document
javascript
meta
onchange
onmove
onkeydown
onkeyup
activexobject
onerror
onmouseup
ecmascript
bexpression
onmouseover
vbscript:
<![cdata[
http:
.innerhtml
settimeout
shell:
onabort
asfunction:
onkeypress
onmousedown
onclick
.fromcharcode
background-image:
x-javascript
ondragdrop
onblur
mocha:
javascript:
onfocus
lowsrc
getparentfolder
onresize
@import
alert
script
onselect
onmouseout
application
onmousemove
background
.execscript
livescript:
vbscript
getspecialfolder
.addimport
iframe
onunload
createtextrange
<input
onload.www_acl
.htpasswd
.htaccess
httpd.conf
boot.ini
/etc/
.htgroup
global.asa
.wwwaclnet.exe
cmd.exe
cmd
telnet.exe
wguest.exe
ftp.exe
nmap.exe
wsh.exe
rcmd.exe
nc.exe
cmd32.exechgrp
cmd32
uname
kill
localgroup
wguest.exe
nasm
rcmd.exe
nc.exe
id
nc
tclsh
finger
tftp
cmd
chown
chsh
ping
nmap.exe
ps
net.exe
telnet.exe
ls
tclsh8
ftp.exe
ftp
lsof
xterm
mail
echo
tracert
nmap
cmd.exe
rm
python
cd
traceroute
chmod
perl
passwd
wsh.exe
cpp
telnet
gcc
g++chgrp
cmd32
uname
kill
localgroup
wguest.exe
nasm
rcmd.exe
nc.exe
id
nc
tclsh
finger
tftp
cmd
chown
chsh
ping
nmap.exe
ps
net.exe
telnet.exe
ls
tclsh8
ftp.exe
ftp
lsof
xterm
mail
echo
tracert
nmap
cmd.exe
rm
python
cd
traceroute
chmod
perl
passwd
wsh.exe
cpp
telnet
gcc
g++<?

282
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_41_sql_injection_attacks.data
View File

@ -1,282 +0,0 @@
sys.user_objects
sys.user_triggers
@@spid
msysaces
instr
sys.user_views
mysql.
sys.tab
charindex
locate
sys.user_catalog
constraint_type
msysobjects
attnotnull
select
sys.user_tables
sys.user_constraints
sys.user_tab_columns
waitfor
sys.all_tables
msysrelationships
msyscolumns
msysqueriessubstr
xtype
textpos
all_objects
rownum
sysfilegroups
sysprocesses
user_group
sysobjects
systables
user_tables
pg_attribute
column_id
user_password
user_users
attrelid
user_tab_columns
table_name
pg_class
user_constraints
user_objects
object_type
sysconstraints
mb_users
column_name
atttypid
substring
object_id
syscat
sysibm
user_ind_columns
syscolumns
sysdba
object_name
sqrt
insert
date
instr
floor
autonomous_transaction
print
encode
coalesce
if
degrees
release_lock
procedure_analyse
password
least
cr32
subdate
xp_filelist
owa_util
trim
xp_regenumkeys
charset
ciel
bit_or
delete
time
month
xp_execresultset
round
dba_users
is
master_pos_wait
decode
unhex
char_length
strcmp
rtrim
'sa'
version
ord
xp_makecab
truncate
last
concat
coercibility
right
length
ascii
var_samp
char
extract
get_
bit_length
xp_regread
export_set
aes_decrypt
name_const
left
conv
bin
not_in
infile
substr
uuid
is_srvrolemember
var_pop
ln
aes_encrypt
outfile
current_date
quote
in
user
locate
@@version
exp
current_timestamp
sql_longvarchar
values
subtime
xp_loginconfig
sin
xp_regaddmultistring
replace
tan
xmltype
character_length
cast
current_time
varchar
position
to_number
addtime
mid
found_rows
stddev
xp_availablemedia
substring
dumpfile
isnull
cot
select
concat_ws
convert
uncompress
radians
uncompressed_length
acos
'sqloledb'
dbms_pipe.receive_message
utl_http
cieling
row_count
benchmark
sec_to_time
sysdate
hour
current_user
utc_
curdate
nvarchar
schema
data_type
lcase
inner
make_set
day
tbcreator
sum
sign
adddate
ltrim
variance
weight_string
second
microsecond
system_user
abs
ifnull
minute
unix_timestamp
collation
curtime
lower
repeat
sp_oacreate
group_concat
sp_execute
xp_ntsec
xp_regdeletekey
drop
quarter
local
str_to_date
nullif
from_
old_password
xp_regdeletevalue
asin
oct
load_file
sp_password
bit_xor
xp_regremovemultistring
chr
avg
std
openquery
makedate
database
updatexml
datediff
now
year
mod
bit_and
lpad
xp_enumdsn
max
period_
soundex
shutdown
bit_count
field
connection_id
sha
default
interval
xp_dirtree
reverse
ucase
compress
xp_terminate_process
md5
rpad
session_user
find_in_set
dump
convert_tz
having
des_
greatest
xp_regenumvalues
utl_file
cos
log
pi
sql_variant
encrypt
upper
rand
week
min
xp_cmdshell
'msdasql'
space
sp_executesql
elt
pow
'dbo'
sp_makewebtask
dbms_java
to_
format
xp_regwrite
sp_help

92
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound.data
View File

@ -1,92 +0,0 @@
<TITLE>Index of
><br>
<title>Index ofMicrosoft VBScript runtime (0x8
error '800
Application uses a value of the wrong type for the current operation
Microsoft VBScript compilation (0x8
Microsoft VBScript compilation error
Microsoft .NET Framework Version:
A trappable error occurred in an external object. The script cannot continue running
rror
Microsoft VBScript runtime Error
>Syntax error in string in query expression
ADODB.Command
Object required: '
<b>Version Information:</b> does not match with a table name or alias name used in the query
You have an error in your SQL syntax near '
Wora_
Wpg_
select list because it is not contained in either an aggregate function or the GROUP BY clause
Syntax error converting the
supplied argument is not a valid MS SQL
supplied argument is not a valid Oracle
Unclosed quotation mark before the character string
Warning: mysql_connect():
Unable to connect to PostgreSQL server:
SQL Server does not exist or access denied
supplied argument is not a valid PostgreSQL result
Microsoft OLE DB Provider for
Access Database Engine
Either BOF or EOF is True, or the current record has been deleted
supplied argument is not a valid ODBC
supplied argument is not a valid MySQL
WRoadhouse
You have an error in your SQL syntax
error '800a01b8'
data type as an argument.
SQL syntax
select list because it is not contained in an aggregate function and there is no GROUP BY clause
' in sysservers. execute sp_addlinkedserver
incorrect syntax near These statistics were produced by PeLAB
This analysis was produced by
These statistics were produced by getstats
This report was generated by WebLog
ebalizer
This summary was generated byfgets
ftp_put
ftp_nb_put
fopen
readdir
$_post
ftp_nb_fput
ftp_get
scandir
readgzfile
proc_open
ftp_fput
fwrite
session_start
gzopen
$_session
move_uploaded_file
readfile
ftp_fget
gzencode
bzopen
gzread
call_user_func
ftp_nb_fget
$_get
fscanf
fread
fgetc
ftp_nb_get
fgetss
gzwrite
gzcompressserver.urlencode
server.createobject
scripting.filesystemobject
server.execute
wscript.shell
<jsp:
.createtextfile
.addheader
wscript.network
javax.servlet
.loadfromfile
server.mappath
vbscript.encode
server.htmlencode
response.write
response.binarywrite
.getfile

2947
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound_malware.data
View File

File diff suppressed because it is too large Load Diff

539
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_20_protocol_violations.conf
View File

@ -1,539 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Some protocol violations are common in application layer attacks.
# Validating HTTP requests eliminates a large number of application layer attacks.
#
# The purpose of this rules file is to enforce HTTP RFC requirements that state how
# the client is supposed to interact with the server.
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#
#
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
#
# Uses rule negation against the regex for positive security. The regex specifies the proper
# construction of URI request lines such as:
#
# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
# http://capec.mitre.org/data/definitions/272.html
#
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
"msg:'Invalid HTTP Request Line',\
severity:'4',\
id:'960911',\
ver:'OWASP_CRS/2.2.6',\
rev:'2',\
maturity:'9',\
accuracy:'9',\
logdata:'%{request_line}',\
phase:1,\
block,\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
tag:'CAPEC-272',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Identify Invalid URIs Blocked by Apache
#
# -=[ Rule Logic ]=-
#
# There are some request violations that Apache will handle internally, prior to the
# ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get
# visibility by running a check in phase:5 logging to look for the Apache error msg.
#
# -=[ References ]=-
#
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
"msg:'Apache Error: Invalid URI in Request.', \
severity:'4', \
id:'981227', \
ver:'OWASP_CRS/2.2.6', \
rev:'1', \
maturity:'9', \
accuracy:'9', \
logdata:'%{request_line}', \
phase:5, \
pass, \
t:none, \
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
tag:'CAPEC-272', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Identify multipart/form-data name evasion attempts
#
# There are possible impedance mismatches between how
# ModSecurity interprets multipart file names and how
# a destination app server such as PHP might parse the
# Content-Disposition data:
#
# filename-parm := "filename" "=" value
#
# -=[ Rule Logic ]=-
# These rules check for the existence of the ' " ; = meta-characters in
# either the file or file name variables.
#
# -=[ References ]=-
# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
# http://www.ietf.org/rfc/rfc2183.txt
#
SecRule FILES_NAMES|FILES "['\";=]" \
"msg:'Attempted multipart/form-data bypass', \
severity:'2', \
id:'960000', \
ver:'OWASP_CRS/2.2.6', \
rev:'1', \
maturity:'9', \
accuracy:'7', \
logdata:'%{matched_var}', \
phase:2, \
block, \
t:none,t:urlDecodeUni, \
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
tag:'CAPEC-272', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Verify that we've correctly processed the request body.
#
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
# -=[ Rule Logic ]=-
# Checks for the existence of the REQBODY_ERROR variable that is created
# by the request body processor if it encounters errors.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR
#
SecRule REQBODY_ERROR "!@eq 0" \
"msg:'Failed to parse request body.', \
severity:'2', \
id:'960912', \
ver:'OWASP_CRS/2.2.6', \
rev:'1', \
maturity:'9', \
accuracy:'9', \
logdata:'%{REQBODY_ERROR_MSG}', \
phase:2, \
block, \
t:none, \
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
tag:'CAPEC-272', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Strict Multipart Parsing Checks
#
# -=[ Rule Logic ]=-
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}', \
severity:'2', \
id:'960914', \
ver:'OWASP_CRS/2.2.6', \
rev:'1', \
maturity:'8', \
accuracy:'7', \
phase:2, \
block, \
t:none, \
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
tag:'CAPEC-272', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Multipart Unmatched Boundary Check
#
# -=[ Rule Logic ]=-
# Check for the MULTIPART_UNMATCHED_BOUNDARY flag and alert
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_UNMATCHED_BOUNDARY
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"msg:'Multipart parser detected a possible unmatched boundary.', \
severity:'2', \
id:'960915', \
ver:'OWASP_CRS/2.2.6', \
rev:'1', \
maturity:'8', \
accuracy:'8', \
phase:2, \
block, \
t:none, \
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
tag:'CAPEC-272', \
setvar:'tx.msg=%{rule.msg}', \
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
#
# Accept only digits in content length
#
# -=[ Rule Logic ]=-
# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
# is NOT all digits, then it will match.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
#
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
"msg:'Content-Length HTTP header is not numeric.',\
severity:'2',\
id:'960016',\
ver:'OWASP_CRS/2.2.6',\
rev:'1',\
maturity:'9',\
accuracy:'9',\
phase:1,\
block,\
logdata:'%{matched_var}',\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
tag:'CAPEC-272',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
#
# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web applications.
#
# -=[ Rule Logic ]=-
# This is a chained rule that first checks the Request Method. If it is a
# GET or HEAD method, then it checks for the existence of a Content-Length
# header. If the header exists and its payload is either not a 0 digit or not
# empty, then it will match.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
#
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
"msg:'GET or HEAD Request with Body Content.',\
severity:'2',\
id:'960011',\
ver:'OWASP_CRS/2.2.6',\
rev:'1',\
maturity:'9',\
accuracy:'9',\
phase:1,\
block,\
logdata:'%{matched_var}',\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
tag:'CAPEC-272',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
"t:none,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
#
# Require Content-Length to be provided with every POST request.
#
# -=[ Rule Logic ]=-
# This chained rule checks if the request method is POST, if so, it checks that a Content-Length
# header is also present.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
#
SecRule REQUEST_METHOD "^POST$" \
"msg:'POST request missing Content-Length Header.',\
severity:'4',\
id:'960012',\
ver:'OWASP_CRS/2.2.6',\
rev:'1',\
maturity:'9',\
accuracy:'9',\
phase:1,\
block,\
logdata:'%{matched_var}',\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
tag:'CAPEC-272',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
"t:none,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
#
# Deny inbound compressed content
# identity The default (identity) encoding; the use of no transformation whatsoever.
# This content-coding is used only in the Accept- Encoding header, and SHOULD NOT be
# used in the Content-Encoding header.
#
# -=[ Rule Logic ]=-
# This rule inspects the Content-Encoding request header to ensure that Identity
# is not specified.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#
SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" \
"msg:'Invalid Use of Identity Encoding.',\
severity:'4',\
id:'960902',\
ver:'OWASP_CRS/2.2.6',\
rev:'2',\
maturity:'9',\
accuracy:'9',\
phase:1,\
block,\
logdata:'%{matched_var}',\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
tag:'CAPEC-272',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
#
# Expect header is an HTTP/1.1 protocol feature
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This chained rule looks for the Expect request header, and if it is found then it
# checks the HTTP protocol version supplied by the client. If it is version 1.0, the
# rule matches.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule REQUEST_HEADERS:Expect "@contains 100-continue" \
"msg:'Expect Header Not Allowed for HTTP 1.0.',\
severity:'5',\
id:'960022',\
ver:'OWASP_CRS/2.2.6',\
rev:'2',\
maturity:'7',\
accuracy:'9',\
phase:1,\
block,\
logdata:'%{matched_var}',\
t:none,\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
tag:'CAPEC-272',\
chain"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
"t:none,\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
#
# Pragma Header requires a Cache-Control Header
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This chained rule first checks for the existence of a Pragma request header. If it is found,
# then it checks for a corresponding Cache-Control header (as the HTTP 1.1 RFC states clients should submit
# one). If this is also missing, then it verifies the HTTP protocol version. If it is 1.1 then the rule
# matches.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'"
SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Range Header Checks
#
# 1. Range Header exists and begins with 0 - normal browsers don't do this.
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Range request header to see if it starts with 0.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
# 2. Per RFC 2616 -
# "If the last-byte-pos value is present, it MUST be greater than or equal to the first-byte-pos in that byte-range-spec,
# or the byte- range-spec is syntactically invalid."
# -=[ Rule Logic ]=-
# This rule compares the first and second byte ranges and flags when the first value is greater than the second.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
# http://seclists.org/fulldisclosure/2011/Aug/175
#
# 3. Identifies an excessive number of byte range fields within one request
#
SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}',severity:'4',id:'958291',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}',severity:'4',id:'958230',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule TX:2 "!@ge %{tx.1}"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'4',id:'958231',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Broken/Malicous clients often have duplicate or conflicting headers
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Connection header and looks for duplicates of the
# keep-alive and close options.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:'%{matched_var}',id:'958295',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Check URL encodings
#
# -=[ Rule Logic ]=-
# There are two different chained rules. We need to separate them as we are inspecting two
# different variables - REQUEST_URI and REQUEST_BODY. For REQUEST_BODY, we only want to
# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
#
# -=[ References ]=-
# http://www.ietf.org/rfc/rfc1738.txt
#
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
#
# Check UTF enconding
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# -=[ Rule Logic ]=-
# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
# variable in the modsecurity_crs_10_config.conf file.
#
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
#
# Disallow use of full-width unicode as decoding evasions my be possible.
#
# -=[ Rule Logic ]=-
# This rule looks for full-width encoding by looking for %u following by 2 f characters
# and then 2 hex characters.
#
# -=[ References ]=-
# http://www.kb.cert.org/vuls/id/739224
#
SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
"t:none,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
#
# Proxy access attempt
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
# included in case Apache proxy is misconfigured.
# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
# your local application and this rule allows it.
# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable.
# If you have set UseCanonicalName, the you can uncomment this rule.
#
# -=[ Rule Logic ]=-
# This chained rule first inspects the URI to see if a full domain name is specified.
# If it is, then this data is compared against the Cononical SERVER_NAME. If it does
# not match, then the client is making a request for an off-site location.
#
#SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'"
#SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
#
# Restrict type of characters sent
# NOTE In order to be broad and support localized applications this rule
# only validates that NULL Is not used.
#
# The strict policy version also validates that protocol and application
# generated fields are limited to printable ASCII.
#
# -=[ Rule Logic ]=-
# This rule uses the @validateByteRange operator to look for Nul Bytes.
# If you set Paranoid Mode - it will check if your application use the range 32-126 for parameters.
#
# -=[ References ]=-
# http://i-technica.com/whitestuff/asciichart.html
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',block,msg:'Invalid character in request',id:'960901',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'7',block,msg:'Invalid character in request',id:'960018',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \
"@validateByteRange 32-126" \
"t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

108
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
View File

@ -1,108 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Some common HTTP usage patterns are indicative of attacks but may also be used by non-browsers for legitimate uses.
#
# Do not accept requests without common headers.
# All normal web browsers include Host, User-Agent and Accept headers.
# Implies either an attacker or a legitimate automation client.
#
#
# Missing/Empty Host Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Host header is present.
# The second check is to see if a Host header exists but is empty.
#
SecMarker BEGIN_HOST_CHECK
SecRule &REQUEST_HEADERS:Host "@eq 0" \
"skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Host "^$" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Empty Host Header',id:'960007',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_HOST_CHECK
#
# Missing/Empty Accept Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if an Accept header is present.
# The second check is to see if an Accept header exists but is empty.
#
SecMarker BEGIN_ACCEPT_CHECK
SecRule REQUEST_METHOD "!^OPTIONS$" \
"skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_METHOD "!^OPTIONS$" \
"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Has an Empty Accept Header',severity:'5',id:'960021',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_ACCEPT_CHECK
#
# Missing/Empty User-Agent Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a User-Agent header is present.
# The second check is to see if a User-Agent header exists but is empty.
#
SecMarker BEGIN_UA_CHECK
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
"skipAfter:END_UA_CHECK,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent "^$" \
"phase:2,t:none,block,msg:'Empty User Agent Header',id:'960006',rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_UA_CHECK
#
# Missing Content-Type Header with Request Body
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Content-Type header is missing.
# The second check is to see if a Content-Length header is present and is
# not empty or contains a 0. If the Content-Length header contains other data
# than this means that there is a request body and the RFC states that there
# MUST be a Content-Type header so that the app knows how to parse the data.
#
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
"chain,phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
# Check that the host header is not an IP address
# This is not an HTTP RFC violation but it is indicative of automated client access.
# Many web-based worms propagate by scanning IP address blocks.
#
# -=[ Rule Logic ]=-
# This rule triggers if the Host header contains all digits (and possible port)
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
# Log a security event when the request is rejected by apache
#
# You must patch mod_unique_id for this to work correctly. See the following
# mod-security-users mail-list post for the patch details -
# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
#
#SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
#SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"

49
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_23_request_limits.conf
View File

@ -1,49 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# In most cases, you should expect a certain volume of each a request on your
# website. For example, a request with 400 arguments, can be suspicious.
# This file creates limitations on the request.
#
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need
#
## -- Arguments limits --
# Limit argument name length
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit value name length
SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Maximum number of arguments in request limited
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit arguments total length
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
## -- File upload limits --
# Individual file size is limited
SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" "chain"
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Combined file size is limited
SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

102
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_30_http_policy.conf
View File

@ -1,102 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
# Few applications require the breadth and depth of the HTTP protocol. On the
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting
# HTTP protocol usage is effective in therefore effective in blocking many
# application layer attacks.
#
# TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or
# the URL they access.
#
# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
# methods. If that is not the case with your environment, you are advised
# to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported types.
#
# Note though that ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
# types (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests to have bodies to we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# this version.
#
# NOTE Automation programs, both malicious and non malicious many times use
# other HTTP versions. If you want to allow a specific automated program
# to use your site, try to create a narrower expection and not allow any
# client to send HTTP requests in a version lower than 1.1
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
# and not in use in any valid program. If your application uses one of
# these extensions, please remove it from the list of blocked extensions.
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
# Restricted HTTP headers
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
# If your application uses one of these directories, please remove it from
# the list of blocked extensions. You may need to use ModSecurity Core Rule
# Set Templates to do so, otherwise comment the whole rule.
#
SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'"
SecRule TX:HEADER_NAME "@within %{tx.restricted_headers}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

30
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_35_bad_robots.conf
View File

@ -1,30 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# NOTE Bad robots detection is based on checking elements easily
# controlled by the client. As such a determined attacked can bypass
# those checks. Therefore bad robots detection should not be viewed as
# a security mechanism against targeted attacks but rather as a nuisance
# reduction, eliminating most of the random attacks against your web
# site.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'"
SecRule REQUEST_HEADERS:User-Agent "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by mail)|(?:(?:altb|ro)o|bandi)t|emailextract?|vulnscan|mole)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent| xp 5)|se(?:nut)?bot)|ordpress(?: hash grabber|\/4\.01)|3mir)|m(?:o(?:r(?:feus fucking scanner|zilla)|zilla\/3\.mozilla\/2\.01$|siac 1.)|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:ro(?:gram shareware 1\.0\.|duction bot|webwalker)|a(?:nscient\.com|ckrat)|oe-component-client|s(?:ycheclone|urf)|leasecrawl\/1\.|cbrowser|e 1\.4|mafind)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|(siphon|spider)|siphon|wolf)|(?:collecto|irgrabbe)r|ducate search vxb|xtractorpro|o browse)|t(?:(?: ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? h ?u ?r ?|his is an exploi|akeou)t|oata dragostea mea pentru diavola|ele(?:port pro|soft)|uring machine)|a(?:t(?:(?:omic_email_hunt|spid)er|tache|hens)|d(?:vanced email extractor|sarobot)|gdm79\@mail\.ru|miga-aweb\/3\.4|utoemailspider| href=)|^(?:(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?\ ?(compatible( browser)?)?)$|www\.weblogs\.com|(?:jakart|vi)a|microsoft url|user-Agent)|s(?:e(?:archbot admin@google.com|curity scan)|(?:tress tes|urveybo)t|\.t\.a\.l\.k\.e\.r\.|afexplorer tl|itesnagger|hai)|n(?:o(?:kia-waptoolkit.* googlebot.*googlebot| browser)|e(?:(?:wt activeX; win3|uralbot\/0\.)2|ssus)|ameofagent|ikto)|f(?:a(?:(?:ntombrows|stlwspid)er|xobot)|(?:ranklin locato|iddle)r|ull web bot|loodgate|oobar/)|i(?:n(?:ternet(?: (?:exploiter sux|ninja)|-exprorer)|dy library)|sc systems irc search 2\.1)|g(?:ameBoy, powered by nintendo|rub(?: crawler|-client)|ecko\/25)|(myie2|libwen-us|murzillo compatible|webaltbot|wisenutbot)|b(?:wh3_user_agent|utch__2\.1\.1|lack hole|ackdoor)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|(?:(script|sql) inject|$botname/$botvers)ion|(msie .+; .*windows xp|compatible \; msie)|h(?:l_ftien_spider|hjhj@yahoo|anzoweb)|(?:8484 boston projec|xmlrpc exploi)t|u(?:nder the rainbow 2\.|ser-agent:)|(sogou develop spider|sohu agent)|(?:(?:d|e)browse|demo bot)|zeus(?: .*webster pro)?|[a-z]surf[0-9][0-9]|v(?:adixbot|oideye)|larbin@unspecified|\bdatacha0s\b|kenjin spider|; widows|rsync|\\\r))" "capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecMarker END_ROBOT_CHECK

236
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_40_generic_attacks.conf
View File

@ -1,236 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# OS Command Injection Attacks
#
# -=[ Rule Logic ]=-
# These rules look for attempts to access OS commands such as curl, wget and cc
# These commands are often used in injection attacks to force the victim web
# application to initiate a connection out to a hacker site to download, compile
# and install malicious toolkits such as those to participate in Botnets.
#
# -=[ References ]=-
# http://projects.webappsec.org/OS-Commanding
# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
SecMarker END_COMMAND_INJECTION1
#
# -=[ Heuristic Checks ]=-
#
# [ Repeatative Non-Word Chars ]
#
# This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
#
# Coldfusion Injection
#
# -=[ Rule Logic ]=-
# These rules look for the existence of undocumented ColdFusion Admin functions on input
#
# -=[ References ]=-
# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
SecMarker END_CF_INJECTION
#
# LDAP Injection
#
# -=[ Rule Logic ]=-
# These rules look for common LDAP data constructions.
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
SecMarker END_LDAP_INJECTION
#
# SSI injection
#
# -=[ Rule Logic ]=-
# These rules look for common Server-Site Include format data on input.
#
# -=[ References ]=-
# http://projects.webappsec.org/SSI-Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'SSI injection Attack',id:'950011',tag:'OWASP_CRS/WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
SecMarker END_SSI_INJECTION
#
# UPDF XSS
#
# -=[ Rule Logic ]=-
# This rule looks for a link being submitted that contains the # fragment in a query_string.
#
# -=[ References ]=-
# http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
#
# Email Injection
#
# -=[ References ]=-
# http://projects.webappsec.org/Mail-Command-Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:'950019',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# HTTP Request Smuggling
#
# -=[ Rule Logic ]=-
# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
# request headers. This character would indicate that there were more than one request header
# with this same name. In these instances, Apache treats the data in a similar manner as
# multiple cookie values.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Request-Smuggling
# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
#
# HTTP Response Splitting
#
# -=[ Rule Logic ]=-
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
#
# RFI Attack
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950117',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \
"phase:2,rev:'3',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950118',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950119',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
#
# Prequalify Request Matches
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
"phase:2,id:'981133',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,pass,skipAfter:END_PM_CHECK,nolog"
#
# Begin RegEx Checks for target locations that matched the prequalifier checks
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:'950009',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950003',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" "chain,capture"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950000',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecMarker END_SESSION_FIXATION
#
# File Injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:'950005',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_FILE_INJECTION
#
# Command access
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Access',id:'950002',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_ACCESS
#
# Command injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950006',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_INJECTION
#
# PHP injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_PM_CHECK

