@abtnode/router-provider 1.16.46-beta-20250703-024219-4029ee97 → 1.16.46-beta-20250704-234926-09d872ad
- package/lib/nginx/includes/security/crs4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +1 -1
- package/lib/nginx/includes/security/crs4/rules/REQUEST-901-INITIALIZATION.conf +42 -40
- package/lib/nginx/includes/security/crs4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +4 -4
- package/lib/nginx/includes/security/crs4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +12 -11
- package/lib/nginx/includes/security/crs4/rules/REQUEST-913-SCANNER-DETECTION.conf +12 -11
- package/lib/nginx/includes/security/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +127 -148
- package/lib/nginx/includes/security/crs4/rules/REQUEST-921-PROTOCOL-ATTACK.conf +80 -35
- package/lib/nginx/includes/security/crs4/rules/REQUEST-922-MULTIPART-ATTACK.conf +12 -6
- package/lib/nginx/includes/security/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +22 -17
- package/lib/nginx/includes/security/crs4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +254 -86
- package/lib/nginx/includes/security/crs4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf +172 -65
- package/lib/nginx/includes/security/crs4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf +65 -29
- package/lib/nginx/includes/security/crs4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +114 -78
- package/lib/nginx/includes/security/crs4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +182 -120
- package/lib/nginx/includes/security/crs4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +19 -16
- package/lib/nginx/includes/security/crs4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +48 -34
- package/lib/nginx/includes/security/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf +30 -30
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-950-DATA-LEAKAGES.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +47 -29
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +15 -36
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +20 -15
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +22 -17
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-955-WEB-SHELLS.conf +92 -43
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +30 -30
- package/lib/nginx/includes/security/crs4/rules/RESPONSE-980-CORRELATION.conf +23 -23
- package/lib/nginx/includes/security/crs4/rules/java-classes.data +11 -0
- package/lib/nginx/includes/security/crs4/rules/lfi-os-files.data +227 -15
- package/lib/nginx/includes/security/crs4/rules/php-function-names-933150.data +0 -7
- package/lib/nginx/includes/security/crs4/rules/restricted-files.data +250 -29
- package/lib/nginx/includes/security/crs4/rules/restricted-upload.data +200 -26
- package/lib/nginx/includes/security/crs4/rules/unix-shell-builtins.data +20 -0
- package/lib/nginx/includes/security/crs4/rules/unix-shell.data +39 -18
- package/lib/nginx/includes/security/crs4/rules/web-shells-asp.data +23 -0
- package/package.json +9 -9
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# ------------------------------------------------------------------------
|
|
2
|
-
# OWASP CRS ver.4.
|
|
2
|
+
# OWASP CRS ver.4.16.0
|
|
3
3
|
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
|
4
|
-
# Copyright (c) 2021-
|
|
4
|
+
# Copyright (c) 2021-2025 CRS project. All rights reserved.
|
|
5
5
|
#
|
|
6
6
|
# The OWASP CRS is distributed under
|
|
7
7
|
# Apache Software License (ASL) version 2
|
|
@@ -14,8 +14,8 @@
|
|
|
14
14
|
|
|
15
15
|
|
|
16
16
|
|
|
17
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
18
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
17
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
18
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
19
19
|
#
|
|
20
20
|
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
|
21
21
|
#
|
|
@@ -43,7 +43,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'O
|
|
|
43
43
|
#
|
|
44
44
|
# Ref: https://github.com/libinjection/libinjection
|
|
45
45
|
#
|
|
46
|
-
SecRule REQUEST_COOKIES
|
|
46
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
|
|
47
47
|
"id:942100,\
|
|
48
48
|
phase:2,\
|
|
49
49
|
block,\
|
|
@@ -57,9 +57,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
57
57
|
tag:'attack-sqli',\
|
|
58
58
|
tag:'paranoia-level/1',\
|
|
59
59
|
tag:'OWASP_CRS',\
|
|
60
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
60
61
|
tag:'capec/1000/152/248/66',\
|
|
61
62
|
tag:'PCI/6.5.2',\
|
|
62
|
-
ver:'OWASP_CRS/4.
|
|
63
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
63
64
|
severity:'CRITICAL',\
|
|
64
65
|
multiMatch,\
|
|
65
66
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
|
@@ -74,7 +75,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
74
75
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
75
76
|
# crs-toolchain regex update 942140
|
|
76
77
|
#
|
|
77
|
-
SecRule REQUEST_COOKIES
|
|
78
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\(|(?:information_schema|m(?:aster\.\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\.db)|northwind|pg_(?:catalog|toast)|tempdb)\b|s(?:chema(?:_name\b|[^0-9A-Z_a-z]*\()|(?:qlite_(?:temp_)?master|ys(?:aux|\.database_name))\b))" \
|
|
78
79
|
"id:942140,\
|
|
79
80
|
phase:2,\
|
|
80
81
|
block,\
|
|
@@ -88,9 +89,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
88
89
|
tag:'attack-sqli',\
|
|
89
90
|
tag:'paranoia-level/1',\
|
|
90
91
|
tag:'OWASP_CRS',\
|
|
92
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
91
93
|
tag:'capec/1000/152/248/66',\
|
|
92
94
|
tag:'PCI/6.5.2',\
|
|
93
|
-
ver:'OWASP_CRS/4.
|
|
95
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
94
96
|
severity:'CRITICAL',\
|
|
95
97
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
96
98
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -107,7 +109,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
107
109
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
108
110
|
# crs-toolchain regex update 942151
|
|
109
111
|
#
|
|
110
|
-
SecRule REQUEST_COOKIES
|
|
112
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q
(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
|
|
111
113
|
"id:942151,\
|
|
112
114
|
phase:2,\
|
|
113
115
|
block,\
|
|
@@ -121,9 +123,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
121
123
|
tag:'attack-sqli',\
|
|
122
124
|
tag:'paranoia-level/1',\
|
|
123
125
|
tag:'OWASP_CRS',\
|
|
126
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
124
127
|
tag:'capec/1000/152/248/66',\
|
|
125
128
|
tag:'PCI/6.5.2',\
|
|
126
|
-
ver:'OWASP_CRS/4.
