npm - @abtnode/router-provider - Versions diffs - 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8 - Mend

@abtnode/router-provider 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/lib/nginx/includes/security/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf ADDED Viewed

@@ -0,0 +1,280 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+# Summing up the blocking and detection anomaly scores in phase 3
+# even when early blocking is disabled, we need to sum up the scores in phase 3
+# this prevents bugs in phase 5 if Apache skips phases because of error handling
+# See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
+    "id:959052,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
+    "id:959152,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
+    "id:959053,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
+    "id:959153,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
+    "id:959054,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
+    "id:959154,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
+    "id:959055,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
+    "id:959155,\
+    phase:3,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
+# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
+# this is necessary because the per-PL scores are counted across phases
+SecAction \
+    "id:959059,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=0'"
+SecAction \
+    "id:959159,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=0'"
+SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
+# Summing up the blocking and detection anomaly scores in phase 4
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
+    "id:959060,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
+    "id:959160,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
+    "id:959061,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
+    "id:959161,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
+    "id:959062,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
+    "id:959162,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
+    "id:959063,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
+    "id:959163,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
+#
+# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
+#
+# if early blocking is active, check threshold in phase 3
+SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
+    "id:959101,\
+    phase:3,\
+    deny,\
+    t:none,\
+    msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
+    tag:'anomaly-evaluation',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    chain"
+    SecRule TX:EARLY_BLOCKING "@eq 1"
+# always check threshold in phase 4
+SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
+    "id:959100,\
+    phase:4,\
+    deny,\
+    t:none,\
+    msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
+    tag:'anomaly-evaluation',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"

package/lib/nginx/includes/security/crs4/rules/RESPONSE-980-CORRELATION.conf ADDED Viewed

@@ -0,0 +1,138 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+#
+# This file is used in post processing after the response has been sent to
+# the client (in the logging phase).  Its purpose is to provide inbound+outbound
+# correlation of events to provide a more intelligent designation as to the outcome
+# or result of the transaction - meaning, was this a successful attack?
+#
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+# Combine inbound and outbound scores
+SecAction \
+    "id:980099,\
+    phase:5,\
+    pass,\
+    t:none,\
+    nolog,\
+    noauditlog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
+    setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
+    setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
+    setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\
+    setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
+    setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'"
+#
+# -=[ Anomaly Score Reporting ]=-
+#
+# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
+SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REPORTING"
+# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
+SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
+SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REPORTING"
+# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
+SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
+SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REPORTING"
+# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
+SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
+SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REPORTING"
+# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
+SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:LOG-REPORTING"
+# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
+SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REPORTING"
+# At this point, the reporting level is 4 and there's a non-zero detection
+# score (already established by rule 980043) so fall through to the reporting
+# rule.
+# Requests that land on the following SecMarker:
+# - At reporting level 5 (unconditional reporting)
+# - At reporting levels 1-4 when a blocking score exceeds a threshold
+# - At reporting levels 2-4 when a detection score exceeds a threshold
+# - At reporting levels 3-4 when the total blocking score is greater than zero
+# - At reporting level 4 when the total detection score is greater than zero
+SecMarker "LOG-REPORTING"
+# Inbound and outbound - all requests
+SecAction \
+    "id:980170,\
+    phase:5,\
+    pass,\
+    t:none,\
+    noauditlog,\
+    msg:'Anomaly Scores: \
+(Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \
+(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
+(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
+    tag:'reporting',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0'"
+SecMarker "END-REPORTING"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-980-CORRELATION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-980-CORRELATION"

package/lib/nginx/includes/security/crs4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ADDED Viewed

