@abtnode/router-provider 1.16.46-beta-20250703-024219-4029ee97 → 1.16.46-beta-20250704-234926-09d872ad
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/nginx/includes/security/crs4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +1 -1
- package/lib/nginx/includes/security/crs4/rules/REQUEST-901-INITIALIZATION.conf +42 -40
- package/lib/nginx/includes/security/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +4 -4
- package/lib/nginx/includes/security/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +12 -11
- package/lib/nginx/includes/security/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf +12 -11
- package/lib/nginx/includes/security/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +127 -148
- package/lib/nginx/includes/security/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf +80 -35
- package/lib/nginx/includes/security/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf +12 -6
- package/lib/nginx/includes/security/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +22 -17
- package/lib/nginx/includes/security/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +254 -86
- package/lib/nginx/includes/security/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf +172 -65
- package/lib/nginx/includes/security/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf +65 -29
- package/lib/nginx/includes/security/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +114 -78
- package/lib/nginx/includes/security/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +182 -120
- package/lib/nginx/includes/security/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +19 -16
- package/lib/nginx/includes/security/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +48 -34
- package/lib/nginx/includes/security/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf +30 -30
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +47 -29
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +15 -36
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +22 -17
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-955-WEB-SHELLS.conf +92 -43
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +30 -30
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-980-CORRELATION.conf +23 -23
- package/lib/nginx/includes/security/crs4/rules/java-classes.data +11 -0
- package/lib/nginx/includes/security/crs4/rules/lfi-os-files.data +227 -15
- package/lib/nginx/includes/security/crs4/rules/php-function-names-933150.data +0 -7
- package/lib/nginx/includes/security/crs4/rules/restricted-files.data +250 -29
- package/lib/nginx/includes/security/crs4/rules/restricted-upload.data +200 -26
- package/lib/nginx/includes/security/crs4/rules/unix-shell-builtins.data +20 -0
- package/lib/nginx/includes/security/crs4/rules/unix-shell.data +39 -18
- package/lib/nginx/includes/security/crs4/rules/web-shells-asp.data +23 -0
- package/package.json +9 -9
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# ------------------------------------------------------------------------
|
|
2
|
-
# OWASP CRS ver.4.
|
|
2
|
+
# OWASP CRS ver.4.16.0
|
|
3
3
|
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
|
4
|
-
# Copyright (c) 2021-
|
|
4
|
+
# Copyright (c) 2021-2025 CRS project. All rights reserved.
|
|
5
5
|
#
|
|
6
6
|
# The OWASP CRS is distributed under
|
|
7
7
|
# Apache Software License (ASL) version 2
|
|
@@ -14,8 +14,8 @@
|
|
|
14
14
|
|
|
15
15
|
|
|
16
16
|
|
|
17
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
18
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
17
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
18
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
19
19
|
#
|
|
20
20
|
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
|
21
21
|
#
|
|
@@ -119,7 +119,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'O
|
|
|
119
119
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
120
120
|
# crs-toolchain regex update 932230
|
|
121
121
|
#
|
|
122
|
-
SecRule REQUEST_COOKIES
|
|
122
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\
|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)
\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]
*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?
\x5c?(?:[\s\x0b&\),<>\|]|$).*))\b" \
|
|
123
123
|
"id:932230,\
|
|
124
124
|
phase:2,\
|
|
125
125
|
block,\
|
|
@@ -133,9 +133,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
133
133
|
tag:'attack-rce',\
|
|
134
134
|
tag:'paranoia-level/1',\
|
|
135
135
|
tag:'OWASP_CRS',\
|
|
136
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
136
137
|
tag:'capec/1000/152/248/88',\
|
|
137
138
|
tag:'PCI/6.5.2',\
|
|
138
|
-
ver:'OWASP_CRS/4.
|
|
139
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
139
140
|
severity:'CRITICAL',\
|
|
140
141
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
141
142
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -179,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
179
180
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
180
181
|
# crs-toolchain regex update 932235
|
|
181
182
|
#
|
|
182
|
-
SecRule REQUEST_COOKIES
|
|
183
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\
|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))(?:[\s\x0b&\),<>\|]|$)|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|nsible|pt(?:-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:ch(?:[\s\x0b&\),<>\|]|$)|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell))|b(?:a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)(?:[\s\x0b&\),<>\|]|$)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),
<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|p(?:(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab))|s(?:cli(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:psfilter|rl(?:[\s\x0b&\),<>\|]|$)))|d(?:(?:ash|i(?:alog|ff)|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)(?:[\s\x0b&\),<>\|]|$)|n(?:d(?:if|sw)(?:[\s\x0b&\),<>\|]|$)|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool))|f(?:acter|d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|(?:etch|grep|lock|unction)(?:[\s\x0b&\),<>\|]|$)|i(?:le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|tfacl(?:[\s\x0b&\),<>\|]|$))|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:conv|nstall)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:in(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$)|sshell)|l(?:a(?:st(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:cate|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|
usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx(?:[\s\x0b&\),<>\|]|$)|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|(?:ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt(?:[\s\x0b&\),<>\|]|$)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff|ull)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:ctave(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:(?:co|gz|ng)(?:[\s\x0b&\),<>\|]|$)|dstat)|k(?:exec|g_?info|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|stic)|l(?:ogin|wrap)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:\.distrib|(?:adow|ells|
u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|mbclient|o(?:(?:ca|r)t(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)(?:[\s\x0b&\),<>\|]|$)|ime(?:datectl|out(?:[\s\x0b&\),<>\|]|$))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:limit(?:[\s\x0b&\),<>\|]|$)|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|mdiff|sudo(?:-rs)?)|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:all|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|o(?:ami|is(?:[\s\x0b&\),<>\|]|$)))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:args|pad|term)(?:[\s\x0b&\),<>\|]|$)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|s(?:oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|ypper))" \
|
|
183
184
|
"id:932235,\
|
|
184
185
|
phase:2,\
|
|
185
186
|
block,\
|
|
@@ -193,9 +194,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
193
194
|
tag:'attack-rce',\
|
|
194
195
|
tag:'paranoia-level/1',\
|
|
195
196
|
tag:'OWASP_CRS',\
|
|
197
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
196
198
|
tag:'capec/1000/152/248/88',\
|
|
197
199
|
tag:'PCI/6.5.2',\
|
|
198
|
-
ver:'OWASP_CRS/4.
|
|
200
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
199
201
|
severity:'CRITICAL',\
|
|
200
202
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
201
203
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -211,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
211
213
|
#
|
|
212
214
|
# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10)
|
|
213
215
|
#
|
|
214
|
-
SecRule REQUEST_COOKIES
|
|
216
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
|
|
215
217
|
"id:932120,\
|
|
216
218
|
phase:2,\
|
|
217
219
|
block,\
|
|
@@ -226,9 +228,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
226
228
|
tag:'attack-rce',\
|
|
227
229
|
tag:'paranoia-level/1',\
|
|
228
230
|
tag:'OWASP_CRS',\
|
|
231
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
229
232
|
tag:'capec/1000/152/248/88',\
|
|
230
233
|
tag:'PCI/6.5.2',\
|
|
231
|
-
ver:'OWASP_CRS/4.
|
|
234
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
232
235
|
severity:'CRITICAL',\
|
|
233
236
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
234
237
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -246,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
246
249
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
247
250
|
# crs-toolchain regex update 932125
|
|
248
251
|
#
|
|
249
|
-
SecRule REQUEST_COOKIES
|
|
252
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:[dpv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[cv]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0
-9A-Z_a-z]+)?\b" \
|
|
250
253
|
"id:932125,\
|
|
251
254
|
phase:2,\
|
|
252
255
|
block,\
|
|
@@ -260,9 +263,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
260
263
|
tag:'attack-rce',\
|
|
261
264
|
tag:'paranoia-level/1',\
|
|
262
265
|
tag:'OWASP_CRS',\
|
|
266
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
263
267
|
tag:'capec/1000/152/248/88',\
|
|
264
268
|
tag:'PCI/6.5.2',\
|
|
265
|
-
ver:'OWASP_CRS/4.
|
|
269
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
266
270
|
severity:'CRITICAL',\
|
|
267
271
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
268
272
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -290,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
290
294
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
291
295
|
# crs-toolchain regex update 932130
|
|
292
296
|
#
|
|
293
|
-
SecRule REQUEST_COOKIES
|
|
297
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\}|\[.*\])|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \
|
|
294
298
|
"id:932130,\
|
|
295
299
|
phase:2,\
|
|
296
300
|
block,\
|
|
@@ -304,9 +308,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
304
308
|
tag:'attack-rce',\
|
|
305
309
|
tag:'paranoia-level/1',\
|
|
306
310
|
tag:'OWASP_CRS',\
|
|
311
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
307
312
|
tag:'capec/1000/152/248/88',\
|
|
308
313
|
tag:'PCI/6.5.2',\
|
|
309
|
-
ver:'OWASP_CRS/4.
|
|
314
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
310
315
|
severity:'CRITICAL',\
|
|
311
316
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
312
317
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -337,7 +342,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
337
342
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
338
343
|
# crs-toolchain regex update 932140
|
|
339
344
|
#
|
|
340
|
-
SecRule REQUEST_COOKIES
|
|
345
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\x0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \
|
|
341
346
|
"id:932140,\
|
|
342
347
|
phase:2,\
|
|
343
348
|
block,\
|
|
@@ -351,22 +356,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
351
356
|
tag:'attack-rce',\
|
|
352
357
|
tag:'paranoia-level/1',\
|
|
353
358
|
tag:'OWASP_CRS',\
|
|
359
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
354
360
|
tag:'capec/1000/152/248/88',\
|
|
355
361
|
tag:'PCI/6.5.2',\
|
|
356
|
-
ver:'OWASP_CRS/4.
|
|
362
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
357
363
|
severity:'CRITICAL',\
|
|
358
364
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
359
365
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
360
366
|
|
|
361
367
|
|
|
362
368
|
# [ Unix shell expressions - Bash Tilde expansion ]
|
|
369
|
+
# This rule has a stricter sibling: 932271
|
|
363
370
|
#
|
|
364
371
|
# Detects the following patterns which are common in Unix shell scripts
|
|
365
372
|
# and one-liners:
|
|
366
373
|
#
|
|
367
374
|
# ~+ $PWD
|
|
368
375
|
# ~- $OLDPWD
|
|
369
|
-
# ~4 fourth directory entry on the stack from the top
|
|
370
376
|
# ~-2 second directory entry on the stack from the top
|
|
371
377
|
# ~+2 second directory entry on the stack from the bottom
|
|
372
378
|
#
|
|
@@ -377,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
377
383
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
378
384
|
# crs-toolchain regex update 932270
|
|
379
385
|
#
|
|
380
|
-
SecRule REQUEST_COOKIES
|
|
386
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[\+\-](?:$|[0-9]+)" \
|
|
381
387
|
"id:932270,\
|
|
382
388
|
phase:2,\
|
|
383
389
|
block,\
|
|
@@ -391,8 +397,43 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
391
397
|
tag:'attack-rce',\
|
|
392
398
|
tag:'paranoia-level/1',\
|
|
393
399
|
tag:'OWASP_CRS',\
|
|
400
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
401
|
+
tag:'capec/1000/152/248/88',\
|
|
402
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
403
|
+
severity:'CRITICAL',\
|
|
404
|
+
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
405
|
+
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
406
|
+
|
|
407
|
+
|
|
408
|
+
# [ Unix shell expressions - brace expansion ]
|
|
409
|
+
#
|
|
410
|
+
# Detects the following patterns which are common in Unix shell scripts
|
|
411
|
+
# and one-liners:
|
|
412
|
+
#
|
|
413
|
+
# {,ip,a}
|
|
414
|
+
# c{a,oun}t
|
|
415
|
+
# {,ifconfig}
|
|
416
|
+
# {,ifconfig,eth0}
|
|
417
|
+
# {l,-lh}s
|
|
418
|
+
#
|
|
419
|
+
#
|
|
420
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9A-Z_a-z]*,[,\-0-9A-Z_a-z]+\}" \
|
|
421
|
+
"id:932280,\
|
|
422
|
+
phase:2,\
|
|
423
|
+
block,\
|
|
424
|
+
capture,\
|
|
425
|
+
t:none,\
|
|
426
|
+
msg:'Remote Command Execution: Brace Expansion Found',\
|
|
427
|
+
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
|
428
|
+
tag:'application-multi',\
|
|
429
|
+
tag:'language-shell',\
|
|
430
|
+
tag:'platform-unix',\
|
|
431
|
+
tag:'attack-rce',\
|
|
432
|
+
tag:'paranoia-level/1',\
|
|
433
|
+
tag:'OWASP_CRS',\
|
|
434
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
394
435
|
tag:'capec/1000/152/248/88',\
|
|
395
|
-
ver:'OWASP_CRS/4.
|
|
436
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
396
437
|
severity:'CRITICAL',\
|
|
397
438
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
398
439
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
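Review bot: The new rule 932280 (`SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9A-Z_a-z]*,[,\-0-9A-Z_a-z]+\}"`) runs at PL1 with `t:none` and a CRITICAL score, so any `{word,word}` token in a cookie, argument name/value or XML node — a comma list inside braces in ordinary content — raises the inbound anomaly score exactly as a real `c{a,oun}t` payload would, and unlike 932270 just above it there is no stricter-sibling split or paranoia note to soften that. The `@@` context of this hunk shows the old target list carried `!REQUEST_COOKIES:/__utm/`, while the new target lists in this file do not, so cookies that were previously skipped are now inspected by this and the neighbouring rules; that reads as an upstream CRS 4.16.0 change rather than something this package introduced, but operators of this router now have to carry any such exemption themselves. I would add a comment above the rule: `# Note: matches any {a,b}-style token (t:none) in cookies/args/XML at PL1; exempt known-legitimate parameters with ctl:ruleRemoveTargetById=932280 in the before-CRS exclusion file rather than disabling the rule.`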
@@ -457,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
457
498
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
458
499
|
# crs-toolchain regex update 932250
|
|
459
500
|
#
|
|
460
|
-
SecRule REQUEST_COOKIES
|
|
501
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\
)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[
\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)(?:[\s\x0b&\),<>\|]|$)" \
|
|
461
502
|
"id:932250,\
|
|
462
503
|
phase:2,\
|
|
463
504
|
block,\
|
|
@@ -471,9 +512,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
471
512
|
tag:'attack-rce',\
|
|
472
513
|
tag:'paranoia-level/1',\
|
|
473
514
|
tag:'OWASP_CRS',\
|
|
515
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
474
516
|
tag:'capec/1000/152/248/88',\
|
|
475
517
|
tag:'PCI/6.5.2',\
|
|
476
|
-
ver:'OWASP_CRS/4.
|
|
518
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
477
519
|
severity:'CRITICAL',\
|
|
478
520
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
479
521
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -516,7 +558,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
516
558
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
517
559
|
# crs-toolchain regex update 932260
|
|
518
560
|
#
|
|
519
|
-
SecRule REQUEST_COOKIES
|
|
561
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|rj(?:-register|disp)|tobm(?:[\s\x0b&\),<>\|]|$))|b(?:ase(?:32|64|nc)|(?:lkid|yobu)(?:[\s\x0b&\),<>\|]|$)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)(?:[\s\x0b&\),<>\|]|$)|ef-|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$))|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|mm(?:[\s\x0b&\),<>\|]|$)|proc)|(?:p(?:an|io)|scli)(?:[\s\x0b&\),<>\|]|$))|d(?:(?:iff|mesg|vips)(?:[\s\x0b&\),<>\|]|$)|o(?:as(?:[\s\x0b&\),<>\|]|$)|cker-)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)(?:[\s\x0b&\),<>\|]|$))|f(?:d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|grep(?:[\s\x0b&\),<>\|]|$)|iletest|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s
\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|unzip)|(?:htop|jexec)(?:[\s\x0b&\),<>\|]|$)|i(?:(?:conv|ftop)(?:[\s\x0b&\),<>\|]|$)|pp(?:eveprinter|find|tool))|l(?:ast(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:(?:ilq|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:fifo|nod(?:[\s\x0b&\),<>\|]|$)|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg(?:[\s\x0b&\),<>\|]|$))|p(?:d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|ksh(?:[\s\x0b&\),<>\|]|$))|(?:er(?:f|l5?)|(?:ft|gre)p|igz|(?:op|ush)d|s(?:ed|ql))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|k(?:exec|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:boot(?:[\s\x0b&\),<>\|]|$)|alpath)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]|$))|s(?:(?:diff|ftp|lsh|ocat)(?:[\s\x0b&\),<>\|]|$)|e(?:ndmail(?:[\s\x0b&\),<>\|]|$)|t(?:env|sid))|h(?:\.distrib|uf(?:[\s\x0b&\),<>\|]|$))|pwd\.db|td(?:err|in(?:[\s\x0b&\),<>\|]|$)|out)|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:ing|traceroute))|elnet|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$)))|u(?:n(?:(?:iq|rar|xz)(?:[\s\x0b&\),<>\|]|$)|lz(?:4(?:[\s\x0b&\),<>\|]|$)|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|w(?:get(?:[\s\x0b&\),<>\|]|$)|ho
ami)|x(?:(?:args|etex|more|pad|term)(?:[\s\x0b&\),<>\|]|$)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|std(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less)))" \
|
|
520
562
|
"id:932260,\
|
|
521
563
|
phase:2,\
|
|
522
564
|
block,\
|
|
@@ -530,9 +572,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
530
572
|
tag:'attack-rce',\
|
|
531
573
|
tag:'paranoia-level/1',\
|
|
532
574
|
tag:'OWASP_CRS',\
|
|
575
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
533
576
|
tag:'capec/1000/152/248/88',\
|
|
534
577
|
tag:'PCI/6.5.2',\
|
|
535
|
-
ver:'OWASP_CRS/4.
|
|
578
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
536
579
|
severity:'CRITICAL',\
|
|
537
580
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
538
581
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -552,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
552
595
|
# This rule has stricter siblings:
|
|
553
596
|
# * 932331 (PL3)
|
|
554
597
|
#
|
|
555
|
-
SecRule REQUEST_COOKIES
|
|
598
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \
|
|
556
599
|
"id:932330,\
|
|
557
600
|
phase:2,\
|
|
558
601
|
block,\
|
|
@@ -566,9 +609,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
566
609
|
tag:'attack-rce',\
|
|
567
610
|
tag:'paranoia-level/1',\
|
|
568
611
|
tag:'OWASP_CRS',\
|
|
612
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
569
613
|
tag:'capec/1000/152/248/88',\
|
|
570
614
|
tag:'PCI/6.5.2',\
|
|
571
|
-
ver:'OWASP_CRS/4.
|
|
615
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
572
616
|
severity:'CRITICAL',\
|
|
573
617
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
574
618
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -593,7 +637,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
593
637
|
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
|
594
638
|
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
|
595
639
|
|
|
596
|
-
SecRule REQUEST_COOKIES
|
|
640
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
|
|
597
641
|
"id:932160,\
|
|
598
642
|
phase:2,\
|
|
599
643
|
block,\
|
|
@@ -607,9 +651,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
607
651
|
tag:'attack-rce',\
|
|
608
652
|
tag:'paranoia-level/1',\
|
|
609
653
|
tag:'OWASP_CRS',\
|
|
654
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
610
655
|
tag:'capec/1000/152/248/88',\
|
|
611
656
|
tag:'PCI/6.5.2',\
|
|
612
|
-
ver:'OWASP_CRS/4.
|
|
657
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
613
658
|
severity:'CRITICAL',\
|
|
614
659
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
615
660
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -638,9 +683,10 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
|
|
|
638
683
|
tag:'attack-rce',\
|
|
639
684
|
tag:'paranoia-level/1',\
|
|
640
685
|
tag:'OWASP_CRS',\
|
|
686
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
641
687
|
tag:'capec/1000/152/248/88',\
|
|
642
688
|
tag:'PCI/6.5.2',\
|
|
643
|
-
ver:'OWASP_CRS/4.
|
|
689
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
644
690
|
severity:'CRITICAL',\
|
|
645
691
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
646
692
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -659,9 +705,10 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|
|
659
705
|
tag:'attack-rce',\
|
|
660
706
|
tag:'paranoia-level/1',\
|
|
661
707
|
tag:'OWASP_CRS',\
|
|
708
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
662
709
|
tag:'capec/1000/152/248/88',\
|
|
663
710
|
tag:'PCI/6.5.2',\
|
|
664
|
-
ver:'OWASP_CRS/4.
|
|
711
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
665
712
|
severity:'CRITICAL',\
|
|
666
713
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
667
714
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -687,7 +734,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|
|
687
734
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
688
735
|
# crs-toolchain regex update 932175
|
|
689
736
|
#
|
|
690
|
-
SecRule REQUEST_COOKIES
|
|
737
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s\b[\s\x0b]+(?:[\+\-][a-z]+\+?[\s\x0b]+)?[!\"%',-\.0-9@-Z_a-z]+=[^\s\x0b]" \
|
|
691
738
|
"id:932175,\
|
|
692
739
|
phase:2,\
|
|
693
740
|
block,\
|
|
@@ -701,9 +748,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
701
748
|
tag:'attack-rce',\
|
|
702
749
|
tag:'paranoia-level/1',\
|
|
703
750
|
tag:'OWASP_CRS',\
|
|
751
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
704
752
|
tag:'capec/1000/152/248/88',\
|
|
705
753
|
tag:'PCI/6.5.2',\
|
|
706
|
-
ver:'OWASP_CRS/4.
|
|
754
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
707
755
|
severity:'CRITICAL',\
|
|
708
756
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
709
757
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -735,9 +783,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|
|
735
783
|
tag:'attack-rce',\
|
|
736
784
|
tag:'paranoia-level/1',\
|
|
737
785
|
tag:'OWASP_CRS',\
|
|
786
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
738
787
|
tag:'capec/1000/152/248/88',\
|
|
739
788
|
tag:'PCI/6.5.2',\
|
|
740
|
-
ver:'OWASP_CRS/4.
|
|
789
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
741
790
|
severity:'CRITICAL',\
|
|
742
791
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
743
792
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -815,7 +864,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|
|
815
864
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
816
865
|
# crs-toolchain regex update 932370
|
|
817
866
|
#
|
|
818
|
-
SecRule REQUEST_COOKIES
|
|
867
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|(?:s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l|t[\"\^]*b[\"\^]*r[\"\^]*o[\"\^]*k)[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\
"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[
\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*
n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\x0b,\./;<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\x0b,\./;<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e
|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\x0b,\./;<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
|
|
819
868
|
"id:932370,\
|
|
820
869
|
phase:2,\
|
|
821
870
|
block,\
|
|
@@ -829,9 +878,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
829
878
|
tag:'attack-rce',\
|
|
830
879
|
tag:'paranoia-level/1',\
|
|
831
880
|
tag:'OWASP_CRS',\
|
|
881
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
832
882
|
tag:'capec/1000/152/248/88',\
|
|
833
883
|
tag:'PCI/6.5.2',\
|
|
834
|
-
ver:'OWASP_CRS/4.
|
|
884
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
835
885
|
severity:'CRITICAL',\
|
|
836
886
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
837
887
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -852,7 +902,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
852
902
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
853
903
|
# crs-toolchain regex update 932380
|
|
854
904
|
#
|
|
855
|
-
SecRule REQUEST_COOKIES
|
|
905
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"
\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]
*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|
w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
|
|
856
906
|
"id:932380,\
|
|
857
907
|
phase:2,\
|
|
858
908
|
block,\
|
|
@@ -866,20 +916,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
866
916
|
tag:'attack-rce',\
|
|
867
917
|
tag:'paranoia-level/1',\
|
|
868
918
|
tag:'OWASP_CRS',\
|
|
919
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
869
920
|
tag:'capec/1000/152/248/88',\
|
|
870
921
|
tag:'PCI/6.5.2',\
|
|
871
|
-
ver:'OWASP_CRS/4.
|
|
922
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
872
923
|
severity:'CRITICAL',\
|
|
873
924
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
874
925
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
875
926
|
|
|
876
927
|
|
|
877
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
878
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
928
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
929
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
879
930
|
#
|
|
880
931
|
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
|
881
932
|
#
|
|
882
933
|
|
|
934
|
+
# This rule is a stricter sibling to 932370
|
|
935
|
+
#
|
|
936
|
+
# This rule contains additional commands that are not matched at PL-1 due to being false positive prone or common english words.
|
|
937
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*a[\"\^]*t[\"\^]*[\s\x0b,\./;<>].*(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
|
|
938
|
+
"id:932371,\
|
|
939
|
+
phase:2,\
|
|
940
|
+
block,\
|
|
941
|
+
capture,\
|
|
942
|
+
t:none,\
|
|
943
|
+
msg:'Remote Command Execution: Windows Command Injection',\
|
|
944
|
+
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
|
945
|
+
tag:'application-multi',\
|
|
946
|
+
tag:'language-shell',\
|
|
947
|
+
tag:'platform-windows',\
|
|
948
|
+
tag:'attack-rce',\
|
|
949
|
+
tag:'paranoia-level/2',\
|
|
950
|
+
tag:'OWASP_CRS',\
|
|
951
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
952
|
+
tag:'capec/1000/152/248/88',\
|
|
953
|
+
tag:'PCI/6.5.2',\
|
|
954
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
955
|
+
severity:'CRITICAL',\
|
|
956
|
+
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
957
|
+
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
958
|
+
|
|
883
959
|
# [ Unix command injection ]
|
|
884
960
|
#
|
|
885
961
|
# This rule targets pefix + the source command (dot character) at PL2.
|
|
@@ -918,7 +994,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'O
|
|
|
918
994
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
919
995
|
# crs-toolchain regex update 932231
|
|
920
996
|
#
|
|
921
|
-
SecRule REQUEST_COOKIES
|
|
997
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||
&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
|
|
922
998
|
"id:932231,\
|
|
923
999
|
phase:2,\
|
|
924
1000
|
block,\
|
|
@@ -932,9 +1008,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
932
1008
|
tag:'attack-rce',\
|
|
933
1009
|
tag:'paranoia-level/2',\
|
|
934
1010
|
tag:'OWASP_CRS',\
|
|
1011
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
935
1012
|
tag:'capec/1000/152/248/88',\
|
|
936
1013
|
tag:'PCI/6.5.2',\
|
|
937
|
-
ver:'OWASP_CRS/4.
|
|
1014
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
938
1015
|
severity:'CRITICAL',\
|
|
939
1016
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
940
1017
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -965,9 +1042,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
|
|
|
965
1042
|
tag:'attack-rce',\
|
|
966
1043
|
tag:'paranoia-level/2',\
|
|
967
1044
|
tag:'OWASP_CRS',\
|
|
1045
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
968
1046
|
tag:'capec/1000/152/248/88',\
|
|
969
1047
|
tag:'PCI/6.5.2',\
|
|
970
|
-
ver:'OWASP_CRS/4.
|
|
1048
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
971
1049
|
severity:'CRITICAL',\
|
|
972
1050
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
973
1051
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1000,7 +1078,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
|
|
|
1000
1078
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1001
1079
|
# crs-toolchain regex update 932200
|
|
1002
1080
|
#
|
|
1003
|
-
SecRule REQUEST_COOKIES
|
|
1081
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]" \
|
|
1004
1082
|
"id:932200,\
|
|
1005
1083
|
phase:2,\
|
|
1006
1084
|
block,\
|
|
@@ -1014,16 +1092,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1014
1092
|
tag:'attack-rce',\
|
|
1015
1093
|
tag:'paranoia-level/2',\
|
|
1016
1094
|
tag:'OWASP_CRS',\
|
|
1095
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1017
1096
|
tag:'capec/1000/152/248/88',\
|
|
1018
1097
|
tag:'PCI/6.5.2',\
|
|
1019
|
-
ver:'OWASP_CRS/4.
|
|
1098
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1020
1099
|
severity:'CRITICAL',\
|
|
1021
1100
|
setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
|
|
1022
1101
|
chain"
|
|
1023
|
-
SecRule
|
|
1102
|
+
SecRule MATCHED_VARS "@rx /" \
|
|
1024
1103
|
"t:none,\
|
|
1025
1104
|
chain"
|
|
1026
|
-
SecRule
|
|
1105
|
+
SecRule MATCHED_VARS "@rx \s" \
|
|
1027
1106
|
"t:none,\
|
|
1028
1107
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1029
1108
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1056,9 +1135,10 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
|
|
|
1056
1135
|
tag:'attack-rce',\
|
|
1057
1136
|
tag:'paranoia-level/2',\
|
|
1058
1137
|
tag:'OWASP_CRS',\
|
|
1138
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1059
1139
|
tag:'capec/1000/152/248/88',\
|
|
1060
1140
|
tag:'PCI/6.5.2',\
|
|
1061
|
-
ver:'OWASP_CRS/4.
|
|
1141
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1062
1142
|
severity:'CRITICAL',\
|
|
1063
1143
|
setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
|
|
1064
1144
|
chain"
|
|
@@ -1099,16 +1179,17 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
|
|
|
1099
1179
|
tag:'attack-rce',\
|
|
1100
1180
|
tag:'paranoia-level/2',\
|
|
1101
1181
|
tag:'OWASP_CRS',\
|
|
1182
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1102
1183
|
tag:'capec/1000/152/248/88',\
|
|
1103
1184
|
tag:'PCI/6.5.2',\
|
|
1104
|
-
ver:'OWASP_CRS/4.
|
|
1185
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1105
1186
|
severity:'CRITICAL',\
|
|
1106
1187
|
setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
|
|
1107
1188
|
chain"
|
|
1108
|
-
SecRule
|
|
1189
|
+
SecRule MATCHED_VARS "@rx /" \
|
|
1109
1190
|
"t:none,\
|
|
1110
1191
|
chain"
|
|
1111
|
-
SecRule
|
|
1192
|
+
SecRule MATCHED_VARS "@rx \s" \
|
|
1112
1193
|
"t:none,\
|
|
1113
1194
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1114
1195
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1118,7 +1199,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
|
|
|
1118
1199
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1119
1200
|
# crs-toolchain regex update 932220
|
|
1120
1201
|
#
|
|
1121
|
-
SecRule REQUEST_COOKIES
|
|
1202
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5
c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$
[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[bx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]
*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cp]|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\
(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[gu]|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|(?:v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
|
|
1122
1203
|
"id:932220,\
|
|
1123
1204
|
phase:2,\
|
|
1124
1205
|
block,\
|
|
@@ -1132,9 +1213,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1132
1213
|
tag:'attack-rce',\
|
|
1133
1214
|
tag:'paranoia-level/2',\
|
|
1134
1215
|
tag:'OWASP_CRS',\
|
|
1216
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1135
1217
|
tag:'capec/1000/152/248/88',\
|
|
1136
1218
|
tag:'PCI/6.5.2',\
|
|
1137
|
-
ver:'OWASP_CRS/4.
|
|
1219
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1138
1220
|
severity:'CRITICAL',\
|
|
1139
1221
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1140
1222
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1181,7 +1263,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1181
1263
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1182
1264
|
# crs-toolchain regex update 932240
|
|
1183
1265
|
#
|
|
1184
|
-
SecRule REQUEST_COOKIES
|
|
1266
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\s\x0b]*[\"'][^\s\x0b\"']+[\"']|(?:[\"'][\"']+|[\[-\]]+|\$+[!#\*\-0-9\?@\x5c_a-\{]+|``|[\$<>]\(\))[\s\x0b]*)[\-0-9_a-z]+" \
|
|
1185
1267
|
"id:932240,\
|
|
1186
1268
|
phase:2,\
|
|
1187
1269
|
block,\
|
|
@@ -1195,18 +1277,53 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
|
|
|
1195
1277
|
tag:'attack-rce',\
|
|
1196
1278
|
tag:'paranoia-level/2',\
|
|
1197
1279
|
tag:'OWASP_CRS',\
|
|
1280
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1198
1281
|
tag:'capec/1000/152/248/88',\
|
|
1199
1282
|
tag:'PCI/6.5.2',\
|
|
1200
|
-
ver:'OWASP_CRS/4.
|
|
1283
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1201
1284
|
severity:'CRITICAL',\
|
|
1202
1285
|
setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
|
|
1203
1286
|
chain"
|
|
1204
|
-
SecRule
|
|
1287
|
+
SecRule MATCHED_VARS "!@rx [0-9]\s*\'\s*[0-9]" \
|
|
1205
1288
|
"t:none,\
|
|
1206
1289
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1207
1290
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
1208
1291
|
|
|
1209
1292
|
|
|
1293
|
+
# [ Unix shell expressions - Bash Brace expansion ]
|
|
1294
|
+
#
|
|
1295
|
+
# This rule is a stricter sibling of rule 932280. It matches non-whitspace characters between braces,
|
|
1296
|
+
# as an extension of rule 932280, which only detects alphanumeric and underscore characters. This rule detects the following
|
|
1297
|
+
# patterns which are used in Unix shell scripts and one-liners:
|
|
1298
|
+
#
|
|
1299
|
+
# {,echo,#test}
|
|
1300
|
+
# {,cd,/etc,}
|
|
1301
|
+
# {,$'whoami',}
|
|
1302
|
+
# {,$"whoami",}
|
|
1303
|
+
# {,/?s?/?i?/c?t,/e??/p??s??,}
|
|
1304
|
+
#
|
|
1305
|
+
#
|
|
1306
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[^\s\x0b,]*,[^\s\x0b]+\}" \
|
|
1307
|
+
"id:932281,\
|
|
1308
|
+
phase:2,\
|
|
1309
|
+
block,\
|
|
1310
|
+
capture,\
|
|
1311
|
+
t:none,\
|
|
1312
|
+
msg:'Remote Command Execution: Brace Expansion Found',\
|
|
1313
|
+
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
|
1314
|
+
tag:'application-multi',\
|
|
1315
|
+
tag:'language-shell',\
|
|
1316
|
+
tag:'platform-unix',\
|
|
1317
|
+
tag:'attack-rce',\
|
|
1318
|
+
tag:'paranoia-level/2',\
|
|
1319
|
+
tag:'OWASP_CRS',\
|
|
1320
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1321
|
+
tag:'capec/1000/152/248/88',\
|
|
1322
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1323
|
+
severity:'CRITICAL',\
|
|
1324
|
+
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1325
|
+
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
1326
|
+
|
|
1210
1327
|
|
|
1211
1328
|
|
|
1212
1329
|
# [ Sqlite System Command Execution ]
|
|
@@ -1224,7 +1341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
|
|
|
1224
1341
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1225
1342
|
# crs-toolchain regex update 932210
|
|
1226
1343
|
#
|
|
1227
|
-
SecRule REQUEST_COOKIES
|
|
1344
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\x0b]*\.[\s\x0b]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \
|
|
1228
1345
|
"id:932210,\
|
|
1229
1346
|
phase:2,\
|
|
1230
1347
|
block,\
|
|
@@ -1237,9 +1354,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1237
1354
|
tag:'attack-rce',\
|
|
1238
1355
|
tag:'paranoia-level/2',\
|
|
1239
1356
|
tag:'OWASP_CRS',\
|
|
1357
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1240
1358
|
tag:'capec/1000/152/248/88',\
|
|
1241
1359
|
tag:'PCI/6.5.2',\
|
|
1242
|
-
ver:'OWASP_CRS/4.
|
|
1360
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1361
|
+
severity:'CRITICAL',\
|
|
1362
|
+
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1363
|
+
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
1364
|
+
|
|
1365
|
+
# [ Unix shell expressions - Bash Tilde expansion ]
|
|
1366
|
+
# This rule is a sibling of rule 932270
|
|
1367
|
+
#
|
|
1368
|
+
# Detects the following patterns which are common in Unix shell scripts
|
|
1369
|
+
# and one-liners:
|
|
1370
|
+
#
|
|
1371
|
+
# ~4 fourth directory entry on the stack from the top
|
|
1372
|
+
#
|
|
1373
|
+
# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
|
|
1374
|
+
#
|
|
1375
|
+
# Regular expression generated from regex-assembly/932271.ra.
|
|
1376
|
+
# To update the regular expression run the following shell script
|
|
1377
|
+
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1378
|
+
# crs-toolchain regex update 932271
|
|
1379
|
+
#
|
|
1380
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[0-9]+" \
|
|
1381
|
+
"id:932271,\
|
|
1382
|
+
phase:2,\
|
|
1383
|
+
block,\
|
|
1384
|
+
capture,\
|
|
1385
|
+
t:none,t:cmdLine,\
|
|
1386
|
+
msg:'Remote Command Execution: Unix Shell Expression Found',\
|
|
1387
|
+
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
|
1388
|
+
tag:'application-multi',\
|
|
1389
|
+
tag:'language-shell',\
|
|
1390
|
+
tag:'platform-unix',\
|
|
1391
|
+
tag:'attack-rce',\
|
|
1392
|
+
tag:'paranoia-level/2',\
|
|
1393
|
+
tag:'OWASP_CRS',\
|
|
1394
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1395
|
+
tag:'capec/1000/152/248/88',\
|
|
1396
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1243
1397
|
severity:'CRITICAL',\
|
|
1244
1398
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1245
1399
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1266,7 +1420,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1266
1420
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1267
1421
|
# crs-toolchain regex update 932300
|
|
1268
1422
|
#
|
|
1269
|
-
SecRule REQUEST_COOKIES
|
|
1423
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\r\n.*?\b(?:E(?:HLO[\s\x0b][\-\.a-z]{1,255}|XPN[\s\x0b].{1,64})|HELO[\s\x0b][\-\.a-z]{1,255}|MAIL[\s\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\s\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY[\s\x0b].{1,64}(?:[\s\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\s\x0b][\-0-9_a-z]{1,20}[\s\x0b](?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=|STARTTLS\b|NOOP\b(?:[\s\x0b].{1,255})?)" \
|
|
1270
1424
|
"id:932300,\
|
|
1271
1425
|
phase:2,\
|
|
1272
1426
|
block,\
|
|
@@ -1279,9 +1433,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1279
1433
|
tag:'attack-rce',\
|
|
1280
1434
|
tag:'paranoia-level/2',\
|
|
1281
1435
|
tag:'OWASP_CRS',\
|
|
1436
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1282
1437
|
tag:'capec/137/134',\
|
|
1283
1438
|
tag:'PCI/6.5.2',\
|
|
1284
|
-
ver:'OWASP_CRS/4.
|
|
1439
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1285
1440
|
severity:'CRITICAL',\
|
|
1286
1441
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1287
1442
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1299,7 +1454,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1299
1454
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1300
1455
|
# crs-toolchain regex update 932310
|
|
1301
1456
|
#
|
|
1302
|
-
SecRule REQUEST_COOKIES
|
|
1457
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"#%&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"#\*\.-9A-Z_a-z~]+)? (?:[\"%&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eiklpr-twx]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)" \
|
|
1303
1458
|
"id:932310,\
|
|
1304
1459
|
phase:2,\
|
|
1305
1460
|
block,\
|
|
@@ -1311,9 +1466,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1311
1466
|
tag:'attack-rce',\
|
|
1312
1467
|
tag:'paranoia-level/2',\
|
|
1313
1468
|
tag:'OWASP_CRS',\
|
|
1469
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1314
1470
|
tag:'capec/137/134',\
|
|
1315
1471
|
tag:'PCI/6.5.2',\
|
|
1316
|
-
ver:'OWASP_CRS/4.
|
|
1472
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1317
1473
|
severity:'CRITICAL',\
|
|
1318
1474
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1319
1475
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1333,7 +1489,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1333
1489
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1334
1490
|
# crs-toolchain regex update 932320
|
|
1335
1491
|
#
|
|
1336
|
-
SecRule REQUEST_COOKIES
|
|
1492
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9_a-z]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \
|
|
1337
1493
|
"id:932320,\
|
|
1338
1494
|
phase:2,\
|
|
1339
1495
|
block,\
|
|
@@ -1345,9 +1501,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1345
1501
|
tag:'attack-rce',\
|
|
1346
1502
|
tag:'paranoia-level/2',\
|
|
1347
1503
|
tag:'OWASP_CRS',\
|
|
1504
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1348
1505
|
tag:'capec/137/134',\
|
|
1349
1506
|
tag:'PCI/6.5.2',\
|
|
1350
|
-
ver:'OWASP_CRS/4.
|
|
1507
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1351
1508
|
severity:'CRITICAL',\
|
|
1352
1509
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1353
1510
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1393,7 +1550,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1393
1550
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1394
1551
|
# crs-toolchain regex update 932236
|
|
1395
1552
|
#
|
|
1396
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[
\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|s
t)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:[\s\x0b&\)<>\|]|rep)|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma
))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
|
|
1553
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?
:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\)
,<>\|]|$)|plit|vtool)|u(?:(?:t|rl)(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|co
nv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|inks|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b
&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$
)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:3m|c|atch|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \
|
|
1397
1554
|
"id:932236,\
|
|
1398
1555
|
phase:2,\
|
|
1399
1556
|
block,\
|
|
@@ -1407,9 +1564,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1407
1564
|
tag:'attack-rce',\
|
|
1408
1565
|
tag:'paranoia-level/2',\
|
|
1409
1566
|
tag:'OWASP_CRS',\
|
|
1567
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1410
1568
|
tag:'capec/1000/152/248/88',\
|
|
1411
1569
|
tag:'PCI/6.5.2',\
|
|
1412
|
-
ver:'OWASP_CRS/4.
|
|
1570
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1413
1571
|
severity:'CRITICAL',\
|
|
1414
1572
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1415
1573
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1455,7 +1613,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1455
1613
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1456
1614
|
# crs-toolchain regex update 932239
|
|
1457
1615
|
#
|
|
1458
|
-
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\
?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)
?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b
&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:[\s\x0b&\)<>\|]|rep)|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alterna
tives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
|
|
1616
|
+
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[
\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vt
ool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$
)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(
?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(
?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:c|atch)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \
|
|
1459
1617
|
"id:932239,\
|
|
1460
1618
|
phase:1,\
|
|
1461
1619
|
block,\
|
|
@@ -1469,9 +1627,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)
|
|
|
1469
1627
|
tag:'attack-rce',\
|
|
1470
1628
|
tag:'paranoia-level/2',\
|
|
1471
1629
|
tag:'OWASP_CRS',\
|
|
1630
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1472
1631
|
tag:'capec/1000/152/248/88',\
|
|
1473
1632
|
tag:'PCI/6.5.2',\
|
|
1474
|
-
ver:'OWASP_CRS/4.
|
|
1633
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1475
1634
|
severity:'CRITICAL',\
|
|
1476
1635
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1477
1636
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1504,16 +1663,17 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
|
|
|
1504
1663
|
tag:'attack-rce',\
|
|
1505
1664
|
tag:'paranoia-level/2',\
|
|
1506
1665
|
tag:'OWASP_CRS',\
|
|
1666
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1507
1667
|
tag:'capec/1000/152/248/88',\
|
|
1508
1668
|
tag:'PCI/6.5.2',\
|
|
1509
|
-
ver:'OWASP_CRS/4.
|
|
1669
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1510
1670
|
severity:'CRITICAL',\
|
|
1511
1671
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1512
1672
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
1513
1673
|
|
|
1514
1674
|
|
|
1515
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1516
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1675
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
1676
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
1517
1677
|
#
|
|
1518
1678
|
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
|
1519
1679
|
#
|
|
@@ -1556,7 +1716,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'O
|
|
|
1556
1716
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1557
1717
|
# crs-toolchain regex update 932232
|
|
1558
1718
|
#
|
|
1559
|
-
SecRule REQUEST_COOKIES
|
|
1719
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||
&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\
x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))\b" \
|
|
1560
1720
|
"id:932232,\
|
|
1561
1721
|
phase:2,\
|
|
1562
1722
|
block,\
|
|
@@ -1570,9 +1730,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1570
1730
|
tag:'attack-rce',\
|
|
1571
1731
|
tag:'paranoia-level/3',\
|
|
1572
1732
|
tag:'OWASP_CRS',\
|
|
1733
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1573
1734
|
tag:'capec/1000/152/248/88',\
|
|
1574
1735
|
tag:'PCI/6.5.2',\
|
|
1575
|
-
ver:'OWASP_CRS/4.
|
|
1736
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1576
1737
|
severity:'CRITICAL',\
|
|
1577
1738
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1578
1739
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1613,7 +1774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1613
1774
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1614
1775
|
# crs-toolchain regex update 932237
|
|
1615
1776
|
#
|
|
1616
|
-
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
|
|
1777
|
+
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\),<>\|]|$|obm(?:[\s\x0b&\),<>\|]|$))|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)(?:[\s\x0b&\),<>\|]|$)|nf(?:[\s\x0b&\),<>\|]|$)?|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:[bd]|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\
|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|(?:(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)(?:[\s\x0b&\),<>\|]|$)|h(?:(?:d|up|ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:d|rb|conv|nstall)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:[\s\x0b&\),<>\|]|$|4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(
?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke|wk)(?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:(?:re|unt)(?:[\s\x0b&\),<>\|]|$)|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|hp(?:[\s\x0b&\),<>\|]|$|-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|s(?:[\s\x0b&\),<>\|]|$|(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s
\x0b&\),<>\|]|$))|(?:v|boot|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|me(?:[\s\x0b&\),<>\|]|$|datectl|out(?:[\s\x0b&\),<>\|]|$)))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\x0b&\),<>\|]|$|m(?:[\s\x0b&\),<>\|]|$|diff)|(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:[\s\x0b&\),<>\|]|$|(?:c|a(?:ll|tch))(?
:[\s\x0b&\),<>\|]|$)|h(?:o(?:[\s\x0b&\),<>\|]|$|ami|is(?:[\s\x0b&\),<>\|]|$))?|iptail(?:[\s\x0b&\),<>\|]|$))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))(?:\b|[^0-9A-Z_a-z])" \
|
|
1617
1778
|
"id:932237,\
|
|
1618
1779
|
phase:1,\
|
|
1619
1780
|
block,\
|
|
@@ -1627,9 +1788,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
|
|
|
1627
1788
|
tag:'attack-rce',\
|
|
1628
1789
|
tag:'paranoia-level/3',\
|
|
1629
1790
|
tag:'OWASP_CRS',\
|
|
1791
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1630
1792
|
tag:'capec/1000/152/248/88',\
|
|
1631
1793
|
tag:'PCI/6.5.2',\
|
|
1632
|
-
ver:'OWASP_CRS/4.
|
|
1794
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1633
1795
|
severity:'CRITICAL',\
|
|
1634
1796
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1635
1797
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1670,7 +1832,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
|
|
|
1670
1832
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1671
1833
|
# crs-toolchain regex update 932238
|
|
1672
1834
|
#
|
|
1673
|
-
SecRule REQUEST_COOKIES
|
|
1835
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[
!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0
-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))" \
|
|
1674
1836
|
"id:932238,\
|
|
1675
1837
|
phase:2,\
|
|
1676
1838
|
block,\
|
|
@@ -1684,9 +1846,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1684
1846
|
tag:'attack-rce',\
|
|
1685
1847
|
tag:'paranoia-level/3',\
|
|
1686
1848
|
tag:'OWASP_CRS',\
|
|
1849
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1687
1850
|
tag:'capec/1000/152/248/88',\
|
|
1688
1851
|
tag:'PCI/6.5.2',\
|
|
1689
|
-
ver:'OWASP_CRS/4.
|
|
1852
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1690
1853
|
severity:'CRITICAL',\
|
|
1691
1854
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1692
1855
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1720,9 +1883,10 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
|
|
|
1720
1883
|
tag:'attack-rce',\
|
|
1721
1884
|
tag:'paranoia-level/3',\
|
|
1722
1885
|
tag:'OWASP_CRS',\
|
|
1886
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1723
1887
|
tag:'capec/1000/152/248/88',\
|
|
1724
1888
|
tag:'PCI/6.5.2',\
|
|
1725
|
-
ver:'OWASP_CRS/4.
|
|
1889
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1726
1890
|
severity:'CRITICAL',\
|
|
1727
1891
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1728
1892
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1742,7 +1906,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
|
|
|
1742
1906
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1743
1907
|
# crs-toolchain regex update 932301
|
|
1744
1908
|
#
|
|
1745
|
-
SecRule REQUEST_COOKIES
|
|
1909
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \
|
|
1746
1910
|
"id:932301,\
|
|
1747
1911
|
phase:2,\
|
|
1748
1912
|
block,\
|
|
@@ -1754,9 +1918,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1754
1918
|
tag:'attack-rce',\
|
|
1755
1919
|
tag:'paranoia-level/3',\
|
|
1756
1920
|
tag:'OWASP_CRS',\
|
|
1921
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1757
1922
|
tag:'capec/137/134',\
|
|
1758
1923
|
tag:'PCI/6.5.2',\
|
|
1759
|
-
ver:'OWASP_CRS/4.
|
|
1924
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1760
1925
|
severity:'CRITICAL',\
|
|
1761
1926
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1762
1927
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1775,7 +1940,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1775
1940
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1776
1941
|
# crs-toolchain regex update 932311
|
|
1777
1942
|
#
|
|
1778
|
-
SecRule REQUEST_COOKIES
|
|
1943
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"#%&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"#\*\--9A-Z\x5c_a-z~]+? [\"#%&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\-\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"#%&\*\--9A-Z\x5c_a-z]+? [\"#%&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"#%&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\-\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \
|
|
1779
1944
|
"id:932311,\
|
|
1780
1945
|
phase:2,\
|
|
1781
1946
|
block,\
|
|
@@ -1787,9 +1952,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1787
1952
|
tag:'attack-rce',\
|
|
1788
1953
|
tag:'paranoia-level/3',\
|
|
1789
1954
|
tag:'OWASP_CRS',\
|
|
1955
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1790
1956
|
tag:'capec/137/134',\
|
|
1791
1957
|
tag:'PCI/6.5.2',\
|
|
1792
|
-
ver:'OWASP_CRS/4.
|
|
1958
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1793
1959
|
severity:'CRITICAL',\
|
|
1794
1960
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1795
1961
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1808,7 +1974,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1808
1974
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1809
1975
|
# crs-toolchain regex update 932321
|
|
1810
1976
|
#
|
|
1811
|
-
SecRule REQUEST_COOKIES
|
|
1977
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)" \
|
|
1812
1978
|
"id:932321,\
|
|
1813
1979
|
phase:2,\
|
|
1814
1980
|
block,\
|
|
@@ -1820,9 +1986,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1820
1986
|
tag:'attack-rce',\
|
|
1821
1987
|
tag:'paranoia-level/3',\
|
|
1822
1988
|
tag:'OWASP_CRS',\
|
|
1989
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1823
1990
|
tag:'capec/137/134',\
|
|
1824
1991
|
tag:'PCI/6.5.2',\
|
|
1825
|
-
ver:'OWASP_CRS/4.
|
|
1992
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1826
1993
|
severity:'CRITICAL',\
|
|
1827
1994
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1828
1995
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1840,7 +2007,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1840
2007
|
# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932250.
|
|
1841
2008
|
#
|
|
1842
2009
|
# Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330.
|
|
1843
|
-
SecRule REQUEST_COOKIES
|
|
2010
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \
|
|
1844
2011
|
"id:932331,\
|
|
1845
2012
|
phase:2,\
|
|
1846
2013
|
block,\
|
|
@@ -1853,16 +2020,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1853
2020
|
tag:'attack-rce',\
|
|
1854
2021
|
tag:'paranoia-level/3',\
|
|
1855
2022
|
tag:'OWASP_CRS',\
|
|
2023
|
+
tag:'OWASP_CRS/ATTACK-RCE',\
|
|
1856
2024
|
tag:'capec/1000/152/248/88',\
|
|
1857
2025
|
tag:'PCI/6.5.2',\
|
|
1858
|
-
ver:'OWASP_CRS/4.
|
|
2026
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1859
2027
|
severity:'CRITICAL',\
|
|
1860
2028
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
1861
2029
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
1862
2030
|
|
|
1863
2031
|
|
|
1864
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1865
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
2032
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
2033
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
|
1866
2034
|
#
|
|
1867
2035
|
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
|
1868
2036
|
#
|