|
|
129
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
127
130
|
severity:'CRITICAL',\
|
|
128
131
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
129
132
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -151,7 +154,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
151
154
|
# A positive side effect is that it prevents certain DoS attacks via the directives
|
|
152
155
|
# described above.
|
|
153
156
|
#
|
|
154
|
-
SecRule REQUEST_FILENAME|REQUEST_COOKIES
|
|
157
|
+
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
|
|
155
158
|
"id:942160,\
|
|
156
159
|
phase:2,\
|
|
157
160
|
block,\
|
|
@@ -166,8 +169,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|
|
166
169
|
tag:'attack-sqli',\
|
|
167
170
|
tag:'paranoia-level/1',\
|
|
168
171
|
tag:'OWASP_CRS',\
|
|
172
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
169
173
|
tag:'capec/1000/152/248/66',\
|
|
170
|
-
ver:'OWASP_CRS/4.
|
|
174
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
171
175
|
severity:'CRITICAL',\
|
|
172
176
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
173
177
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -177,7 +181,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|
|
177
181
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
178
182
|
# crs-toolchain regex update 942170
|
|
179
183
|
#
|
|
180
|
-
SecRule REQUEST_COOKIES
|
|
184
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:select|;)[\s\x0b]+(?:benchmark|if|sleep)[\s\x0b]*?\([\s\x0b]*?\(?[\s\x0b]*?[0-9A-Z_a-z]+" \
|
|
181
185
|
"id:942170,\
|
|
182
186
|
phase:2,\
|
|
183
187
|
block,\
|
|
@@ -191,9 +195,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
191
195
|
tag:'attack-sqli',\
|
|
192
196
|
tag:'paranoia-level/1',\
|
|
193
197
|
tag:'OWASP_CRS',\
|
|
198
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
194
199
|
tag:'capec/1000/152/248/66',\
|
|
195
200
|
tag:'PCI/6.5.2',\
|
|
196
|
-
ver:'OWASP_CRS/4.
|
|
201
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
197
202
|
severity:'CRITICAL',\
|
|
198
203
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
199
204
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -203,7 +208,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
203
208
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
204
209
|
# crs-toolchain regex update 942190
|
|
205
210
|
#
|
|
206
|
-
SecRule REQUEST_COOKIES
|
|
211
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\x0b]*![\s\x0b]*[\"'0-9A-Z_-z]|;?[\s\x0b]*(?:having|select|union\b[\s\x0b]*(?:all|(?:distin|sele)ct))\b[\s\x0b]*[^\s\x0b])|\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\s\x0b]*?|select.*?[0-9A-Z_a-z]?user)\(|exec(?:ute)?[\s\x0b]+master\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\s\x0b\+]+(?:dump|out)file[\s\x0b]*?[\"'`]|union(?:[\s\x0b]select[\s\x0b]@|[\s\x0b\(0-9A-Z_a-z]*?select))|[\s\x0b]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\s\x0b]*?\(" \
|
|
207
212
|
"id:942190,\
|
|
208
213
|
phase:2,\
|
|
209
214
|
block,\
|
|
@@ -217,9 +222,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
217
222
|
tag:'attack-sqli',\
|
|
218
223
|
tag:'paranoia-level/1',\
|
|
219
224
|
tag:'OWASP_CRS',\
|
|
225
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
220
226
|
tag:'capec/1000/152/248/66',\
|
|
221
227
|
tag:'PCI/6.5.2',\
|
|
222
|
-
ver:'OWASP_CRS/4.
|
|
228
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
223
229
|
severity:'CRITICAL',\
|
|
224
230
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
225
231
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -227,7 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
227
233
|
# Magic number crash in PHP strtod from 2011:
|
|
228
234
|
# https://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
|
|
229
235
|
|
|
230
|
-
SecRule REQUEST_COOKIES
|
|
236
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" \
|
|
231
237
|
"id:942220,\
|
|
232
238
|
phase:2,\
|
|
233
239
|
block,\
|
|
@@ -241,9 +247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
241
247
|
tag:'attack-sqli',\
|
|
242
248
|
tag:'paranoia-level/1',\
|
|
243
249
|
tag:'OWASP_CRS',\
|
|
250
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
244
251
|
tag:'capec/1000/152/248/66',\
|
|
245
252
|
tag:'PCI/6.5.2',\
|
|
246
|
-
ver:'OWASP_CRS/4.
|
|
253
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
247
254
|
severity:'CRITICAL',\
|
|
248
255
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
249
256
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -253,7 +260,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
253
260
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
254
261
|
# crs-toolchain regex update 942230
|
|
255
262
|
#
|
|
256
|
-
SecRule REQUEST_COOKIES
|
|
263
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\(\)]case[\s\x0b]+when.*?then|\)[\s\x0b]*?like[\s\x0b]*?\(|select.*?having[\s\x0b]*?[^\s\x0b]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]|if[\s\x0b]?\([0-9A-Z_a-z]+[\s\x0b]*?[<->~]" \
|
|
257
264
|
"id:942230,\
|
|
258
265
|
phase:2,\
|
|
259
266
|
block,\
|
|
@@ -267,9 +274,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
267
274
|
tag:'attack-sqli',\
|
|
268
275
|
tag:'paranoia-level/1',\
|
|
269
276
|
tag:'OWASP_CRS',\
|
|
277
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
270
278
|
tag:'capec/1000/152/248/66',\
|
|
271
279
|
tag:'PCI/6.5.2',\
|
|
272
|
-
ver:'OWASP_CRS/4.
|
|
280
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
273
281
|
severity:'CRITICAL',\
|
|
274
282
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
275
283
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -279,7 +287,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
279
287
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
280
288
|
# crs-toolchain regex update 942240
|
|
281
289
|
#
|
|
282
|
-
SecRule REQUEST_COOKIES
|
|
290
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)alter[\s\x0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\x0b]+set[\s\x0b]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\x0b]*?waitfor[\s\x0b]+(?:time|delay)[\s\x0b]+[\"'`]|;.*?:[\s\x0b]*?goto)" \
|
|
283
291
|
"id:942240,\
|
|
284
292
|
phase:2,\
|
|
285
293
|
block,\
|
|
@@ -293,14 +301,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
293
301
|
tag:'attack-sqli',\
|
|
294
302
|
tag:'paranoia-level/1',\
|
|
295
303
|
tag:'OWASP_CRS',\
|
|
304
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
296
305
|
tag:'capec/1000/152/248/66',\
|
|
297
306
|
tag:'PCI/6.5.2',\
|
|
298
|
-
ver:'OWASP_CRS/4.