@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+#
+# The purpose of this file is to hold LOCAL exceptions for your site.
+# The types of rules that would go into this file are one where you want
+# to unconditionally disable rules or modify their actions during startup.
+#
+# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+# for a description of the rule exclusions mechanism and the correct
+# use of this file.
+#
+#
+# Example Exclusion Rule: To unconditionally disable a rule ID
+#
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+# SecRuleRemoveById 942100
+# Example Exclusion Rule: Remove a group of rules
+#
+# ModSecurity Rule Exclusion: Disable PHP injection rules
+# SecRuleRemoveByTag "attack-injection-php"
+#
+# Example Exclusion Rule: To unconditionally remove parameter "foo" from
+#                         inspection for SQLi rules
+#
+# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
+# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
+# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
+#
+# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
+# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
+# against your policy. To apply a disruptive action, they overwrite the default
+# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
+# This 'deny' is by default paired with a 'status:403' action.
+#
+# In order to change the disruptive action from 'deny' to something else,
+# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
+# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
+#
+# These actions only apply when using Anomaly Mode.
+#
+# Default action: block with error 403
+# (No configuration needed in this file if you want the default behavior.)
+#
+# Example: redirect back to the homepage on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
+# Example: redirect to another URL on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
+# Example: send an error 404
+#
+# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
+# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
+# Example: drop the connection (best for DoS attacks)
+#
+# SecRuleUpdateActionById 949110 "t:none,drop"
+# SecRuleUpdateActionById 959100 "t:none,drop"

package/lib/nginx/includes/security/crs4/rules/iis-errors.data ADDED Viewed

@@ -0,0 +1,59 @@
+# This list comes from the default IIS error pages
+# To renerate get the files from a default installation and use:
+# grep -h '<title' *.htm
+<title>401.1 - Unauthorized: Access is denied due to invalid credentials.</title>
+<title>401.2 - Unauthorized: Access is denied due to server configuration.</title>
+<title>401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.</title>
+<title>401.4 - Unauthorized: Authorization failed by filter installed on the Web server.</title>
+<title>401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application.</title>
+<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
+<title>403.1 - Forbidden: Execute access is denied.</title>
+<title>403.10 - Forbidden: Web server is configured to deny Execute access.</title>
+<title>403.11 - Forbidden: Password has been changed.</title>
+<title>403.12 - Forbidden: Client certificate is denied access by the server certificate mapper.</title>
+<title>403.13 - Forbidden: Client certificate has been revoked on the Web server.</title>
+<title>403.14 - Forbidden: Directory listing denied.</title>
+<title>403.15 - Forbidden: Client access licenses have exceeded limits on the Web server.</title>
+<title>403.16 - Forbidden: Client certificate is ill-formed or is not trusted by the Web server.</title>
+<title>403.17 - Forbidden: Client certificate has expired or is not yet valid.</title>
+<title>403.18 - Forbidden: Cannot execute requested URL in the current application pool.</title>
+<title>403.19 - Forbidden: Cannot execute CGIs for the client in this application pool.</title>
+<title>403.2 - Forbidden: Read access is denied.</title>
+<title>403.3 - Forbidden: Write access is denied.</title>
+<title>403.4 - Forbidden: SSL is required to view this resource.</title>
+<title>403.5 - Forbidden: SSL 128 is required to view this resource.</title>
+<title>403.6 - Forbidden: IP address of the client has been rejected.</title>
+<title>403.7 - Forbidden: SSL client certificate is required.</title>
+<title>403.8 - Forbidden: DNS name of the client is rejected.</title>
+<title>403.9 - Forbidden: Too many clients are trying to connect to the Web server.</title>
+<title>403 - Forbidden: Access is denied.</title>
+<title>404.1 - File or directory not found: Web site not accessible on the requested port.</title>
+<title>404.11 - URL is double-escaped.</title>
+<title>404.12 - URL has high bit characters.</title>
+<title>404.14 - URL too long.</title>
+<title>404.15 - Query-String too long.</title>
+<title>404.2 - File or directory not found: Lockdown policy prevents this request.</title>
+<title>404.3 - File or directory not found: MIME map policy prevents this request.</title>
+<title>404.4 - File or directory not found: No module handler is registered to handle the request.</title>
+<title>404.5 - URL sequence denied.</title>
+<title>404.6 - HTTP verb denied.</title>
+<title>404.7 - File extension denied.</title>
+<title>404.8 - URL namespace hidden.</title>
+<title>404.9 - File attribute hidden.</title>
+<title>404 - File or directory not found.</title>
+<title>405 - HTTP verb used to access this page is not allowed.</title>
+<title>406 - Client browser does not accept the MIME type of the requested page.</title>
+<title>412 - Precondition set by the client failed when evaluated on the Web server.</title>
+<title>413.1 - Content-Length too large.</title>
+<title>431 - Request header too long.</title>
+<title>500.13 - Server error: Web server is too busy.</title>
+<title>500.14 - Server error: Invalid application configuration on the server.</title>
+<title>500.15 - Server error: Direct requests for GLOBAL.ASA are not allowed.</title>
+<title>500.16 - Server error: UNC authorization credentials incorrect.</title>
+<title>500.17 - Server error: URL authorization store cannot be found.</title>
+<title>500.18 - Server error: URL authorization store cannot be opened.</title>
+<title>500.19 - Server error: Data for this file is configured improperly.</title>
+<title>500 - Internal server error.</title>
+<title>501 - Header values specify a method that is not implemented.</title>
+<title>502 - Web server received an invalid response while acting as a gateway or proxy server.</title>