245
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
View File

@ -1,245 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# References:
#
# SQL Injection Pocket Reference (via @LightOS) -
# https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk
#
# SQLi Filter Evasion Cheat Sheet -
# http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
#
# SQL Injection Cheat Sheet -
# http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
#
# SQLMap's Tamper Scripts (for evasions)
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
#
#
# -=[ Detect SQL Comment Sequences ]=-
#
# Example Payloads Detected:
# -------------------------
# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# or 1=1#
# or 1=1-- -
# or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Hex Evasion Methods ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" "phase:2,id:'981260',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´;]+|[\"'`´;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Operators ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ SQL Tautologies ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´\(\)]*?)([\d\w]++)([\s'\"`´\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´\(\)]*?)(?!\2)([\d\w]+)))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:'950901',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# -=[ Detect DB Names ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# SQL Keyword Anomaly Scoring
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"
SecRule TX:SQLI_SELECT_STATEMENT "@contains select" "phase:2,id:'981301',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains show" "phase:2,id:'981302',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains top" "phase:2,id:'981303',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains distinct" "phase:2,id:'981304',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains from" "phase:2,id:'981305',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains dual" "phase:2,id:'981306',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains where" "phase:2,id:'981307',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains group by" "phase:2,id:'981308',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains order by" "phase:2,id:'981309',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains having" "phase:2,id:'981310',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains limit" "phase:2,id:'981311',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains offset" "phase:2,id:'981312',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains union" "phase:2,id:'981313',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains union all" "phase:2,id:'981314',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains rownum as" "phase:2,id:'981315',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT "@contains (case" "phase:2,id:'981316',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# Blind SQL injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:'950007',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# SQL injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950001',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959070',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959071',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via "(?i:\b(?:coalesce\b|root\@))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:'950908',msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# [ SQL Injection Character Anomaly Usage ]
#
# These rules attempted to gauge when there is an exccesive use of
# meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the the @ge operator value appropriately for your site. Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\\\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\\\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
#
# Example Payloads Detected:
# -------------------------
# IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
# SELECT pg_sleep(10);
# IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = root;
# select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:'981272',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
#
# Example Payloads Detected:
# -------------------------
# ' or 1=1#
# ') or ('1'='1--
# 1 OR \'1\'!=0
# aaa\' or (1)=(1) #!asd
# aaa\' OR (1) IS NOT NULL #!asd
# ' =+ '
# asd' =- (-'asd') -- -a
# aa" =+ - "0
# aa' LIKE 0 -- -a
# aa' LIKE md5(1) or '1
# asd"or-1="-1
# asd"or!1="!1
# asd"or!(1)="1
# asd" or ascii(1)="49
# asd' or md5(5)^'1
# \"asd" or 1="1
# ' or id= 1 having 1 #1 !
# ' or id= 2-1 having 1 #1 !
# aa'or BINARY 1= '1
# aa'like-'aa
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`´]\s+[\"'`´]\s+\d)|(?:^admin\s*?[\"'`´]|(\/\*)+[\"'`´]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´])|(?:[\"'`´]\s*?[^\w\s]?=\s*?[\"'`´])|(?:[\"'`´]\W*?[+=]+\W*?[\"'`´])|(?:[\"'`´]\s*?[!=|][\d\s!=+-]+.*?[\"'`´(].*?$)|(?:[\"'`´]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´]\s*?like\W+[\w\"'`´(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´][<>~]+[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'981244',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´]\s*?!\s*?[\"'`´\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:'981255',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`´][\"'`´](?:[\"'`´].*?[\"'`´]|\Z|[^\"'`´]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´=()]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.60738585072007e-308|1e309)$))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for intiger overflow attacks, these are taken from skipfish, except 2.2.60738585072007e-308 is the \"magic number\" crash',id:'981277',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'981250',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:'981241',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´];\s*?waitfor\s+time\s+[\"'`´])|(?:[\"'`´];.*?:\s*?goto))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'981252',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select)|(?:\w+\s+like\s+[\"'`´])|(?:like\s*?[\"'`´]\%)|(?:[\"'`´]\s*?like\W*?[\"'`´\d])|(?:[\"'`´]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having)|(?:[\"'`´]\s*?\*\s*?\w+\W+[\"'`´])|(?:[\"'`´]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´]*?\s*?\w+\W+\w)|(?:select\s*?[\[\]()\s\w\.,\"'`´-]+from)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'981254',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:'981270',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'981240',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´]\w)|(?:[\"'`´];\s*?(?:if|while|begin))|(?:[\"'`´][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:'981249',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'981253',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s*?(x?or|div|like|between|and)\s*?[\"'`´]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´]$)|(?:(?:^[\"'`´\\\\]*?(?:[\d\"'`´]+|[^\"'`´]+[\"'`´]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´].)|(?:\Winformation_schema|table_name\W))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 1/2',id:'981242',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´]|[=\d]+x))|([\"'`´]\s*?\d\s*?(?:--|#))|(?:[\"'`´][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´])|(?:[\"'`´]\s*?is\s*?\d.+[\"'`´]?\w)|(?:[\"'`´]\|?[\w-]{3,}[^\w\s.,]+[\"'`´])|(?:[\"'`´]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'981246',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'981251',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´]\d)|(?:\^[\"'`´])|(?:^[\w\s\"'`´-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´\d])|(?:[\"'`´]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´])|(?:[\"'`´]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´].*?\*\s*?\d)|(?:[\"'`´]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

491
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_xss_attacks.conf
View File

@ -1,491 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# XSS
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
"phase:2,id:'981136',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"
SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,id:'981018',t:none,pass,skipAfter:END_XSS_CHECK,nolog"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousedown\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bmocha:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonabort\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bhttp:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseup\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*\=.*bexpression\b\W*\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcreatetextrange\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bondragdrop\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcopyparentfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonunload\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.execscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetspecialfolder\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bonload\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeydown\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousemove\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blivescript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonblur\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmove\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsettimeout\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?iframe" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bbackground\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\becmascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonfocus\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bdocument\b\s*\.\s*\bcookie\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\<\!\[cdata\[" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonerror\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bactivexobject\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeypress\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonsubmit\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.addimport\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonchange\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\balert\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?meta\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bhttp:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseout\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\basfunction:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseover\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bjavascript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.innerhtml\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonselect\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\@import\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bvbscript:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonload\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?script\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonresize\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonclick\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\biframe\b.{0,100}?\bsrc\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bbackground-image:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeyup\b\W*?\=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<input\b.*?\btype\b\W*?\bimage\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bshell:" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.fromcharcode\b" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecMarker END_XSS_CHECK
# Detect tags that are the most common direct HTML injection points.
#
# <a href=javascript:...
# <applet src="..." type=text/html>
# <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
# <base href=javascript:...
# <base href=... // change base URL to something else to exploit relative filename inclusion
# <bgsound src=javascript:...
# <body background=javascript:...
# <body onload=...
# <embed src=http://www.example.com/flash.swf allowScriptAccess=always
# <embed src="data:image/svg+xml;
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...
# <img src=x onerror=...
# <input type=image src=javascript:...
# <layer src=...
# <link href="javascript:..." rel="stylesheet" type="text/css"
# <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
# <meta http-equiv="refresh" content="0;url=javascript:..."
# <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
# <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
# <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
# <object data=http://www.example.com
# <object type=text/x-scriptlet data=...
# <object type=application/x-shockwave-flash data=xss.swf>
# <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
# <script>...</script>
# <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
# <script src="data:text/javascript,alert(1)"></script>
# <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
# <style>STYLE</style>
# <style type=text/css>STYLE</style>
# <style type=text/javascript>alert('xss')</style>
# <table background=javascript:...
# <td background=javascript:
#
#
# NOTES
#
# - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
#
# - Not using closing brackets because they are not needed for the
# attacks to succeed. The following seems to work in FF: <body/s/onload=...
#
# - Also, browsers sometimes tend to translate < into >, in order to "repair"
# what they think was a mistake made by the programmer/template designer.
#
# - Browsers are flexible when it comes to what they accept as separator between
# tag names and attributes. The following is commonly used in payloads: <img/src=...
# A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
#
# - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
# but I don't believe we need to look for quotes anywhere.
#
# - Links do not have to be fully qualified. For example, the following works:
# <script src="//ha.ckers.org/.j">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973300',capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\ballowscriptaccess\b|\brel\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973301',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# TODO Would evasion such as null and whitespace work here?
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* ".+application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973302',capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect event handler names
#
# <body onload=...>
# <img src=x onerror=...>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973303',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect usage of common URI attributes (e.g. src)
#
# <a href="javascript:...">Link</a>
# <base href="javascript:...">
# <bgsound src="javascript:...">
# <body background="javascript:...">
# <frameset><frame src="javascript:..."></frameset>
# <iframe src=javascript:...>
# <img dynsrc=javascript:...>
# <img lowsrc=javascript:...>
# <img src=javascript:...>
# <input type=image src=javascript:...>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973304',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# As above, but try to catch the other bit that is necessary to execute the attack.
#
# <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
# <img src=jaVaScrIpt:...>
# <img src=&#6a;avascript:...> (not evasion)
# <img src="jav ascript:..."> (embedded tab; null byte, other whitespace characters work too)
# <img src="jaa&#09;ascript:..."> (the combination of the above two)
#
# NOTES
#
# - htmlEntityDecode needs to be applied because this content appears in HTML
# attributes, so it's not evasion.
#
# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(asfunction|javascript|vbscript|data|mocha|livescript):" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973305',capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Detect attempts to use the style attribute, which works with any tag in at
# least one major browser.
#
# <div style="background-image: url(javascript:...)">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*?=" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973306',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- JavaScript fragments --
#
# TODO Need more fragments.
#
# TODO What about JavaScript code hidden behind CSS?
#
# TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
#
# alert(String.fromCharCode(88,83,83)
# - window.name
# - document.cookie
# - document.location
# - document.write
# - document.styleSheets[0].addImport('yourstylesheet.css', 2);
# - window.execScript("alert('test');", "JavaScript");
# - document.body.innerHTML = ''
# - newObj = new ActiveXObject(servername.typename[, location])
# - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
# - setTimeout("alert('xss')", 1000)
# - xmlHttp.onreadystatechange=function() {}
# - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
#
# NOTES:
#
# - JavaScript evasion:
#
# http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
# http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- CSS attack fragments --
# <div style="background-image: url(javascript:...)">
# <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
# <div style="width: expression(...);">
# <img style="x:expression(document.write(1))">
# <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
# - <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
# <style>@import url(...);</style>
# -moz-binding:url(...)
# background:url("javascript:...")
# </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
# <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
# <li style="behavior:url(hilite.htc)">xss
#
# Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
#
# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
#
# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
# a match of that before we do anything might help us reduce the FP rate.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973308',capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!\[cdata\[|\]\]>" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973309',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# -- Misc --
# alert('xss')
# alert("xss")
# alert(/xss/)
# <xss>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[/'\"<]xss[/'\">]" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973310',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# String.fromCharCode(88,83,83)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(88,83,83)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973311',capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# '';!--"<XSS>=&{()}
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "'';!--\"<xss>=&{()}" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973312',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# Handle &{alert('xss')} which is supposed to work in Netscape 4.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "&{" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973313',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
# <!DOCTYPE html [
# <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
# ]>
# <html xmlns="http://www.w3.org/1999/xhtml">
# <head>
# <title>Test</title>
# </head>
#
# <body>
# &inject;
# </body>
# </html>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!(doctype|entity)" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973314',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
#
# XSS Filters from IE8
# http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#\(\)=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973315',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973316',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973317',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<applet[ /+\t].*?code[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973318',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973319',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<base[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973320',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<link[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973321',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_BODY "(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973322',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<\?import[ /+\t].*?implementation[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973323',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<embed[ /+\t].*?SRC.*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973324',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]on\c\c\c+?[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973325',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]vmlframe.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973326',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973327',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<isindex[ /+\t>])" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973328',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<form.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973329',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973330',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973331',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973332',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973333',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'].*?\[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\()" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973334',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\(.*?\))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973335',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

25
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_42_tight_security.conf
View File

@ -1,25 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset file contains rules that are highly prone to FPs
# Enable PARANOID_MODE in the 10 config file if you want to activate this rule
#
#
# Directory Traversal
#
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'7',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
# Weaker signature
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.2.6',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

35
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_45_trojans.conf
View File

@ -1,35 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# The trojan access detection rules detects access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses external Anti Virus program when uploading files.
#
# Detection of Trojans access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not
# through hacking.
# --
#
# NOTE Trojans detection is based on checking elements controlled by the client.
# A determined attacked can bypass those checks. We are working on
# enchaining the checks so it would require a major change in the Trojan
# to overcome.
#
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading as the signature set of AV software is not tuned
# for this purpose. We are working on adding signature tuned to detect
# Trojans upload to file uploading inspection.
#
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950110',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "root\.exe" \
"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950921',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950922',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"

40
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_47_common_exceptions.conf
View File

@ -1,40 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:'981020',t:none,pass,nolog"
SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
#
# Exception for Apache internal dummy connection
#
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,id:'981021',t:none,pass,nolog"
SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
#
# Exception for Adobe Flash Player
# https://www.modsecurity.org/tracker/browse/CORERULES-57
#
SecRule REQUEST_METHOD "@streq POST" "chain,phase:2,id:'981022',t:none,pass,nolog"
SecRule REQUEST_HEADERS:User-Agent "@contains Adobe Flash Player" "chain,t:none"
SecRule REQUEST_HEADERS:X-Flash-Version ".*" "chain,t:none"
SecRule REQUEST_HEADERS:Content-Type "@contains application/x-amf" "chain,t:none"
SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"

59
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
View File

@ -1,59 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This file is used to allow custom checks and exclusions for the transactional
# variable rules. Place rules in this file so that you may influence what happens
# in the 49 - Enforcement File.
# In previous ModSecurity rules, the TARGET list would have to be updated in
# order to exclude a specific paramater like this -
#
# SecRule ARGS_NAMES|ARGS|!ARGS:foo
#
# With the new transactional variable rules, parameter exceptions can now
# be handled AFTER the initial inspection as the rules now use setvars to
# capture meta-data with each rule match. They use this syntax -
#
# setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
#
# When the transactional rules trigger, they will set a TX variable similar to this
# for an SQL Injection attack -
#
# Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
#
# With this data now available, the user can implement flexible exceptions.
#
# Exception example - exclude a parameter
#
# In this example, we are inspecting
# the TX collections to see if there is a current variable that has matched
# for the 950001 SQL Injection rule ID and for the "comments" parameter. If
# so, then we are going to remove the collection entirely by using the
# setvar:!tx. syntax. By doing this, the TX collection is removed before final
# inspection at the end of phase 2 in the enforcement file.
#
#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
# SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
#
# This is an example exclusion for the entire SQL Injection category of rules
#
#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
# SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
#
# This is an example exclusion that combines the URL and parameter and removes
# a specific SQL Injection ID only if the parameter foo payload matches
#
#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
# SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
# SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"

35
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
View File

@ -1,35 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# Uncomment the anomaly sections you wish to use.
# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# Alert and Block based on Anomaly Score and OSVDB Check
#
SecRule TX:ANOMALY_SCORE "@gt 0" \
"chain,phase:2,id:'981175',t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
SecRule RESOURCE:OSVDB_VULNERABLE "@eq 1" chain
SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on"
# Alert and Block based on Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@gt 0" \
"chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
SecRule TX:/^\d/ "(.*)"
# Alert and Block on a specific attack category such as SQL Injection
#
#SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
# "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"

138
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_50_outbound.conf
View File

@ -1,138 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# NOTE By default the status code sent is 501, which implies that the web
# server does not support the required operation. This is a non standard
# of this status code which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners.
# Zope Information Leakage
SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970007',tag:'OWASP_CRS/LEAKAGE/ERRORS_ZOPE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# CF Information Leakage
SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970008',tag:'OWASP_CRS/LEAKAGE/ERRORS_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# PHP Information Leakage
SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970009',tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# ISA server existence revealed
SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970010',tag:'MISCONFIGURATION',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}"
# Microsoft Office document properties leakage
SecRule RESPONSE_BODY "<o:documentproperties>" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970012',tag:'OWASP_CRS/LEAKAGE/INFO_STATISTICS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970903',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
# CF source code leakage
SecRule RESPONSE_BODY "<cf" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970016',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
# IIS default location
SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,t:lowercase,ctl:auditLogParts=+E,block,msg:'IIS installed in default location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970018',severity:'3',chain"
SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score}"
# The application is not available
SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
# Weblogic information disclosure
SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970021',severity:'3'"
SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# File or Directory Names Leakage
SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,capture,t:none,capture,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970011',tag:'OWASP_CRS/LEAKAGE/INFO_FILE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,capture,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
#
# IFrame Injection
#
SecRule RESPONSE_BODY "!@pm iframe" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
"t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
"t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \
"t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
SecMarker END_IFRAME_CHECK
#
# Generic Malicious JS Detection
#
SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \
"t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \
"t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \
"t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \
"t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
#
# Run PM check against response body data before running any RegEx Checks
# If nothing matches, then we skip the remainder of phase:4
#
SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',pass,id:'981178',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
# ASP/JSP source code leakage
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970014',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
# PHP source code leakage
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970015',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "<\?(?!xml)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970902',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
# Statistics pages revealed
SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Statistics Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970002',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
# SQL Errors leakage
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:PostgreSQL result|O(?:racle|DBC)|M(?:S |y)SQL))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(. Requested|; the operation)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|microsoft jet database engine error '8|Microsoft Access Driver|JET Database Engine|Access Database Engine|ORA-\d{5}: |ORA-[0-9][0-9][0-9][0-9]|Oracle error|Oracle.*Driver|Warning.*Woci_.*|Warning.*Wora_.*|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|PostgreSQL query failed:|PostgreSQL.*ERROR|Warning.*Wpg_.*|valid PostgreSQL result|Npgsql.|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|You have an error in your SQL syntax(?: near ')?|incorrect syntax near (?:\'|the\b|\@\@error\b)|cannot take a \w+ data type as an argument\.|Warning: mysql_connect\(\):)|\[Microsoft\]\[ODBC |Driver.* SQL[-_ ]*Server|OLE DB.* SQL Server|(W|A)SQL Server.*Driver|Warning.*mssql_.*|(W|A)SQL Server.*[0-9a-fA-F]{8}|Exception Details:.*WSystem.Data.SqlClient.|Exception Details:.*WRoadhouse.Cms.|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient.|SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970003',tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# IIS Errors leakage
SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970004',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_STATUS "!^404$" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970904',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
# Directory Listing
SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970013',tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
SecMarker END_OUTBOUND_CHECK

27
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
View File

@ -1,27 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# Alert and Block on High Anomaly Scores - this would block outbound data leakages
#
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
"chain,phase:4,id:'981200',t:none,deny,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}'"
SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
SecRule TX:/^\d/ "(.*)"

42
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_60_correlation.conf
View File

@ -1,42 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase). Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#
# Correlated Successful Attack
#
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
"chain,phase:5,id:'981201',t:none,log,pass,skipAfter:END_CORRELATION,severity:'0',msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
# Correlated Attack Attempt
#
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
"chain,phase:5,id:'981202',t:none,log,pass,skipAfter:END_CORRELATION,severity:'1',msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
"chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
"phase:5,id:'981204',t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
"phase:5,id:'981205',t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
SecMarker END_CORRELATION

62
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_brute_force.conf
View File

@ -1,62 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute. You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,expirevar:ip.brute_force_block_flag=60,setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},setvar:ip.brute_force_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,setvar:ip.brute_force_block_counter=+1"
#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" "phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
#
# Brute Force Counter
# Count the number of requests to these resoures
#
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"
#
# Check Brute Force Counter
# If the request count is greater than or equal to 50 within 5 mins,
# we then set the burst counter
#
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" "phase:5,id:'981042',t:none,nolog,pass,t:none,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"
#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',t:none,log,pass,msg:'Potential Brute Force Attack from %{remote_addr} - # of Request Bursts: %{ip.brute_force_burst_counter}',setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS

46
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
View File

@ -1,46 +0,0 @@
#
# Anti-Automation rule set for detecting Denial of Service Attacks.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute. You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:DOS_BLOCK "@eq 1" "chain,phase:1,id:'981044',drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'981045',t:none,drop,nolog,setvar:ip.dos_block_counter=+1"
#
# skipAfter Check
# There are different scenarios where we don't want to do checks -
# 1. If the current IP address has already been blocked due to high requests
# In this case, we skip doing the request counts.
#
SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'981046',t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
#
# DOS Counter
# Count the number of requests to non-static resoures
#
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:'981047',t:none,nolog,pass,setvar:ip.dos_counter=+1"
#
# Check DOS Counter
# If the request count is greater than or equal to user settings,
# we then set the burst counter
#
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'981048',t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" "phase:5,id:'981049',t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
SecMarker END_DOS_PROTECTION_CHECKS

28
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_proxy_abuse.conf
View File

@ -1,28 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Rule set for detecting Open Proxy Abuse/Chaining.
#
# http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
#
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
SecGeoLookupDb /usr/local/apache/conf/modsec/GeoLiteCity.dat
SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,id:'981050',t:none,capture,block,rev:'2.2.6',msg:'Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code}"
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"

35
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_slow_dos_protection.conf
View File

@ -1,35 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Rule set for detecting Slow HTTP Denial of Service Attacks.
#
# http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
#
#
# Mitigate Slowloris-type slow HTTP attacks
#
SecReadStateLimit 100
#
# Mitigate Slow HTTP POST attacks
#
# Must have the mod_reqtimeout module installed
# You should adjust the RequestReadTimeout body directive setting to a limit
# that will allow any legitimate slow clients or large file uplaods.
#
<IfModule reqtimeout_module>
RequestReadTimeout body=30
</IfModule>
SecRule RESPONSE_STATUS "@streq 408" "phase:5,id:'981051',t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,id:'981052',t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"

33
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_16_scanner_integration.conf
View File

@ -1,33 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ You must be using the Resource Profiling Rules to track this data ]=-
#
# modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
# modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
#
#
# -=[ Disable ModSecurity For Arachni Scans ]=-
#
# Update the remote IP address for your Arachni RPC host
#
SecRule REMOTE_ADDR "@ipMatch 192.168.168.128" "chain,phase:1,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Arachni/" "ctl:ruleEngine=Off"
#
# -=[ Initiate Arachni Scan on 1st URL Access ]=-
#
# Update the path to the arachni_integration.lua script
#
SecRule &RESOURCE:ARACHNI_SCAN_COMPLETED "@eq 0" "chain,phase:5,t:none,log,pass"
SecRule &ARGS "@gt 0" "exec:/etc/apache2/modsecurity-crs/lua/arachni_integration.lua"

22
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_25_cc_track_pan.conf
View File

@ -1,22 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Credit Card Track 1 and 2 and PAN Leakage Checks
#
SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?" \
"phase:4,t:none,block,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "\;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?" \
"phase:4,t:none,block,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]" \
"phase:4,t:none,block,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"

57
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
View File

@ -1,57 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ OWASP AppSensor Detection Points - Setup ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints
#
# Instead of creating rule set based on analyzing saved audit log data, we can
# instead profile live transactions in phase:5 post processing and save data in
# Resource-based persistent collections. Once we have seen enough traffic (as
# defined below) we can then move into Enforcement Mode.
#
#
# --[ Step 1: Initiate the Resource Collection ]--
#
# We are using the REQUEST_FILENAME as the key and then set 2 variables -
#
# [resource.min_pattern_threshold]
# Set the resource.min_pattern_threshold as the minimum number of times that a match should occur
# in order to include it into the profile
#
# [resource.min_traffic_threshold]
# Set the resource.min_traffic_threshold as the minimum number of "clean" transactions
# to profile/inspect before enforcement of the profile begins.
#
SecAction "phase:1,id:'981082',t:none,nolog,pass,initcol:resource=%{request_headers.host}_%{request_filename},setvar:resource.min_pattern_threshold=50,setvar:resource.min_traffic_threshold=100"
#
# --[ Ignore Resource ]--
#
# If you want to exclude a resource from being profiled, you can specify it in the
# modsecurity_40_profiler_ignore.data file. This rule will evaluate the REQUEST_FILENAME
# and if there is match in the @pmFromFile check, it will skip all profiling/enforcement
# rules in this file. We have to run two checks here -
# 1. For Phase:2 - Enforcement Checks
# 2. For Phase:5 - Profiling Analysis
#
# If there is a match, the rules will skip down until it hits the SecMarker END_PROFILER_RULES
# at the end of this file.
#
# If you want to use these rules you must:
# 1. Uncomment the rules
# 2. Create the modsecurity_40_appsensor_ignore.data file in the same directory
#
#SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:2,id:'981083',t:none,nolog,pass,skipAfter:END_PROFILER_RULES"
#SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:5,id:'981084',t:none,nolog,pass,skipAfter:END_PROFILER_RULES"

136
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
View File

@ -1,136 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ OWASP AppSensor Detection Points - Request Exceptions (RE) Category ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException
#
# Instead of creating rule set based on analyzing saved audit log data, we can
# instead profile live transactions in phase:5 post processing and save data in
# Resource-based persistent collections. Once we have seen enough traffic (as
# defined below) we can then move into Enforcement Mode.
#
SecMarker BEGIN_RE_PROFILE_ENFORCEMENT
#
# Should we enforce the learned profile for this transaction?
#
# If the resource.enforce_profile parameter is not set, then we skip enforcement.
#
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 0" "phase:2,id:'981085',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ENFORCEMENT"
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981086',t:none,nolog,pass,exec:/opt/modsecurity/etc/crs/lua/appsensor_request_exception_enforce.lua"
#
# -=[ RE2: Attempt to Invoke Unsupported HTTP Method ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2:_Attempt_to_Invoke_Unsupported_HTTP_Method
#
SecRule REQUEST_METHOD "!@within HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT" "phase:2,id:'981087',t:none,block,msg:'Attempt to Invoke Unsupported HTTP Method.',logdata:'%{request_method}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE2',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2:_Attempt_to_Invoke_Unsupported_HTTP_Method'"
#
# -=[ RE1: Unexpected HTTP Command ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1:_Unexpected_HTTP_Command
#
SecRule TX:REQUEST_METHOD_VIOLATION "@eq 1" "phase:2,id:'981088',t:none,block,capture,msg:'Invalid Request Method for Resource.',logdata:'Current Request Method: %{request_method} and Allowed Request Method(s): %{resource.enforce_request_methods}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1:_Unexpected_HTTP_Command'"
#
# -=[ RE5: Additional/Duplicated Data in Request ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request
#
SecRule TX:MIN_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981089',t:none,block,msg:'Invalid Number of Parameters - Missing Parameter(s)',logdata:'Min Number of ARGS: %{resource.minnumofargs} and Number of ARGS Submitted: %{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
SecRule TX:MAX_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981090',t:none,block,msg:'Invalid Number of Parameters - Additional Parameter(s)',logdata:'Max Number of ARGS: %{resource.maxnumofargs} and Number of ARGS Submitted: %{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
SecRule TX:ARGS_NAMES_VIOLATION ".*" "phase:2,id:'981091',t:none,block,msg:'Invalid Parameter Name(s).',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
#
# -=[ RE7: Unexpected Quantity of Characters in Parameter ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE7:_Unexpected_Quantity_of_Characters_in_Parameter
#
SecMarker BEGIN_ENFORCE_LENGTH
SecRule TX:/^ARGS.*_MIN_LENGTH_VIOLATION/ ".*" "phase:2,id:'981092',t:none,block,msg:'Invalid Parameter Length - Value Is Below Normal Range',logdata:'Normal Minimum Length for Parameter (%{tx.minarglengthname}): %{tx.minarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecRule TX:/^ARGS.*_MAX_LENGTH_VIOLATION/ ".*" "phase:2,id:'981093',t:none,block,msg:'Invalid Parameter Length - Value Is Above Normal Range',logdata:'Normal Maximum Length for Parameter (%{tx.maxarglengthname}): %{tx.maxarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecMarker END_ENFORCE_LENGTH
#
# -=[ RE8: Unexpected Type of Characters in Parameter ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE8:_Unexpected_Type_of_Characters_in_Parameter
#
#
# Enforce Digits Character Class
#
SecRule TX:/^ARGS.*_digits_violation/ ".*" "phase:2,id:'981094',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Digits.',logdata:'Parameter (%{tx.digits_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Alpha Character Class
#
SecRule TX:/^ARGS.*_alpha_violation/ ".*" "phase:2,id:'981095',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Letters.',logdata:'Parameter (%{tx.alpha_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce AlphaNumeric Character Class
#
SecRule TX:/^ARGS.*_alphanumeric_violation/ ".*" "phase:2,id:'981096',t:none,block,msg:'Invalid Character(s) in Payload - Expecting AlphNumeric.',logdata:'Parameter (%{tx.alphanumeric_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Email Character Class
#
SecRule TX:/^ARGS.*_email_violation/ ".*" "phase:2,id:'981097',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Email.',logdata:'Parameter (%{tx.email_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Path Character Class
#
SecRule TX:/^ARGS.*_path_violation/ ".*" "phase:2,id:'981103',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Path.',logdata:'Parameter (%{tx.path_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Url Character Class
#
SecRule TX:/^ARGS.*_url_violation/ ".*" "phase:2,id:'981104',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Url.',logdata:'Parameter (%{tx.url_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Flag Character Class
#
SecRule TX:/^ARGS.*_flag_violation/ ".*" "phase:2,id:'981110',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Flag.',logdata:'Parameter (%{tx.flag_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce SafeText Character Class
#
SecRule TX:/^ARGS.*_safetext_violation/ ".*" "phase:2,id:'981105',t:none,block,msg:'Invalid Character(s) in Payload - Expecting SafeText.',logdata:'Parameter (%{tx.safetext_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecMarker END_RE_PROFILE_ENFORCEMENT
#
# --[ Begin Profiling Phase ]--
#
SecMarker BEGIN_RE_PROFILE_ANALYSIS
SecAction "phase:5,id:'981098',t:none,nolog,pass,ctl:ruleEngine=DetectionOnly"
SecRule RESPONSE_STATUS "^404$" "phase:5,id:'981099',t:none,nolog,pass,setvar:!resource.KEY,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule RESPONSE_STATUS "^(5|4)" "phase:5,id:'981100',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule TX:ANOMALY_SCORE "!@eq 0" "phase:5,id:'981101',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981102',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRuleScript /opt/modsecurity/etc/crs/lua/appsensor_request_exception_profile.lua "phase:5,nolog,pass"
SecMarker END_RE_PROFILE_ANALYSIS