|
|
307
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
299
308
|
severity:'CRITICAL',\
|
|
300
309
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
301
310
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
302
311
|
|
|
303
|
-
SecRule REQUEST_COOKIES
|
|
312
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
|
|
304
313
|
"id:942250,\
|
|
305
314
|
phase:2,\
|
|
306
315
|
block,\
|
|
@@ -314,14 +323,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
314
323
|
tag:'attack-sqli',\
|
|
315
324
|
tag:'paranoia-level/1',\
|
|
316
325
|
tag:'OWASP_CRS',\
|
|
326
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
317
327
|
tag:'capec/1000/152/248/66',\
|
|
318
328
|
tag:'PCI/6.5.2',\
|
|
319
|
-
ver:'OWASP_CRS/4.
|
|
329
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
320
330
|
severity:'CRITICAL',\
|
|
321
331
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
322
332
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
323
333
|
|
|
324
|
-
SecRule REQUEST_COOKIES
|
|
334
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
|
|
325
335
|
"id:942270,\
|
|
326
336
|
phase:2,\
|
|
327
337
|
block,\
|
|
@@ -335,9 +345,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
335
345
|
tag:'attack-sqli',\
|
|
336
346
|
tag:'paranoia-level/1',\
|
|
337
347
|
tag:'OWASP_CRS',\
|
|
348
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
338
349
|
tag:'capec/1000/152/248/66',\
|
|
339
350
|
tag:'PCI/6.5.2',\
|
|
340
|
-
ver:'OWASP_CRS/4.
|
|
351
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
341
352
|
severity:'CRITICAL',\
|
|
342
353
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
343
354
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -347,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
347
358
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
348
359
|
# crs-toolchain regex update 942280
|
|
349
360
|
#
|
|
350
|
-
SecRule REQUEST_COOKIES
|
|
361
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\x0b]*?pg_sleep|waitfor[\s\x0b]*?delay[\s\x0b]?[\"'`]+[\s\x0b]?[0-9]|;[\s\x0b]*?shutdown[\s\x0b]*?(?:[#;\{]|/\*|--)" \
|
|
351
362
|
"id:942280,\
|
|
352
363
|
phase:2,\
|
|
353
364
|
block,\
|
|
@@ -361,9 +372,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
361
372
|
tag:'attack-sqli',\
|
|
362
373
|
tag:'paranoia-level/1',\
|
|
363
374
|
tag:'OWASP_CRS',\
|
|
375
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
364
376
|
tag:'capec/1000/152/248/66',\
|
|
365
377
|
tag:'PCI/6.5.2',\
|
|
366
|
-
ver:'OWASP_CRS/4.
|
|
378
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
367
379
|
severity:'CRITICAL',\
|
|
368
380
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
369
381
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -373,7 +385,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
373
385
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
374
386
|
# crs-toolchain regex update 942290
|
|
375
387
|
#
|
|
376
|
-
SecRule REQUEST_COOKIES
|
|
388
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[?\$(?:a(?:bs|c(?:cumulator|osh?)|dd(?:ToSet)?|ll(?:ElementsTrue)?|n(?:d|yElementTrue)|rray(?:ElemA|ToObjec)t|sinh?|tan[2h]?|vg)|b(?:etween|i(?:narySize|t(?:And|Not|(?:O|Xo)r)?)|ottomN?|sonSize|ucket(?:Auto)?)|c(?:eil|mp|o(?:n(?:cat(?:Arrays)?|d|vert)|sh?|unt|variance(?:Po|Sam)p)|urrentDate)|d(?:a(?:te(?:Add|Diff|From(?:Parts|String)|Subtract|T(?:o(?:Parts|String)|runc))|yOf(?:Month|Week|Year))|e(?:greesToRadians|nseRank|rivative)|iv(?:ide)?|ocumentNumber)|e(?:(?:a|lemMat)ch|q|x(?:ists|p(?:MovingAvg|r)?))|f(?:i(?:lter|rstN?)|loor|unction)|g(?:etField|roup|te?)|(?:hou|xo|yea)r|i(?:fNull|n(?:c|dexOf(?:Array|Bytes|CP)|tegral)?|s(?:Array|Number|o(?:DayOfWeek|Week(?:Year)?)))|jsonSchema|l(?:astN?|et|i(?:ke|(?:nearFil|tera)l)|n|o(?:cf|g(?:10)?)|t(?:e|rim)?)|m(?:a(?:p|xN?)|e(?:dian|rgeObjects|ta)|i(?:llisecond|n(?:N|ute)?)|o(?:d|nth)|ul(?:tiply)?)|n(?:atural|e|in|o[rt])|o(?:bjectToArray|r)|p(?:ercentile|o(?:[pw]|sition)|roject|u(?:ll(?:All)?|sh))|r(?:a(?:diansToDegrees|n(?:[dk]|ge))|e(?:(?:duc|nam)e|gex(?:Find(?:All)?|Match)?|place(?:All|One)|verseArray)|ound|trim)|s(?:(?:ampleRat|lic)e|e(?:cond|t(?:Difference|(?:Equal|WindowField)s|Field|I(?:ntersection|sSubset)|OnInsert|Union)?)|(?:hif|pli|qr)t|i(?:nh?|ze)|ort(?:Array)?|t(?:dDev(?:Po|Sam)p|r(?:Len(?:Bytes|CP)|casecmp))|u(?:b(?:str(?:Bytes|CP)?|tract)|m)|witch)|t(?:anh?|ext|o(?:Bool|D(?:(?:at|oubl)e|ecimal)|HashedIndexKey|Int|Lo(?:ng|wer)|ObjectId|String|U(?:UID|pper)|pN?)|r(?:im|unc)|s(?:Increment|Second)|ype)|unset|w(?:eek|here)|zip)\]?" \
|
|
377
389
|
"id:942290,\
|
|
378
390
|
phase:2,\
|
|
379
391
|
block,\
|
|
@@ -387,9 +399,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
387
399
|
tag:'attack-sqli',\
|
|
388
400
|
tag:'paranoia-level/1',\
|
|
389
401
|
tag:'OWASP_CRS',\
|
|
402
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
390
403
|
tag:'capec/1000/152/248/66',\
|
|
391
404
|
tag:'PCI/6.5.2',\
|
|
392
|
-
ver:'OWASP_CRS/4.
