@abtnode/router-provider 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8

package/lib/nginx/includes/security/crs4/rules/RESPONSE-955-WEB-SHELLS.conf

@@ -0,0 +1,558 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# Skip all rules if RESPONSE_BODY is compressed.
+SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
+    "id:955010,\
+    phase:4,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    skipAfter:END-RESPONSE-955-WEB-SHELLS"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+# For performance reasons, most of the shells are matched using this rule.
+# This rule is intended for PHP web shells.
+SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
+    "id:955100,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Web shell detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# r57 web shell
+SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" \
+    "id:955110,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'r57 web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# WSO web shell
+SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>" \
+    "id:955120,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'WSO web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
+SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" \
+    "id:955130,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'b4tm4n web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Mini Shell web shell
+SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
+    "id:955140,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Mini Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Ashiyane web shell
+SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
+    "id:955150,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Ashiyane web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Symlink_Sa web shell
+SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
+    "id:955160,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Symlink_Sa web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# CasuS web shell
+SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
+    "id:955170,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'CasuS web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# GRP WebShell
+SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
+    "id:955180,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'GRP WebShell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# NGHshell web shell
+SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
+    "id:955190,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'NGHshell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# SimAttacker web shell
+SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
+    "id:955200,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'SimAttacker web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell</title>" \
+    "id:955210,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# lama's'hell web shell
+SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
+    "id:955220,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'lama\'s\'hell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# lostDC web shell
+SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
+    "id:955230,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'lostDC web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n    <!-- Replaces command with Base64-encoded Data -->" \
+    "id:955240,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Unknown web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
+    "id:955250,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Unknown web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Ru24PostWebShell web shell
+# Removed '- ' from the end of the pattern so this file won't get detected as
+# malware by Windows Defender.
+SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
+    "id:955260,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Ru24PostWebShell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# s72 Shell web shell
+SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
+    "id:955270,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'s72 Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# PhpSpy web shell
+SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
+    "id:955280,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PhpSpy web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# g00nshell web shell
+SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
+    "id:955290,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'g00nshell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# PuNkHoLic shell web shell
+# Various versions has this text written little differently so we need to do
+# t:removeWhitespace and t:lowercase.
+SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
+    "id:955300,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,t:removeWhitespace,t:lowercase,\
+    msg:'PuNkHoLic shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# azrail web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-9.]+ by C-W-M</title>" \
+    "id:955310,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'azrail web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# SmEvK_PaThAn Shell web shell
+SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
+    "id:955320,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'SmEvK_PaThAn Shell web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Shell I web shell
+SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style>" \
+    "id:955330,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Shell I web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# b374k m1n1 web shell
+SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
+    "id:955340,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'b374k m1n1 web shell',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+# webadmin.php file manager
+# This is placed in PL2 because of too generic pattern.
+SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" \
+    "id:955350,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'webadmin.php file manager',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-955-WEB-SHELLS"