32
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf
View File

@ -1,32 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ HT1: Alteration to Honey Trap Data ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1:_Alteration_to_Honey_Trap_Data
#
SecRule ARGS:DEBUG "!@streq false" "phase:2,id:'981131',t:none,block,msg:'Tampering of Hidden Parameter Honeytrap Data.',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'HONEYTRAP/HIDDEN_DATA_TAMPERING',tag:'OWASP_AppSensor/HT1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1:_Alteration_to_Honey_Trap_Data'"
#
# Add a fake "debug" hidden parameter to forms.
#
# Here are some examples of parameter names/values that could be used:
#
# - debug=false
# - debug=0
# - role=user
# - role=1
# - admin=false
# - admin=0
#
# Make sure that your settings here match the detection rules above.
#
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"debug\" value=\"false\"><\/form>/" "phase:4,id:'981132',t:none,nolog,pass"

11
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
View File

@ -1,11 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecMarker END_PROFILER_RULES

42
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_http_parameter_pollution.conf
View File

@ -1,42 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# The rules in this file are considered experimental/beta rules. They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#
#
# HTTP Parameter Pollution (HPP)
#
# One HPP attack vector is to try evade signature filters by distributing the attack payload
# across multiple parameters with the same name. This works as many security devices only
# apply signatures to individual parameter payloads, however the back-end web application
# may (in the case of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# -=[ Rules Logic }=-
# The ruleset below is not looking for attacks directly, but rather is a crude normalization
# function that mimics ASP.NET with regards to joining the payloads of parameters with the
# same name. These rules will create a new TX:HPP_DATA variable that will hold this data.
# If you have enabled PARANOID_MODE, then this variable data will also be searched against
# attack filters.
#
# -=[ References ]=-
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
#
SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.2.6',setvar:tx.%{matched_var_name}=+1"
SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"

370
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_41_advanced_filters.conf
View File

@ -1,370 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Lua script to normalize input payloads
# Based on PHPIDS Converter.php code
# Reference the following whitepaper -
# http://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn
#
SecRuleScript ../lua/advanced_filter_converter.lua "phase:2,t:none,pass"
SecRule TX:/centrifuge_ratio/ ".*" "phase:2,t:none,log,capture,msg:'Centrifuge Threshold Alert - Ratio Value is: %{tx.0}'"
#
# PHP-IDS rules (www.php-ids.org)
# Attack Filters
# https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml
#
SecRule TX:'/_normalized/' "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'9000033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'9000033',tag:'WEB_ATTACK/XSS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible event handlers',id:'9000032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible event handlers',id:'9000032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common mail header injections',id:'9000063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/SPAM-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common mail header injections',id:'9000063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/SPAM-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects very basic XSS probings',id:'9000021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects very basic XSS probings',id:'9000021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s\d\/\"]+(?:on\w+|style|poster|background)=[$\"\w])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds malicious attribute injection attempts',id:'9000071',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds malicious attribute injection attempts',id:'9000071',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\d\/\"]+(?:on\w+|style|poster|background)=[$\"\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'900007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'900007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'9000026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'9000026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'9000018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'9000018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'9000016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'9000016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'9000044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'9000044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\sexec\s+xp_cmdshell)|(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'9000055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'9000055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\sexec\s+xp_cmdshell)|(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'9000027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'9000027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:,.*[)\da-f\"]\"(?:\".*\"|\Z|[^\"]+))|(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'9000057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'9000057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:,.*[)\da-f\"]\"(?:\".*\"|\Z|[^\"]+))|(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'9000061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'9000061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\".+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'9000020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'9000020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\".+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:\/|\\\\)?\.+(\/|\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic directory traversal',id:'9000010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic directory traversal',id:'9000010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:\/|\\\\\\\\)?\.+(\/|\\\\\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'9000031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'9000031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s*or\s*\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'9000042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'9000042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*or\s*\d)|(?:\\\\\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\\\\\".+(?<!\\\\\\\\)\")|(?:(?:^[\"\\\\\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'900008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'900008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'9000038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'9000038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'9000037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'9000037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'900005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'900005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"

49
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_42_csp_enforcement.conf
View File

@ -1,49 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ Content Security Policy (CSP) Settings ]=-
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
#
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable. This is not done by
# default since the request body content-type is JSON.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"
#
# Check the REQUEST_BODY for CSP Violation Report data and generate an Alert
#
SecRule REQUEST_BODY "({\"csp-report\":.*blocked-uri\":\"(.*?)\".*violated-directive\":\"(.*)\")" "phase:2,id:'960001',capture,t:none,log,pass,msg:'Content Security Policy (CSP) Violation',logdata:'blocked-uri:%{tx.2} violated-directive:%{tx.3}',tag:'OWASP_AppSensor/RP3',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP3:_Suspicious_Client-Side_Behavior'"
#
# Check the User-Agent string for FireFox users and then set an ENV var
# to tell Apache which CSP header policy to use.
#
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960002',t:none,nolog,pass,chain"
SecRule TX:CSP_REPORT_ONLY "@eq 1" "setenv:firefox_client-csp_report_only=1"
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960003',t:none,nolog,pass,chain"
SecRule TX:CSP_REPORT_ONLY "@eq 0" "setenv:firefox_client-csp_enforce=1"
#
# Set the appropriate CSP Policy Header for FireFox clients
#
Header set X-Content-Security-Policy-Report-Only "%{csp_policy}e" env=firefox_client-csp_report_only
Header set X-Content-Security-Policy "%{csp_policy}e" env=firefox_client-csp_enforce

59
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_45_char_anomaly.conf
View File

@ -1,59 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# The rules in this file are considered experimental/beta rules. They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#
#
# Restricted Character Anomaly Usage
# These rules attempted to gauge when there is an exccesive use of
# restricted, meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the the @ge operator value appropriately for your site. Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule ARGS "@pm ~ ` ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' < >" "phase:2,id:'981146',t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,id:'981147',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,id:'981148',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,id:'981149',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,id:'981150',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,id:'981151',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,id:'981152',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,id:'981153',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,id:'981154',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,id:'981155',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,id:'981156',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,id:'981157',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,id:'981158',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,id:'981159',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,id:'981160',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,id:'981161',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,id:'981162',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,id:'981163',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,id:'981164',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,id:'981165',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,id:'981166',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,id:'981167',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,id:'981168',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,id:'981169',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,id:'981170',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,id:'981171',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,id:'981172',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.2.6',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_CHARS-%{matched_var_name}=%{tx.0}"
#
# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.2.6',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_CHARS-%{matched_var_name}=%{tx.0}"

24
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_46_scanner_integration.conf
View File

@ -1,24 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ You must be using the Resource Profiling Rules to track this data ]=-
#
# modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
# modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
#
SecRule TX:/XSS-ARGS:/ ".*" "id:'999003',chain,phase:2,t:none,msg:'XSS Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'"
SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture"
SecRule TX:1 "@within %{resource.xss_vulnerable_params}"
SecRule TX:/SQL_INJECTION-ARGS:/ ".*" "id:'999004',chain,phase:2,t:none,msg:'SQLi Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'"
SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture"
SecRule TX:1 "@within %{resource.sqli_vulnerable_params}"

17
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_48_bayes_analysis.conf
View File

@ -1,17 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# You must edit the local path to the lua scripts
#
SecRule TX:'/^\\\d.*WEB_ATTACK/' ".*" "phase:2,t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_spam.lua"
SecRuleScript lua/bayes_check_spam.lua "phase:2,t:none,block,msg:'Bayesian Analysis Detects Probable Attack.',logdata:'Score: %{tx.bayes_score}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/BAYESIAN-%{matched_var_name}=%{tx.0}"
SecRule &TX:ANOMALY_SCORE "@eq 0" "phase:5,t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_ham.lua"

27
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_55_response_profiling.conf
View File

@ -1,27 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecRuleScript profile_page_scripts.lua "phase:4,id:'981187',t:none,nolog,pass"
SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,id:'981188',t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"
SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,id:'981189',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,id:'981190',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,id:'981191',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,id:'981192',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,id:'981193',t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"
SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,id:'981194',t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,id:'981195',t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,id:'981196',t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,id:'981197',t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecMarker END_PAGE_PROFILE

13
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_56_pvi_checks.conf
View File

@ -1,13 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecRule &RESOURCE:OSVDB_CHECK "@eq 0" "chain,phase:5,id:'981198',t:none,nolog,pass"
SecRule RESPONSE_STATUS "@streq 200" "exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua"
SecRule TX:OSVDB_MSG "!^$" "phase:5,id:'981199',t:none,log,pass,msg:'Passive Vulnerabilty Check with OSVDB - %{matched_var}'"

41
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_61_ip_forensics.conf
View File

@ -1,41 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Gather IP/Host Data for Audit Logging
#
# - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#
# Execute the IP Lookup/Whois Check when anomaly scores are not 0
#
# You must update the local path for the exec action to point to the lua script.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'960004',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua"
SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id:'960005',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1"
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'960006',msg:'Client Nslookup/WHOIS Abust Info.',logdata:'%{ip.hostname}'"
#
# Download the GeoIP DB from MaxMind
#
# GeoLite City - http://www.maxmind.com/app/geolitecity
# GeoLite Country - http://www.maxmind.com/app/geoip_country
#
# Define the proper path to the GeoIP DB
SecGeoLookupDb /usr/local/apache/conf/modsec_current/base_rules/GeoLiteCity.dat
#
# Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data
# for the client in the audit log.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'960007',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'"
SecRule REMOTE_ADDR "@geoLookup"

1
iis/ModSecurityIIS/owasp_crs/id-range
View File

@ -1 +0,0 @@
900000-999999

798
iis/ModSecurityIIS/owasp_crs/lua/advanced_filter_converter.lua
View File

@ -1,798 +0,0 @@
#!/opt/local/bin/lua
local rex = require "rex_pcre"
local B = require "bit"
function main()
function dec2hex(nValue)
if type(nValue) == "string" then
nValue = String.ToNumber(nValue);
end
nHexVal = string.format("%X", nValue);
sHexVal = nHexVal.."";
return sHexVal;
end
function hex2dec (arg)
local dec = {}
for str in string.gfind(arg, "%w%w") do
local str = '0X'..str
table.insert(dec, tonumber(str))
end
return unpack(dec)
end
function explode ( seperator, str )
local pos, arr = 0, {}
for st, sp in function() return string.find( str, seperator, pos, true ) end
do
table.insert( arr, string.sub( str, pos, st-1 ) );
pos = sp + 1;
end
table.insert( arr, string.sub( str, pos ) );
return arr
end
function oct2dec(octstr)
local i, len, num;
num = 0;
i = 0;
octstr = string.reverse(octstr);
len = string.len(octstr);
if (len > 11) then
return 1;
end
for str in string.gfind(octstr, "%w") do
number = tonumber(str);
if((number < 0) or (number > 7)) then
num = 0;
return 0;
end
i = tonumber(i);
num_shr = B.lshift(number ,(i*3));
num = B.bor(num,num_shr);
i = i + 1;
end
return num;
end
function str_split_unique(data)
a = {}
b = {}
-- use table to eliminate duplicates
for i=1,string.len(data) do
v = string.sub(data,i,i)
a[v] = v
end
-- insert into ordered array and sort
for k,v in pairs(a) do
table.insert(b,k)
end
table.sort(b)
return b
end
function str_split(data)
a = {}
for i=1,string.len(data) do
a[i] = string.sub(data,i,i)
end
return a
end
-- character table string
local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
-- base64 decoding
function base64decode(data)
data = string.gsub(data, '[^'..b..'=]', '')
return (data:gsub('.', function(x)
if (x == '=') then return '' end
local r,f='',(b:find(x)-1)
for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0 and '1' or '0') end
return r;
end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x)
if (#x ~= 8) then return '' end
local c=0
for i=1,8 do c=c+(x:sub(i,i)=='1' and 2^(8-i) or 0) end
return string.char(c)
end))
end
function urldecode(s)
return (string.gsub (string.gsub (s, "+", " "),
"%%(%x%x)",
function (str)
return string.char (tonumber (str, 16))
end ))
end
function urlencode(s)
return (string.gsub (s, "%W",
function (str)
return string.format ("%%%02X", string.byte (str))
end ))
end
function strip_tags(h)
local newstr = rex.gsub(h, "<(\/?)(\\w+)[^\>]*>", "%2", nil, 0, 0);
return newstr
end
function hexdecode(s)
s = string.gsub(s, "%%(%x%x)", function (h)
return string.char(tonumber(h, 16))
end)
return s
end
function sql_hexdecode(s)
s = string.gsub(s, "(%x%x)", function (h)
return string.char(tonumber(h, 16))
end)
return s
end
--[[ Retrieve all ARGS parameters from ModSec
urlDecodeUni, htmlEntityDecode and jsDecode can be used here with the initial
extraction of data since they are able to decode any inline value vs.
other transformation functions which will attempt to decode the entire
string value. For those situations, we must create our own Lua functions
]]
local args = {};
args = m.getvars("ARGS", {"none"});
-- Only run checks if ARGS are present
if (#args == "0") then
m.log(4, "# of ARGS: " ..#args.. ".");
return nil;
end
-- Place ARGS data into key/value pairs for inspection
for k,v in pairs(args) do
name = v["name"];
value = v["value"];
original_value = value;
m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
--[[ Start Converter code ]]
--[[ Make sure the value to normalize and monitor doesn't contain
possibilities for a regex DoS.]]
-- remove obvious repetition patterns
value = rex.gsub(value, "(?:(.{2,})\\1{32,})|(?:[\-+=|@\\s]{128,})", "x", nil, 0, 0);
m.log(4, "Remove repetition patterns: " .. value .. "");
--[[ Check for comments and erases them if available ]]
-- check for existing comments
if rex.match(value, "(?ms:(?:\\<!\-|\-\->|\\/\\*|\\*\\/|\\/\\/\\W*\\w+\\s*$)|(?:\-\-[^\\-]*\-))", 1) then
converted = rex.gsub(value, "(?ms:(?:(?:<!)(?:(?:\-\-(?:[^\\-]*(?:\-[^\\-]+)*)\-\-\\s*)*)(?:>))|(?:(?:\\/\\*\\/*[^\\/\\*]*)+\\*\\/)|(?:\-\-[^\\-]*\-))", ";", nil, 0, 0);
value = (value .. "\n" .. converted);
m.log(4, "Check for Existing Comments: " .. value .. "");
end
-- make sure inline comments are detected and converted correctly
value = rex.gsub(value, "(?m:(<\\w+)\\/+(\\w+=?))", "%1/%2", nil, 0, 0);
m.log(4, "Remove Inline Comments1: " .. value .. "");
value = rex.gsub(value, "(?m:[^\\\\:]\\/\\/(.*)$)", "/**/%1", nil, 0, 0);
m.log(4, "Remove Inline Comments2: " .. value .. "");
--[[ Strip newlines ]]
-- check for inline linebreaks
value = rex.gsub(value, "\\\\(r|n|f|t|v)", ";", nil, 0, 0);
m.log(4, "Check for inline linebreaks: " .. value .. "");
-- replace replacement characters regular spaces
value = string.gsub(value, "<EFBFBD>", ' ', nil, 0, 0);
m.log(4, "Replace replacement chars: " .. value .. "");
-- convert real linebreaks
value = rex.gsub(value, "(?m:[\\r\\n\\f\\t\\v])", " ", nil, 0, 0);
m.log(4, "Convert real linebreaks: " .. value .. "");
--[[ Checks for common charcode pattern and decodes them ]]
function convertFromJSCharcode(value)
local matches, matches2, matches3;
local changed = 0;
local sum = 0;
local chr = 0;
local converted = "";
local tmp_value = value;
-- check if value matches typical charCode pattern
for line in rex.gmatch(tmp_value, "(?ms:(?:[\\d+-=\/\* ]+(?:\\s?,\\s?[\\d+-=\/\* ]+)){4,})", 0, 0)
do
if(matches ~= nil) then
matches = matches .. "," .. line;
else
matches = line;
end
end
if(matches ~= nil) then
matches = rex.gsub(matches,"(\\s)", "");
matches = rex.gsub(matches,"(\\w+=)", "");
str = explode(",",matches);
for i=1, table.getn(str) do
chr = str[i];
if(string.len(str[i]) > 0) then
chr = rex.gsub(chr,"(?s:\\W0)", "");
if(chr ~= nil) then
for line2 in rex.gmatch(chr, "(\\d*[+-\/\* ]\\d+)",0, 0)
do
if(matches2 ~= nil) then
matches2 = matches2 .. "" .. line2;
else
matches2 = line2;
end
end
if( matches2 ~= nil )then
for line3 in rex.split(matches2, "((\\W?\\d+))",0, 0)
do
if(line ~= nil) then
changed = 1;
sum = sum + tonumber(line3);
end
if(matches3 ~= nil) then
matches3 = matches3 .. line3;
else
matches3 = line3;
end
end
end
if(changed == 1) then
if(sum >= 20) then
if(sum <= 127) then
converted = converted .. string.char(sum);
end
end
end
if(changed == 0) then
local num = 0;
if(string.len(chr) > 0) then
num = tonumber(chr);
end
converted = converted .. string.char(num);
end
end
value = tmp_value .. "\n" .. converted;
end
end
end
end
function convertFromJSCharcode_hex(value)
-- check for hexadecimal charcode pattern
local matches_hex = "";
local converted = "";
local tmp_value = value;
for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\w+\\s*){8,}))", 0, 0)
do
if(matches_hex ~= nil) then
matches_hex = matches_hex .. "," .. line;
else
matches_hex = line;
end
end
if(matches_hex ~= nil) then
matches_hex = rex.gsub(matches_hex,"([ux])", "");
converted = "";
str = explode(",",matches_hex);
for i=1, table.getn(str) do
chr = str[i];
if(tonumber(chr) ~= 0) then
converted = converted .. string.char(hex2dec(chr));
end
end
value = tmp_value .. "\n" .. converted;
end
print(value);
return value;
end
function convertFromJSCharcode_oct(value)
local matches_oct = "";
local converted_oct = "";
local tmp_value = value;
-- check for octal charcode pattern
for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\d+){8,}))", 0, 0)
do
if(matches_oct ~= nil) then
matches_oct = matches_oct .. "," .. line;
else
matches_oct = line;
end
end
if(matches_oct ~= nil) then
matches_oct = rex.gsub(matches_oct,"(\\s)", "");
str = explode(",",matches_oct);
print(str);
for i=1, table.getn(str) do
chr = str[i];
if (tonumber(str[i]) ~= 0) then
n = oct2dec(chr);
n = dec2hex(n);
if(n ~= 0)then
str2 = string.char(hex2dec(n));
if(converted_oct ~= nil) then
converted_oct = converted_oct .. str2;
else
converted_oct = str2;
end
end
end
end
if(converted_oct ~= nil) then
value = tmp_value .. "\n" .. converted_oct;
else
value = tmp_value;
end
end
print(value);
return value;
end
convertFromJSCharcode(value);
m.log(4, "convertFromJSCharcode: " .. value .. "");
convertFromJSCharcode_hex(value);
m.log(4, "convertFromJSCharcode_hex: " .. value .. "");
convertFromJSCharcode_oct(value);
m.log(4, "convertFromJSCharcode_oct: " .. value .. "");
--[[ Eliminate JS regex modifiers ]]
value = rex.gsub(value, "\/[gim]+", "\/", nil, 0, 0);
m.log(4, "Eliminate JS regex modifiers: " .. value .. ".");
--[[ Converts from hex/dec entities ]]
-- deal with double encoded payload
function htmlEntityDecode(value)
value = rex.gsub(value, "&amp;", "&", nil, 0, 0);
local result;
local tmp_value = value;
for line in rex.gmatch(tmp_value, "(?ms:&#x?([\\w]{2}\\d?);?)", 0, 0)
do
if(line ~= nil) then
if(result ~= nil) then
result = result .. line;
else
result = line;
end
end
end
if(result ~= nil) then
result = sql_hexdecode(result);
value = tmp_value .. "\n" .. result;
result = rex.gsub(result, ";;", ";", nil, 0, 0);
else
value = tmp_value;
end
print(result);
return result;
end
htmlEntityDecode(value);
m.log(4, "Converts from hex/dex entities: " .. value .. ".");
-- normalize obfuscated protocol handlers
value = rex.gsub(value, "(?ms:(?:j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*)|(d\\s*a\\s*t\\s*a\\s*))", "javascript", nil, 0, 0);
--[[ Normalize Quotes ]]
-- normalize different quotes to "
value = rex.gsub(value, "[\'\`\´\\]", "\"", nil, 0, 0);
m.log(4, "Normalize Quotes: " .. value .. ".");
-- make sure harmless quoted strings don't generate false alerts
value = rex.gsub(value, "^\"([^\"=\\!><~]+)\"$", "%1", nil, 0, 0);
m.log(4, "Harmless Quotes: " .. value .. ".");
--[[ Converts SQLHEX to plain text ]]
local tmp_value = value;
while true do
sql_hex_value = rex.match(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)");
if (sql_hex_value == nil) then break end
m.log(4, "SQL Hex Data: " .. sql_hex_value .. ".");
local sql_hex_decoded = sql_hexdecode(sql_hex_value);
m.log(4, "SQL Hex Data Decoded: " .. sql_hex_decoded .. ".");
tmp_value = rex.gsub(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)", sql_hex_decoded, 1, 0, 0);
m.log(4, "SQL Hex Data Normalized: " .. tmp_value .. ".");
end
value = rex.gsub(tmp_value, "(?m:0x\\d+)", "1", nil, 0, 0);
--[[ Converts basic SQL keywords and obfuscations ]]
value = rex.gsub(value, "(?ims:(?:IS\\s+null)|(LIKE\\s+null)|(?:(?:^|\\W)IN[\+\\s]*\([\\s\\d\"]+[^\(\)]*\)))", "\"=0", nil, 0, 0);
value = rex.gsub(value, "(?ims:\\W+\\s*like\\s*\\W+)", "1\" OR \"1\"", nil, 0, 0);
value = rex.gsub(value, "(?ims:null[,\"\\s])", ",0", nil, 0, 0);
value = rex.gsub(value, "(?ims:\\d+\\.)", " 1", nil, 0, 0);
value = rex.gsub(value, "(?ims:,null)", ",0", nil, 0, 0);
value = rex.gsub(value, "(?ims:between|mod)", "or", nil, 0, 0);
value = rex.gsub(value, "(?ims:and\\s+\\d+\.?\\d*)", "", nil, 0, 0);
value = rex.gsub(value, "(?ims:\\s+and\\s+)", " or ", nil, 0, 0);
value = rex.gsub(value, "(?ims:[^\\w,\(]NULL|\\\\N|TRUE|FALSE|UTC_TIME|LOCALTIME(?:STAMP)?|CURRENT_\\w+|BINARY|(?:(?:ASCII|SOUNDEX|FIND_IN_SET|MD5|R?LIKE)[\+\\s]*\\([^\(\)]+\\))|(?:\-+\\d))", "0", nil, 0, 0);
value = rex.gsub(value, "(?ims:(?:NOT\\s+BETWEEN)|(?:IS\\s+NOT)|(?:NOT\\s+IN)|(?:XOR|\\WDIV\\W|\\WNOT\\W|<>|RLIKE(?:\\s+BINARY)?)|(?:REGEXP\\s+BINARY)|(?:SOUNDS\\s+LIKE))", "!", nil, 0, 0);
value = rex.gsub(value, "\"\\s+\\d", "\"", nil, 0, 0);
value = rex.gsub(value, "\\/(?i:\\d+|null)", "", nil, 0, 0);
m.log(4, "Convert SQL Keywords and Obfuscations: " .. value .. ".");
--[[ Detects nullbytes and controls chars via ord() ]]
-- critical ctrl values
value = rex.gsub(value, "(?i:cha?r\\((0|1|2|3|4|5|6|7|8|11|12|14|15|16|17|18|19|24|25|192|193|238|255)\\))", "%%00", nil, 0, 0);
m.log(4, "Convert nullbytes and control chars via ord(): " .. value .. ".");
-- take care for malicious unicode characters
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%E(?:2|3)\%8(?:0|1)\%(?:A|8|9)\\w|\%EF\%BB\%BF|\%EF\%BF\%BD)|(?:&#(?:65|8)\\d{3};?))", "", nil, 0, 0));
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BE))", ">", nil, 0, 0));
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BC))", "<", nil, 0, 0));
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A2))", "\"", nil, 0, 0));
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A7))", "\'", nil, 0, 0));
value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%ff1c))", "<", nil, 0, 0));
value = rex.gsub(value, "(?i:(?:&[#x]*(200|820|200|820|zwn?j|lrm|rlm)\\w?;?))", "", nil, 0, 0);
value = rex.gsub(value, "(?i:(?:&#(?:65|8)\\d{3};?)|(?:&#(?:56|7)3\\d{2};?)|(?:&#x(?:fe|20)\\w{2};?)|(?:&#x(?:d[c-f])\\w{2};?))", "", nil, 0, 0);
value = rex.gsub(value, "(«|〈|||〈|⟨)", "<", nil, 0, 0);
value = rex.gsub(value, "(»|〉|||〉|⟩)", ">", nil, 0, 0);
m.log(4, "Malicious unicode characters: " .. value .. "");
--[[ This method matches and translates base64 strings and fragments
used in data URIs ]]
tmp_value = value;
while true do
base64_value = rex.match(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", 1, 0, 0);
if (base64_value == nil) then break end
m.log(4, "Base64 Data is: " .. base64_value .. ".");
base64_value_decoded = base64decode(base64_value);
m.log(4, "Base64 Data Decoded is: " .. base64_value_decoded .. ".");
tmp_value = rex.gsub(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", base64_value_decoded, 1, 0, 0);
m.log(4, "Base64 Data Normalized: " .. tmp_value .. ".");
end
value = tmp_value;
--[[ Detects nullbytes and controls chars via ord() ]]
local mytable = {};
mytable = str_split(value);
j = 1
while mytable[j] do
if (string.byte(mytable[j]) >= 127) then
mytable[j] = rex.gsub(mytable[j], ".*", " ", nil, 0, 0);
end
j = j + 1
end
value = table.concat(mytable);
m.log(4, "Detect nullbytes and control chars via ord(): " .. value .. ".");
--[[ Strip XML patterns ]]
converted = strip_tags(value);
if (converted ~= value) then
value = (value .. "\n" .. converted);
m.log(4, "Strip XML patterns: " .. value .. ".");
end
--[[ This method converts JS unicode code points to regular characters ]]
function convertFromJSUnicode(args)
local new_value = "";
for line in rex.gmatch(args, "(?ims:\\\\u[0-9a-f]{4})", 0, 0)
do
hex = print(string.sub(line,3,6))
chr = string.char(hex2dec(string.sub(line,5,7)));
if ( new_value == nil ) then
new_value = chr;
else
new_value = new_value .. chr;
end
end
if ( string.len(new_value) > 0 ) then
value = new_value .. "\n\\u0001";
end
end
convertFromJSUnicode(value);
m.log(4, "Convert JS unicode code points to regular chars: " .. value .. "");
--[[ Converts relevant UTF-7 tags to UTF-8 ]]
value = rex.gsub(value,"\\+ACI\\-","\"");
value = rex.gsub(value,"\\+ADw\\-","<");
value = rex.gsub(value,"\\+AD4\\-",">");
value = rex.gsub(value,"\\+AFs\\-","%[");
value = rex.gsub(value,"\\+AF0\\-","]");
value = rex.gsub(value,"\\+AHs\\-","{");
value = rex.gsub(value,"\\+AH0\\-","}");
value = rex.gsub(value,"\\+AFw\\-","\\");
value = rex.gsub(value,"\\+ADs\\-",";");
value = rex.gsub(value,"\\+ACM\\-","#");
value = rex.gsub(value,"\\+ACY\\-","&");
value = rex.gsub(value,"\\+ACU\\-","%%");
value = rex.gsub(value,"\\+ACQ\\-","$");
value = rex.gsub(value,"\\+AD0\\-","=");
value = rex.gsub(value,"\\+AGA\\-","`");
value = rex.gsub(value,"\\+ALQ\\-","\"");
value = rex.gsub(value,"\\+IBg\\-","\"");
value = rex.gsub(value,"\\+IBk\\-","\"");
value = rex.gsub(value,"\\+AHw\\-","|");
value = rex.gsub(value,"\\+ACo\\-","*");
value = rex.gsub(value,"\\+AF4\\-","%^");
value = rex.gsub(value,"\\+ACIAPg\\-","\">");
value = rex.gsub(value,"\\+ACIAPgA8\\-","\">");
m.log(4, "Convert relevant UTF-7 tags to UTF-8: " .. value .. "");
--[[ Converts basic concatenations ]]
function stripslashes(args)
local value = rex.gsub(args,"(\\\\(.?))","");
return value;
end
function convertFromConcatenated(value)
--normalize remaining backslashes
if (value ~= rex.gsub(value,"((\\w)\\\\)", "%1")) then
value = value .. rex.gsub(value,"((\\w)\\\\)", "%1");
end
local compare = stripslashes(value);
pattern = { "(?s:(?:<\/\\w+>\+<\\w+>))",
"(?s:(?:\":\\d+[^\"\[]+\"))",
"(?s:(?:\"?\"\+\\w+\+\"))",
"(?s:(?:\"\\s*;[^\"]+\")|(?:\";[^\"]+:\\s*\"))",
"(?s:(?:\"\\s*(?:\;|\\+).{8,18}:\\s*\"))",
"(?s:(?:\";\\w+=)|(?:!\"\"&&\")|(?:~))",
"(?s:(?:\"?\"\\+\"\"?\\+?\"?)|(?:;\\w+=\")|(?:\"[|&]{2,}))",
"(?s:(?:\"\\s*\\W+\"))",
"(?s:(?:\";\\w\\s*\\+=\\s*\\w?\\s*\"))",
"(?s:(?:\"[|&;]+\\s*[^\|\&\\n]*[\|\&]+\\s*\"?))",
"(?s:(?:\";\\s*\\w+\\W+\\w*\\s*[\|\&]*\"))",
"(?s:(?:\"\\s*\"\\s*\.))",
"((?:\\s*new\\s+\\w+\\s*[\\+\\\"\,]))",
"((?:(?:^|\\s+)(?:do|else)\\s+))",
"((?:(?:^|\\s+)(?:do|else)\\s+))",
"((?:[{(]\\s*new\\s+\\w+\\s*[\)\}]))",
"((?:(this|self)\.))",
"((?:undefined))",
"((?:in\\s+))" };
for i=1, table.getn(pattern) do
-- strip out concatenations
converted = rex.gsub(compare,pattern[i],"");
end
-- strip object traversal
converted = rex.gsub(converted,"(\\w(\.\\w\()))", "%1");
-- normalize obfuscated method calls
converted = rex.gsub(converted,"(\\)\\s*\+)", ")");
--convert JS special numbers
converted = rex.gsub(converted,"(?ims:(?:\\(*[.\\d]e[\+\-]*[^a-z\\W]+\\)*)|(?:NaN|Infinity)\\W)", "1");
if (converted ~= nil) then
if (compare ~= converted) then
value = value .. "\n" .. converted;
end
end
-- return value;
end
convertFromConcatenated(value);
m.log(4, "Convert basic concatenations: " .. value .. "");
--[[ This method collects and decodes proprietary encoding types ]]
function convertFromProprietaryEncodings(args)
local value = args;
--Xajax error reportings
value = rex.gsub(value,"(?im:<!\[CDATA\[(.*)\]\]>)","%1", nil, 0, 0);
--strip false alert triggering apostrophes
value = rex.gsub(value,"(?m:(\\w)\"(s))", "%1%2");
--strip quotes within typical search patterns
value = rex.gsub(value,"(^\"([^\"=\\!><~]+)\"/$)", "%1");
--OpenID login tokens
value = rex.gsub(value,"({[\\w-]{8,9}\}(?:\{[\w=]{8}\}){2})", "");
--convert Content and \sdo\s to null
value = rex.gsub(value,"(?s:Content|\\Wdo)", "");
--strip emoticons
value = rex.gsub(value,
"(?m:(?:\\s[:;]-[)\/PD]+)|(?:\\s;[)PD]+)|(?:\\s:[)PD]+)|-\.-|\^\^)",
"");
--normalize separation char repetion
value = rex.gsub(value,"(?m:([.+~=*_;\-])\1{2,})", "%1");
--normalize multiple single quotes
value = rex.gsub(value,"(?m:/\"{2,})", "\"");
--normalize quoted numerical values and asterisks
value = rex.gsub(value,"(?m:\"(\\d+)\")", "%1");
--normalize pipe separated request parameters
value = rex.gsub(value,"(?m:\|(\\w+=\\w+))", "&%1");
--normalize ampersand listings
value = rex.gsub(value,"((\\w\\s)&\\s(\\w))", "%1%2");
--normalize escaped RegExp modifiers
value = rex.gsub(value,"(\/\\\\(\\w))", "/%1");
end
convertFromProprietaryEncodings(value);
m.log(4, "convertFromProprietaryEncodings: " .. value .. "");
normalized_name = rex.gsub(name, "^(.*)$", "tx.%1_normalized");
m.setvar(normalized_name, value);
--[[ This method is the centrifuge prototype ]]
m.log(4, "Starting Centrifuge.. Arg Name = " ..name.. " and Arg Value = " ..value.. ".");
threshold = 3.49;
-- Examine each value
if string.len(value) > 25 then
local name = name;
-- strip padding
tmp_value = rex.gsub(value, "\\s{4}|==$", "", nil, 0, 0);
m.log(4, "Strip Padding1 - name is: " .. name .. " and value is: " .. tmp_value ..".");
tmp_value = rex.gsub(tmp_value, "\\s{4}|[\\p{L}\\d\+\-\=\,\.\%\(\)]{8,}", "aaa", nil, 0, 0);
m.log(4, "Strip Padding2 - name is: " .. name .. " and value is: " .. tmp_value ..".");
-- Check for the attack char ratio
tmp_value = rex.gsub(tmp_value, "([\*\.\!\?\+\-])\\1{1,}", "%1", nil, 0, 0);
tmp_value = rex.gsub(tmp_value, "\"[\\p{L}\\d\\s]+\"", "", nil, 0, 0);
stripped_length = string.len(rex.gsub(tmp_value, "[\\d\\s\\p{L}\.\:\,\%\&\/\>\<\\-)\!\|]+", "", nil, 0, 0));
m.log(4, "stripped_length is: " .. stripped_length .. ".");
overall_value = rex.gsub(tmp_value, "([\\d\\s\\p{L}\:\,\.]{3,})+", "aaa", nil, 0, 0);
m.log(4, "overall_value is: " .. overall_value .. ".");
overall_length = string.len(rex.gsub(overall_value, "\\s{2,}", "", nil, 0, 0));
m.log(4, "overall_length is: " .. overall_length .. ".");
if ((stripped_length ~= 0) and (overall_length/stripped_length <= threshold)) then
ratio_value = (overall_length/stripped_length);
ratio_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_ratio");
m.setvar(ratio_name, ratio_value);
m.log(4, "Threshold is: " .. threshold .. " and Ratio Value is: " .. ratio_value .. ".");
end
end
-- Examine each value
if string.len(value) > 40 then
converted = value;
mytable = str_split_unique(converted)
j = 1
while mytable[j] do
print(mytable[j])
j = j + 1
end
converted = table.concat(mytable);
m.log(4, "Unique/Sorted: " .. converted .. ".");
-- Replace all non-special chars
converted = rex.gsub(converted, "[\\w\\s\\p{L},\.:!]", "");
m.log(4, "Replace non-special chars: " .. converted .. ".");
-- Normalize certain tokens
converted = rex.gsub(converted, "(\\~|\\^|\\||\\*|\\%|\\&|\\/)", "+");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
converted = rex.gsub(converted, "(\\+|\\-)\\s*\\d+", "+");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
converted = rex.gsub(converted, "(\\(|\\)|\\[|\\]|\\{|\\})", "(");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
converted = rex.gsub(converted, "(\\!|\\?|\\:|\=)", ":");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
converted = rex.gsub(converted, "[^:(+]", "");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
converted = string.gsub(converted, "\\", "");
m.log(4, "Normalize certain tokens: " .. converted .. ".");
mytable = str_split(converted)
table.sort(mytable);
converted = table.concat(mytable);
m.log(4, "Sorted: " .. converted .. ".");
stripped_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_converted");
m.setvar(stripped_name, converted);
end
end
if value ~= "." then
return ("Normalized Payload: " .. name .. " = " .. value .. "");
else
-- Nothing wrong found.
return nil;
end
end