|
|
405
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
393
406
|
severity:'CRITICAL',\
|
|
394
407
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
395
408
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -402,7 +415,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
402
415
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
403
416
|
# crs-toolchain regex update 942320
|
|
404
417
|
#
|
|
405
|
-
SecRule REQUEST_COOKIES
|
|
418
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+(?:function|procedure)[\s\x0b]*?[0-9A-Z_a-z]+[\s\x0b]*?\([\s\x0b]*?\)[\s\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\x0b]*?[0-9A-Z_a-z]+|iv[\s\x0b]*?\([\+\-]*[\s\x0b\.0-9]+,[\+\-]*[\s\x0b\.0-9]+\))|exec[\s\x0b]*?\([\s\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\s\x0b]+analyse)[\s\x0b]*?\(|;[\s\x0b]*?(?:declare|open)[\s\x0b]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \
|
|
406
419
|
"id:942320,\
|
|
407
420
|
phase:2,\
|
|
408
421
|
block,\
|
|
@@ -416,9 +429,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
416
429
|
tag:'attack-sqli',\
|
|
417
430
|
tag:'paranoia-level/1',\
|
|
418
431
|
tag:'OWASP_CRS',\
|
|
432
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
419
433
|
tag:'capec/1000/152/248/66',\
|
|
420
434
|
tag:'PCI/6.5.2',\
|
|
421
|
-
ver:'OWASP_CRS/4.
|
|
435
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
422
436
|
severity:'CRITICAL',\
|
|
423
437
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
424
438
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -428,7 +442,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
428
442
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
429
443
|
# crs-toolchain regex update 942350
|
|
430
444
|
#
|
|
431
|
-
SecRule REQUEST_COOKIES
|
|
445
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\x0b]+function[\s\x0b].+[\s\x0b]returns|;[\s\x0b]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\x0b]*?[\(\[]?[0-9A-Z_a-z]{2,}" \
|
|
432
446
|
"id:942350,\
|
|
433
447
|
phase:2,\
|
|
434
448
|
block,\
|
|
@@ -442,9 +456,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
442
456
|
tag:'attack-sqli',\
|
|
443
457
|
tag:'paranoia-level/1',\
|
|
444
458
|
tag:'OWASP_CRS',\
|
|
459
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
445
460
|
tag:'capec/1000/152/248/66',\
|
|
446
461
|
tag:'PCI/6.5.2',\
|
|
447
|
-
ver:'OWASP_CRS/4.
|
|
462
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
448
463
|
severity:'CRITICAL',\
|
|
449
464
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
450
465
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -467,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
467
482
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
468
483
|
# crs-toolchain regex update 942360
|
|
469
484
|
#
|
|
470
|
-
SecRule REQUEST_COOKIES
|
|
485
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\x0b]+(?:char|group_concat|load_file)\b[\s\x0b]*\(?|end[\s\x0b]*?\);)|[\s\x0b\(]load_file[\s\x0b]*?\(|[\"'`][\s\x0b]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\s\x0b]+as\b[\s\x0b]*[\"'0-9A-Z_-z]+[\s\x0b]*\bfrom|^[^A-Z_a-z]+[\s\x0b]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\x0b]+[0-9A-Z_a-z]+|u(?:pdate[\s\x0b]+[0-9A-Z_a-z]+|nion[\s\x0b]*(?:all|(?:sele|distin)ct)\b)|alter[\s\x0b]*(?:a(?:(?:ggregat|pplication[\s\x0b]*rol)e|s(?:sembl|ymmetric[\s\x0b]*ke)y|u(?:dit|thorization)|vailability[\s\x0b]*group)|b(?:roker[\s\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\s\x0b]*key)|terialized)|e(?:ssage[\s\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\x0b]*schema|srobject))\b)" \
|
|
471
486
|
"id:942360,\
|
|
472
487
|
phase:2,\
|
|
473
488
|
block,\
|
|
@@ -481,9 +496,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
481
496
|
tag:'attack-sqli',\
|
|
482
497
|
tag:'paranoia-level/1',\
|
|
483
498
|
tag:'OWASP_CRS',\
|
|
499
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
484
500
|
tag:'capec/1000/152/248/66',\
|
|
485
501
|
tag:'PCI/6.5.2',\
|
|
486
|
-
ver:'OWASP_CRS/4.
|
|
502
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
487
503
|
severity:'CRITICAL',\
|
|
488
504
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
489
505
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -508,7 +524,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
508
524
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
509
525
|
# crs-toolchain regex update 942500
|
|
510
526
|
#
|
|
511
|
-
SecRule REQUEST_COOKIES
|
|
527
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)/\*[\s\x0b]*?[!\+](?:[\s\x0b\(\)\-0-9=A-Z_a-z]+)?\*/" \
|
|
512
528
|
"id:942500,\
|
|
513
529
|
phase:2,\
|
|
514
530
|
block,\
|
|
@@ -522,9 +538,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
522
538
|
tag:'attack-sqli',\
|
|
523
539
|
tag:'paranoia-level/1',\
|
|
524
540
|
tag:'OWASP_CRS',\
|
|
541
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
525
542
|
tag:'capec/1000/152/248/66',\
|
|
526
543
|
tag:'PCI/6.5.2',\
|
|
527
|
-
ver:'OWASP_CRS/4.
|
|
544
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
528
545
|
severity:'CRITICAL',\
|
|
529
546
|
multiMatch,\
|
|
530
547
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
@@ -545,7 +562,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
545
562
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
546
563
|
# crs-toolchain regex update 942540
|
|
547
564
|
#
|
|
548
|
-
SecRule REQUEST_COOKIES
|
|
565
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\x0b]*;" \
|
|
549
566
|
"id:942540,\
|
|
550
567
|
phase:2,\
|
|
551
568
|
block,\
|
|
@@ -558,10 +575,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
558
575
|
tag:'platform-multi',\
|
|
559
576
|
tag:'attack-sqli',\
|
|
560
577
|
tag:'OWASP_CRS',\
|
|
578
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
561
579
|
tag:'paranoia-level/1',\
|
|
562
580
|
tag:'capec/1000/152/248/66',\
|
|
563
581
|
tag:'PCI/6.5.2',\
|
|
564
|
-
ver:'OWASP_CRS/4.
|
|
582
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
565
583
|
severity:'CRITICAL',\
|
|
566
584
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
567
585
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -575,7 +593,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
575
593
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
576
594
|
# crs-toolchain regex update 942560
|
|
577
595
|
#
|
|
578
|
-
SecRule REQUEST_COOKIES
|
|
596
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\.e(?:[\(\),]|\.[\$0-9A-Z_a-z])" \
|
|
579
597
|
"id:942560,\
|
|
580
598
|
phase:2,\
|
|
581
599
|
block,\
|
|
@@ -588,9 +606,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
588
606
|
tag:'attack-sqli',\
|
|
589
607
|
tag:'paranoia-level/1',\
|
|
590
608
|
tag:'OWASP_CRS',\
|
|
609
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
591
610
|
tag:'capec/1000/152/248/66',\
|
|
592
611
|
tag:'PCI/6.5.2',\
|
|
593
|
-
ver:'OWASP_CRS/4.
