github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity
ModSecurity/test/test-cases/data/big-file.conf
Felipe Zimmerle 973c1f1028
Fix rule line number 
Issue #1844
2018-10-24 21:02:35 -03:00

199 lines
5.9 KiB
Plaintext
Raw Blame History

# 1
# 2
# 3
# 4
# 5
# 6
# 7
# 8
# 10
# 11
# 12
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
# 18
# 19
# 20
# 22
# 23
# 24
# 25
# 26
# 27
# 28
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))|test1" \
"phase:request,\
msg:'Path Traversal Attack (/../)',\
id:930100,\
ver:'OWASP_CRS/3.0.0',\
rev:'3',\
maturity:'9',\
accuracy:'7',\
t:none,\
block,\
severity:CRITICAL,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
# 52
# 53
# 54
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm test2" \
"phase:request,\
msg:'Path Traversal Attack (/../)',\
id:930110,\
ver:'OWASP_CRS/3.0.0',\
rev:'1',\
maturity:'9',\
accuracy:'7',\
multiMatch,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
block,\
severity:CRITICAL,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
capture,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
# 79
# 80
# 81
# 82
# 83
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm test3" \
"phase:request,\
msg:'OS File Access Attempt',\
rev:'4',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
block,\
id:930120,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
tag:'WASCTC/WASC-33',\
tag:'OWASP_TOP_10/A4',\
tag:'PCI/6.5.4',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
# 110
# 111
# 112
# 113
# 114
# 115
SecRule REQUEST_FILENAME|ARGS "@pm test4" \
"phase:request,\
msg:'Restricted File Access Attempt',\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'7',\
accuracy:'8',\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
block,\
id:930130,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
tag:'WASCTC/WASC-33',\
tag:'OWASP_TOP_10/A4',\
tag:'PCI/6.5.4',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
# 146
# 147
# 148
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
# 154
# 155
# 156
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
# 162
# 163
# 164
# 168
# 169
# 170
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
# 172
SecRule REQUEST_FILENAME|ARGS "@pm test5" \
"phase:request,\
msg:'Restricted File Access Attempt',\
rev:'1',\
ver:'OWASP_CRS/3.0.0',\
maturity:'7',\
accuracy:'8',\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
block,\
id:9304130,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-lfi',\
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
tag:'WASCTC/WASC-33',\
tag:'OWASP_TOP_10/A4',\
tag:'PCI/6.5.4',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
Reference in New Issue View Git Blame Copy Permalink