251
iis/ModSecurityIIS/owasp_crs/lua/appsensor_request_exception_enforce.lua
View File

@ -1,251 +0,0 @@
function main()
--[[ Enforce Request Method ]]
EnforceRequestMethod()
--[[ Enforce Number of Parameters/ARGS ]]
EnforceNumOfArgs()
--[[ Enforce Parameter Names ]]
EnforceArgsNames()
--[[ Enforce Parameter Lengths ]]
EnforceArgsLength()
--[[ Enforce Parameter Character Class ]]
EnforceArgCharClass()
m.log(4, "Ending Profile Enforcer Script")
return nil
end
--[[ Begin Enforcement Functions ]]
function EnforceArgCharClass()
local Args = {}
Args = m.getvars("ARGS", {"none"})
local EnforceArgCharClassEmail = m.getvar("RESOURCE.enforce_charclass_email")
local EnforceArgCharClassDigits = m.getvar("RESOURCE.enforce_charclass_digits")
local EnforceArgCharClassUrl = m.getvar("RESOURCE.enforce_charclass_url")
local EnforceArgCharClassPath = m.getvar("RESOURCE.enforce_charclass_path")
local EnforceArgCharClassFlag = m.getvar("RESOURCE.enforce_charclass_flag")
local EnforceArgCharClassAlpha = m.getvar("RESOURCE.enforce_charclass_alphas")
local EnforceArgCharClassAlphaNumeric = m.getvar("RESOURCE.enforce_charclass_alphanumeric")
local EnforceArgCharClassSafeText = m.getvar("RESOURCE.enforce_charclass_safetext")
for k,v in pairs(Args) do
name = v["name"];
value = v["value"];
m.log(4, "CharClass Check - Arg Name: " ..name.. " and Value: " ..value.. ".");
--[[ Check for Digits Character Class ]]
if (EnforceArgCharClassDigits) then
local CheckArgCharClassDigits = string.find(EnforceArgCharClassDigits, name)
if (CheckArgCharClassDigits) then
m.log(4, "Arg Name: " .. name .. " in Digits Enforcement list.")
if string.match(value, "^%d+$") then
m.log(4, "Parameter " ..name.. " payload matches digit class.")
else
m.log(4, "Parameter " ..name.. " payload does not match digit class.")
m.setvar("TX." ..name.. "_digits_violation", value)
m.setvar("TX.digits_violation_name", name)
end
end
end
--[[ Check for Email Character Class ]]
if (EnforceArgCharClassEmail) then
local CheckArgCharClassEmail = string.find(EnforceArgCharClassEmail, name)
if (CheckArgCharClassEmail) then
m.log(4, "Arg Name: " .. name .. " in Email Enforcement list.")
if string.match(value, "^[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?$") then
m.log(4, "Parameter " ..name.. " payload matches email class.")
else
m.log(4, "Parameter " ..name.. " payload does not match email class.")
m.setvar("TX." ..name.. "_email_violation", value)
m.setvar("TX.email_violation_name", name)
end
end
end
--[[ Check for URL Class ]]
if (EnforceArgCharClassUrl) then
local CheckArgCharClassUrl = string.find(EnforceArgCharClassUrl, name)
if (CheckArgCharClassUrl) then
m.log(4, "Arg Name: " .. name .. " in Url Enforcement list.")
if string.match(value, "[A-Za-z]+://[A-Za-z0-9-_]+%.[A-Za-z0-9-_.]+/?") then
m.log(4, "Parameter " ..name.. " payload matches url class.")
else
m.log(4, "Parameter " ..name.. " payload does not match url class.")
m.setvar("TX." ..name.. "_url_violation", value)
m.setvar("TX.url_violation_name", name)
end
end
end
--[[ Check for Path Class ]]
if (EnforceArgCharClassPath) then
local CheckArgCharClassPath = string.find(EnforceArgCharClassPath, name)
if (CheckArgCharClassPath) then
m.log(4, "Arg Name: " .. name .. " in Path Enforcement list.")
if string.match(value, "[-a-zA-Z0-9/._]*/[-a-zA-Z0-9/._]*") then
m.log(4, "Parameter " ..name.. " payload matches path class.")
else
m.log(4, "Parameter " ..name.. " payload does not match path class.")
m.setvar("TX." ..name.. "_path_violation", value)
m.setvar("TX.path_violation_name", name)
end
end
end
--[[ Check for Flag Parameter Class ]]
if (EnforceArgCharClassFlag) then
local CheckArgCharClassFlag = string.find(EnforceArgCharClassFlag, name)
if (CheckArgCharClassFlag) then
m.log(4, "Arg Name: " .. name .. " in Flag Enforcement list.")
if string.match(value, "^$") then
m.log(4, "Parameter " ..name.. " payload matches flag class.")
else
m.log(4, "Parameter " ..name.. " payload does not match flag class.")
m.setvar("TX." ..name.. "_flag_violation", value)
m.setvar("TX.flag_violation_name", name)
end
end
end
--[[ Check for Alpha/Letters Character Class ]]
if (EnforceArgCharClassAlpha) then
local CheckArgCharClassAlpha = string.find(EnforceArgCharClassAlpha, name)
if (CheckArgCharClassAlpha) then
m.log(4, "Arg Name: " .. name .. " in Alpha Enforcement list.")
if string.match(value, "^%a+$") then
m.log(4, "Parameter " ..name.. " payload matches alpha class.")
else
m.log(4, "Parameter " ..name.. " payload does not match alpha class.")
m.setvar("TX." ..name.. "_alpha_violation", value)
m.setvar("TX.alpha_violation_name", name)
end
end
end
--[[ Check for AlphaNumeric Character Class ]]
if (EnforceArgCharClassAlphaNumeric) then
local CheckArgCharClassAlphaNumeric = string.find(EnforceArgCharClassAlphaNumeric, name)
if (CheckArgCharClassAlphaNumeric) then
m.log(4, "Arg Name: " .. name .. " in AlphaNumeric Enforcement list.")
if string.match(value, "^%w+$") then
m.log(4, "Parameter " ..name.. " payload matches alphanumeric class.")
else
m.log(4, "Parameter " ..name.. " payload does not match alphanumeric class.")
m.setvar("TX." ..name.. "_alphanumeric_violation", value)
m.setvar("TX.alphanumeric_violation_name", name)
end
end
end
--[[ Check for SafeText Character Class ]]
if (EnforceArgCharClassSafeText) then
local CheckArgCharClassSafeText = string.find(EnforceArgCharClassSafeText, name)
if (CheckArgCharClassSafeText) then
m.log(4, "Arg Name: " .. name .. " in SafeText Enforcement list.")
if string.match(value, "^[a-zA-Z0-9%s_%.%-]+$") then
m.log(4, "Parameter " ..name.. " payload matches safetext class.")
else
m.log(4, "Parameter " ..name.. " payload does not match safetext class.")
m.setvar("TX." ..name.. "_safetext_violation", value)
m.setvar("TX.safetext_violation_name", name)
end
end
end
end
end
function EnforceArgsLength()
local ArgsLength = {}
ArgsLength = m.getvars("ARGS", {"none", "length"})
for k,v in pairs(ArgsLength) do
name = v["name"];
value = v["value"];
value = tonumber(value);
m.log(4, "Arg Name: " ..name.. " and Length: " ..value.. ".");
local MinArgLength = tonumber(m.getvar("RESOURCE." .. name .. "_length_min", {"none"}))
local MaxArgLength = tonumber(m.getvar("RESOURCE." .. name .. "_length_max", {"none"}))
if ((value > MinArgLength) and (value < MaxArgLength)) then
m.log(4, "Arg Name: " .. name .. " with Length: :" ..value.. " is within normal range.")
elseif value < MinArgLength then
m.log(4, "Arg Name: " .. name .. " Length " ..value.. " is below the normal range.")
m.setvar("TX." .. name .. "_min_length_violation", value)
m.setvar("TX.MinArgLength", MinArgLength)
m.setvar("TX.MinArgLengthName", name)
elseif value > MaxArgLength then
m.log(4, "Arg Name: " .. name .. " Length " ..value.. " is above the normal range.")
m.setvar("TX." .. name .. "_max_length_violation", value)
m.setvar("TX.MaxArgLength", MaxArgLength)
m.setvar("TX.MaxArgLengthName", name)
end
end
end
function EnforceArgsNames()
local ArgsNames = {}
ArgsNames = m.getvars("ARGS_NAMES", {"none"})
local EnforceArgsNames = m.getvar("RESOURCE.enforce_args_names")
for k,v in pairs(ArgsNames) do
name = v["name"];
value = v["value"];
m.log(4, "ArgsName: " ..value.. ".");
local CheckArgsNames = string.find(EnforceArgsNames, value)
if (CheckArgsNames) then
m.log(4, "Arg Name: " .. value .. " is valid.")
else
m.log(4, "Args Name: " .. value .. " is not valid.")
m.setvar("TX.args_names_violation", name)
end
end
end
function EnforceRequestMethod()
local RequestMethod = m.getvar("REQUEST_METHOD", {"none"})
local EnforceRequestMethods = m.getvar("RESOURCE.enforce_request_methods")
local EnforceMethods = string.find(EnforceRequestMethods, RequestMethod)
if (EnforceMethods) then
m.log(4, "Request Method " .. RequestMethod .. " already in Enforcement List.")
else
m.log(4, "Request Method: " .. RequestMethod .. " profile violation.")
m.setvar("TX.request_method_violation", "1")
end
end
function EnforceNumOfArgs()
local ARGS = {}
local ARGS = m.getvars("ARGS", {"none"})
local NumOfArgs = tonumber(#ARGS)
local MinNumOfArgs = tonumber(m.getvar("RESOURCE.MinNumOfArgs", {"none"}))
local MaxNumOfArgs = tonumber(m.getvar("RESOURCE.MaxNumOfArgs", {"none"}))
local EnforceNumOfArgs = m.getvar("RESOURCE.enforce_num_of_args")
if ((NumOfArgs > MinNumOfArgs) and (NumOfArgs < MaxNumOfArgs)) then
m.log(4, "Number of ARGS is within normal range.")
elseif NumOfArgs < MinNumOfArgs then
m.log(4, "Number of ARGS is less than MinNumOfArgs: " .. MinNumOfArgs .. ".")
m.setvar("TX.MIN_NUM_ARGS_VIOLATION", "1")
m.setvar("TX.NUM_OF_ARGS", NumOfArgs)
elseif NumOfArgs > MaxNumOfArgs then
m.log(4, "Number of ARGS is more than MxxiaxinNumOfArgs: " .. MaxNumOfArgs .. ".")
m.setvar("TX.MAX_NUM_ARGS_VIOLATION", "1")
m.setvar("TX.NUM_OF_ARGS", NumOfArgs)
end
end

789
iis/ModSecurityIIS/owasp_crs/lua/appsensor_request_exception_profile.lua
View File