|
|
612
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
594
613
|
severity:'CRITICAL',\
|
|
595
614
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
596
615
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
@@ -604,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
604
623
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
605
624
|
# crs-toolchain regex update 942550
|
|
606
625
|
#
|
|
607
|
-
SecRule REQUEST_FILENAME|REQUEST_COOKIES
|
|
626
|
+
SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \
|
|
608
627
|
"id:942550,\
|
|
609
628
|
phase:2,\
|
|
610
629
|
block,\
|
|
@@ -617,16 +636,17 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|
|
617
636
|
tag:'attack-sqli',\
|
|
618
637
|
tag:'paranoia-level/1',\
|
|
619
638
|
tag:'OWASP_CRS',\
|
|
639
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
620
640
|
tag:'capec/1000/152/248/66',\
|
|
621
641
|
tag:'PCI/6.5.2',\
|
|
622
|
-
ver:'OWASP_CRS/4.
|
|
642
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
623
643
|
severity:'CRITICAL',\
|
|
624
644
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
625
645
|
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
626
646
|
|
|
627
647
|
|
|
628
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
629
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
648
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
649
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
630
650
|
#
|
|
631
651
|
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
|
632
652
|
#
|
|
@@ -657,9 +677,10 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[!=]=|&&|\|\||->|>[=>]|
|
|
|
657
677
|
tag:'attack-sqli',\
|
|
658
678
|
tag:'paranoia-level/2',\
|
|
659
679
|
tag:'OWASP_CRS',\
|
|
680
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
660
681
|
tag:'capec/1000/152/248/66',\
|
|
661
682
|
tag:'PCI/6.5.2',\
|
|
662
|
-
ver:'OWASP_CRS/4.
|
|
683
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
663
684
|
severity:'CRITICAL',\
|
|
664
685
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
665
686
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -698,9 +719,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
|
|
|
698
719
|
tag:'attack-sqli',\
|
|
699
720
|
tag:'paranoia-level/2',\
|
|
700
721
|
tag:'OWASP_CRS',\
|
|
722
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
701
723
|
tag:'capec/1000/152/248/66',\
|
|
702
724
|
tag:'PCI/6.5.2',\
|
|
703
|
-
ver:'OWASP_CRS/4.
|
|
725
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
704
726
|
severity:'CRITICAL',\
|
|
705
727
|
setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
|
|
706
728
|
chain"
|
|
@@ -734,9 +756,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
|
|
|
734
756
|
tag:'attack-sqli',\
|
|
735
757
|
tag:'paranoia-level/2',\
|
|
736
758
|
tag:'OWASP_CRS',\
|
|
759
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
737
760
|
tag:'capec/1000/152/248/66',\
|
|
738
761
|
tag:'PCI/6.5.2',\
|
|
739
|
-
ver:'OWASP_CRS/4.
|
|
762
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
740
763
|
severity:'CRITICAL',\
|
|
741
764
|
multiMatch,\
|
|
742
765
|
setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
|
|
@@ -757,7 +780,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
|
|
|
757
780
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
758
781
|
# crs-toolchain regex update 942150
|
|
759
782
|
#
|
|
760
|
-
SecRule REQUEST_COOKIES
|
|
783
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\(" \
|
|
761
784
|
"id:942150,\
|
|
762
785
|
phase:2,\
|
|
763
786
|
block,\
|
|
@@ -771,9 +794,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
771
794
|
tag:'attack-sqli',\
|
|
772
795
|
tag:'paranoia-level/2',\
|
|
773
796
|
tag:'OWASP_CRS',\
|
|
797
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
774
798
|
tag:'capec/1000/152/248/66',\
|
|
775
799
|
tag:'PCI/6.5.2',\
|
|
776
|
-
ver:'OWASP_CRS/4.
|
|
800
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
777
801
|
severity:'CRITICAL',\
|
|
778
802
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
779
803
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -800,7 +824,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
800
824
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
801
825
|
# crs-toolchain regex update 942180
|
|
802
826
|
#
|
|
803
|
-
SecRule REQUEST_COOKIES
|
|
827
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:/\*)+[\"'`]+[\s\x0b]?(?:--|[#\{]|/\*)?|[\"'`](?:[\s\x0b]*(?:(?:x?or|and|div|like|between)[\s\x0b\-0-9A-Z_a-z]+[\(\)\+-\-<->][\s\x0b]*[\"'0-9`]|[!=\|](?:[\s\x0b!\+\-0-9=]+[^\[]*[\"'\(`].*|[\s\x0b!0-9=]+[^0-9]*[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'\(0-9A-Z_-z]|;)|(?:[<>~]+|[\s\x0b]*[^\s\x0b0-9A-Z_a-z]?=[\s\x0b]*|[^0-9A-Z_a-z]*?[\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\s\x0b]+[\"'`][\s\x0b]+[0-9]|^admin[\s\x0b]*?[\"'`]|[\s\x0b\"'\(`][\s\x0b]*?glob[^0-9A-Z_a-z]+[\"'\(0-9A-Z_-z]|[\s\x0b]is[\s\x0b]*?0[^0-9A-Z_a-z]|where[\s\x0b][\s\x0b,-\.0-9A-Z_a-z]+[\s\x0b]=" \
|
|
804
828
|
"id:942180,\
|
|
805
829
|
phase:2,\
|
|
806
830
|
block,\
|
|
@@ -814,9 +838,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
814
838
|
tag:'attack-sqli',\
|
|
815
839
|
tag:'paranoia-level/2',\
|
|
816
840
|
tag:'OWASP_CRS',\
|
|
841
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
817
842
|
tag:'capec/1000/152/248/66',\
|
|
818
843
|
tag:'PCI/6.5.2',\
|
|
819
|
-
ver:'OWASP_CRS/4.
|
|
844
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
820
845
|
severity:'CRITICAL',\
|
|
821
846
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
822
847
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -829,7 +854,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
829
854
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
830
855
|
# crs-toolchain regex update 942200
|
|
831
856
|
#
|
|
832
|
-
SecRule REQUEST_COOKIES
|
|
857
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\x0b]*?\([\s\x0b]*?space[\s\x0b]*?\(" \
|
|
833
858
|
"id:942200,\
|
|
834
859
|
phase:2,\
|
|
835
860
|
block,\
|
|
@@ -843,9 +868,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
843
868
|
tag:'attack-sqli',\
|
|
844
869
|
tag:'paranoia-level/2',\
|
|
845
870
|
tag:'OWASP_CRS',\
|
|
871
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
846
872
|
tag:'capec/1000/152/248/66',\
|
|
847
873
|
tag:'PCI/6.5.2',\
|
|
848
|
-
ver:'OWASP_CRS/4.