package/lib/nginx/includes/security/crs4/rules/java-classes.data ADDED Viewed

@@ -0,0 +1,64 @@
+# Java Classes for use with Java RCEs
+#
+# Used With Rule 944130 in Apache Struts and Oracle Weblogic RCEs Detection:
+#
+# CVE-2017-5638  (2017.01.29) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+# CVE-2017-9791  (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791
+# CVE-2017-9805  (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
+# CVE-2017-10271 (2017.06.21) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271
+# CVE-2018-11776 (2018.06.05) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
+# CVE-2021-44228 (2021.11.26) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
+#
+# Additional Resources
+# Apache S2-057 (2019.01.20) https://cwiki.apache.org/confluence/display/WW/S2-057
+com.opensymphony.xwork2
+com.sun.org.apache
+freemarker.core
+freemarker.template
+freemarker.ext.rhino
+java.io.BufferedInputStream
+java.io.BufferedReader
+java.io.ByteArrayInputStream
+java.io.ByteArrayOutputStream
+java.io.CharArrayReader
+java.io.DataInputStream
+java.io.File
+java.io.FileOutputStream
+java.io.FilePermission
+java.io.FileWriter
+java.io.FilterInputStream
+java.io.FilterOutputStream
+java.io.FilterReader
+java.io.InputStream
+java.io.InputStreamReader
+java.io.IOException
+java.io.LineNumberReader
+java.io.ObjectOutputStream
+java.io.OutputStream
+java.io.PipedOutputStream
+java.io.PipedReader
+java.io.PrintStream
+java.io.PushbackInputStream
+java.io.Reader
+java.io.StringReader
+java.lang.Class
+java.lang.Integer
+java.lang.Number
+java.lang.Object
+java.lang.Process
+java.lang.ProcessBuilder
+java.lang.reflect
+java.lang.Runtime
+java.lang.String
+java.lang.StringBuilder
+java.lang.System
+java.net.Socket
+javassist
+javax.script.ScriptEngineManager
+org.apache.commons
+org.apache.struts
+org.apache.struts2
+org.omg.CORBA
+java.beans.XMLDecode
+sun.reflect

package/lib/nginx/includes/security/crs4/rules/java-code-leakages.data ADDED Viewed

@@ -0,0 +1,17 @@
+<jsp:
+javax.servlet
+.addheader
+.createtextfile
+.getfile
+.loadfromfile
+response.binarywrite
+response.write
+scripting.filesystemobject
+server.createobject
+server.execute
+server.htmlencode
+server.mappath
+server.urlencode
+vbscript.encode
+wscript.network
+wscript.shell

package/lib/nginx/includes/security/crs4/rules/java-errors.data ADDED Viewed

@@ -0,0 +1,10 @@
+[java.lang.
+class java.lang.
+java.lang.NullPointerException
+java.rmi.ServerException
+at java.lang.
+onclick="toggle('full exception chain stacktrace')"
+at org.apache.catalina
+at org.apache.coyote.
+at org.apache.tomcat.
+at org.apache.jasper.