@ -1,789 +0,0 @@
function main()
--[[ Global Vars ]]
--[[ Import Profile Learning Thresholds
[resource.min_traffic_threshold]
Set the resource.min_traffic_threshold as the minimum number of "clean" transactions
to profile/inspect before enforcement of the profile begins.
[resource.min_pattern_threshold]
resource.min_pattern_threshold is the minimum number of times that an individual match should occur
in order to include the it into the learned profile
]]
MinPatternThreshold = tonumber(m.getvar("RESOURCE.min_pattern_threshold"))
MinTrafficThreshold = tonumber(m.getvar("RESOURCE.min_traffic_threshold"))
TrafficCounter = m.getvar("RESOURCE.traffic_counter")
if TrafficCounter == nil then
TrafficCounter = "1"
m.setvar("RESOURCE.traffic_counter", TrafficCounter)
m.log(4, "Traffic Counter: " ..TrafficCounter.. ".")
else
TrafficCounter = tonumber(TrafficCounter + 1)
m.setvar("RESOURCE.traffic_counter", TrafficCounter)
m.log(4, "Traffic Counter: " ..TrafficCounter.. ".")
end
--[[ Profile Request Method ]]
ProfileRequestMethod()
--[[ Profile Number of Parameters/ARGS ]]
ProfileNumOfArgs()
--[[ Profile Parameter Names ]]
ProfileArgsNames()
--[[ Profile Parameter Lengths ]]
ProfileArgsLength()
--[[ Profile Parameter Character Class ]]
ProfileArgCharClass()
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("RESOURCE.enforce_re_profile", "1")
end
m.log(4, "Ending Profile Analyzer Script")
return nil
end
--[[ Begin Profiler Functions ]]
function ProfileArgCharClass()
local Args = {}
Args = m.getvars("ARGS", {"none"})
for k,v in pairs(Args) do
name = v["name"];
value = v["value"];
m.log(4, "CharClass Check - Arg Name: " ..name.. " and Value: " ..value.. ".");
--[[ Check for Digits Character Class ]]
if string.match(value, "^%d+$") then
m.log(4, "Parameter " ..name.. " payload matches digit class.")
local EnforceArgCharClassDigits = m.getvar("RESOURCE.enforce_charclass_digits")
if not (EnforceArgCharClassDigits) then
local ArgDigitCounter = m.getvar("RESOURCE." ..name.. "_digit_counter")
if not (ArgDigitCounter) then
ArgDigitCounter = 1
m.log(4, "Creating " .. name .. " Digit Counter: " .. ArgDigitCounter)
m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter)
else
ArgDigitCounter = ArgDigitCounter + 1
m.log(4, "Updating " .. name .. " Digit Counter: " .. ArgDigitCounter)
m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter)
end
if (ArgDigitCounter == MinPatternThreshold) then
if not (EnforceArgCharClassDigits) then
EnforceArgCharClassDigits = name
else
EnforceArgCharClassDigits = EnforceArgCharClassDigits .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Digits Enforcement list: " .. EnforceArgCharClassDigits)
m.setvar("RESOURCE.enforce_charclass_digits", EnforceArgCharClassDigits)
m.setvar("!RESOURCE." .. name .. "_digit_counter", "0")
end
else
local CheckArgCharClassDigits = string.find(EnforceArgCharClassDigits, name)
if (CheckArgCharClassDigits) then
m.log(4, "Arg Name: " .. name .. " already in Digits Enforcement list.")
else
local ArgDigitCounter = m.getvar("RESOURCE." ..name.. "_digit_counter")
if not (ArgDigitCounter) then
ArgDigitCounter = 1
m.log(4, "Creating " .. name .. " Digit Counter: " .. ArgDigitCounter)
m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter)
else
ArgDigitCounter = ArgDigitCounter + 1
m.log(4, "Updating " .. name .. " Digit Counter: " .. ArgDigitCounter)
m.setvar("RESOURCE." .. name .. "_digit_counter", ArgDigitCounter)
end
if (ArgDigitCounter == MinPatternThreshold) then
if not (EnforceArgCharClassDigits) then
EnforceArgCharClassDigits = name
else
EnforceArgCharClassDigits = EnforceArgCharClassDigits .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Digits Enforcement list: " .. EnforceArgCharClassDigits)
m.setvar("RESOURCE.enforce_charclass_digits", EnforceArgCharClassDigits)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_digit_counter", "0")
end
--[[ Check for Email Class ]]
elseif string.match(value, "^[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?$") then
m.log(4, "Parameter " ..name.. " payload matches email class.")
local EnforceArgCharClassEmail = m.getvar("RESOURCE.enforce_charclass_email")
if not (EnforceArgCharClassEmail) then
local ArgEmailCounter = m.getvar("RESOURCE." ..name.. "_email_counter")
if not (ArgEmailCounter) then
ArgEmailCounter = 1
m.log(4, "Creating " .. name .. " Email Counter: " .. ArgEmailCounter)
m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter)
else
ArgEmailCounter = ArgEmailCounter + 1
m.log(4, "Updating " .. name .. " Email Counter: " .. ArgEmailCounter)
m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter)
end
if (ArgEmailCounter == MinPatternThreshold) then
if not (EnforceArgCharClassEmail) then
EnforceArgCharClassEmail = name
else
EnforceArgCharClassEmail = EnforceArgCharClassEmail .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Email Enforcement list: " .. EnforceArgCharClassEmail)
m.setvar("RESOURCE.enforce_charclass_email", EnforceArgCharClassEmail)
end
else
local CheckArgCharClassEmail = string.find(EnforceArgCharClassEmail, name)
if (CheckArgCharClassEmail) then
m.log(4, "Arg Name: " .. name .. " already in Email Enforcement list.")
else
local ArgEmailCounter = m.getvar("RESOURCE." ..name.. "_email_counter")
if not (ArgEmailCounter) then
ArgEmailCounter = 1
m.log(4, "Creating " .. name .. " Email Counter: " .. ArgEmailCounter)
m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter)
else
ArgEmailCounter = ArgEmailCounter + 1
m.log(4, "Updating " .. name .. " Email Counter: " .. ArgEmailCounter)
m.setvar("RESOURCE." .. name .. "_email_counter", ArgEmailCounter)
end
if (ArgEmailCounter == MinPatternThreshold) then
if not (EnforceArgCharClassEmail) then
EnforceArgCharClassEmail = name
else
EnforceArgCharClassEmail = EnforceArgCharClassEmail .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Email Enforcement list: " .. EnforceArgCharClassEmail)
m.setvar("RESOURCE.enforce_charclass_email", EnforceArgCharClassEmail)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_email_counter", "0")
end
--[[ Check for URL Class ]]
elseif string.match(value, "[A-Za-z]+://[A-Za-z0-9-_]+%.[A-Za-z0-9-_.]+/?") then
m.log(4, "Parameter " ..name.. " payload matches url class.")
local EnforceArgCharClassUrl = m.getvar("RESOURCE.enforce_charclass_url")
if not (EnforceArgCharClassUrl) then
local ArgUrlCounter = m.getvar("RESOURCE." ..name.. "_url_counter")
if not (ArgUrlCounter) then
ArgUrlCounter = 1
m.log(4, "Creating " .. name .. " Url Counter: " .. ArgUrlCounter)
m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter)
else
ArgUrlCounter = ArgUrlCounter + 1
m.log(4, "Updating " .. name .. " Url Counter: " .. ArgUrlCounter)
m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter)
end
if (ArgUrlCounter == MinPatternThreshold) then
if not (EnforceArgCharClassUrl) then
EnforceArgCharClassUrl = name
else
EnforceArgCharClassUrl = EnforceArgCharClassUrl .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Url Enforcement list: " .. EnforceArgCharClassUrl)
m.setvar("RESOURCE.enforce_charclass_url", EnforceArgCharClassUrl)
end
else
local CheckArgCharClassUrl = string.find(EnforceArgCharClassUrl, name)
if (CheckArgCharClassUrl) then
m.log(4, "Arg Name: " .. name .. " already in Url Enforcement list.")
else
local ArgUrlCounter = m.getvar("RESOURCE." ..name.. "_url_counter")
if not (ArgUrlCounter) then
ArgUrlCounter = 1
m.log(4, "Creating " .. name .. " Url Counter: " .. ArgUrlCounter)
m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter)
else
ArgUrlCounter = ArgUrlCounter + 1
m.log(4, "Updating " .. name .. " Url Counter: " .. ArgUrlCounter)
m.setvar("RESOURCE." .. name .. "_url_counter", ArgUrlCounter)
end
if (ArgUrlCounter == MinPatternThreshold) then
if not (EnforceArgCharClassUrl) then
EnforceArgCharClassUrl = name
else
EnforceArgCharClassUrl = EnforceArgCharClassUrl .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Url Enforcement list: " .. EnforceArgCharClassUrl)
m.setvar("RESOURCE.enforce_charclass_url", EnforceArgCharClassUrl)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_url_counter", "0")
end
--[[ Check for Path Class ]]
elseif string.match(value, "[-a-zA-Z0-9/._]*/[-a-zA-Z0-9/._]*") then
m.log(4, "Parameter " ..name.. " payload matches path class.")
local EnforceArgCharClassPath = m.getvar("RESOURCE.enforce_charclass_path")
if not (EnforceArgCharClassPath) then
local ArgPathCounter = m.getvar("RESOURCE." ..name.. "_path_counter")
if not (ArgPathCounter) then
ArgPathCounter = 1
m.log(4, "Creating " .. name .. " Path Counter: " .. ArgPathCounter)
m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter)
else
ArgPathCounter = ArgPathCounter + 1
m.log(4, "Updating " .. name .. " Path Counter: " .. ArgPathCounter)
m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter)
end
if (ArgPathCounter == MinPatternThreshold) then
if not (EnforceArgCharClassPath) then
EnforceArgCharClassPath = name
else
EnforceArgCharClassPath = EnforceArgCharClassPath .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Path Enforcement list: " .. EnforceArgCharClassPath)
m.setvar("RESOURCE.enforce_charclass_path", EnforceArgCharClassPath)
end
else
local CheckArgCharClassPath = string.find(EnforceArgCharClassPath, name)
if (CheckArgCharClassPath) then
m.log(4, "Arg Name: " .. name .. " already in Path Enforcement list.")
else
local ArgPathCounter = m.getvar("RESOURCE." ..name.. "_path_counter")
if not (ArgPathCounter) then
ArgPathCounter = 1
m.log(4, "Creating " .. name .. " Path Counter: " .. ArgPathCounter)
m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter)
else
ArgPathCounter = ArgPathCounter + 1
m.log(4, "Updating " .. name .. " Path Counter: " .. ArgPathCounter)
m.setvar("RESOURCE." .. name .. "_path_counter", ArgPathCounter)
end
if (ArgPathCounter == MinPatternThreshold) then
if not (EnforceArgCharClassPath) then
EnforceArgCharClassPath = name
else
EnforceArgCharClassPath = EnforceArgCharClassPath .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Path Enforcement list: " .. EnforceArgCharClassPath)
m.setvar("RESOURCE.enforce_charclass_path", EnforceArgCharClassPath)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_path_counter", "0")
end
--[[ Check for Flag Parameter Class ]]
elseif string.match(value, "^$") then
m.log(4, "Parameter " ..name.. " payload matches flag parameter class.")
local EnforceArgCharClassFlag = m.getvar("RESOURCE.enforce_charclass_flag")
if not (EnforceArgCharClassFlag) then
local ArgFlagCounter = m.getvar("RESOURCE." ..name.. "_flag_counter")
if not (ArgFlagCounter) then
ArgFlagCounter = 1
m.log(4, "Creating " .. name .. " Flag Counter: " .. ArgFlagCounter)
m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter)
else
ArgFlagCounter = ArgFlagCounter + 1
m.log(4, "Updating " .. name .. " Flag Counter: " .. ArgFlagCounter)
m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter)
end
if (ArgFlagCounter == MinPatternThreshold) then
if not (EnforceArgCharClassFlag) then
EnforceArgCharClassFlag = name
else
EnforceArgCharClassFlag = EnforceArgCharClassFlag .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Flag Enforcement list: " .. EnforceArgCharClassFlag)
m.setvar("RESOURCE.enforce_charclass_flag", EnforceArgCharClassFlag)
end
else
local CheckArgCharClassFlag = string.find(EnforceArgCharClassFlag, name)
if (CheckArgCharClassFlag) then
m.log(4, "Arg Name: " .. name .. " already in Flag Enforcement list.")
else
local ArgFlagCounter = m.getvar("RESOURCE." ..name.. "_flag_counter")
if not (ArgFlagCounter) then
ArgFlagCounter = 1
m.log(4, "Creating " .. name .. " Flag Counter: " .. ArgFlagCounter)
m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter)
else
ArgFlagCounter = ArgFlagCounter + 1
m.log(4, "Updating " .. name .. " Flag Counter: " .. ArgFlagCounter)
m.setvar("RESOURCE." .. name .. "_flag_counter", ArgFlagCounter)
end
if (ArgFlagCounter == MinPatternThreshold) then
if not (EnforceArgCharClassFlag) then
EnforceArgCharClassFlag = name
else
EnforceArgCharClassFlag = EnforceArgCharClassFlag .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Flag Enforcement list: " .. EnforceArgCharClassFlag)
m.setvar("RESOURCE.enforce_charclass_flag", EnforceArgCharClassFlag)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_flag_counter", "0")
end
--[[ Check for Alpha/Letters Character Class ]]
elseif string.match(value, "^%a+$") then
m.log(4, "Parameter " ..name.. " payload matches alpha class.")
local EnforceArgCharClassAlpha = m.getvar("RESOURCE.enforce_charclass_alphas")
if not (EnforceArgCharClassAlpha) then
local ArgAlphaCounter = m.getvar("RESOURCE." ..name.. "_alpha_counter")
if not (ArgAlphaCounter) then
ArgAlphaCounter = 1
m.log(4, "Creating " .. name .. " Alpha Counter: " .. ArgAlphaCounter)
m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter)
else
ArgAlphaCounter = ArgAlphaCounter + 1
m.log(4, "Updating " .. name .. " Alpha Counter: " .. ArgAlphaCounter)
m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter)
end
if (ArgAlphaCounter == MinPatternThreshold) then
if not (EnforceArgCharClassAlpha) then
EnforceArgCharClassAlpha = name
else
EnforceArgCharClassAlpha = EnforceArgCharClassAlpha .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Alpha Enforcement list: " .. EnforceArgCharClassAlpha)
m.setvar("RESOURCE.enforce_charclass_alphas", EnforceArgCharClassAlpha)
m.setvar("!RESOURCE." .. name .. "_alpha_counter", "0")
end
else
local CheckArgCharClassAlpha = string.find(EnforceArgCharClassAlpha, name)
if (CheckArgCharClassAlpha) then
m.log(4, "Arg Name: " .. name .. " already in Alpha Enforcement list.")
else
local ArgAlphaCounter = m.getvar("RESOURCE." ..name.. "_alpha_counter")
if not (ArgAlphaCounter) then
ArgAlphaCounter = 1
m.log(4, "Creating " .. name .. " Alpha Counter: " .. ArgAlphaCounter)
m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter)
else
ArgAlphaCounter = ArgAlphaCounter + 1
m.log(4, "Updating " .. name .. " Alpha Counter: " .. ArgAlphaCounter)
m.setvar("RESOURCE." .. name .. "_alpha_counter", ArgAlphaCounter)
end
if (ArgAlphaCounter == MinPatternThreshold) then
if not (EnforceArgCharClassAlpha) then
EnforceArgCharClassAlpha = name
else
EnforceArgCharClassAlpha = EnforceArgCharClassAlpha .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the Alpha Enforcement list: " .. EnforceArgCharClassAlpha)
m.setvar("RESOURCE.enforce_charclass_alphas", EnforceArgCharClassAlpha)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_alpha_counter", "0")
end
--[[ Check for AlphaNumeric Character Class ]]
elseif string.match(value, "^%w+$") then
m.log(4, "Parameter " ..name.. " payload matches alphanumeric class.")
local EnforceArgCharClassAlphaNumeric = m.getvar("RESOURCE.enforce_charclass_alphanumeric")
if not (EnforceArgCharClassAlphaNumeric) then
local ArgAlphaNumericCounter = m.getvar("RESOURCE." ..name.. "_alphanumeric_counter")
if not (ArgAlphaNumericCounter) then
ArgAlphaNumericCounter = 1
m.log(4, "Creating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter)
m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter)
else
ArgAlphaNumericCounter = ArgAlphaNumericCounter + 1
m.log(4, "Updating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter)
m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter)
end
if (ArgAlphaNumericCounter == MinPatternThreshold) then
if not (EnforceArgCharClassAlphaNumeric) then
EnforceArgCharClassAlphaNumeric = name
else
EnforceArgCharClassAlphaNumeric = EnforceArgCharClassAlphaNumeric .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the AlphaNumeric Enforcement list: " .. EnforceArgCharClassAlphaNumeric)
m.setvar("RESOURCE.enforce_charclass_alphanumeric", EnforceArgCharClassAlphaNumeric)
m.setvar("!RESOURCE." .. name .. "_alphanumeric_counter", "0")
end
else
local CheckArgCharClassAlphaNumeric = string.find(EnforceArgCharClassAlphaNumeric, name)
if (CheckArgCharClassAlphaNumeric) then
m.log(4, "Arg Name: " .. name .. " already in AlphaNumeric Enforcement list.")
else
local ArgAlphaNumericCounter = m.getvar("RESOURCE." ..name.. "_alphanumeric_counter")
if not (ArgAlphaNumericCounter) then
ArgAlphaNumericCounter = 1
m.log(4, "Creating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter)
m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter)
else
ArgAlphaNumericCounter = ArgAlphaNumericCounter + 1
m.log(4, "Updating " .. name .. " AlphaNumeric Counter: " .. ArgAlphaNumericCounter)
m.setvar("RESOURCE." .. name .. "_alphanumeric_counter", ArgAlphaNumericCounter)
end
if (ArgAlphaNumericCounter == MinPatternThreshold) then
if not (EnforceArgCharClassAlphaNumeric) then
EnforceArgCharClassAlphaNumeric = name
else
EnforceArgCharClassAlphaNumeric = EnforceArgCharClassAlphaNumeric .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the AlphaNumeric Enforcement list: " .. EnforceArgCharClassAlphaNumeric)
m.setvar("RESOURCE.enforce_charclass_alphanumeric", EnforceArgCharClassAlphaNumeric)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_alphanumeric_counter", "0")
end
--[[ Check for SafeText Character Class ]]
elseif string.match(value, "^[a-zA-Z0-9%s_%.%-]+$") then
m.log(4, "Parameter " ..name.. " payload matches safetext class.")
local EnforceArgCharClassSafeText = m.getvar("RESOURCE.enforce_charclass_safetext")
if not (EnforceArgCharClassSafeText) then
local ArgSafeTextCounter = m.getvar("RESOURCE." ..name.. "_safetext_counter")
if not (ArgSafeTextCounter) then
ArgSafeTextCounter = 1
m.log(4, "Creating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter)
m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter)
else
ArgSafeTextCounter = ArgSafeTextCounter + 1
m.log(4, "Updating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter)
m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter)
end
if (ArgSafeTextCounter == MinPatternThreshold) then
if not (EnforceArgCharClassSafeText) then
EnforceArgCharClassSafeText = name
else
EnforceArgCharClassSafeText = EnforceArgCharClassSafeText .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the SafeText Enforcement list: " .. EnforceArgCharClassSafeText)
m.setvar("RESOURCE.enforce_charclass_safetext", EnforceArgCharClassSafeText)
end
else
local CheckArgCharClassSafeText = string.find(EnforceArgCharClassSafeText, name)
if (CheckArgCharClassSafeText) then
m.log(4, "Arg Name: " .. name .. " already in SafeText Enforcement list.")
else
local ArgSafeTextCounter = m.getvar("RESOURCE." ..name.. "_safetext_counter")
if not (ArgSafeTextCounter) then
ArgSafeTextCounter = 1
m.log(4, "Creating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter)
m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter)
else
ArgSafeTextCounter = ArgSafeTextCounter + 1
m.log(4, "Updating " .. name .. " SafeText Counter: " .. ArgSafeTextCounter)
m.setvar("RESOURCE." .. name .. "_safetext_counter", ArgSafeTextCounter)
end
if (ArgSafeTextCounter == MinPatternThreshold) then
if not (EnforceArgCharClassSafeText) then
EnforceArgCharClassSafeText = name
else
EnforceArgCharClassSafeText = EnforceArgCharClassSafeText .. ", " .. name
end
m.log(4, "Arg Name: " .. name .. " Reached Pattern Threshold. Adding it to the SafeText Enforcement list: " .. EnforceArgCharClassSafeText)
m.setvar("RESOURCE.enforce_charclass_safetext", EnforceArgCharClassSafeText)
end
end
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE." .. name .. "_safetext_counter", "0")
end
end
end
end
function ProfileArgsLength()
local ArgsLength = {}
ArgsLength = m.getvars("ARGS", {"none", "length"})
for k,v in pairs(ArgsLength) do
name = v["name"];
value = v["value"];
m.log(4, "Arg Name: " ..name.. " and Length: " ..value.. ".");
local EnforceArgLength = m.getvar("RESOURCE.enforce_" ..name .. "_length")
if EnforceArgsLength ~= nil then
local CheckArgsLength = string.find(EnforceArgLength, value)
if (CheckArgsLength) then
m.log(4, "Arg Name: " .. name .. " with Length: :" ..value.. " already in Enforcement list.")
else
local ArgLengthCounter = m.getvar("RESOURCE." .. name .. "_length_" ..value.. "_counter")
if not (ArgLengthCounter) then
ArgLengthCounter = 1
m.log(4, "Creating " .. name .. " Length " ..value.. " Counter: " .. ArgLengthCounter)
m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter)
else
ArgLengthCounter = ArgLengthCounter + 1
m.log(4, "Increasing " .. name .. " Length " .. value .. " Counter: " .. ArgLengthCounter)
m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter)
end
if (ArgLengthCounter == MinPatternThreshold) then
if not (EnforceArgLength) then
EnforceArgLength = value
else
EnforceArgLength = EnforceArgLength .. ", " .. value
end
m.log(4, "Arg Name: " .. name .. " with Length: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgLength)
m.setvar("RESOURCE.enforce_" ..name .. "_length", EnforceArgLength)
end
end
else
local ArgLengthCounter = m.getvar("RESOURCE." .. name .. "_length_" ..value.. "_counter")
if not (ArgLengthCounter) then
ArgLengthCounter = 1
m.log(4, "Creating " .. name .. " Length " ..value.. " Counter: " .. ArgLengthCounter)
m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter)
else
ArgLengthCounter = ArgLengthCounter + 1
m.log(4, "Increasing " .. name .. " Length " .. value .. " Counter: " .. ArgLengthCounter)
m.setvar("RESOURCE." .. name .. "_length_" ..value.. "_counter", ArgLengthCounter)
end
if (ArgLengthCounter == MinPatternThreshold) then
if not (EnforceArgLength) then
EnforceArgLength = value
else
EnforceArgLength = EnforceArgLength .. ", " .. value
end
m.log(4, "Arg Name: " .. name .. " with Length: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgLength)
m.setvar("RESOURCE.enforce_" ..name.. "_length", EnforceArgLength)
end
end
if (TrafficCounter == MinTrafficThreshold) then
i=1
length_of_arg={}
for num in string.gmatch(EnforceArgLength, "%d+") do
length_of_arg[i]=num;i=i+1;
end
local MinArgLength = math.min(unpack(length_of_arg))
m.setvar("RESOURCE." .. name .. "_length_min", MinArgLength)
local MaxArgLength = math.max(unpack(length_of_arg))
m.setvar("RESOURCE." .. name .. "_length_max", MaxArgLength)
m.log(4, "Min Length of " .. name .. ": " ..MinArgLength.. " and Max Length: " ..MaxArgLength.. ".")
m.setvar("!RESOURCE." .. name .. "_length_" ..value.. "_counter", "0")
end
end
end
function ProfileArgsNames()
local ArgsNames = {}
ArgsNames = m.getvars("ARGS_NAMES", {"none"})
local EnforceArgsNames = m.getvar("RESOURCE.enforce_args_names")
for k,v in pairs(ArgsNames) do
name = v["name"];
value = v["value"];
m.log(4, "ArgsName: " ..value.. ".");
if EnforceArgsNames ~= nil then
local CheckArgsNames = string.find(EnforceArgsNames, value)
if (CheckArgsNames) then
m.log(4, "Arg Name: " .. value .. " already in Enforcement list.")
else
local ArgsNamesCounter = m.getvar("RESOURCE.args_names_counter_" .. value)
if not (ArgsNamesCounter) then
ArgsNamesCounter = 1
m.log(4, "Creating " .. value .. " Pattern Score: " .. ArgsNamesCounter)
m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter)
else
ArgsNamesCounter = ArgsNamesCounter + 1
m.log(4, "Increasing " .. value .. " Pattern Score to: " .. ArgsNamesCounter)
m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter)
end
if (ArgsNamesCounter == MinPatternThreshold) then
if not (EnforceArgsNames) then
EnforceArgsNames = value
else
EnforceArgsNames = EnforceArgsNames .. ", " .. value
end
m.log(4, "Args Names: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgsNames)
m.setvar("RESOURCE.enforce_args_names", EnforceArgsNames)
m.setvar("!RESOURCE.args_names_counter_" .. value, "0")
end
end
else
local ArgsNamesCounter = m.getvar("RESOURCE.args_names_counter_" .. value)
if not (ArgsNamesCounter) then
ArgsNamesCounter = 1
m.log(4, "Creating " .. value .. " Pattern Score: " .. ArgsNamesCounter)
m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter)
else
ArgsNamesCounter = ArgsNamesCounter + 1
m.log(4, "Increasing " .. value .. " Pattern Score to: " .. ArgsNamesCounter)
m.setvar("RESOURCE.args_names_counter_" .. value, ArgsNamesCounter)
end
if (ArgsNamesCounter == MinPatternThreshold) then
if not (EnforceArgsNames) then
EnforceArgsNames = value
else
EnforceArgsNames = EnforceArgsNames .. ", " .. value
end
m.log(4, "Args Names: " .. value .. " Reached Pattern Threshold. Adding it to the Enforcement list: " .. EnforceArgsNames)
m.setvar("RESOURCE.enforce_args_names", EnforceArgsNames)
m.setvar("!RESOURCE.args_names_counter_" .. value, "0")
end
end
end
end
function ProfileRequestMethod()
local RequestMethod = m.getvar("REQUEST_METHOD", {"none"})
local EnforceRequestMethods = m.getvar("RESOURCE.enforce_request_methods")
if EnforceRequestMethods ~= nil then
local CheckEnforceMethods = string.find(EnforceRequestMethods, RequestMethod)
if (CheckEnforceMethods) then
m.log(4, "Request Method " .. RequestMethod .. " already in Enforcement List.")
end
end
local RequestMethodCounter = m.getvar("RESOURCE.request_method_counter_" .. RequestMethod)
if not (RequestMethodCounter) then
RequestMethodCounter = 1
m.log(4, "Creating " .. RequestMethod .. " Pattern Score: " .. RequestMethodCounter)
m.setvar("RESOURCE.request_method_counter_" .. RequestMethod, RequestMethodCounter)
else
RequestMethodCounter = RequestMethodCounter + 1
m.log(4, "Increasing " .. RequestMethod .. " Pattern Score to: " .. RequestMethodCounter)
m.setvar("RESOURCE.request_method_counter_" .. RequestMethod, RequestMethodCounter)
end
if (RequestMethodCounter == MinPatternThreshold) then
if not (EnforceRequestMethods) then
EnforceRequestMethods = RequestMethod
else
EnforceRequestMethods = EnforceRequestMethods .. ", " .. RequestMethod
end
m.log(4, "Request Method Reached Pattern Threshold. Adding it to the EnforceRequestMethods list: " .. EnforceRequestMethods)
m.setvar("RESOURCE.enforce_request_methods", EnforceRequestMethods)
end
if (TrafficCounter == MinTrafficThreshold) then
m.setvar("!RESOURCE.request_method_counter_" .. RequestMethod, "0")
end
end
function ProfileNumOfArgs()
local ARGS = {}
local ARGS = m.getvars("ARGS", {"none"})
local NumOfArgs = tonumber(#ARGS)
local EnforceNumOfArgs = m.getvar("RESOURCE.enforce_num_of_args")
if EnforceNumOfArgs ~= nil then
local CheckNumOfArgs = string.find(EnforceNumOfArgs, NumOfArgs)
if (CheckNumOfArgs) then
m.log(4, "ARGS #: " .. NumOfArgs .. " already in Enforcement List.")
end
end
local NumOfArgsCounter = m.getvar("RESOURCE.NumOfArgs_counter_" .. NumOfArgs)
if not (NumOfArgsCounter) then
NumOfArgsCounter = 1
m.log(4, "Current # of ARGS: " ..NumOfArgs.. " has not been previously seen.")
m.log(4, "Creating " .. NumOfArgs .. " Pattern Score to: " .. NumOfArgsCounter)
m.setvar("RESOURCE.NumOfArgs_counter_" .. NumOfArgs, NumOfArgsCounter)
else
NumOfArgsCounter = NumOfArgsCounter + 1
m.log(4, "Current # of ARGS: " ..NumOfArgs.. " has been previously seen.")
m.log(4, "Increasing " .. NumOfArgs .. " Pattern Score to: " .. NumOfArgsCounter)
m.setvar("RESOURCE.NumOfArgs_counter_" .. NumOfArgs, NumOfArgsCounter)
end
if (NumOfArgsCounter == MinPatternThreshold) then
if not (EnforceNumOfArgs) then
EnforceNumOfArgs = NumOfArgs
else
EnforceNumOfArgs = EnforceNumOfArgs.. ", " ..NumOfArgs
end
m.log(4, "NumOfArgs Reached Pattern Threshold. Adding it to the EnforceRequestMethods list: " .. EnforceNumOfArgs)
m.setvar("RESOURCE.enforce_num_of_args", EnforceNumOfArgs)
end
if (TrafficCounter == MinTrafficThreshold) then
i=1
num_of_args={}
for num in string.gmatch(EnforceNumOfArgs, "%d+") do
num_of_args[i]=num;i=i+1;
end
local MinNumOfArgs = math.min(unpack(num_of_args))
m.setvar("RESOURCE.MinNumOfArgs", MinNumOfArgs)
local MaxNumOfArgs = math.max(unpack(num_of_args))
m.setvar("RESOURCE.MaxNumOfArgs", MaxNumOfArgs)
m.log(4, "Min # of ARGS: " ..MinNumOfArgs.. " and Max # of ARGS: " ..MaxNumOfArgs.. ".")
m.setvar("!RESOURCE.NumOfArgs_counter_" .. NumOfArgs, "0")
end
end

205
iis/ModSecurityIIS/owasp_crs/lua/arachni_integration.lua
View File

@ -1,205 +0,0 @@
--
-- Include Arachni RPC client code
--
require "client"
--
-- Call main ModSecurity Lua function
--
function main()
--
-- Set the remote Arachni RPC host
--
arachni_host = '192.168.168.128'
--
-- Extract Request Data
--
host = m.getvar("REQUEST_HEADERS.host")
m.log(4, "Arachni: Host: " .. host)
request_filename = m.getvar("REQUEST_FILENAME")
m.log(4, "Arachni: Filename: " .. request_filename)
url_to_scan = "http://" .. host .. request_filename
m.log(4, "Arachni: URL to scan is: " .. url_to_scan)
request_method = m.getvar("REQUEST_METHOD")
m.log(4, "Arachni: Request Method is: " .. request_method)
--
-- Convert ModSecurity ARGS data into a local table called args
--
ARGS = {}
ARGS = m.getvars("ARGS")
args = {}
for k,v in pairs(ARGS) do
name = v["name"];
name = string.gsub(name, "ARGS:(.*)", "%1")
value = v["value"];
m.log(4, "Arachni: Arg Name: " ..name.. " and Value: " ..value.. ".");
args[name] = value
end
local yaml_args = yaml.dump ( args )
m.log(4, "Arachni: Updated ARGS table is: " .. yaml_args)
--
-- Convert ModSecrity COOKIE data into a local table called cookies_table
--
COOKIES = {}
COOKIES = m.getvars("REQUEST_COOKIES")
cookies_table = {}
for k,v in pairs(COOKIES) do
name = v["name"];
name = string.gsub(name, "REQUEST_COOKIES:(.*)", "%1")
value = v["value"];
m.log(4, "Arachni: Cookie Name: " ..name.. " and Value: " ..value.. ".");
cookies_table[name] = value
end
local yaml_cookies = yaml.dump ( cookies_table )
m.log(4, "Arachni: Updated Cookies table is: " .. yaml_cookies)
--
-- Initiate Arachni RPC Dispatchers
--
dispatcher = ArachniRPCClient:new( { host = arachni_host, port = 7331 } )
instance_info = dispatcher:call( 'dispatcher.dispatch' )
--
-- Check to see if we have previously initiated a scan for the resource
--
-- If we have not, then we will contact the Dispatcher and start a scan
--
local arachni_scan_initiated = m.getvar("RESOURCE.arachni_scan_initiated")
if arachni_scan_initiated == nil then
--
-- Set the host to match the remote Dispatcher
--
instance = ArachniRPCClient:new({
host = arachni_host,
port = instance_info.port,
token = instance_info.token
})
opts = {
url = url_to_scan,
audit_links = true,
audit_forms = true,
audit_cookies = true,
-- only audit the stuff passed to vector feed
link_count_limit = 0,
cookies = cookies_table
}
instance:call( 'modules.load', { 'xss', 'sqli', 'path_traversal' } )
vectors = {}
-- add a form var (for POST params)
table.insert( vectors, {
type = 'form',
method = request_method,
action = url_to_scan,
inputs = args
})
local yaml_vectors = yaml.dump( vectors )
m.log(4, "Arachni: Yaml output of vectors is: " .. yaml_vectors)
plugins = {
vector_feed = {
vectors = vectors
}
}
instance:call( 'plugins.load', plugins )
instance:call( 'opts.set', opts )
instance:call( 'framework.run' )
--
-- Save the Dispatcher port/token data to pull the report later
--
m.setvar("RESOURCE.arachni_scan_initiated", "1")
m.setvar("RESOURCE.arachni_instance_info_port", instance_info.port)
m.setvar("RESOURCE.arachni_instance_info_token", instance_info.token)
return ("Arachni: Scan Initiated. Exiting")
else
--
-- If we have previously initiated a scan, we will now check for a report
--
m.log(4, "Arachni: Previous scan was initiated, checking scan status.")
local instance_info_port = m.getvar("RESOURCE.arachni_instance_info_port")
local instance_info_token = m.getvar("RESOURCE.arachni_instance_info_token")
m.log(4, "Arachni: Port info: " .. instance_info_port .. " and Token info: " .. instance_info_token)
instance = ArachniRPCClient:new({
host = arachni_host,
port = instance_info_port,
token = instance_info_token
})
if instance:call( 'framework.busy?' ) then
m.log(4, "Arachni: Scan still in progress, framework is busy. Exiting.")
return ("Arachni scan still in progress, framework is busy. Exiting.")
else
m.log(4, "Arachni: Scan completed - calling for report.")
local results = instance:call( 'framework.issues_as_hash' )
yaml_results = yaml.dump( results )
m.log(4, "Arachni: Yaml Results: " .. yaml_results)
for k,v in pairs(results) do
name = v["name"];
value = v["value"];
if ( v["mod_name"] == "XSS" ) then
local XssVulnParams = m.getvar("RESOURCE.xss_vulnerable_params")
if not (XssVulnParams) then
m.log(4, "Arachni: Vulnerability Identified for Parameter: \"" .. v["var"] .. "\", Vulnerability Type: \"" .. v["mod_name"] .. "\"")
m.setvar("RESOURCE.xss_vulnerable_params", v["var"])
else
local CheckArgInXssVulnParams = string.find(XssVulnParams, v["var"])
if (CheckArgInXssVulnParams) then
m.log(4, "Arachni: Arg Name: " .. v["var"] .. " already in XSS Vuln list.")
else
m.log(4, "Arachni: Vulnerability Identified for Parameter: \"" .. v["var"] .. "\", Vulnerability Type: \"" .. v["mod_name"] .. "\"")
XssVulnParams = XssVulnParams .. ", " .. v["var"]
m.setvar("RESOURCE.xss_vulnerable_params", XssVulnParams)
end
end
end
if ( v["mod_name"] == "SQLInjection" ) then
local SQLiVulnParams = m.getvar("RESOURCE.sqli_vulnerable_params")
if not (SQLiVulnParams) then
m.log(4, "Arachni: Vulnerability Identified for Parameter: \"" .. v["var"] .. "\", Vulnerability Type: \"" .. v["mod_name"] .. "\"")
m.setvar("RESOURCE.sqli_vulnerable_params", v["var"])
else
local CheckArgInSQLiVulnParams = string.find(SQLiVulnParams, v["var"])
if (CheckArgInSQLiVulnParams) then
m.log(4, "Arachni: Arg Name: " .. v["var"] .. " already in SQLi Vuln list.")
else
m.log(4, "Arachni: Vulnerability Identified for Parameter: \"" .. v["var"] .. "\", Vulnerability Type: \"" .. v["mod_name"] .. "\"")
SQLiVulnParams = SQLiVulnParams .. ", " .. v["var"]
m.setvar("RESOURCE.sqli_vulnerable_params", SQLiVulnParams)
end
end
end
end
instance:call( 'service.shutdown' )
m.setvar("RESOURCE.arachni_scan_completed", "1")
return ("Arachni: Done")
end
end
end