|
|
874
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
849
875
|
severity:'CRITICAL',\
|
|
850
876
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
851
877
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -858,7 +884,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
858
884
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
859
885
|
# crs-toolchain regex update 942210
|
|
860
886
|
#
|
|
861
|
-
SecRule REQUEST_COOKIES
|
|
887
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:&&|\|\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\s\x0b\(]+[0-9A-Z_a-z]+[\s\x0b\)]*?[!\+=]+[\s\x0b0-9]*?[\"'-\)=`]|[0-9](?:[\s\x0b]*?(?:and|between|div|like|x?or)[\s\x0b]*?[0-9]+[\s\x0b]*?[\+\-]|[\s\x0b]+group[\s\x0b]+by.+\()|/[0-9A-Z_a-z]+;?[\s\x0b]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\s\x0b]*?(?:alter|drop|(?:insert|update)[\s\x0b]*?[0-9A-Z_a-z]{2,})|@.+=[\s\x0b]*?\([\s\x0b]*?select|[^0-9A-Z_a-z]SET[\s\x0b]*?@[0-9A-Z_a-z]+" \
|
|
862
888
|
"id:942210,\
|
|
863
889
|
phase:2,\
|
|
864
890
|
block,\
|
|
@@ -872,9 +898,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
872
898
|
tag:'attack-sqli',\
|
|
873
899
|
tag:'paranoia-level/2',\
|
|
874
900
|
tag:'OWASP_CRS',\
|
|
901
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
875
902
|
tag:'capec/1000/152/248/66',\
|
|
876
903
|
tag:'PCI/6.5.2',\
|
|
877
|
-
ver:'OWASP_CRS/4.
|
|
904
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
878
905
|
severity:'CRITICAL',\
|
|
879
906
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
880
907
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -884,7 +911,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
884
911
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
885
912
|
# crs-toolchain regex update 942260
|
|
886
913
|
#
|
|
887
|
-
SecRule REQUEST_COOKIES
|
|
914
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\x0b]+[\s\x0b0-9A-Z_a-z]+=[\s\x0b]*?[0-9A-Z_a-z]+[\s\x0b]*?having[\s\x0b]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\x0b]+like[\s\x0b]+[\"'`]|like[\s\x0b]*?[\"'`]%|select[\s\x0b]+?[\s\x0b\"'-\),-\.0-9A-\[\]_-z]+from[\s\x0b]+" \
|
|
888
915
|
"id:942260,\
|
|
889
916
|
phase:2,\
|
|
890
917
|
block,\
|
|
@@ -898,9 +925,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
898
925
|
tag:'attack-sqli',\
|
|
899
926
|
tag:'paranoia-level/2',\
|
|
900
927
|
tag:'OWASP_CRS',\
|
|
928
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
901
929
|
tag:'capec/1000/152/248/66',\
|
|
902
930
|
tag:'PCI/6.5.2',\
|
|
903
|
-
ver:'OWASP_CRS/4.
|
|
931
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
904
932
|
severity:'CRITICAL',\
|
|
905
933
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
906
934
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -910,7 +938,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
910
938
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
911
939
|
# crs-toolchain regex update 942300
|
|
912
940
|
#
|
|
913
|
-
SecRule REQUEST_COOKIES
|
|
941
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\x0b]*?when[\s\x0b]*?[0-9]+[\s\x0b]*?then|[\"'`][\s\x0b]*?(?:[#\{]|--)|/\*![\s\x0b]?[0-9]+|\b(?:(?:binary|cha?r)[\s\x0b]*?\([\s\x0b]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\x0b]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\x0b]*?[0-9A-Z_a-z]+\(" \
|
|
914
942
|
"id:942300,\
|
|
915
943
|
phase:2,\
|
|
916
944
|
block,\
|
|
@@ -924,9 +952,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
924
952
|
tag:'attack-sqli',\
|
|
925
953
|
tag:'paranoia-level/2',\
|
|
926
954
|
tag:'OWASP_CRS',\
|
|
955
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
927
956
|
tag:'capec/1000/152/248/66',\
|
|
928
957
|
tag:'PCI/6.5.2',\
|
|
929
|
-
ver:'OWASP_CRS/4.
|
|
958
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
930
959
|
severity:'CRITICAL',\
|
|
931
960
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
932
961
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -936,7 +965,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
936
965
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
937
966
|
# crs-toolchain regex update 942310
|
|
938
967
|
#
|
|
939
|
-
SecRule REQUEST_COOKIES
|
|
968
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\([\s\x0b]*?select[\s\x0b]*?[0-9A-Z_a-z]+|coalesce|order[\s\x0b]+by[\s\x0b]+if[0-9A-Z_a-z]*?)[\s\x0b]*?\(|\*/from|\+[\s\x0b]*?[0-9]+[\s\x0b]*?\+[\s\x0b]*?@|[0-9A-Z_a-z][\"'`][\s\x0b]*?(?:(?:[\+\-=@\|]+[\s\x0b]+?)+|[\+\-=@\|]+)[\(0-9]|@@[0-9A-Z_a-z]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\s\x0b]*?(?:if|while|begin)|[\s\x0b0-9]+=[\s\x0b]*?[0-9])|[\s\x0b\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\s\x0b\(]" \
|
|
940
969
|
"id:942310,\
|
|
941
970
|
phase:2,\
|
|
942
971
|
block,\
|
|
@@ -950,9 +979,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
950
979
|
tag:'attack-sqli',\
|
|
951
980
|
tag:'paranoia-level/2',\
|
|
952
981
|
tag:'OWASP_CRS',\
|
|
982
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
953
983
|
tag:'capec/1000/152/248/66',\
|
|
954
984
|
tag:'PCI/6.5.2',\
|
|
955
|
-
ver:'OWASP_CRS/4.
