Fixed files overwriting in installer; added OWASP CRS.

Greg Wroblewski
2013-02-05 16:36:29 -08:00
parent 635a573894
commit c1ba71ab16
134 changed files with 33445 additions and 0 deletions


@@ -0,0 +1,62 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute. You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:'Brute Force Attack Identified from %{remote_addr} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,expirevar:ip.brute_force_block_flag=60,setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},setvar:ip.brute_force_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,setvar:ip.brute_force_block_counter=+1"
#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" "phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
#
# Brute Force Counter
# Count the number of requests to these resoures
#
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"
#
# Check Brute Force Counter
# If the request count is greater than or equal to 50 within 5 mins,
# we then set the burst counter
#
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" "phase:5,id:'981042',t:none,nolog,pass,t:none,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"
#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',t:none,log,pass,msg:'Potential Brute Force Attack from %{remote_addr} - # of Request Bursts: %{ip.brute_force_burst_counter}',setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS
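Review bot: The comments above rules 981042 and 981043 quote fixed limits ("greater than or equal to 50 within 5 mins", a block "for 5 mins"), but 981042 compares with `@gt` against `%{tx.brute_force_counter_threshold}` and the timings come from `tx.brute_force_burst_time_slice` and `tx.brute_force_block_timeout`. The effective threshold is therefore one request higher than documented, and the numbers are whatever the setup file defines. I would either switch the operator to `@ge` or reword the comment to `# If the request count exceeds tx.brute_force_counter_threshold within tx.brute_force_burst_time_slice,`. Separately, 981036 increments `ip.brute_force_block_counter` in the chain starter, which ModSecurity runs whenever that rule matches even if the chained flag check does not, and 981037 then increments it again, so the "hits since last alert" figure is probably doubled. The same points apply to 981048/981049 and 981044/981045 in the DoS file that follows.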


@@ -0,0 +1,46 @@
#
# Anti-Automation rule set for detecting Denial of Service Attacks.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute. You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:DOS_BLOCK "@eq 1" "chain,phase:1,id:'981044',drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'981045',t:none,drop,nolog,setvar:ip.dos_block_counter=+1"
#
# skipAfter Check
# There are different scenarios where we don't want to do checks -
# 1. If the current IP address has already been blocked due to high requests
# In this case, we skip doing the request counts.
#
SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'981046',t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
#
# DOS Counter
# Count the number of requests to non-static resoures
#
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:'981047',t:none,nolog,pass,setvar:ip.dos_counter=+1"
#
# Check DOS Counter
# If the request count is greater than or equal to user settings,
# we then set the burst counter
#
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'981048',t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" "phase:5,id:'981049',t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
SecMarker END_DOS_PROTECTION_CHECKS


@@ -0,0 +1,28 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Rule set for detecting Open Proxy Abuse/Chaining.
#
# http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
#
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
SecGeoLookupDb /usr/local/apache/conf/modsec/GeoLiteCity.dat
SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,id:'981050',t:none,capture,block,rev:'2.2.6',msg:'Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code}"
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
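Review bot: The private-address exclusion in rule 981050, `(?<!192|127|10)`, is a lookbehind on the characters just before the first dot, so it also skips public first octets that end in `10` (110, 210), skips every 192.x.x.x address rather than only 192.168.0.0/16, and does not skip 172.16.0.0/12 at all. A lookahead at the start states the intent directly: `^(?!(?:10|127)\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`. X-Forwarded-For is supplied by the client and may hold a comma-separated list, of which only the first entry is looked up, so a country mismatch is a scoring signal rather than proof of proxy use; a comment saying so would help whoever tunes this rule.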


@@ -0,0 +1,35 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Rule set for detecting Slow HTTP Denial of Service Attacks.
#
# http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
#
#
# Mitigate Slowloris-type slow HTTP attacks
#
SecReadStateLimit 100
#
# Mitigate Slow HTTP POST attacks
#
# Must have the mod_reqtimeout module installed
# You should adjust the RequestReadTimeout body directive setting to a limit
# that will allow any legitimate slow clients or large file uplaods.
#
<IfModule reqtimeout_module>
RequestReadTimeout body=30
</IfModule>
SecRule RESPONSE_STATUS "@streq 408" "phase:5,id:'981051',t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,id:'981052',t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"
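Review bot: Rule 981052 uses `log,drop` with no throttle, so once an address exceeds five 408 responses within the expiry window every further request from it writes an alert. That is the flood which the brute-force and DoS files in this commit avoid with their `*_block_flag` once-per-minute chain. I would mirror that pattern here or add a comment explaining why per-request logging is wanted. Both rules use the `ip` collection, whose `initcol` is not in this file; a line such as `# Requires the IP collection to be initialised (initcol:ip=...) in the setup config` would make the dependency visible. `SecReadStateLimit 100` is a per-address limit, so sites fronted by a proxy or a large NAT may need a different value.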


@@ -0,0 +1,33 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ You must be using the Resource Profiling Rules to track this data ]=-
#
# modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
# modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
#
#
# -=[ Disable ModSecurity For Arachni Scans ]=-
#
# Update the remote IP address for your Arachni RPC host
#
SecRule REMOTE_ADDR "@ipMatch 192.168.168.128" "chain,phase:1,t:none,nolog,pass"
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Arachni/" "ctl:ruleEngine=Off"
#
# -=[ Initiate Arachni Scan on 1st URL Access ]=-
#
# Update the path to the arachni_integration.lua script
#
SecRule &RESOURCE:ARACHNI_SCAN_COMPLETED "@eq 0" "chain,phase:5,t:none,log,pass"
SecRule &ARGS "@gt 0" "exec:/etc/apache2/modsecurity-crs/lua/arachni_integration.lua"
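Review bot: The first chain switches the rule engine off for the whole transaction based on a fixed source address plus a `User-Agent` prefix, and the address committed here, `192.168.168.128`, is a sample value. If it is installed unchanged, or the address coincides with a proxy or load balancer in front of the server, matching requests are not inspected at all. I would ship both chains commented out with a note such as `# Enable only after setting REMOTE_ADDR to your scanner host; matching requests bypass all inspection`. Neither chain starter has an `id`, unlike the other rules in this commit, and ModSecurity 2.7 and later refuse to load a rule without one. The `exec:` path under `/etc/apache2/modsecurity-crs/lua/` also differs from the `/opt/modsecurity/etc/crs/lua/` location used by the AppSensor request-exception rules, so one of them will not resolve on a given install.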


@@ -0,0 +1,22 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Credit Card Track 1 and 2 and PAN Leakage Checks
#
SecRule RESPONSE_BODY "\%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?" \
"phase:4,t:none,block,msg:'Possible Credit Card Track 1 Data Leakage.',severity:'1',id:'920021',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "\;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?" \
"phase:4,t:none,block,msg:'Possible Credit Card Track 2 Data Leakage.',severity:'1',id:'920022',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
SecRule RESPONSE_BODY "[^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]" \
"phase:4,t:none,block,msg:'Possible Credit Card PAN Data Leakage.',severity:'1',id:'920023',tag:'WASCTC/5.2',tag:'PCI/3.3',setvar:tx.anomaly_score=+{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
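Review bot: All three rules (920021, 920022, 920023) write `setvar:tx.anomaly_score=+{tx.critical_anomaly_score}` without the `%`, so the macro is not expanded and a match most likely adds nothing to the anomaly score; it should read `setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}`. They also store `%{tx.0}` without a `capture` action, so the stored value will be empty. If `capture` is added, the captured text is card data that ends up in the TX collection and possibly the audit log, so recording `%{rule.msg}` or a fixed marker is the safer choice. The PAN pattern in 920023 performs no Luhn validation (ModSecurity's `@verifyCC` operator does), so expect false positives on long digit runs in response bodies.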


@@ -0,0 +1,57 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ OWASP AppSensor Detection Points - Setup ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints
#
# Instead of creating rule set based on analyzing saved audit log data, we can
# instead profile live transactions in phase:5 post processing and save data in
# Resource-based persistent collections. Once we have seen enough traffic (as
# defined below) we can then move into Enforcement Mode.
#
#
# --[ Step 1: Initiate the Resource Collection ]--
#
# We are using the REQUEST_FILENAME as the key and then set 2 variables -
#
# [resource.min_pattern_threshold]
# Set the resource.min_pattern_threshold as the minimum number of times that a match should occur
# in order to include it into the profile
#
# [resource.min_traffic_threshold]
# Set the resource.min_traffic_threshold as the minimum number of "clean" transactions
# to profile/inspect before enforcement of the profile begins.
#
SecAction "phase:1,id:'981082',t:none,nolog,pass,initcol:resource=%{request_headers.host}_%{request_filename},setvar:resource.min_pattern_threshold=50,setvar:resource.min_traffic_threshold=100"
#
# --[ Ignore Resource ]--
#
# If you want to exclude a resource from being profiled, you can specify it in the
# modsecurity_40_profiler_ignore.data file. This rule will evaluate the REQUEST_FILENAME
# and if there is match in the @pmFromFile check, it will skip all profiling/enforcement
# rules in this file. We have to run two checks here -
# 1. For Phase:2 - Enforcement Checks
# 2. For Phase:5 - Profiling Analysis
#
# If there is a match, the rules will skip down until it hits the SecMarker END_PROFILER_RULES
# at the end of this file.
#
# If you want to use these rules you must:
# 1. Uncomment the rules
# 2. Create the modsecurity_40_appsensor_ignore.data file in the same directory
#
#SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:2,id:'981083',t:none,nolog,pass,skipAfter:END_PROFILER_RULES"
#SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:5,id:'981084',t:none,nolog,pass,skipAfter:END_PROFILER_RULES"
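Review bot: The Step 1 comment says the collection key is REQUEST_FILENAME, but rule 981082 uses `initcol:resource=%{request_headers.host}_%{request_filename}`, and both parts are taken from the request. Every distinct Host/path combination a client sends therefore creates its own persistent record, so the comment should state the real key and note that record growth is limited only by the collection timeout. Proposed wording: `# The key is the Host header plus REQUEST_FILENAME; both are client-supplied.` The ignore-list text also names `modsecurity_40_profiler_ignore.data` in one paragraph and `modsecurity_40_appsensor_ignore.data` in the instructions and the commented rules; one name should be used throughout.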


@@ -0,0 +1,136 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ OWASP AppSensor Detection Points - Request Exceptions (RE) Category ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RequestException
#
# Instead of creating rule set based on analyzing saved audit log data, we can
# instead profile live transactions in phase:5 post processing and save data in
# Resource-based persistent collections. Once we have seen enough traffic (as
# defined below) we can then move into Enforcement Mode.
#
SecMarker BEGIN_RE_PROFILE_ENFORCEMENT
#
# Should we enforce the learned profile for this transaction?
#
# If the resource.enforce_profile parameter is not set, then we skip enforcement.
#
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 0" "phase:2,id:'981085',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ENFORCEMENT"
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981086',t:none,nolog,pass,exec:/opt/modsecurity/etc/crs/lua/appsensor_request_exception_enforce.lua"
#
# -=[ RE2: Attempt to Invoke Unsupported HTTP Method ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2:_Attempt_to_Invoke_Unsupported_HTTP_Method
#
SecRule REQUEST_METHOD "!@within HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT" "phase:2,id:'981087',t:none,block,msg:'Attempt to Invoke Unsupported HTTP Method.',logdata:'%{request_method}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE2',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE2:_Attempt_to_Invoke_Unsupported_HTTP_Method'"
#
# -=[ RE1: Unexpected HTTP Command ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1:_Unexpected_HTTP_Command
#
SecRule TX:REQUEST_METHOD_VIOLATION "@eq 1" "phase:2,id:'981088',t:none,block,capture,msg:'Invalid Request Method for Resource.',logdata:'Current Request Method: %{request_method} and Allowed Request Method(s): %{resource.enforce_request_methods}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/METHOD_NOT_ALLOWED',tag:'OWASP_AppSensor/RE1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE1:_Unexpected_HTTP_Command'"
#
# -=[ RE5: Additional/Duplicated Data in Request ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request
#
SecRule TX:MIN_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981089',t:none,block,msg:'Invalid Number of Parameters - Missing Parameter(s)',logdata:'Min Number of ARGS: %{resource.minnumofargs} and Number of ARGS Submitted: %{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
SecRule TX:MAX_NUM_ARGS_VIOLATION "@eq 1" "phase:2,id:'981090',t:none,block,msg:'Invalid Number of Parameters - Additional Parameter(s)',logdata:'Max Number of ARGS: %{resource.maxnumofargs} and Number of ARGS Submitted: %{tx.num_of_args}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
SecRule TX:ARGS_NAMES_VIOLATION ".*" "phase:2,id:'981091',t:none,block,msg:'Invalid Parameter Name(s).',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE5',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE5:_Additional.2FDuplicated_Data_in_Request'"
#
# -=[ RE7: Unexpected Quantity of Characters in Parameter ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE7:_Unexpected_Quantity_of_Characters_in_Parameter
#
SecMarker BEGIN_ENFORCE_LENGTH
SecRule TX:/^ARGS.*_MIN_LENGTH_VIOLATION/ ".*" "phase:2,id:'981092',t:none,block,msg:'Invalid Parameter Length - Value Is Below Normal Range',logdata:'Normal Minimum Length for Parameter (%{tx.minarglengthname}): %{tx.minarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecRule TX:/^ARGS.*_MAX_LENGTH_VIOLATION/ ".*" "phase:2,id:'981093',t:none,block,msg:'Invalid Parameter Length - Value Is Above Normal Range',logdata:'Normal Maximum Length for Parameter (%{tx.maxarglengthname}): %{tx.maxarglength} and Current Length: %{matched_var}',tag:'POLICY/PARAMETER_VIOLATION',tag:'OWASP_AppSensor/RE7',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecMarker END_ENFORCE_LENGTH
#
# -=[ RE8: Unexpected Type of Characters in Parameter ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RE8:_Unexpected_Type_of_Characters_in_Parameter
#
#
# Enforce Digits Character Class
#
SecRule TX:/^ARGS.*_digits_violation/ ".*" "phase:2,id:'981094',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Digits.',logdata:'Parameter (%{tx.digits_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Alpha Character Class
#
SecRule TX:/^ARGS.*_alpha_violation/ ".*" "phase:2,id:'981095',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Letters.',logdata:'Parameter (%{tx.alpha_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce AlphaNumeric Character Class
#
SecRule TX:/^ARGS.*_alphanumeric_violation/ ".*" "phase:2,id:'981096',t:none,block,msg:'Invalid Character(s) in Payload - Expecting AlphNumeric.',logdata:'Parameter (%{tx.alphanumeric_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Email Character Class
#
SecRule TX:/^ARGS.*_email_violation/ ".*" "phase:2,id:'981097',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Email.',logdata:'Parameter (%{tx.email_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Path Character Class
#
SecRule TX:/^ARGS.*_path_violation/ ".*" "phase:2,id:'981103',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Path.',logdata:'Parameter (%{tx.path_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Url Character Class
#
SecRule TX:/^ARGS.*_url_violation/ ".*" "phase:2,id:'981104',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Url.',logdata:'Parameter (%{tx.url_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce Flag Character Class
#
SecRule TX:/^ARGS.*_flag_violation/ ".*" "phase:2,id:'981110',t:none,block,msg:'Invalid Character(s) in Payload - Expecting Flag.',logdata:'Parameter (%{tx.flag_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
#
# Enforce SafeText Character Class
#
SecRule TX:/^ARGS.*_safetext_violation/ ".*" "phase:2,id:'981105',t:none,block,msg:'Invalid Character(s) in Payload - Expecting SafeText.',logdata:'Parameter (%{tx.safetext_violation_name}): %{matched_var}',tag:'OWASP_AppSensor/RE8',setvar:tx.profiler_score=+%{tx.error_anomaly_score}"
SecMarker END_RE_PROFILE_ENFORCEMENT
#
# --[ Begin Profiling Phase ]--
#
SecMarker BEGIN_RE_PROFILE_ANALYSIS
SecAction "phase:5,id:'981098',t:none,nolog,pass,ctl:ruleEngine=DetectionOnly"
SecRule RESPONSE_STATUS "^404$" "phase:5,id:'981099',t:none,nolog,pass,setvar:!resource.KEY,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule RESPONSE_STATUS "^(5|4)" "phase:5,id:'981100',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule TX:ANOMALY_SCORE "!@eq 0" "phase:5,id:'981101',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRule &RESOURCE:ENFORCE_RE_PROFILE "@eq 1" "phase:2,id:'981102',t:none,nolog,pass,skipAfter:END_RE_PROFILE_ANALYSIS"
SecRuleScript /opt/modsecurity/etc/crs/lua/appsensor_request_exception_profile.lua "phase:5,nolog,pass"
SecMarker END_RE_PROFILE_ANALYSIS
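Review bot: Among the RE8 character-class rules only 981094 sets `tx.msg` and `tx.anomaly_score`; 981095, 981096, 981097, 981103, 981104, 981110 and 981105 update `tx.profiler_score` alone, so under anomaly scoring those violations probably never count toward a block. Adding `setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score}` to each would bring them in line with 981094 and the RE1/RE5/RE7 rules. In the profiling block, 981102 is declared `phase:2` while its neighbours and the `SecRuleScript` it is meant to skip run in phase 5, so the profiling script appears to keep running once enforcement is on; `phase:5` looks intended. The `SecRuleScript` line has no `id`, and the allow-list in 981087 includes TRACE and CONNECT, which deserves a comment if deliberate.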


@@ -0,0 +1,32 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ HT1: Alteration to Honey Trap Data ]=-
#
# - https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1:_Alteration_to_Honey_Trap_Data
#
SecRule ARGS:DEBUG "!@streq false" "phase:2,id:'981131',t:none,block,msg:'Tampering of Hidden Parameter Honeytrap Data.',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.profiler_score=+%{tx.error_anomaly_score},tag:'HONEYTRAP/HIDDEN_DATA_TAMPERING',tag:'OWASP_AppSensor/HT1',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#HT1:_Alteration_to_Honey_Trap_Data'"
#
# Add a fake "debug" hidden parameter to forms.
#
# Here are some examples of parameter names/values that could be used:
#
# - debug=false
# - debug=0
# - role=user
# - role=1
# - admin=false
# - admin=0
#
# Make sure that your settings here match the detection rules above.
#
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/form>/<input type=\"hidden\" name=\"debug\" value=\"false\"><\/form>/" "phase:4,id:'981132',t:none,nolog,pass"
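Review bot: Rule 981132 depends on response-body stream rewriting, which the file does not mention; `@rsub` on `STREAM_OUTPUT_BODY` needs `SecStreamOutBodyInspection On` and `SecContentInjection On`, and without them the hidden field is never injected and 981131 has nothing to watch. A comment such as `# Requires SecStreamOutBodyInspection On and SecContentInjection On` above the rule would cover it. The substitution matches a lower-case `</form>` only and likely cannot act on compressed responses, so coverage should be checked per application. 981131 will also fire for any application that already uses a real `debug` parameter, which the comment about choosing a parameter name could say outright.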


@@ -0,0 +1,11 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecMarker END_PROFILER_RULES


@@ -0,0 +1,42 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# The rules in this file are considered experimental/beta rules. They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#
#
# HTTP Parameter Pollution (HPP)
#
# One HPP attack vector is to try evade signature filters by distributing the attack payload
# across multiple parameters with the same name. This works as many security devices only
# apply signatures to individual parameter payloads, however the back-end web application
# may (in the case of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# -=[ Rules Logic }=-
# The ruleset below is not looking for attacks directly, but rather is a crude normalization
# function that mimics ASP.NET with regards to joining the payloads of parameters with the
# same name. These rules will create a new TX:HPP_DATA variable that will hold this data.
# If you have enabled PARANOID_MODE, then this variable data will also be searched against
# attack filters.
#
# -=[ References ]=-
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
#
SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.2.6',setvar:tx.%{matched_var_name}=+1"
SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"
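Review bot: The six-rule chain for 960022 has no per-step comments, and the header describes only the goal, so it is hard to verify what each link contributes. I would add one comment line per link, for example `# 1: count occurrences of each parameter name in tx.ARGS:<name>` and `# 6: append each duplicated value to tx.hpp_data`. Two details are worth documenting: TX variable names are built from client-supplied parameter names, and `tx.hpp_data` begins with a leading comma because it is assembled as `%{tx.hpp_data},%{tx.2}`. The chain carries no `msg` and logs nothing, so its only output is `tx.hpp_data`.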


@@ -0,0 +1,370 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Lua script to normalize input payloads
# Based on PHPIDS Converter.php code
# Reference the following whitepaper -
# http://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn
#
SecRuleScript ../lua/advanced_filter_converter.lua "phase:2,t:none,pass"
SecRule TX:/centrifuge_ratio/ ".*" "phase:2,t:none,log,capture,msg:'Centrifuge Threshold Alert - Ratio Value is: %{tx.0}'"
#
# PHP-IDS rules (www.php-ids.org)
# Attack Filters
# https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml
#
SecRule TX:'/_normalized/' "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'9000033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'9000033',tag:'WEB_ATTACK/XSS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible event handlers',id:'9000032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible event handlers',id:'9000032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[^\w\s=]on(?!g\&gt;)\w+[^=_+-]*=[^$]+(?:\W|\&gt;)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common mail header injections',id:'9000063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/SPAM-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common mail header injections',id:'9000063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/SPAM-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects very basic XSS probings',id:'9000021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects very basic XSS probings',id:'9000021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s\-]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s\d\/\"]+(?:on\w+|style|poster|background)=[$\"\w])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds malicious attribute injection attempts',id:'9000071',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds malicious attribute injection attempts',id:'9000071',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\d\/\"]+(?:on\w+|style|poster|background)=[$\"\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'900007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'900007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'9000026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'9000026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'9000018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'9000018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'9000016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'9000016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|iterator|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'9000044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'9000044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\sexec\s+xp_cmdshell)|(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'9000055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'9000055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\sexec\s+xp_cmdshell)|(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s])|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'9000027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'9000027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:,.*[)\da-f\"]\"(?:\".*\"|\Z|[^\"]+))|(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'9000057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'9000057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:,.*[)\da-f\"]\"(?:\".*\"|\Z|[^\"]+))|(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'9000061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'9000061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\".+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'9000020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'9000020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*\[)|(?:\/\w*\s*\)\s*\W)|([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|for\s*(?:each)?|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\".+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:\/|\\\\)?\.+(\/|\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic directory traversal',id:'9000010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic directory traversal',id:'9000010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:\/|\\\\\\\\)?\.+(\/|\\\\\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'9000031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'9000031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s*or\s*\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'9000042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'9000042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*or\s*\d)|(?:\\\\\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\\\\\".+(?<!\\\\\\\\)\")|(?:(?:^[\"\\\\\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'900008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'900008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'9000038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'9000038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'9000037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'9000037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
SecRule TX:'/_normalized/' "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'900005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'900005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"


@@ -0,0 +1,49 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ Content Security Policy (CSP) Settings ]=-
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
#
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable. This is not done by
# default since the request body content-type is JSON.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"
#
# Check the REQUEST_BODY for CSP Violation Report data and generate an Alert
#
SecRule REQUEST_BODY "({\"csp-report\":.*blocked-uri\":\"(.*?)\".*violated-directive\":\"(.*)\")" "phase:2,id:'960001',capture,t:none,log,pass,msg:'Content Security Policy (CSP) Violation',logdata:'blocked-uri:%{tx.2} violated-directive:%{tx.3}',tag:'OWASP_AppSensor/RP3',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP3:_Suspicious_Client-Side_Behavior'"
#
# Check the User-Agent string for FireFox users and then set an ENV var
# to tell Apache which CSP header policy to use.
#
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960002',t:none,nolog,pass,chain"
SecRule TX:CSP_REPORT_ONLY "@eq 1" "setenv:firefox_client-csp_report_only=1"
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960003',t:none,nolog,pass,chain"
SecRule TX:CSP_REPORT_ONLY "@eq 0" "setenv:firefox_client-csp_enforce=1"
#
# Set the appropriate CSP Policy Header for FireFox clients
#
Header set X-Content-Security-Policy-Report-Only "%{csp_policy}e" env=firefox_client-csp_report_only
Header set X-Content-Security-Policy "%{csp_policy}e" env=firefox_client-csp_enforce
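Review bot: Rule 960001 tests REQUEST_BODY on every phase-2 request instead of only on requests to the CSP report URI, so any request whose body is populated and contains the `{"csp-report":` pattern produces a 'Content Security Policy (CSP) Violation' alert. Rule 981142 already compares REQUEST_FILENAME with `%{tx.csp_report_uri}`; the same test could start a chain for the alert, `SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "chain,phase:2,id:'960001',t:none,log,pass,msg:'...',logdata:'...'"`, with the existing REQUEST_BODY pattern as the chained rule carrying `capture`. The `blocked-uri` and `violated-directive` values written to logdata are client-supplied and should be treated as untrusted by whatever consumes the alerts. A comment naming where `tx.csp_report_uri`, `tx.csp_report_only` and the `csp_policy` environment variable are expected to be set would also help, since none of them is defined in this file.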


@@ -0,0 +1,59 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# The rules in this file are considered experimental/beta rules. They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#
#
# Restricted Character Anomaly Usage
# These rules attempted to gauge when there is an exccesive use of
# restricted, meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the the @ge operator value appropriately for your site. Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule ARGS "@pm ~ ` ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' < >" "phase:2,id:'981146',t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,id:'981147',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,id:'981148',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,id:'981149',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,id:'981150',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,id:'981151',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,id:'981152',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,id:'981153',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,id:'981154',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,id:'981155',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,id:'981156',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,id:'981157',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,id:'981158',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,id:'981159',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,id:'981160',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,id:'981161',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,id:'981162',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,id:'981163',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,id:'981164',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,id:'981165',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,id:'981166',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,id:'981167',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,id:'981168',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,id:'981169',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,id:'981170',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,id:'981171',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,id:'981172',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.2.6',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_CHARS-%{matched_var_name}=%{tx.0}"
#
# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.2.6',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_CHARS-%{matched_var_name}=%{tx.0}"
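Review bot: Rule 960023 logs `%{matched_var}` and stores `%{tx.0}`, but its operator is `@ge` on TX:RESTRICTED_CHAR_COUNT and it has no `capture` action, so the audit entry shows the counter value and the stored variable holds whatever an earlier rule left in tx.0 (possibly nothing) rather than the parameter that crossed the threshold. Pointing both at the saved payload keeps the evidence: `logdata:'%{tx.restricted_char_payload}'` and `setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_CHARS-%{matched_var_name}=%{tx.restricted_char_payload}`. The counter rules 981147–981172 add one per distinct character kind found in that single saved payload, which the header comment could state, because the message "Total # of special characters exceeded" reads as a total count. The comment above rule 960024 says "3 or more" while the pattern `\W{4,}` requires four, and rule 981146 lists `nolog` twice.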


@@ -0,0 +1,24 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ You must be using the Resource Profiling Rules to track this data ]=-
#
# modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
# modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
#
SecRule TX:/XSS-ARGS:/ ".*" "id:'999003',chain,phase:2,t:none,msg:'XSS Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'"
SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture"
SecRule TX:1 "@within %{resource.xss_vulnerable_params}"
SecRule TX:/SQL_INJECTION-ARGS:/ ".*" "id:'999004',chain,phase:2,t:none,msg:'SQLi Attack Against Known Vulnerable Parameter.',logdata:'%{matched_var}'"
SecRule MATCHED_VARS_NAMES "-ARGS:(.*)$" "chain,capture"
SecRule TX:1 "@within %{resource.sqli_vulnerable_params}"
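Review bot: The final link of both chains (rules 999003 and 999004) uses `@within`, which is a substring test of the captured parameter name against the whole `resource.*_vulnerable_params` string, so a short name can match inside a longer listed name and the alert can name a parameter that was never recorded as vulnerable. Since `-ARGS:(.*)$` may also capture an empty string, that case presumably matches any list as well. I would document the expected list format in the header, for example `# resource.xss_vulnerable_params must be a delimited list; @within is a substring match, so names have to be stored with their delimiters`, and tighten the capture to `-ARGS:(.+)$`. Neither chain sets a disruptive action or severity, so both inherit whatever SecDefaultAction is in force; a comment saying whether that is intended would help.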


@@ -0,0 +1,17 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# You must edit the local path to the lua scripts
#
SecRule TX:'/^\\\d.*WEB_ATTACK/' ".*" "phase:2,t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_spam.lua"
SecRuleScript lua/bayes_check_spam.lua "phase:2,t:none,block,msg:'Bayesian Analysis Detects Probable Attack.',logdata:'Score: %{tx.bayes_score}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/BAYESIAN-%{matched_var_name}=%{tx.0}"
SecRule &TX:ANOMALY_SCORE "@eq 0" "phase:5,t:none,log,pass,logdata:'%{tx.bayes_msg}',exec:lua/bayes_train_ham.lua"
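Review bot: None of the three rules in this file carries an `id` action, although the SecRuleScript rule expands `%{rule.id}` in its setvar and every other file in this commit assigns ids. ModSecurity releases that require an id on every rule will refuse to load the file, and without an id the rules cannot be targeted by exclusions; each needs something like `id:'<UNUSED_ID_FROM_LOCAL_RANGE>'`. The script paths (`lua/bayes_train_spam.lua` and the others) are relative, and the header only says the path must be edited, so it is worth stating what directory they are resolved against. The phase-5 rule trains the classifier as ham on every transaction with no anomaly score, which means traffic the other rules failed to flag is learned as benign; a comment noting that the training input is untrusted would set the right expectation for operators.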


@@ -0,0 +1,27 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecRuleScript profile_page_scripts.lua "phase:4,id:'981187',t:none,nolog,pass"
SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,id:'981188',t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"
SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,id:'981189',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,id:'981190',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,id:'981191',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,id:'981192',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,id:'981193',t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"
SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,id:'981194',t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,id:'981195',t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,id:'981196',t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,id:'981197',t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
SecMarker END_PAGE_PROFILE
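Review bot: In rules 981194, 981195, 981196 and 981197 the action `setvar:tx.anomaly_score=+{tx.error_anomaly_score}` is missing the `%` of the macro, so the literal text is used instead of the configured score and the inbound anomaly score is presumably not raised when a page profile changes. The neighbouring `tx.outbound_anomaly_score` setvar in the same rules has the correct form; the fix is `setvar:tx.anomaly_score=+%{tx.error_anomaly_score}` in all four. The same rules store `%{tx.0}` without a `capture` action or a regex operator, so that value is stale or empty; `%{matched_var}` would record the current count. The file has no header comment explaining the profiling flow (learn on first sight, count agreements, enforce only at a confidence of 40 or more), which would make the threshold in rule 981193 easier to tune.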


@@ -0,0 +1,13 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
SecRule &RESOURCE:OSVDB_CHECK "@eq 0" "chain,phase:5,id:'981198',t:none,nolog,pass"
SecRule RESPONSE_STATUS "@streq 200" "exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua"
SecRule TX:OSVDB_MSG "!^$" "phase:5,id:'981199',t:none,log,pass,msg:'Passive Vulnerabilty Check with OSVDB - %{matched_var}'"
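Review bot: The `exec:` action in the chain of rule 981198 hard-codes `/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua`, and the file carries no note telling the operator to adjust it, so on any other layout the script will not be found. I would add a header comment such as `# You must update the local path for the exec action to point to the lua script.` and a line on what the script does, since it runs in phase 5 on every 200 response for a resource that has no `OSVDB_CHECK` value yet. The message text in rule 981199 has a typo, `Vulnerabilty`, which anyone searching alerts for "Vulnerability" will miss.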


@@ -0,0 +1,41 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Gather IP/Host Data for Audit Logging
#
# - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#
# Execute the IP Lookup/Whois Check when anomaly scores are not 0
#
# You must update the local path for the exec action to point to the lua script.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'960004',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua"
SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id:'960005',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1"
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'960006',msg:'Client Nslookup/WHOIS Abust Info.',logdata:'%{ip.hostname}'"
#
# Download the GeoIP DB from MaxMind
#
# GeoLite City - http://www.maxmind.com/app/geolitecity
# GeoLite Country - http://www.maxmind.com/app/geoip_country
#
# Define the proper path to the GeoIP DB
SecGeoLookupDb /usr/local/apache/conf/modsec_current/base_rules/GeoLiteCity.dat
#
# Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data
# for the client in the audit log.
#
SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'960007',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'"
SecRule REMOTE_ADDR "@geoLookup"