91
iis/ModSecurityIIS/owasp_crs/lua/bayes_check_spam.lua
View File

@ -1,91 +0,0 @@
#!/usr/bin/env lua
require("io");
function table.val_to_str ( v )
if "string" == type( v ) then
v = string.gsub( v, "\n", "\\n" )
if string.match( string.gsub(v,"[^'\"]",""), '^"+$' ) then
return "'" .. v .. "'"
end
return '"' .. string.gsub(v,'"', '\\"' ) .. '"'
else
return "table" == type( v ) and table.tostring( v ) or
tostring( v )
end
end
function table.key_to_str ( k )
if "string" == type( k ) and string.match( k, "^[_%a][_%a%d]*$" ) then
return k
else
return "[" .. table.val_to_str( k ) .. "]"
end
end
function table.tostring( tbl )
local result, done = {}, {}
for k, v in ipairs( tbl ) do
table.insert( result, table.val_to_str( v ) )
done[ k ] = true
end
for k, v in pairs( tbl ) do
if not done[ k ] then
table.insert( result,
table.key_to_str( k ) .. "=" .. table.val_to_str( v ) )
end
end
return "{" .. table.concat( result, "," ) .. "}"
end
function main()
local mf = require "moonfilter"
-- define the classes to use
mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
-- create ham+spam DB on disk -- this is only necessary the first time
-- use command line moonfilter.lua to initially create the DBs outside
-- of ModSecurity
--mf.create()
local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
anomaly_score = tonumber(anomaly_score);
if not (anomaly_score) then
local score = ""
local args = {};
args = m.getvars("ARGS", {"none"});
if (#args == "0") then
m.log(4, "# of ARGS: " ..#args.. ".");
return nil;
end
-- Place ARGS data into key/value pairs for inspection
for k,v in pairs(args) do
name = v["name"];
value = v["value"];
m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
mf.text = value;
local class_result = mf.classify()
class_result = table.tostring(class_result)
m.log(4, "Classify Results: " .. class_result .. ".")
class = string.gsub(class_result, ".*class=\"(.*)\".*", "%1")
if (class == "/var/log/httpd/spam") then
score = string.gsub(class_result, ".*prob=(%d\.%d%d%d%d%d%d%d%d%d%d%d%d%d%d)\,.*", "%1")
score = tonumber(score)
if (score) then
if (score > 0.90) then
m.log(4, "Classify Results: " .. class .. ".")
m.setvar("tx.bayes_score", class_result);
m.setvar("tx.bayes_var_name", name);
m.setvar("tx.bayes_var", value);
return("Bayesian Analaysis Alert for " .. name .. " with payload: \"" .. value .. "\"")
end
end
end
end
end
return nil;
end

34
iis/ModSecurityIIS/owasp_crs/lua/bayes_train_ham.lua
View File

@ -1,34 +0,0 @@
#!/usr/bin/lua
require("io");
function main()
local mf = require "moonfilter"
-- define the classes to use
mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
-- create ham+spam DB on disk -- this is only necessary the first time
-- mf.create()
local score = ""
local value = ""
local args = {};
args = m.getvars("ARGS", {"none"});
if (#args == 0) then
m.log(4, "# of ARGS: " ..#args.. ".");
return nil;
end
-- Place ARGS data into key/value pairs for inspection
for k,v in pairs(args) do
name = v["name"];
value = v["value"];
m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
mf.text = value;
local train_result = mf.train("/var/log/httpd/ham")
end
-- return nil;
m.log(4, "Low Bayesian Score: " .. score .. ". Training payloads as non-malicious.")
m.setvar("tx.bayes_msg", "Training payload as ham: " .. value .. ".");
return ("Training payloads as non-malicious: " .. value .. ".");
end

67
iis/ModSecurityIIS/owasp_crs/lua/bayes_train_spam.lua
View File

@ -1,67 +0,0 @@
#!/usr/bin/lua
require("io");
function table.val_to_str ( v )
if "string" == type( v ) then
v = string.gsub( v, "\n", "\\n" )
if string.match( string.gsub(v,"[^'\"]",""), '^"+$' ) then
return "'" .. v .. "'"
end
return '"' .. string.gsub(v,'"', '\\"' ) .. '"'
else
return "table" == type( v ) and table.tostring( v ) or
tostring( v )
end
end
function table.key_to_str ( k )
if "string" == type( k ) and string.match( k, "^[_%a][_%a%d]*$" ) then
return k
else
return "[" .. table.val_to_str( k ) .. "]"
end
end
function table.tostring( tbl )
local result, done = {}, {}
for k, v in ipairs( tbl ) do
table.insert( result, table.val_to_str( v ) )
done[ k ] = true
end
for k, v in pairs( tbl ) do
if not done[ k ] then
table.insert( result,
table.key_to_str( k ) .. "=" .. table.val_to_str( v ) )
end
end
return "{" .. table.concat( result, "," ) .. "}"
end
function main()
local mf = require "moonfilter"
-- define the classes to use
mf.classes("/var/log/httpd/spam", "/var/log/httpd/ham")
-- create ham+spam DB on disk -- this is only necessary the first time
-- mf.create()
local args = {};
args = m.getvars("MATCHED_VARS", {"none"});
if (#args == "0") then
m.log(4, "# of ARGS: " ..#args.. ".");
return nil;
end
-- Place ARGS data into key/value pairs for inspection
for k,v in pairs(args) do
name = v["name"];
value = v["value"];
m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
mf.text = value;
local train_result = mf.train("/var/log/httpd/spam")
train_result = table.tostring(train_result)
m.log(4, "Train Results: " .. train_result .. ".")
m.setvar("tx.bayes_msg", "Completed Bayesian SPAM Training on Payload: " .. mf.text .. ".");
return("Completed Bayesian SPAM Training on Payload: " .. mf.text .. ".");
end
return nil;
end

37
iis/ModSecurityIIS/owasp_crs/lua/gather_ip_data.lua
View File

@ -1,37 +0,0 @@
#!/opt/local/bin/lua
require("io");
function main()
local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
m.log(4, "Anomaly Score is: " .. anomaly_score .. ".");
local remote_addr = m.getvar("ARGS.REMOTE_ADDR", "none");
m.log(4, "Remote IP is: " .. remote_addr .. ".");
local ip_hostname = m.getvar("IP.HOSTNAME", "none");
if ((anomaly_score ~= nil) and (ip_hostname == nil)) then
local hostname = "NONE";
local abuse_contact = "NONE";
n = os.tmpname ()
os.execute ("nslookup '" .. remote_addr .. "' > " .. n)
os.execute ("whois '" .. remote_addr .. "' >> " .. n)
for line in io.lines (n) do
if string.match(line, "name = ") then
hostname = line
end
if string.match(line, "abuse") then
abuse_contact = line
end
end
m.log(4, "Hostname is: " .. hostname .. ".");
m.setvar("tx.hostname", hostname);
m.log(4, "Abuse Contact is: " .. abuse_contact .. ".");
m.setvar("tx.abuse_contact", abuse_contact);
os.remove (n)
return("Nslookup: " .. hostname .. " and WHOIS Abuse Info: " .. abuse_contact .. "");
end
return nil;
end

25
iis/ModSecurityIIS/owasp_crs/lua/osvdb.lua
View File

@ -1,25 +0,0 @@
#!/opt/local/bin/lua
local request_filename = m.getvar("REQUEST_FILENAME", "none")
local args = {};
args = m.getvars("ARGS_NAMES", "none")
function main ()
for line in io.lines("/usr/local/apache/conf/modsec_current/base_rules/vulnerabilities.txt") do
if line:find(request_filename) then
if string.find(line, "^%d+\,") then
for k,v in pairs(args) do
local arg_name = v["value"] .. "=";
if string.find(line, arg_name) then
m.setvar("resource.osvdb_check", "1")
m.setvar("resource.osvdb_vulnerable", "1")
m.setvar("tx.osvdb_msg", line)
return(line)
end
end
end
end
end
m.setvar("resource.osvdb_check", "1")
return nil
end

38
iis/ModSecurityIIS/owasp_crs/lua/profile_page_scripts.lua
View File

@ -1,38 +0,0 @@
#!/opt/local/bin/lua
function main()
local response_body = m.getvar("RESPONSE_BODY", "none");
if response_body ~= "" then
local _, nscripts = string.gsub(response_body, "<script", "");
local _, niframes = string.gsub(response_body, "<iframe", "");
local _, nlinks = string.gsub(response_body, "a href", "");
local _, nimages = string.gsub(response_body, "<img", "");
if nscripts == nil then
nscripts = 0
end
if niframes == nil then
niframes = 0
end
if nlinks == nil then
nlinks = 0
end
if nimages == nil then
nimages = 0
end
m.log(3, "niframes[" .. niframes .. "]");
m.setvar("tx.niframes", niframes);
m.log(3, "nscripts[" .. nscripts .. "]");
m.setvar("tx.nscripts", nscripts);
m.log(3, "nlinks[" .. nlinks .. "]");
m.setvar("tx.nlinks", nlinks);
m.log(3, "nimages[" .. nimages .. "]");
m.setvar("tx.nimages", nimages);
return nil;
end
return nil;
end

214
iis/ModSecurityIIS/owasp_crs/modsecurity.conf
View File

@ -1,214 +0,0 @@
# based on modsecurity.conf-recommended
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
#SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir c:\inetpub\temp\
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir c:\inetpub\temp\
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
#SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
#SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
#SecAuditLogType Serial
#SecAuditLog c:\inetpub\log\modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir c:\inetpub\log\
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeCodePage 20127
#SecUnicodeMapFile unicode.mapping

428
iis/ModSecurityIIS/owasp_crs/modsecurity_crs_10_setup.conf
View File

@ -1,428 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -- [[ Recommended Base Configuration ]] -------------------------------------------------
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings such as:
#
# - SecRuleEngine
# - SecRequestBodyAccess
# - SecAuditEngine
# - SecDebugLog
#
# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#
#
# -- [[ Rule Version ]] -------------------------------------------------------------------
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
#
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
#
SecComponentSignature "OWASP_CRS/2.2.6"
#
# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# -- [[ Self-Contained Mode ]] --
# Rules inherit the "deny" disruptive action. The first rule that matches will block.
#
# -- [[ Collaborative Detection Mode ]] --
# This is a "delayed blocking" mode of operation where each matching rule will inherit
# the "pass" action and will only contribute to anomaly scores. Transactional blocking
# can be applied
#
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
#
# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
#
SecDefaultAction "phase:1,deny,log"
#
# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
#
# These are the default scoring points for each severity level. You may
# adjust these to you liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 5.
# Is the highest severity level possible without correlation. It is
# normally generated by the web attack rules (40 level files).
# - 3: Error - Anomaly Score of 4.
# Is generated mostly from outbound leakage rules (50 level files).
# - 4: Warning - Anomaly Score of 3.
# Is generated by malicious client rules (35 level files).
# - 5: Notice - Anomaly Score of 2.
# Is generated by the Protocol policy and anomaly files.
#
SecAction \
"id:'900001', \
phase:1, \
t:none, \
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction \
"id:'900002', \
phase:1, \
t:none, \
setvar:tx.inbound_anomaly_score_level=5, \
nolog, \
pass"
SecAction \
"id:'900003', \
phase:1, \
t:none, \
setvar:tx.outbound_anomaly_score_level=4, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
#
# This is a collaborative detection mode where each rule will increment an overall
# anomaly score for the transaction. The scores are then evaluated in the following files:
#
# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
#
# If you want to use anomaly scoring mode, then uncomment this line.
#
#SecAction \
"id:'900004', \
phase:1, \
t:none, \
setvar:tx.anomaly_score_blocking=on, \
nolog, \
pass"
#
# -- [[ GeoIP Database ]] -----------------------------------------------------------------
#
# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
#
# -- [[ Regression Testing Mode ]] --------------------------------------------------------
#
# If you are going to run the regression testing mode, you should uncomment the
# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
# will enable Response Header tagging so that the client testing script can see
# which rule IDs have matched.
#
# You must specify the your source IP address where you will be running the tests
# from.
#
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
"id:'900005', \
phase:1, \
t:none, \
ctl:ruleEngine=DetectionOnly, \
setvar:tx.regression_testing=1, \
nolog, \
pass"
#
# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
#
# -- Maximum number of arguments in request limited
SecAction \
"id:'900006', \
phase:1, \
t:none, \
setvar:tx.max_num_args=255, \
nolog, \
pass"
#
# -- Limit argument name length
#SecAction \
"id:'900007', \
phase:1, \
t:none, \
setvar:tx.arg_name_length=100, \
nolog, \
pass"
#
# -- Limit value name length
#SecAction \
"id:'900008', \
phase:1, \
t:none, \
setvar:tx.arg_length=400, \
nolog, \
pass"
#
# -- Limit arguments total length
#SecAction \
"id:'900009', \
phase:1, \
t:none, \
setvar:tx.total_arg_length=64000, \
nolog, \
pass"
#
# -- Individual file size is limited
#SecAction \
"id:'900010', \
phase:1, \
t:none, \
setvar:tx.max_file_size=1048576, \
nolog, \
pass"
#
# -- Combined file size is limited
#SecAction \
"id:'900011', \
phase:1, \
t:none, \
setvar:tx.combined_file_sizes=1048576, \
nolog, \
pass"
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positves, you can adjust the settings here.
#
SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
nolog, \
pass"
#
# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
# Uncomment this SecAction line if you want use CSP enforcement.
# You need to set the appropriate directives and settings for your site/domain and
# and activate the CSP file in the experimental_rules directory.
#
# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
#
#SecAction \
"id:'900013', \
phase:1, \
t:none, \
setvar:tx.csp_report_only=1, \
setvar:tx.csp_report_uri=/csp_violation_report, \
setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
nolog, \
pass"
#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900014', \
phase:1, \
t:none, \
setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=10', \
setvar:'tx.brute_force_block_timeout=300', \
nolog, \
pass"
#
# -- [[ DoS Protection ]] ----------------------------------------------------------------
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900015', \
phase:1, \
t:none, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=100', \
setvar:'tx.dos_block_timeout=600', \
nolog, \
pass"
#
# -- [[ Check UTF enconding ]] -----------------------------------------------------------
#
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# Uncomment this line if your site uses UTF8 encoding
#SecAction \
"id:'900016', \
phase:1, \
t:none, \
setvar:tx.crs_validate_utf8_encoding=1, \
nolog, \
pass"
#
# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
#
# The rules in this file will trigger the XML parser upon an XML request
#
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'900017', \
phase:1, \
t:none,t:lowercase, \
nolog, \
pass, \
chain"
SecRule REQBODY_PROCESSOR "!@streq XML" \
"ctl:requestBodyProcessor=XML"
#
# -- [[ Global and IP Collections ]] -----------------------------------------------------
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
"id:'900018', \
phase:1, \
t:none,t:sha1,t:hexEncode, \
setvar:tx.ua_hash=%{matched_var}, \
nolog, \
pass"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
"id:'900019', \
phase:1, \
t:none, \
capture, \
setvar:tx.real_ip=%{tx.1}, \
nolog, \
pass"
SecRule &TX:REAL_IP "!@eq 0" \
"id:'900020', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
nolog, \
pass"
SecRule &TX:REAL_IP "@eq 0" \
"id:'900021', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
nolog, \
pass"

428
iis/ModSecurityIIS/owasp_crs/modsecurity_crs_10_setup.conf.example
View File

@ -1,428 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -- [[ Recommended Base Configuration ]] -------------------------------------------------
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings such as:
#
# - SecRuleEngine
# - SecRequestBodyAccess
# - SecAuditEngine
# - SecDebugLog
#
# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#
#
# -- [[ Rule Version ]] -------------------------------------------------------------------
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
#
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
#
SecComponentSignature "OWASP_CRS/2.2.6"
#
# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# -- [[ Self-Contained Mode ]] --
# Rules inherit the "deny" disruptive action. The first rule that matches will block.
#
# -- [[ Collaborative Detection Mode ]] --
# This is a "delayed blocking" mode of operation where each matching rule will inherit
# the "pass" action and will only contribute to anomaly scores. Transactional blocking
# can be applied
#
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
#
# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
#
SecDefaultAction "phase:1,deny,log"
#
# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
#
# These are the default scoring points for each severity level. You may
# adjust these to you liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 5.
# Is the highest severity level possible without correlation. It is
# normally generated by the web attack rules (40 level files).
# - 3: Error - Anomaly Score of 4.
# Is generated mostly from outbound leakage rules (50 level files).
# - 4: Warning - Anomaly Score of 3.
# Is generated by malicious client rules (35 level files).
# - 5: Notice - Anomaly Score of 2.
# Is generated by the Protocol policy and anomaly files.
#
SecAction \
"id:'900001', \
phase:1, \
t:none, \
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction \
"id:'900002', \
phase:1, \
t:none, \
setvar:tx.inbound_anomaly_score_level=5, \
nolog, \
pass"
SecAction \
"id:'900003', \
phase:1, \
t:none, \
setvar:tx.outbound_anomaly_score_level=4, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
#
# This is a collaborative detection mode where each rule will increment an overall
# anomaly score for the transaction. The scores are then evaluated in the following files:
#
# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
#
# If you want to use anomaly scoring mode, then uncomment this line.
#
#SecAction \
"id:'900004', \
phase:1, \
t:none, \
setvar:tx.anomaly_score_blocking=on, \
nolog, \
pass"
#
# -- [[ GeoIP Database ]] -----------------------------------------------------------------
#
# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
#
# -- [[ Regression Testing Mode ]] --------------------------------------------------------
#
# If you are going to run the regression testing mode, you should uncomment the
# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
# will enable Response Header tagging so that the client testing script can see
# which rule IDs have matched.
#
# You must specify the your source IP address where you will be running the tests
# from.
#
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
"id:'900005', \
phase:1, \
t:none, \
ctl:ruleEngine=DetectionOnly, \
setvar:tx.regression_testing=1, \
nolog, \
pass"
#
# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
#
# -- Maximum number of arguments in request limited
SecAction \
"id:'900006', \
phase:1, \
t:none, \
setvar:tx.max_num_args=255, \
nolog, \
pass"
#
# -- Limit argument name length
#SecAction \
"id:'900007', \
phase:1, \
t:none, \
setvar:tx.arg_name_length=100, \
nolog, \
pass"
#
# -- Limit value name length
#SecAction \
"id:'900008', \
phase:1, \
t:none, \
setvar:tx.arg_length=400, \
nolog, \
pass"
#
# -- Limit arguments total length
#SecAction \
"id:'900009', \
phase:1, \
t:none, \
setvar:tx.total_arg_length=64000, \
nolog, \
pass"
#
# -- Individual file size is limited
#SecAction \
"id:'900010', \
phase:1, \
t:none, \
setvar:tx.max_file_size=1048576, \
nolog, \
pass"
#
# -- Combined file size is limited
#SecAction \
"id:'900011', \
phase:1, \
t:none, \
setvar:tx.combined_file_sizes=1048576, \
nolog, \
pass"
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positves, you can adjust the settings here.
#
SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
nolog, \
pass"
#
# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
# Uncomment this SecAction line if you want use CSP enforcement.
# You need to set the appropriate directives and settings for your site/domain and
# and activate the CSP file in the experimental_rules directory.
#
# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
#
#SecAction \
"id:'900013', \
phase:1, \
t:none, \
setvar:tx.csp_report_only=1, \
setvar:tx.csp_report_uri=/csp_violation_report, \
setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
nolog, \
pass"
#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900014', \
phase:1, \
t:none, \
setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=10', \
setvar:'tx.brute_force_block_timeout=300', \
nolog, \
pass"
#
# -- [[ DoS Protection ]] ----------------------------------------------------------------
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900015', \
phase:1, \
t:none, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=100', \
setvar:'tx.dos_block_timeout=600', \
nolog, \
pass"
#
# -- [[ Check UTF enconding ]] -----------------------------------------------------------
#
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# Uncomment this line if your site uses UTF8 encoding
#SecAction \
"id:'900016', \
phase:1, \
t:none, \
setvar:tx.crs_validate_utf8_encoding=1, \
nolog, \
pass"
#
# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
#
# The rules in this file will trigger the XML parser upon an XML request
#
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'900017', \
phase:1, \
t:none,t:lowercase, \
nolog, \
pass, \
chain"
SecRule REQBODY_PROCESSOR "!@streq XML" \
"ctl:requestBodyProcessor=XML"
#
# -- [[ Global and IP Collections ]] -----------------------------------------------------
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
"id:'900018', \
phase:1, \
t:none,t:sha1,t:hexEncode, \
setvar:tx.ua_hash=%{matched_var}, \
nolog, \
pass"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
"id:'900019', \
phase:1, \
t:none, \
capture, \
setvar:tx.real_ip=%{tx.1}, \
nolog, \
pass"
SecRule &TX:REAL_IP "!@eq 0" \
"id:'900020', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
nolog, \
pass"
SecRule &TX:REAL_IP "@eq 0" \
"id:'900021', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
nolog, \
pass"

3
iis/ModSecurityIIS/owasp_crs/modsecurity_iis.conf
View File

@ -1,3 +0,0 @@
Include modsecurity.conf
Include modsecurity_crs_10_setup.conf
Include activated_rules\*.conf

42
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_42_comment_spam.data
View File

@ -1,42 +0,0 @@
super happy fun
psycheclone
grub crawler
core-project/
winnie poh
mozilla/4.0+(
email siphon
internet explorer
nutscrape/
mozilla/4.0(
missigua
libwww-perl
movable type
user
blogsearchbot-martin
emailsiphon
digger
8484 boston project
nutchcvs
pycurl
java 1.
isc systems irc
emailcollector
mj12bot/v1.0.8
trackback/
microsoft url
diamond
autoemailspider
lwp
pussycat
jakarta commons
java/1.
user-agent:
<sc
adwords
omniexplorer
wordpress
httpproxy
user agent:
ecollector
msie
cherrypicker

47
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_10_ignore_static.conf
View File

@ -1,47 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# The rules in this file will cause ModSecurity to let requests for static
# content go into the server without being examined (mostly media content).
# This can reduce the load on the server considerably.
#
# This ruleset will skip all tests for media files, but will skip only the
# request body phase (phase 2) for text files. To skip the outbound stage
# for text files, add file 47 (skip_outbound_checks) to your configuration,
# in addition to this file
#
# NOTE If you are using mod_rewrite to rewrite URLs, please keep in mind
# that some URLs may seem static, when they are not. for example,
# if you have a rule like this in your configuration:
# RewriteRule (.*).gif images.php?id=$1 [QSA]
# then requests to the gif files will pass through ModSecurity without
# inspection.
#
# We skip inspection GET & HEAD requests that have no parameters
# and that end with static content file extension
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'999001',severity:'6'"
SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1"
SecAction "phase:2,t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK"
# Determine actions based on static file extensions
# Images
SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999003',severity:'6'"
# Documents
SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt|xls)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999004',severity:'6'"
# HTML
SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999005',severity:'6'"
# Media files
SecRule REQUEST_FILENAME "\.(?:mp(?:e?g|3)|avi|flv|swf|wma)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999006',severity:'6'"
SecMarker END_STATIC_CONTENT_CHECK

31
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_11_avs_traffic.conf
View File

@ -1,31 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset allows you to control how ModSecurity will handle traffic originating
# from Authorized Vulnerability Scanning (AVS) sources.
# See related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
#
# White-list ASV network block (no blocking or logging of AVS traffic)
# Update IP network block as appropriate for your AVS traffic
#SecRule REMOTE_ADDR "@beginsWith 192.168.1." "phase:1,id:'981033',t:none,nolog,pass,allow"
#
# Recommended "Block but Don't Log" rule for scanning traffic
# Update IP address/network block as appropriate for your ASV traffic
#SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:1,id:'981034',t:none,nolog,pass,ctl:auditEngine=Off"
# Recommended phase 3 rule that will re-enable the audit engine if the request
# was not blocked by one of the normal rules.
# Update IP address/network block as appropriate for your ASV traffic
#SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:3,id:'981035',t:none,nolog,pass,ctl:auditEngine=On"

18
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_13_xml_enabler.conf
View File

@ -1,18 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# The rules in this file will trigger the XML parser upon an XML request
# Initiate XML Processor in case of xml content-type
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"phase:1,id:'981053',t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

38
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_authentication_tracking.conf
View File

@ -1,38 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Create an audit log of a successful Authentication.
#
# We also set the username in the Session and User collections. This allows
# for showing the UserID associated with the SESSIONID in any alerts generated.
#
# Must review the ModSecurity audit log data to review what a successful auth attempt
# looks like and then customize this template ruleset for it.
#
#SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,nolog,auditlog,msg:'Successful Authentication Attempt.',logdata:'Username - %{args.userid}'"
# SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
# SecRule ARGS:event "@streq LOGON" "chain,t:none"
# SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
# SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=WELCOME" "chain,t:none"
# SecRule ARGS:userid ".*" "t:none,setvar:session.username=%{args.userid},setuid:%{args.userid},setvar:session.successful_auth=1"
#
# Create an alert when a user fails authenticating.
#
# Must review the ModSecurity audit log data to review what a failed auth attempt
# looks like and then customize this template ruleset for it.
#
#SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,log,severity:'2',msg:'Failed Authentication Attempt.',logdata:'Username - %{args.userid}'"
# SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
# SecRule ARGS:event "@streq LOGON" "chain,t:none"
# SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
# SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=ERROR&ErrorDesc=Invalid User ID/Password Please try again." "t:none"

51
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
View File

@ -1,51 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This rule file will identify outbound Set-Cookie/Set-Cookie2 response headers and
# then initiate the proper ModSecurity session persistent collection (setsid).
# The rules in this file are required if you plan to run other checks such as
# Session Hijacking, Missing HTTPOnly flag, etc...
#
#
# This rule set will identify subsequent SessionIDs being submitted by clients in
# Request Headers. First we check that the SessionID submitted is a valid one
#
SecMarker BEGIN_SESSION_STARTUP
SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,id:'981054',t:none,block,log,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
SecRule SESSION:VALID "!@eq 1" "t:none,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/INVALID_SESSIONID-%{matched_var_name}=%{tx.0}"
SecRule &REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' "@eq 0" "phase:1,id:'981055',t:none,nolog,pass,skipAfter:END_SESSION_STARTUP"
SecAction "phase:1,id:'981056',t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:1,id:'981057',capture,t:none,nolog,pass"
SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:tx.ip_hash=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent ".*" "phase:1,id:'981058',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:tx.ua_hash=%{matched_var}"
SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}" "phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - IP Address Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
SecRule TX:UA_HASH "!@streq %{SESSION.UA_HASH}" "phase:1,id:'981060',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - User-Agent Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
SecRule TX:STICKY_SESSION_ANOMALY "@eq 2" "phase:1,id:'981061',t:none,block,msg:'Possible Session Hijacking - IP Address and User-Agent Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
SecMarker END_SESSION_STARTUP
#
# This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid
#
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s].*?)\;\s?)" "chain,phase:3,id:'981062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent},setvar:session.valid=1"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:3,id:'981063',capture,t:none,nolog,pass"
SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent ".*" "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}"

35
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_username_tracking.conf
View File