|
|
985
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
956
986
|
severity:'CRITICAL',\
|
|
957
987
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
958
988
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -970,7 +1000,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
970
1000
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
971
1001
|
# crs-toolchain regex update 942330
|
|
972
1002
|
#
|
|
973
|
-
SecRule REQUEST_COOKIES
|
|
1003
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?\b(?:x?or|div|like|between|and)\b[\s\x0b]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\x0b]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\x0b]*?[\"'0-9A-Z_-z][!&\(\)\+-\.@])|[^\s\x0b0-9A-Z_a-z][0-9A-Z_a-z]+[\s\x0b]*?[\-\|][\s\x0b]*?[\"'`][\s\x0b]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\x0b]+(?:and|x?or|div|like|between)\b[\s\x0b]*?[\"'0-9`]+|[\-0-9A-Z_a-z]+[\s\x0b](?:and|x?or|div|like|between)\b[\s\x0b]*?[^\s\x0b0-9A-Z_a-z])|[^\s\x0b0-:A-Z_a-z][\s\x0b]*?[0-9][^0-9A-Z_a-z]+[^\s\x0b0-9A-Z_a-z][\s\x0b]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" \
|
|
974
1004
|
"id:942330,\
|
|
975
1005
|
phase:2,\
|
|
976
1006
|
block,\
|
|
@@ -984,9 +1014,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
984
1014
|
tag:'attack-sqli',\
|
|
985
1015
|
tag:'paranoia-level/2',\
|
|
986
1016
|
tag:'OWASP_CRS',\
|
|
1017
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
987
1018
|
tag:'capec/1000/152/248/66',\
|
|
988
1019
|
tag:'PCI/6.5.2',\
|
|
989
|
-
ver:'OWASP_CRS/4.
|
|
1020
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
990
1021
|
severity:'CRITICAL',\
|
|
991
1022
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
992
1023
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -999,7 +1030,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
999
1030
|
# Note that part of 942340.data is already optimized, to avoid a
|
|
1000
1031
|
# Regexp::Assemble behaviour, where the regex is not optimized very nicely.
|
|
1001
1032
|
#
|
|
1002
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in[\s\x0b]*?\(+[\s\x0b]*?select|(?:(?:
|
|
1033
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in[\s\x0b]*?\(+[\s\x0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\s\x0b]+|(?:\|\||&&)[\s\x0b]*?)[\s\x0b\+0-9A-Z_a-z]+(?:regexp[\s\x0b]*?\(|sounds[\s\x0b]+like[\s\x0b]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\s\x0b]*?(?:(?:[0-9]+[\s\x0b]*?(?:--|#)|is[\s\x0b]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[\.0-9]+[\s\x0b]*?[^0-9A-Z_a-z].*?[\"'`])|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\s\x0b]+|(?:\|\||&&)[\s\x0b]*?)(?:array[\s\x0b]*?\[|(?:tru|fals)e\b|[0-9A-Z_a-z]+(?:[\s\x0b]*?!?~|[\s\x0b]+(?:not[\s\x0b]+)?similar[\s\x0b]+to[\s\x0b]+))|[%&<->\^]+[0-9]+[\s\x0b]*?(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)=)|(?:[^0-9A-Z_a-z]+[\+\-0-9A-Z_a-z]+[\s\x0b]*?=[\s\x0b]*?[0-9][^0-9A-Z_a-z]+|\|?[\-0-9A-Z_a-z]{3,}[^\s\x0b,\.0-9A-Z_a-z]+)[\"'`])|\bexcept[\s\x0b]+(?:select\b|values[\s\x0b]*?\()" \
|
|
1003
1034
|
"id:942340,\
|
|
1004
1035
|
phase:2,\
|
|
1005
1036
|
block,\
|
|
@@ -1013,9 +1044,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1013
1044
|
tag:'attack-sqli',\
|
|
1014
1045
|
tag:'paranoia-level/2',\
|
|
1015
1046
|
tag:'OWASP_CRS',\
|
|
1047
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1016
1048
|
tag:'capec/1000/152/248/66',\
|
|
1017
1049
|
tag:'PCI/6.5.2',\
|
|
1018
|
-
ver:'OWASP_CRS/4.
|
|
1050
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1019
1051
|
severity:'CRITICAL',\
|
|
1020
1052
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1021
1053
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1024,7 +1056,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1024
1056
|
# The keywords 'alter' and 'union' led to false positives.
|
|
1025
1057
|
# Therefore they have been moved to PL2 and the keywords have been extended on PL1.
|
|
1026
1058
|
#
|
|
1027
|
-
SecRule REQUEST_COOKIES
|
|
1059
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter|union)\b)" \
|
|
1028
1060
|
"id:942361,\
|
|
1029
1061
|
phase:2,\
|
|
1030
1062
|
block,\
|
|
@@ -1038,9 +1070,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1038
1070
|
tag:'attack-sqli',\
|
|
1039
1071
|
tag:'paranoia-level/2',\
|
|
1040
1072
|
tag:'OWASP_CRS',\
|
|
1073
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1041
1074
|
tag:'capec/1000/152/248/66',\
|
|
1042
1075
|
tag:'PCI/6.5.2',\
|
|
1043
|
-
ver:'OWASP_CRS/4.
|
|
1076
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1044
1077
|
severity:'CRITICAL',\
|
|
1045
1078
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1046
1079
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1054,7 +1087,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1054
1087
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1055
1088
|
# crs-toolchain regex update 942362
|
|
1056
1089
|
#
|
|
1057
|
-
SecRule REQUEST_COOKIES
|
|
1090
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\x0b]+(?:char|group_concat|load_file)[\s\x0b]?\(?|end[\s\x0b]*?\);|[\s\x0b\(]load_file[\s\x0b]*?\(|[\"'`][\s\x0b]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\s\x0b]+as\b[\s\x0b]*[\"'0-9A-Z_-z]+[\s\x0b]*\bfrom|^[^A-Z_a-z]+[\s\x0b]*?(?:create[\s\x0b]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\s\x0b]*(?:all|(?:sele|distin)ct))|alter[\s\x0b]*(?:a(?:(?:ggregat|pplication[\s\x0b]*rol)e|s(?:sembl|ymmetric[\s\x0b]*ke)y|u(?:dit|thorization)|vailability[\s\x0b]*group)|b(?:roker[\s\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\s\x0b]*key)|terialized)|e(?:ssage[\s\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\x0b]*schema|srobject)))\b)" \
|
|
1058
1091
|
"id:942362,\
|
|
1059
1092
|
phase:2,\
|
|
1060
1093
|
block,\
|
|
@@ -1068,9 +1101,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1068
1101
|
tag:'attack-sqli',\
|
|
1069
1102
|
tag:'paranoia-level/2',\
|
|
1070
1103
|
tag:'OWASP_CRS',\
|
|
1104
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1071
1105
|
tag:'capec/1000/152/248/66',\
|
|
1072
1106
|
tag:'PCI/6.5.2',\
|
|
1073
|
-
ver:'OWASP_CRS/4.