@ -1,35 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Template rules for login/audit rules.
# Uncomment the following lines and specify the path or specific login resource for protection
#
#<LocationMatch "^/(?:(admin|account\/login\.jsp$))">
#
# Identify/Set the UserID name and collection
# Must correctly specify the parameter name that holds the username data (example ARGS:username)
#
#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"
#
# Password Complexity Check
# Must correctly specify the parameter name that holds the password data (example ARGS:password)
# The regex below requires 8 length, one upper, one lower, and one number.
#
#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}"
#
# Sanitize the user's password data in the audit logs
# Set the appropriate password parameter name
#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password"
#</LocationMatch>

110
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_25_cc_known.conf
View File

@ -1,110 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# Detect CC# in input, log transaction and sanitize
SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
"phase:2,id:'981078',t:none,pass,nolog,skip:1"
SecAction "phase:2,id:'981079',t:none,pass,nolog,skipAfter:END_KNOWN_CC_INBOUND_CHECK"
# GSA SmartPay
SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',tag:'PCI/10.2',severity:'5'"
# MasterCard
SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'MasterCard Credit Card Number detected in user input',id:'920005',tag:'PCI/10.2',severity:'5'"
# Visa
SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Visa Credit Card Number detected in user input',id:'920007',tag:'PCI/10.2',severity:'5'"
# American Express
SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'American Express Credit Card Number detected in user input',id:'920009',tag:'PCI/10.2',severity:'5'"
# Diners Club
SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Diners Club Credit Card Number detected in user input',id:'920011',tag:'PCI/10.2',severity:'5'"
# enRoute
#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
# "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'enRoute Credit Card Number detected in user input',id:'920013',tag:'PCI/10.2',severity:'5'"
# Discover
SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Discover Credit Card Number detected in user input',id:'920015',tag:'PCI/10.2',severity:'5'"
# JCB
SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'JCB Credit Card Number detected in user input',id:'920017',tag:'PCI/10.2',severity:'5'"
SecMarker END_KNOWN_CC_INBOUND_CHECK
# Detect CC# in output and block transaction
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
"phase:4,id:'981080',t:none,pass,nolog,skip:1"
SecAction "phase:4,id:'981081',t:none,pass,nolog,skipAfter:END_KNOWN_CC_OUTBOUND_CHECK"
# GSA SmartPay
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'GSA SmartPay Card Number sent from site to user',id:'920020',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# MasterCard
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'MasterCard Credit Card Number sent from site to user',id:'920006',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# Visa
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Visa Credit Card Number sent from site to user',id:'920008',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# American Express
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'American Express Credit Card Number sent from site to user',id:'920010',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# Diners Club
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Diners Club Credit Card Number sent from site to user',id:'920012',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# enRoute
#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
# "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'enRoute Credit Card Number sent from site to user',id:'920014',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
# SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
# SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# Discover
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Discover Credit Card Number sent from site to user',id:'920016',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
# JCB
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'JCB Credit Card Number sent from site to user',id:'920018',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
SecMarker END_KNOWN_CC_OUTBOUND_CHECK

47
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_42_comment_spam.conf
View File

@ -1,47 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Comment spam is an attack against blogs, guestbooks, wikis and other types of
# interactive web sites that accept and display hyperlinks submitted by
# visitors. The spammers automatically post specially crafted random comments
# which include links that point to the spammer's web site. The links
# artificially increas the site's search engine ranking and may make the site
# more noticable in search results.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
SecMarker END_RBL_LOOKUP
SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecMarker END_RBL_CHECK
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_42_comment_spam.data" \
"chain,phase:2,rev:'2.2.6',t:none,t:lowercase,pass,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla\/4\.0\+?\(|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc)"
# Prequalifier. Look for <http> first
SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
SecAction phase:2,rev:'2.2.6',pass,nolog,skipAfter:END_COMMENT_SPAM
# Look for 2 ways of posting a link
SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950923',severity:'2'"
SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{tx.0}'"
# Look for too many links in an argument (Prone to FPs)
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
SecMarker END_COMMENT_SPAM

109
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_43_csrf_protection.conf
View File

@ -1,109 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# You must have also activated the 16 session hijacking conf file as
# it initiates the Session Collection and creates the CSRF token
#
#
# CSRF Protections
#
# Must set this directive to On to inject content in the response.
#
SecContentInjection On
#
# It is most likely not appropriate to force CSRF tokens/validation on *all* resources.
# You should edit the LocationMatch Regular Expression below and specify what resources
# you wish to protect. Some ideas would be for post-authentiacation directories, etc...
#
# Limitations - this implementation does not currently work with AJAX
#
<LocationMatch .*>
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"
SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"
#
# This rule will use Content Injection to append the CSRF Token
#
SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
\
var tokenName = \'CSRF_TOKEN\'; \
var tokenValue = \'%{session.csrf_token}\'; \
\
function updateTags() { \
\
var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
var len = all.length; \
\
for(var i=0; i<len; i++) { \
var e = all[i]; \
\
updateTag(e, \'src\'); \
updateTag(e, \'href\'); \
} \
} \
\
function updateForms() { \
\
var forms = document.getElementsByTagName(\'form\'); \
\
for(i=0; i<forms.length; i++) { \
var html = forms[i].innerHTML; \
\
html += \'<input type=hidden name=\' + tokenName + \' value=\' + tokenValue + \' />\'; \
\
forms[i].innerHTML = html; \
} \
\
} \
\
function updateTag(element, attr) { \
\
var location = element.getAttribute(attr); \
\
if(location != null && location != \'\' && isHttpLink(location)) { \
\
var index = location.indexOf(\'?\'); \
\
if(index != -1) { \
location = location + \'&\' + tokenName + \'=\' + tokenValue; \
} else { \
location = location + \'?\' + tokenName + \'=\' + tokenValue; \
} \
\
element.setAttribute(attr, location); \
\
} \
\
} \
\
function isHttpLink(src) { \
var result = 0; \
\
if(src.substring(0, 4) != \'http\' || src.substring(0, 1) == \'/\') { \
result = 1; \
} \
\
return result; \
} \
\
updateTags(); \
updateForms(); \
\
</script></html>'"
</LocationMatch>

17
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_46_av_scanning.conf
View File

@ -1,17 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Modify the operator to use the correct AV scanning script/tool
# Example tools are in the util directory.
#
SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \
"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

21
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
View File

@ -1,21 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset is a complementary to ruleset 34 - Ignore Static. By default,
# ruleset 34 doesn't skip inspection for leakages in html/documents.
# Adding this ruleset to your configuration will cause ModSecurity to also
# skip the rules in files
#
# Skip outbound inspection on requests for text content which have no parameters
SecRule TX:text_file_extension "@eq 1" "chain,phase:3,allow,nolog,id:'999008',severity:'6'"
SecRule TX:no_parameters "@eq 1"

52
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_49_header_tagging.conf
View File

@ -1,52 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This file will add Request Header Tagging which allows ModSecurity to communicate
# any event/rule matches it finds with the downstream application server. The concept
# is similar to that of Anti-SPAM apps for Email (such as SpamAssassin).
#
# The idea is that if the WAF is in a DetectionOnly mode, it can still share data
# with the destination app server and then the app server may choose to inspect
# the new WAF request headers and factor in this data into a possible blocking
# decision.
#
# This concept is tremendously useful in a distributed architecture and/or when
# there are Fraud Detection Systems at the app server layer that can correlate
# the WAF data into the overall Fraud Score. This is also useful in Hosting
# Environments where the decision to block may not be as clear.
#
SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'981173',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING"
SecRule TX:/^\d/ "." "phase:2,id:'981174',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
SecMarker END_HEADER_TAGGING

190
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_application_defects.conf
View File

@ -1,190 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
##############################################################################
# -=[ Charset Checks ]=-
#
# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
##############################################################################
#
# [ Charset not set ]
#
# - http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms
#
SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:5,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0"
SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:5,t:none,pass,id:'981220',log,msg:'[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'APP_DEFECT/MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms'"
SecRule RESPONSE_STATUS "@rx ^2" "chain"
SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);?$)" "chain"
SecRule RESPONSE_BODY "!@rx (?i:(<meta.*?(content|value)=\"text/html;\s?charset=|<\?xml.*?encoding=))" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400"
#
# [ Charset not explicitly set to UTF-8 in HTML/XML content ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:5,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0"
SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:5,t:none,pass,id:'981222',log,msg:'[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'"
SecRule RESPONSE_STATUS "@rx ^2" "chain"
SecRule RESPONSE_CONTENT_TYPE "(?i:(^text/html|^application/xml|^text/xml))" "chain"
SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase"
SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
SecRule RESPONSE_BODY "!@rx (<meta.*?(content|value)=\"text/html;\s?charset=utf-8|<\?xml.*?encoding=\"utf-8\")" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400"
#
# [ Detect charset mismatches between HTTP header and HTML/XML bodies ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch
# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
#
SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:5,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0"
SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:5,t:none,pass,id:'981224',log,msg:'[Watcher Check] The charset specified was not the same in the HTTP Content-Type header and in the HTML content\'s meta tag',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'"
SecRule RESPONSE_STATUS "@rx ^2" "chain"
SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);\s?charset=([^;]*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.2}"
SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
SecRule RESPONSE_BODY "(?i)(charset|encoding)=\"?(.*?)\"" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.2}"
SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400"
##############################################################################
# -=[ Cookie Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
##############################################################################
#
# [ Look for cookies with loosely scoped domain restrictions ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain
# - http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
#
SecRule &GLOBAL:LOOSE_DOMAIN_SCOPE "@eq 0" "phase:5,t:none,nolog,pass,id:'981237',setvar:global.loose_domain_scope=0"
SecRule GLOBAL:LOOSE_DOMAIN_SCOPE "@le 10" "chain,phase:5,id:'981238',t:none,pass,log,auditlog,msg:'AppDefect: Loose Domain Cookie Flag Restrictions.',logdata:'Cookie: %{tx.1} and Domain: %{tx.2}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain'"
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!@rx (?i)domain=(?:(?!\d|-)[a-zA-Z0-9\-]{1,63}(?<!-)\.)([a-zA-Z0-9\-]{1,63}(?<!-)\.)(?:[a-zA-Z]{2,})" "chain,setvar:tx.set-cookie-counter=+1,setvar:tx.%{matched_var_name}_%{tx.set-cookie-counter}=%{matched_var}"
SecRule TX:/^RESPONSE_HEADERS:Set-Cookie2?_/ "(?i)^(.*?);.*domain=(.*?);" "capture,setvar:global.loose_domain_scope=+1,expirevar:global.loose_domain_scope=86400"
#
# [ Cookie's HttpOnly Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag
# - https://www.owasp.org/index.php/HttpOnly
#
SecRule &GLOBAL:MISSING_HTTPONLY "@eq 0" "phase:5,t:none,nolog,pass,id:'981235',setvar:global.missing_httponly=0"
SecRule GLOBAL:MISSING_HTTPONLY "@le 10" "chain,phase:5,id:'981184',t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag'"
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*httponly.*)(.*$)" "capture,setvar:global.missing_httponly=+1,expirevar:global.missing_httponly=86400"
#
# [ Fix Missing "httponly" Flag ]
#
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"
#
# [ Cookie's Secure Flag Was Not Set ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag
# - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_.22Secure.22_Cookie_Flag
#
SecRule &GLOBAL:MISSING_SECURE "@eq 0" "phase:3,t:none,nolog,pass,id:'981236',setvar:global.missing_secure=0"
SecRule GLOBAL:MISSING_SECURE "@le 10" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag'"
SecRule SERVER_PORT "@streq 443" "chain,t:none,setenv:secure_site"
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*secure.*)(.*$)" "capture,setvar:global.missing_secure=+1,expirevar:global.missing_secure=86400"
#
# [ Fix Missing "secure" Flag ]
#
Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site
##############################################################################
# -=[ HTTP Header Checks ]=-
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#header
##############################################################################
#
# [ Check that the cache-control HTTP header is set to 'no-store' ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
#
SecRule &GLOBAL:CHECK_CACHE_CONTROL "@eq 0" "phase:5,t:none,nolog,pass,id:'981239',setvar:global.check_cache_control=0"
SecRule GLOBAL:CHECK_CACHE_CONTROL "@le 10" "chain,phase:5,id:'981240',t:none,pass,log,auditlog,msg:'AppDefect: Cache-Control Response Header Missing \'no-store\' flag.',logdata:'Cache-Control: %{response_headers.cache-control}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store'"
SecRule RESPONSE_HEADERS:Cache-Control "!@contains no-store" "t:none,t:lowercase,setvar:global.check_cache_control=+1,expirevar:global.check_cache_control=86400"
#
# [ Check that a Content-Type header is included in the HTTP response ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing
#
SecRule &GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@eq 0" "phase:5,t:none,nolog,pass,id:'981400',setvar:global.content_type_header_exists=0"
SecRule GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@le 10" "chain,phase:5,id:'981401',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing or Empty.',logdata:'Content-Type: %{response_headers.content-type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing'"
SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "t:none,setvar:global.content_type_header_exists=+1,expirevar:global.content_type_header_exists=86400"
#
# [ Check that IE's XSS protection filter is not being disabled by the Web-application ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled
#
SecRule &GLOBAL:X_XSS_PROTECTION_DISABLED "@eq 0" "phase:5,t:none,nolog,pass,id:'981402',setvar:global.x_xss_protection_disabled=0"
SecRule GLOBAL:X_XSS_PROTECTION_DISABLED "@le 10" "chain,phase:5,id:'981403',t:none,pass,log,auditlog,msg:'AppDefect: IE8\'s XSS protection Filter is Disabled.',logdata:'X-XSS-Protection: %{response_headers.x-xss-protection}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled'"
SecRule RESPONSE_HEADERS:X-XSS-Protection "@streq 0" "t:none,setvar:global.x_xss_protection_disabled=+1,expirevar:global.x_xss_protection_disabled=86400"
#
# [ Check that the X-FRAME-OPTIONS header is being set for Clickjacking defense ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options
#
SecRule &GLOBAL:X_FRAME_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981404',setvar:global.x_frame_options=0"
SecRule GLOBAL:X_FRAME_OPTIONS "@le 10" "chain,phase:5,id:'981405',t:none,pass,log,auditlog,msg:'AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny.',logdata:'X-FRAME-OPTIONS: %{response_headers.x-frame-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options'"
SecRule &RESPONSE_HEADERS:X-FRAME-OPTIONS|RESPONSE_HEADERS:X-FRAME-OPTIONS "^(?i:0|allow)$" "t:none,setvar:global.x_frame_options=+1,expirevar:global.x_frame_options=86400"
#
# [ Checks that the X-CONTENT-TYPE-OPTIONS defense against MIME-sniffing has been declared ]
#
# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options
#
SecRule &GLOBAL:X_CONTENT_TYPE_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981406',setvar:global.x_content_type_options=0"
SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "chain,phase:5,id:'981407',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to \'nosniff\'.',logdata:'X-Content-Type-Options: %{response_headers.x-content-type-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options'"
SecRule GLOBAL:X_CONTENT_TYPE_OPTIONS "@le 10" "chain"
SecRule &RESPONSE_HEADERS:X-Content-Type-Options|RESPONSE_HEADERS:X-Content-Type-Options "^0$|^[a-z]+(?<!:nosniff)" "t:none,t:lowercase,setvar:global.x_content_type_options=+1,expirevar:global.x_content_type_options=86400"
# XSS Detection - Missing Output Encoding
#
SecAction "phase:1,nolog,pass,initcol:global=xss_list"
#
# Identifies Reflected XSS
# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
#
SecRule &ARGS "@gt 0" "chain,phase:4,id:'981179',t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"
#
# Check to see if TX XSS Data is already in the GLOBAL list. If it is - expire it.
SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1"
SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"
#
# Identifies Stored XSS
# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"

22
iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_marketing.conf
View File

@ -1,22 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# These rules do not have a security importance, but shows other benefits of
# monitoring and logging HTTP transactions.
# --
SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
"phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'MSN robot activity',id:'910008',severity:'6'"
SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
"phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'Yahoo robot activity',id:'910007',severity:'6'"
SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
"phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'Google robot activity',id:'910006',severity:'6'"

45
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_joomla.data
View File

@ -1,45 +0,0 @@
/acomponents/com_mamboleto/mamboleto.php
/admin.rssreader.php
/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
/administrator/components/com_sqlreport/ajax/print.php
/administrator/components/com_universal/includes/config/config.html.php
/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
/administrator/components/com_xcloner-backupandrestore/index2.php
/com_koesubmit/koesubmit.php
/com_ongumatimesheet20/lib/onguma.class.php
/com_rwcards/rwcards.advancedate.php
/com_swmenupro/ImageManager/Classes/ImageManager.php
/com_xmovie/helpers/img.php
/components/com_ajaxchat/tests/ajcuser.php
/components/com_banners/banners.class.php
/components/com_ezine/class/php/d4m_ajax_pagenav.php
/components/com_intuit/models/intuit.php
/components/com_jcalpro/cal_popup.php
/components/com_mediaslide/viewer.php
/components/com_mgm/help.mgm.php
/components/com_mojo/wp-comments-post.php
/components/com_mojo/wp-trackback.php
/components/com_moofaq/includes/file_includer.php
/components/com_morfeoshow/morfeoshow.html.php
/components/com_smartformer/smartformer.php
/components/com_xgallery/helpers/img.php
/config.dadamail.php
/database/table/user.php
/example.php
/gmail.php
/index.php
/letterman.class.php
/models/category.php
/modules/mod_mainmenu/menu.php
/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php
/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php
/plugins/authentication/ldap.php
/plugins/search/categories.php
/plugins/search/contacts.php
/plugins/search/content.php
/plugins/search/sections.php
/plugins/search/weblinks.php
/plugins/user/example.php
/real_estate/index.php
admin.ponygallery.html.php

162
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_lfi.data
View File

@ -1,162 +0,0 @@
/123flashchat.php
/ADM_Pagina.php
/ST_browsers.php
/ST_countries.php
/ST_platforms.php
/_conf/core/common-tpl-vars.php
/_footer.php
/_functions.php
/acopia/manager/DiagCaptureFileListActionBody.do
/acopia/manager/DiagLogListActionBody.do
/acopia/sat/ViewInventoryErrorReport.do
/acopia/sat/ViewSatReport.do
/active_auctions.php
/addedit-render.php
/admin/admin_groups_reapir.php
/admin/admin_smilies.php
/admin/admin_words.php
/admin/loadplugin.php
/admin/thumbnailformpost.inc.php
/admin/upgrade_unattended.php
/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
/api/download_launch.php
/arch.php
/artmedic_print.php
/authenticate/sessions.php
/baconmap/admin/updatelist.php
/bin/qte_init.php
/block_center_down.php
/block_center_top.php
/block_left.php
/block_right.php
/body_default.php
/books/getConfig.php
/centre.php
/chat/dac.php
/classes/BxDolGzip.php
/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php
/classes/flash_mp3_player/extras/external_feeds/getfeed.php
/cms_detect.php
/com_xmovie/helpers/img.php
/components/com_intuit/models/intuit.php
/components/com_mediaslide/viewer.php
/components/com_moofaq/includes/file_includer.php
/components/com_xgallery/helpers/img.php
/config.dadamail.php
/config.php
/container.php
/content/dynpage_load.php
/cron.php
/cuenta/cuerpo.php
/cultbooking.php
/debugger/debug_php.php
/detail.php
/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php
/dm-albums/template/album.php
/doku.php
/download.php
/examples/tbs_us_examples_0view.php
/export.php
/footer.inc.php
/forum.php
/gradebook/open_document.php
/header.inc.php
/header.php
/include/global.php
/include/timesheet.php
/include/unverified.inc.php
/includes/esqueletos/skel_null.php
/includes/function_core.php
/includes/header.php
/includes/initsystem.php
/includes/startmodules.inc.php
/index.php
/index_inc.php
/infusions/last_seen_users_panel/last_seen_users_panel.php
/init.php
/latestposts.php
/lib/function.php
/lib/lcUser.php
/library/setup/rpc.php
/locales.php
/locms/smarty.php
/login.tpl.php
/main.inc.php
/maincore.php
/message_class.php
/mini.php
/mods/ckeditor/filemanager/connectors/php/connector.php
/module.php
/modules/3rdparty/adminpart/add3rdparty.php
/modules/articles/adminpart/addarticles.php
/modules/brandnews/adminpart/addbrandnews.php
/modules/comments.php
/modules/contact/adminpart/addcontact.php
/modules/core/security/init.php
/modules/game/adminpart/addgame.php
/modules/login.php
/modules/maticmarket/bleu/blanc/bas.php
/modules/maticmarket/bleu/blanc/haut.php
/modules/maticmarket/bleu/default/bas.php
/modules/maticmarket/bleu/default/haut.php
/modules/maticmarket/bleu/gold/bas.php
/modules/maticmarket/bleu/gold/haut.php
/modules/maticmarket/deco/blanc/bas.php
/modules/maticmarket/deco/blanc/haut.php
/modules/newsletter/adminpart/addnewsletter.php
/modules/plain/adminpart/addplain.php
/modules/polling/adminpart/addpolling.php
/modules/product/adminpart/addproduct.php
/modules/profile/user.php
/modules/tour/adminpart/addtour.php
/news/search.php3
/news_show.php
/oldnews_reader.php
/op/op.Login.php
/passwiki.php
/pcltar.lib.php
/plog-includes/lib/phpthumb/phpThumb.php
/plugin/gateway/gnokii/init.php
/plugin/themes/default/init.php
/plugins/PluginController.php
/plugins/filemanager/get_file.php
/plugins/templateie/lib/templateie_install.class.php
/pmscript.php
/portfolio/css.php
/preview.php
/qlib/smarty.inc.php
/qte_web.php
/resource_categories_view.php
/scr/soustab.php
/section.php
/server_request.php
/show_joined.php
/sitemap.xml.php
/snippet.reflect.php
/spaw_control.class.php
/stage1.php
/stage4.php
/stage6.php
/telecharger.php
/templater.php
/templates/layout_lyrics.php
/threadstop/threadstop.php
/tiki-jsplugin.php
/update_trailer.php
/urheber.php
/util/barcode.php
/vars.inc.php
/viewsource.php
/website.php
/windetail.php
/window_down.php
/window_top.php
/wp-content/plugins/jquery-mega-menu/skin.php
/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
/wp-content/plugins/ungallery/source_vuln.php
/wp-content/plugins/wp-publication-archive/includes/openfile.php
/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
app=urchin.cgi
functions_navlinks.php
profile_send.php
viewtopic_PM-link.php

10
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_phpbb.data
View File

@ -1,10 +0,0 @@
.php
/acp_lcxbbportal.php
/admin/admin_acronyms.php
/admin/admin_groups_reapir.php
/admin/admin_smilies.php
/admin/admin_words.php
/admin_hacks_list.php
/include/global.php
/index.php
/portal_block.php

485
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_rfi.data
View File

@ -1,485 +0,0 @@
.php
/123flashchat.php
/2checkout_return.inc.php
/ADM_Pagina.php
/Admin/ResellersManager.class.php
/Base/example_1.php
/Clickheat/Cache.php
/Clickheat_Heatmap.php
/CoupleDB.php
/Customers/PDPEmailReplaceConstants.class.php
/DB_adodb.class.php
/Framework/EmailTemplates.class.php
/GlobalVariables.php
/HTMLSax3.php
/LSTable.php
/OpenSiteAdmin/pages/pageHeader.php
/ST_browsers.php
/ST_countries.php
/ST_platforms.php
/SezHooTabsAndActions.php
/Thumbnail.php
/_conf/core/common-tpl-vars.php
/_footer.php
/_functions.php
/acomponents/com_mamboleto/mamboleto.php
/acopia/manager/DiagCaptureFileListActionBody.do
/acopia/manager/DiagLogListActionBody.do
/acopia/sat/ViewInventoryErrorReport.do
/acopia/sat/ViewSatReport.do
/acp_lcxbbportal.php
/action.php
/active_auctions.php
/activities/workflow-activities.php
/add_comments.php
/addedit-render.php
/adm/krgourl.php
/admin.googlebase.php
/admin.rssreader.php
/admin/admin_groups_reapir.php
/admin/admin_news_bot.php
/admin/admin_smilies.php
/admin/admin_words.php
/admin/frontpage_right.php
/admin/global.php
/admin/loadplugin.php
/admin/thumbnailformpost.inc.php
/admin/upgrade_unattended.php
/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php
/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php
/administrator/components/com_jwmmxtd/admin.jwmmxtd.php
/administrator/components/com_universal/includes/config/config.html.php
/administrator/components/com_xcloner-backupandrestore/cloner.cron.php
/application/views/public/commentform.php
/arch.php
/archive.php
/ardeaCore/lib/core/ardeaBlog.php
/ardeaCore/lib/core/ardeaInit.php
/ardeaCore/lib/core/mvc/ardeaMVC.php
/artmedic_print.php
/assets/plugins/mp3_id/mp3_id.php
/authenticate/sessions.php
/awcm/control/common.php
/awcm/header.php
/awcm/includes/window_top.php
/baconmap/admin/updatelist.php
/base/Archive.php
/base/Comments.php
/base/News.php
/base/SendFriend.php
/base_qry_common.php
/base_stat_common.php
/basicfogfactory.class.php
/bazar/picturelib.php
/berylium-classes.php
/bin/qte_init.php
/block.php
/block_center_down.php
/block_center_top.php
/block_left.php
/block_right.php
/blocks/file/controller.php
/blocks/headerfile.php
/body_comm.inc.php
/body_default.php
/centre.php
/ch_readalso.php
/chat/dac.php
/checkout.php
/class.csv.php
/class.phpmailer.php
/class_yapbbcooker.php
/classes/excel/class.writeexcel_workbook.inc.php
/classes/excel/class.writeexcel_worksheet.inc.php
/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php
/classes/flash_mp3_player/extras/external_feeds/getfeed.php
/cms/modules/form.lib.php
/cms_detect.php
/collectivite.class.php
/com_del.php
/com_koesubmit/koesubmit.php
/com_ongumatimesheet20/lib/onguma.class.php
/com_rwcards/rwcards.advancedate.php
/com_swmenupro/ImageManager/Classes/ImageManager.php
/com_xmovie/helpers/img.php
/comments.php
/common.php
/common/errormsg.php
/common/func.php
/components/com_ajaxchat/tests/ajcuser.php
/components/com_banners/banners.class.php
/components/com_ezine/class/php/d4m_ajax_pagenav.php
/components/com_intuit/models/intuit.php
/components/com_jcalpro/cal_popup.php
/components/com_mediaslide/viewer.php
/components/com_mgm/help.mgm.php
/components/com_mojo/wp-comments-post.php
/components/com_mojo/wp-trackback.php
/components/com_moofaq/includes/file_includer.php
/components/com_morfeoshow/morfeoshow.html.php
/components/com_smartformer/smartformer.php
/components/com_smf/smf.php
/components/com_xgallery/helpers/img.php
/config.dadamail.php
/config.php
/container.php
/content/dynpage_load.php
/content/themes/softsaurus_default/pages/subHeader.php
/content/themes/softsaurus_stretched/pages/subHeader.php
/core/includes/gfw_smarty.php
/courrier.class.php
/cron.php
/cuenta/cuerpo.php
/cultbooking.php
/customer_ftp.php
/datumscalc.php
/debugger.php
/debugger/debug_php.php
/define.php
/detail.php
/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php
/display.php
/dm-albums/template/album.php
/doku.php
/dompdf.php
/don3_requiem.php
/dosearch.php
/download.php
/downloads.php
/dp_logs.php
/e-pay/src/a_affil.php
/e107_handlers/secure_img_handler.php
/e107_plugins/trackback/trackbackClass.php
/editor/edit_htmlarea.php
/editors/FCKeditor/editor_registry.php
/editors/dhtmltextarea/editor_registry.php
/editors/tinymce/editor_registry.php
/emailsender.php
/embedforum.php
/engine/api/api.class.php
/example_clientside_javascript.php
/examples/tbs_us_examples_0view.php
/examples/widget8.php
/export.php
/export_batch.inc.php
/extensions/saurus4/captcha_image.php
/familynews.php
/faq.php
/filepool.php
/files/blocks/latest_files.php
/filters/headerfile.php
/fonctions_racine.php
/footer.inc.php
/footer.php
/forum.php
/forums/blocks/latest_posts.php
/frontpage.php
/ftp.php
/functionen/ref_kd_rubrik.php
/functions.php
/functions_install.php
/gallery2/lib/adodb/adodb-error.inc.php
/gbookmx/gbook.php
/get_header.php
/global.php
/groups/headerfile.php
/gunaysoft.php
/handle/proxy.php
/handlers/page/show.php
/header.inc.php
/header.php
/heatmap/_main.php
/heatmap/main.php
/help.php
/hg_referenz_jobgalerie.php
/html.php
/html2.php
/iframe.php
/inc/articles.inc.php
/inc/content.inc.php
/inc/logingecon.php
/include/_bot.php
/include/addons/version/pages/index.inc.php
/include/admin.lib.inc.php
/include/admin/device_admin.php
/include/classes/file.class.php
/include/engine/content/elements/menu.php
/include/global.php
/include/header.php
/include/libs/internals/core.process_compiled_include.php
/include/libs/internals/core.write_compiled_include.php
/include/libs/plugins/function.config_load.php
/include/logout.php
/include/pages/specials.inc.php
/include/payment/payflow_pro.php
/include/prodler.class.php
/include/timesheet.php
/include/top_graph_header.php
/include/unverified.inc.php
/includes/Cache/Lite/Output.php
/includes/ajax_listado.php
/includes/classes/pctemplate.php
/includes/common.php
/includes/competitions/add.php
/includes/competitions/competitions.php
/includes/converter.inc.php
/includes/esqueletos/skel_null.php
/includes/file_manager/special.php
/includes/footer.php
/includes/function_core.php
/includes/header.inc.php
/includes/header.php
/includes/hnmain.inc.php3
/includes/include.php
/includes/includes.php
/includes/init.php
/includes/initsystem.php
/includes/language.php
/includes/messages.inc.php
/includes/settings.inc.php
/includes/settings/settings.php
/includes/startmodules.inc.php
/includes/workspace.php
/index.php
/index_inc.php
/index_logged.php
/infusions/last_seen_users_panel/last_seen_users_panel.php
/init.php
/install.clickheat.php
/install/di.php
/js/wptable-button.php
/js/wptable-tinymce.php
/language/1/splash.lang.php
/last_gallery.php
/latestposts.php
/layout_admin_cfg.php
/layout_cfg.php
/layouts/standard.php
/left_menu.php
/lib.module.php
/lib/FSphp.php
/lib/action/rss.php
/lib/addressbook.php
/lib/function.php
/lib/layout/layoutHeaderFuncs.php
/lib/layout/layoutManager.php
/lib/layout/layoutParser.php
/lib/lcUser.php
/lib/navigation.php
/lib/page/pageDescriptionObject.php
/lib/pathwirte.php
/lib/smarty/SmartyFU.class.php
/libraries/database.php
/libraries/lib-remotehost.inc.php
/library/setup/rpc.php
/libs/db.php
/libs/ftp.php
/libs/lom.php
/libsecure.php
/linkadmin.php
/links/blocks/links.php
/load_lang.php
/locales.php
/locms/smarty.php
/login.php
/login.tpl.php
/logout.php
/lom_update.php
/ltdialogo.php
/main.inc.php
/main/forum/komentar.php
/main_prepend.php
/maincore.php
/membres/membreManager.php
/menu/headerfile.php
/message_class.php
/mini.php
/mod/image/index.php
/mod/liens/index.php
/mod/liste/index.php
/mod/special/index.php
/mod/texte/index.php
/mod/vm/controller/AccessController.php
/mod/vm/model/dao.php
/mods/ckeditor/filemanager/connectors/php/connector.php
/module.php
/module/referenz.php
/modules/3rdparty/adminpart/add3rdparty.php
/modules/admin/include/config.php
/modules/articles/adminpart/addarticles.php
/modules/brandnews/adminpart/addbrandnews.php
/modules/comments.php
/modules/contact/adminpart/addcontact.php
/modules/core/logger/init.php
/modules/core/security/init.php
/modules/dfss/lgsl/lgsl_players.php
/modules/dfss/lgsl/lgsl_settings.php
/modules/formmailer/formmailer.admin.inc.php
/modules/game/adminpart/addgame.php
/modules/guestbook/blocks/control.block.php
/modules/login.php
/modules/maticmarket/bleu/blanc/bas.php
/modules/maticmarket/bleu/blanc/haut.php
/modules/maticmarket/bleu/default/bas.php
/modules/maticmarket/bleu/default/haut.php
/modules/maticmarket/bleu/gold/bas.php
/modules/maticmarket/bleu/gold/haut.php
/modules/maticmarket/deco/blanc/bas.php
/modules/maticmarket/deco/blanc/haut.php
/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php
/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php
/modules/newsletter/adminpart/addnewsletter.php
/modules/noevents/templates/mfa_theme.php
/modules/plain/adminpart/addplain.php
/modules/polling/adminpart/addpolling.php
/modules/product/adminpart/addproduct.php
/modules/profile/user.php
/modules/tour/adminpart/addtour.php
/modules/users/headerfile.php
/monatsblatt.php
/mtdialogo.php
/mw_plugin.php
/nettools.popup.php
/news.php
/news/blocks/latest_news.php
/news/search.php3
/news_show.php
/newscat.php
/nucleus/libs/PLUGINADMIN.php
/nucleus/media.php
/nucleus/xmlrpc/server.php
/obj/action.class.php
/obj/architecte.class.php
/obj/avis.class.php
/obj/bible.class.php
/obj/blocnote.class.php
/oldnews_reader.php
/op/op.Login.php
/overview/main.php
/passwiki.php
/pcltar.lib.php
/pcltrace.lib.php
/pear.php
/pingsvr.php
/plugin/HP_DEV/cms2.php
/plugin/gateway/gnokii/init.php
/plugin/themes/default/init.php
/plugin_admin.php
/plugins/PluginController.php
/plugins/filemanager/get_file.php
/plugins/templateie/lib/templateie_install.class.php
/pmscript.php
/portal_block.php
/portfolio/css.php
/prepend.php
/preview.php
/produkte_nach_serie.php
/produkte_nach_serie_alle.php
/profil.class.php
/psg.smarty.lib.php
/public/code/cp_html2xhtmlbasic.php
/qlib/smarty.inc.php
/qte_web.php
/real_estate/index.php
/ref_kd_rubrik.php
/resource_categories_view.php
/resources/includes/class.Smarty.php
/rss_importer_functions.php
/run_auto_suspend.cron.php
/safehtml.php
/scorm/lib.inc.php
/scr/soustab.php
/scripts/check-lom.php
/scripts/weigh_keywords.php
/search.php
/section.php
/send_email_cache.php
/send_reminders.php
/server_request.php
/settings.php
/settings/headerfile.php
/show_joined.php
/site_conf.php
/sitemap.xml.php
/skins/header.php
/skins/phpchess/layout_t_top.php
/slogin_lib.inc.php
/smallaxe-0.3.1/inc/linkbar.php
/snippet.reflect.php
/spaw_control.class.php
/stage1.php
/stage4.php
/stage6.php
/standard/1/lay.php
/standard/3/lay.php
/startup.php
/sublink.php
/surfer_aendern.php
/surfer_anmeldung_NWL.php
/system/pageTemplate.php
/system/utilities.php
/templater.php
/templates/default/tpl_message.php
/templates/layout_lyrics.php
/test/pages/contact.php
/theme/format.php
/threadstop/threadstop.php
/tiki-jsplugin.php
/tmsp/add_tmsp.php
/tmsp/edit_tmsp.php
/tmsp/subscription.php
/tmsp/tmsp.php
/toolbar.php
/tools/filemanager/skins/mobile/admin1.template.php
/update_trailer.php
/urheber.php
/user/turbulence.php
/utdb_access.php
/utgn_message.php
/util/barcode.php
/utilisateur.class.php
/vars.inc.php
/velid3/getid3.php
/velid3/module.archive.gzip.php
/view_blog_archives.php
/view_blog_comments.php
/view_messages.php
/views/print/printbar.php
/viewsource.php
/viewver.php
/watermark.php
/web/lom.php
/website.php
/windetail.php
/window_down.php
/window_top.php
/wordtube-button.php
/wp-content/plugins/jquery-mega-menu/skin.php
/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
/wp-content/plugins/ungallery/source_vuln.php
/wp-content/plugins/wp-publication-archive/includes/openfile.php
/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
/www/lib/head_auth.php
admin.ponygallery.html.php
app=urchin.cgi
crea.php
create_file.php
droit.class.php
functions_navlinks.php
plugins/links/functions.inc
plugins/polls/functions.inc
plugins/spamx/BlackList.Examine.class.php
plugins/spamx/DeleteComment.Action.class.php
plugins/spamx/EditHeader.Admin.class.php
plugins/spamx/EditIP.Admin.class.php
plugins/spamx/EditIPofURL.Admin.class.php
plugins/spamx/IPofUrl.Examine.class.php
plugins/spamx/Import.Admin.class.php
plugins/spamx/LogView.Admin.class.php
plugins/spamx/MTBlackList.Examine.class.php
plugins/spamx/MailAdmin.Action.class.php
plugins/spamx/MassDelTrackback.Admin.class.php
plugins/spamx/MassDelete.Admin.class.php
plugins/staticpages/functions.inc
profile_send.php
viewtopic_PM-link.php

398
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_sqli.data
View File

@ -1,398 +0,0 @@
/ASPKAT.ASP
/DocPay.w2b
/G_Display.php
/HABERLER.ASP
/HaberDetay.asp
/News/page.asp
/OmegaMw7.asp
/ProductDetails.asp
/Search/DisplayResults.php
/SecureLoginManager/list.asp
/SelGruFra.asp
/Types.asp
/ViewBugs.php
/ViewCat.php
/ViewReport.php
/WorkOrder.do
/account_change.php
/activeNews_categories.asp
/activeNews_comments.asp
/activenews_search.asp
/activenews_view.asp
/actualpic.asp
/ad.asp
/add2.php
/add_comment.php
/addrating.php
/admin.asp
/admin.php
/admin/admin_acronyms.php
/admin/admin_annonce/changeannonce.php
/admin/admin_annonce/okvalannonce.php
/admin/admin_mail_adressee.asp
/admin/admin_membre/fiche_membre.php
/admin/cms/opentree.php
/admin/code/tce_xml_user_results.php
/admin/config.php
/admin/edit.asp
/admin/memberlist.php
/admin/modules/modules.php
/admin_check_user.asp
/admin_hacks_list.php
/admincp.php
/admincp/attachment.php
/administration/administre2.php
/administrator/components/com_sqlreport/ajax/print.php
/albmgr.php
/annonce_detail.php
/applications/SecureLoginManager/inc_secureloginmanager.asp
/aramayap.asp
/archives.php
/articles.asp
/artreplydelete.asp
/auth.php
/badword.asp
/banner.php
/bb-includes/formatting-functions.php
/bexfront.php
/blocks/block-Old_Articles.php
/boxx/ShowAppendix.asp
/bry.asp
/bt-trackback.php
/bus_details.asp
/calendar_detail.asp
/cart.inc.php
/cart.php
/cat.asp
/categoria.php
/category.php
/cats.asp
/cchatbox.php
/cgi-bin/reorder2.asp
/check_vote.php
/class/debug/debug_show.php
/class/table_broken.php
/classes/class.news.php
/classes/class_session.php
/classified_img.php
/code/guestadd.php
/com_comment.php
/comersus_optReviewReadExec.asp
/comment.php
/comments.php
/compareHomes.asp
/compare_product.php
/connexion.php
/content.asp
/content.php
/content/rubric/index.php
/country_escorts.php
/coupon_detail.asp
/dagent/downloadreport.asp
/database/table/user.php
/db_ecard.php
/default.asp
/default2.asp
/detail.asp
/detail.php
/details.asp
/dettaglio.asp
/devami.asp
/diary.php
/dirSub.asp
/dircat.asp
/directions.php
/directory.php
/dispimage.asp
/displayCalendar.asp
/display_review.php
/displaypic.asp
/dl.php
/dlwallpaper.php
/down.asp
/down_indir.asp
/download_image.asp
/dsp_page.cfm
/duyuru.asp
/eWebQuiz.asp
/edit.asp
/edit_day.php
/email.php
/error.asp
/etkinlikbak.asp
/example.php
/faq.php
/faqDsp.asp
/filecheck.php
/filelist.asp
/filemgmt/singlefile.php
/forgotpass.asp
/forum.asp
/forum.php
/forum/include/error/autherror.cfm
/forum/modules/gallery/post.php
/forum/pop_up_member_search.asp
/forum2.asp
/forums.php
/friend.php
/functions.php
/functions/functions_filters.asp
/gallery.asp
/gallery.php
/game.php
/game_listing.php
/getnewsitem.php
/giris.asp
/giris_yap.asp
/glossaire-p-f.php
/gmail.php
/goster.asp
/guestbook.php
/h_goster.asp
/haber.asp
/haberdetay.asp
/haberoku.asp
/hilfsmittel.php
/home.php
/homeDetail.asp
/html/studentmain.php
/i-search.php
/imprimir.php
/inc/class_users.php
/inc/common.php
/inc_listnews.asp
/include.php
/includes/a_register.asp
/includes/mambo.php
/includes/nsbypass.php
/includes/rating.php
/index.asp
/index.cfm
/index.php
/index1.asp
/info_book.asp
/info_user.asp
/informacion_general.php
/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php
/infusions/teams_structure/team.php
/inlinemod.php
/inout/status.asp
/inout/update.asp
/install.php
/interna.php
/item.asp
/item.php
/item_list.asp
/item_show.asp
/ixm_ixpnews.php
/journal.php
/jtfwcpnt.jsp
/jump.php
/kategori.asp
/kernel/group.php
/kullanicilistesi.asp
/letterman.class.php
/lib/entry_reply_entry.php
/links.php
/linkslist.asp
/lire-avis.php
/list.asp
/list.php
/list_comments.php
/listfull.asp
/listings.asp
/listmain.asp
/listmembers.php
/listpics.asp
/login.asp
/login.php
/login/register.asp
/logon_user.php
/low.php
/mailer.w2b
/main.asp
/main/auth/my_progress.php
/main_page.php
/mainfile.php
/manufacturer.php
/meal_rest.asp
/members.asp
/mesajkutum.asp
/mezungiris.asp
/minbrowse.php
/mod.php
/mod_banners.php
/model-kits.php
/models/category.php
/modules.php
/modules/Advertising/admin/index.php
/modules/News/index.php
/modules/Surveys/modules.php
/modules/admin/modules/gallery.php
/modules/bms/invoices_discount_ajax.php
/modules/comments/json.php
/modules/mod_mainmenu/menu.php
/moscomment.php
/mystats.php
/navigacija.php
/news.asp
/news.php
/news_detail.asp
/news_page.asp
/newsdetail.asp
/newsletters/edition.php
/nickpage.php
/notaevento.php
/nukesentinel.php
/ogretmenkontrol.asp
/oku.asp
/openPolicy.asp
/open_tree.php
/openlink.asp
/orange.asp
/order-track.php
/ossim/repository/repository_attachment.php
/outputs.php
/page.asp
/page.php
/pages/addcomment2.php
/pfs/pfs.edit.inc.php
/philboard_forum.asp
/phonemessage.asp
/php-stats.recphp.php
/plugins/authentication/ldap.php
/plugins/campsiteattachment/attachments.php
/plugins/ipsearch/ipsearch.admin.php
/plugins/mp3playlist/mp3playlist.php
/plugins/pdfClasses/pdfgen.php
/plugins/search/categories.php
/plugins/search/contacts.php
/plugins/search/content.php
/plugins/search/sections.php
/plugins/search/weblinks.php
/plugins/user/example.php
/plus/feedback_js.php
/pms.php
/pollmentorres.asp
/polls.php
/pop_profile.asp
/post.php
/postingdetails.php
/preferences.asp
/prikazInformacije.php
/print.asp
/print.php
/printarticle.asp
/printmain.asp
/printview.php
/process.php
/prodList.asp
/product.asp
/product_review.php
/productdetail.asp
/products.asp
/products.php
/program/moduler_banner_aabn.php
/public/code/cp_downloads.php
/public/code/cp_menu_data_file.php
/publication_view.asp
/publications_list.asp
/qte_result.php
/question.php
/rating.asp
/read/index.php
/recipe.php
/refund_request.php
/register.php
/repass.php
/res_details.asp
/result.asp
/result.php
/roleManager.jsp
/rss.asp
/rss/show_webfeed.php
/samples/with_db/loaddetails.php
/save.php
/search.asp
/search.php
/search_listing.asp
/searchkey.asp
/searchmain.asp
/searchoption.asp
/section/default.asp
/send_password_preferences.asp
/sendarticle.asp
/set_preferences.asp
/shared/code/cp_authorization.php
/shared/code/cp_functions_downloads.php
/shopgiftregsearch.asp
/show_joined.php
/show_news.php
/show_owned.php
/showcats.php
/showfile.asp
/simplog/archive.php
/simplog/index.php
/site_info.php
/slideshow.asp
/sptrees/default.aspx
/style.php
/stylesheet.php
/subcat.php
/system/core/users/users.register.inc.php
/system/index.php
/takefreestart.php
/tde_busca/processaPesquisa.php
/templates/modif.html
/thread.php
/thumbnails.asp
/thumbnails.php
/topic_title.php
/torrents.php
/tracking/courseLog.php
/types.asp
/update_profile.php
/urunbak.asp
/user.asp
/user.php
/user_confirm.asp
/user_pages/page.asp
/userdetail.php
/usergroups.php
/usermgr.php
/users.php
/utilities/usermessages.asp
/uye_giris_islem.asp
/vBSupport.php
/vdateUsr.asp
/vehiclelistings.asp
/verify.php
/vf_memberdetail.asp
/view.php
/view_gallery.asp
/view_profile.php
/view_recent.asp
/viewad.asp
/viewcat.php
/viewimage.php
/viewlinks.asp
/viewthread.php
/virtuemart_parser.php
/visu_user.asp
/voirannonce.php
/wallpaper.php
/wbsearch.aspx
/web/classes/autocomplete.php
/windows.asp
/wp-admin/admin-ajax.php
/wp-admin/admin-functions.php
/wp-content/plugins/1-flash-gallery/massedit_album.php
/wp-content/plugins/cpl/cplphoto.php
/wp-content/plugins/flash-album-gallery/lib/hitcounter.php
/wp-content/plugins/forum-server/feed.php
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
/wp-trackback.php
/xNews.php
/xmlrpc.php
graph_view.php
tree.php

41
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_wordpress.data
View File

@ -1,41 +0,0 @@
/books/getConfig.php
/js/modalbox/tests/functional/_ajax_method_get.php
/js/wptable-button.php
/js/wptable-tinymce.php
/plugins/accept-signups/accept-signups_submit.php
/plugins/feedlist/handler_image.php
/plugins/inline-gallery/browser/browser.php
/plugins/socialgrid/static/js/inline-admin.js.php
/rss/show_webfeed.php
/sidebar.php
/wordtube-button.php
/wp-admin/admin-ajax.php
/wp-admin/admin-functions.php
/wp-admin/admin.php
/wp-content/plugins/1-flash-gallery/folder.php
/wp-content/plugins/1-flash-gallery/massedit_album.php
/wp-content/plugins/audio/getid3/demos/demo.browse.php
/wp-content/plugins/cpl/cplphoto.php
/wp-content/plugins/firestats/php/window-add-excluded-ip.php
/wp-content/plugins/firestats/php/window-add-excluded-url.php
/wp-content/plugins/firestats/php/window-new-edit-site.php
/wp-content/plugins/flash-album-gallery/lib/hitcounter.php
/wp-content/plugins/forum-server/feed.php
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
/wp-content/plugins/jquery-mega-menu/skin.php
/wp-content/plugins/lazyest-gallery/lazyest-popup.php
/wp-content/plugins/nextgen-gallery/xml/media-rss.php
/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
/wp-content/plugins/ungallery/source_vuln.php
/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
/wp-content/plugins/wp-cumulus/tagcloud.swf
/wp-content/plugins/wp-publication-archive/includes/openfile.php
/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php
/wp-content/plugins/xcloner-backup-and-restore/index2.php
/wp-content/plugins/zotpress/zotpress.image.php
/wp-login.php
/wp-trackback.php
/xmlrpc.php
page=eshop-orders.php
page=eshop-templates.php

179
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_xss.data
View File

@ -1,179 +0,0 @@
/Aris/wflogin.jsp
/Default.aspx
/English_manual_version_2.php
/Forms/home_1
/ReadMsg.php
/ReqWebHelp/advanced/workingSet.jsp
/ReqWebHelp/basic/searchView.jsp
/SearchCenter/Pages/AllResults.aspx
/WebEditor/Authentication/LoginPage.aspx
/WorkArea/reterror.aspx
/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php
/action_create/index.php
/addons/kcfinder/browse.php
/addressbook.cgi
/admin/editListing.php
/admin/queuedMessage.do
/admin/rp-menu.php
/admin/upgrade_unattended.php
/administrator/components/com_xcloner-backupandrestore/index2.php
/all_photos.html
/annonce.php
/appdev/sample/web/hello.jsp
/archiva/admin/addLegacyArtifactPath!commit.action
/archiva/admin/confirmDeleteRepository.action
/archiva/admin/deleteNetworkProxy!confirm.action
/archiva/deleteArtifact!doDelete.action
/archiva/security/roleedit.action
/archiva/security/useredit.action
/archiva/security/userlist!show.action
/awards.php
/awstats/awstats.pl
/basicstats.php
/bizdir/bizdir.cgi
/browseCat.php
/browseSubCat.php
/cacti/utilities.php
/calendar.php
/cand_login.asp
/cat.php
/catalogo.php
/cgi/surgeftpmgr.cgi
/config/edituser.php
/configure_plugin.tpl.php
/console.php
/contact/index.php
/core/themes.php
/cultbooking.php
/dailyview.php
/de/create_account.asp
/de/pda/dev_logon.asp
/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php
/en/front_content.php
/explanation.php
/faces/jsf/tips.jsp
/fetchmailprefs.php
/footer.php
/forcerestart.php
/forcesd.php
/frontend/x3/files/fileop.html
/gnatsweb.pl
/header.php
/hlstats.php
/html/11-login.asp
/html/studentmain.php
/implicit-objects.jsp
/include/sessionRegister.php
/index.php
/js/modalbox/tests/functional/_ajax_method_get.php
/jscripts/folder_rte_files/module_table.php
/lib/jscalendar/test.php
/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php
/listmembers.php
/listmovies.php
/loan.php
/login.php
/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php
/mods/ckeditor/filemanager/connectors/php/upload.php
/module_bbcodeloader.php
/module_div.php
/module_email.php
/module_image.php
/module_link.php
/modules.php
/modules/boonex/custom_rss/post_mod_crss.php
/modules/dl/download.php
/news.asp
/news.php
/news/list/index.php
/news/search.php3
/newsletter/create/index.php
/openBrowser.php
/openTutorial.php
/order_form.php
/patch/single_winner1.php
/picture.php
/plugins/accept-signups/accept-signups_submit.php
/plugins/csstidy/css_optimiser.php
/plugins/feedlist/handler_image.php
/plugins/inline-gallery/browser/browser.php
/plugins/photosmash-galleries/index.php
/plugins/socialgrid/static/js/inline-admin.js.php
/printcal.pl
/private/blade_leds.php
/private/cindefn.php
/private/ipmi_bladestatus.php
/private/pm_temp.php
/private/power_management_policy_options.php
/private/power_module.php
/profiles/html/simpleSearch.do
/rating/postcomments.php
/rating/rate.php
/register.php
/reportItem.do
/room/info_book.asp
/room/week.asp
/scripts/prodList.asp
/search.5.html
/search.php
/search/list/action_search/index.php
/sendcard.php
/sendmail.php
/sessions
/settings.php
/shared/code/cp_authorization.php
/shared/config/cp_config.php
/shipping/methods/fedex_v7/label_mgr/js_include.php
/shipping/pages/popup_shipping/js_include.php
/shopcontent.asp
/showown.php
/sidebar.php
/siteminderagent/forms/smpwservices.fcc
/skins/header.php
/snarf_ajax.php
/sqledit.php
/stats.php
/tagcloud-ru.swf
/tagcloud.swf
/templates/admin_default/confirm.tpl.php
/templates/recruitment/jobVacancy.php
/tiki-featured_link.php
/topFrame.php
/user/User_ChkLogin.asp
/users/payment.php
/usersettings.php
/usrmgr/registerAccount.asp
/vBTube.php
/verify/asp/n6plugindestructor.asp
/vtigerservice.php
/we/include/weTracking/econda/weEcondaImplement.inc.php
/we/include/we_modules/messaging/messaging_show_folder_content.php
/we/include/we_modules/shop/edit_shop_editorFrameset.php
/weapons.php
/web/msgList/viewmsg/actions/msgAnalyse.asp
/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp
/web/msgList/viewmsg/viewHeaders.asp
/web/phpinfo.php
/workarea/medialist.aspx
/wp-content/plugins/1-flash-gallery/folder.php
/wp-content/plugins/audio/getid3/demos/demo.browse.php
/wp-content/plugins/firestats/php/window-add-excluded-ip.php
/wp-content/plugins/firestats/php/window-add-excluded-url.php
/wp-content/plugins/firestats/php/window-new-edit-site.php
/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php
/wp-content/plugins/lazyest-gallery/lazyest-popup.php
/wp-content/plugins/nextgen-gallery/xml/media-rss.php
/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php
/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php
/wp-content/plugins/wp-cumulus/tagcloud.swf
/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php
/wp-content/plugins/xcloner-backup-and-restore/index2.php
/wp-content/plugins/zotpress/zotpress.image.php
/wp-content/themes/redoable/header.php
/wp-content/themes/redoable/searchloop.php
/xperience.php
/zimplit.php
_invoice.asp
page=eshop-orders.php
page=eshop-templates.php
stconf.nsf

1661
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf
View File

File diff suppressed because it is too large Load Diff

1187
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
View File

File diff suppressed because it is too large Load Diff

150
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf
View File

@ -1,150 +0,0 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset was created by Trustwave SpiderLabs Research Team and includes data from:
#
# http://www.emergingthreats.net/
#
SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_slr_et_phpbb.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SLR_ET_PHPBB_RULES"
# (2008964) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /portal_block.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008964,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2008965) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion
SecRule REQUEST_LINE "@contains /acp_lcxbbportal.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008965,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',tag:'web-application-attack',tag:'bugtraq,32647'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=\s*(ftps?|https?|php)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2008938) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion
SecRule REQUEST_LINE "@contains /include/global.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2008938,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',tag:'web-application-attack'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:pfad "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2002731) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt
SecRule REQUEST_LINE "@contains .php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2002731,rev:8,msg:'SLR: ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',tag:'web-application-attack'"
SecRule ARGS:phpbb_root_path "(?i:phpbb_root_path=(ftps?|https?|php))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005967) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005967,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005968) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005968,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2005972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE
SecRule REQUEST_LINE "@contains /admin/admin_acronyms.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2005972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/3033'"
SecRule ARGS:id "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006969) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006969,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006970) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006970,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006971) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006971,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006972) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006972,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006973) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006973,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2006974) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE
SecRule REQUEST_LINE "@contains /admin_hacks_list.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2006974,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/2851'"
SecRule ARGS:hack_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004606) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004606,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004607) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004607,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004608) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004608,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004609) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004609,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004610) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004610,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:ASCII\(.+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2004611) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE
SecRule REQUEST_LINE "@contains /index.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2004611,rev:5,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',tag:'web-application-attack',tag:'url,www.milw0rm.com/exploits/4026'"
SecRule ARGS:c "(?i:UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2009073) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_words.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009073,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2009074) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_groups_reapir.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009074,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
# (2009075) SpiderLabs Research (SLR) Public Vulns: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion
SecRule REQUEST_LINE "@contains /admin/admin_smilies.php" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',severity:'2',id:2009075,rev:3,msg:'SLR: ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',tag:'web-application-attack',tag:'bugtraq,33103'"
SecRule REQUEST_LINE "@contains GET " "chain"
SecRule ARGS:ModName "@contains ../" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/PHPBB-%{matched_var_name}=%{matched_var}'"
SecMarker END_SLR_ET_PHPBB_RULES

Some files were not shown because too many files have changed in this diff Show More