|
|
1107
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1074
1108
|
severity:'CRITICAL',\
|
|
1075
1109
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1076
1110
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1086,7 +1120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1086
1120
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1087
1121
|
# crs-toolchain regex update 942370
|
|
1088
1122
|
#
|
|
1089
|
-
SecRule REQUEST_COOKIES
|
|
1123
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\x0b]*?(?:(?:\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\s\x0b][^0-9]+[\-0-9A-Z_a-z]+.*?)[0-9]|[^\s\x0b0-9\?A-Z_a-z]+[\s\x0b]*?[^\s\x0b0-9A-Z_a-z]+[\s\x0b]*?[\"'`]|[^\s\x0b0-9A-Z_a-z]+[\s\x0b]*?[^A-Z_a-z].*?(?:#|--))|.*?\*[\s\x0b]*?[0-9])|\^[\"'`]|[%\(-\+\-<>][\-0-9A-Z_a-z]+[^\s\x0b0-9A-Z_a-z]+[\"'`][^,]" \
|
|
1090
1124
|
"id:942370,\
|
|
1091
1125
|
phase:2,\
|
|
1092
1126
|
block,\
|
|
@@ -1100,9 +1134,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
1100
1134
|
tag:'attack-sqli',\
|
|
1101
1135
|
tag:'paranoia-level/2',\
|
|
1102
1136
|
tag:'OWASP_CRS',\
|
|
1137
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1103
1138
|
tag:'capec/1000/152/248/66',\
|
|
1104
1139
|
tag:'PCI/6.5.2',\
|
|
1105
|
-
ver:'OWASP_CRS/4.
|
|
1140
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1106
1141
|
severity:'CRITICAL',\
|
|
1107
1142
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1108
1143
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1112,7 +1147,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|
|
1112
1147
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1113
1148
|
# crs-toolchain regex update 942380
|
|
1114
1149
|
#
|
|
1115
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1150
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\x0b]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\x0b]{0,3})|ists[\s\x0b]*?\([\s\x0b]*?select\b)|(?:create[\s\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\x0b]by|exists[\s\x0b](?:[\s\x0b]select|s(?:elect[^\s\x0b](?:if(?:null)?[\s\x0b]\(|top|concat)|ystem[\s\x0b]\()|\bhaving\b[\s\x0b]+[0-9]{1,10}|'[^=]{1,10}')" \
|
|
1116
1151
|
"id:942380,\
|
|
1117
1152
|
phase:2,\
|
|
1118
1153
|
block,\
|
|
@@ -1126,9 +1161,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1126
1161
|
tag:'attack-sqli',\
|
|
1127
1162
|
tag:'paranoia-level/2',\
|
|
1128
1163
|
tag:'OWASP_CRS',\
|
|
1164
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1129
1165
|
tag:'capec/1000/152/248/66',\
|
|
1130
1166
|
tag:'PCI/6.5.2',\
|
|
1131
|
-
ver:'OWASP_CRS/4.
|
|
1167
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1132
1168
|
severity:'CRITICAL',\
|
|
1133
1169
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1134
1170
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1138,7 +1174,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1138
1174
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1139
1175
|
# crs-toolchain regex update 942390
|
|
1140
1176
|
#
|
|
1141
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1177
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\x0b]?[<->]+|[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|xor\b[\s\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\x0b]*?[<->])?)|'[\s\x0b]+x?or[\s\x0b]+.{1,20}[!\+\-<->]" \
|
|
1142
1178
|
"id:942390,\
|
|
1143
1179
|
phase:2,\
|
|
1144
1180
|
block,\
|
|
@@ -1152,9 +1188,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1152
1188
|
tag:'attack-sqli',\
|
|
1153
1189
|
tag:'paranoia-level/2',\
|
|
1154
1190
|
tag:'OWASP_CRS',\
|
|
1191
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1155
1192
|
tag:'capec/1000/152/248/66',\
|
|
1156
1193
|
tag:'PCI/6.5.2',\
|
|
1157
|
-
ver:'OWASP_CRS/4.
|
|
1194
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1158
1195
|
severity:'CRITICAL',\
|
|
1159
1196
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1160
1197
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1164,7 +1201,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1164
1201
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1165
1202
|
# crs-toolchain regex update 942400
|
|
1166
1203
|
#
|
|
1167
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1204
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\x0b]+(?:[0-9]{1,10}[\s\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \
|
|
1168
1205
|
"id:942400,\
|
|
1169
1206
|
phase:2,\
|
|
1170
1207
|
block,\
|
|
@@ -1178,9 +1215,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1178
1215
|
tag:'attack-sqli',\
|
|
1179
1216
|
tag:'paranoia-level/2',\
|
|
1180
1217
|
tag:'OWASP_CRS',\
|
|
1218
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1181
1219
|
tag:'capec/1000/152/248/66',\
|
|
1182
1220
|
tag:'PCI/6.5.2',\
|
|
1183
|
-
ver:'OWASP_CRS/4.
|
|
1221
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1184
1222
|
severity:'CRITICAL',\
|
|
1185
1223
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1186
1224
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1195,7 +1233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1195
1233
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1196
1234
|
# crs-toolchain regex update 942410
|
|
1197
1235
|
#
|
|
1198
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1236
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \
|
|
1199
1237
|
"id:942410,\
|
|
1200
1238
|
phase:2,\
|
|
1201
1239
|
block,\
|
|
@@ -1209,9 +1247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1209
1247
|
tag:'attack-sqli',\
|
|
1210
1248
|
tag:'paranoia-level/2',\
|
|
1211
1249
|
tag:'OWASP_CRS',\
|
|
1250
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1212
1251
|
tag:'capec/1000/152/248/66',\
|
|
1213
1252
|
tag:'PCI/6.5.2',\
|
|
1214
|
-
ver:'OWASP_CRS/4.
|
|
1253
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1215
1254
|
severity:'CRITICAL',\
|
|
1216
1255
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1217
1256
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1224,7 +1263,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1224
1263
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1225
1264
|
# crs-toolchain regex update 942470
|
|
1226
1265
|
#
|
|
1227
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1266
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \
|
|
1228
1267
|
"id:942470,\
|
|
1229
1268
|
phase:2,\
|
|
1230
1269
|
block,\
|
|
@@ -1238,9 +1277,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1238
1277
|
tag:'attack-sqli',\
|
|
1239
1278
|
tag:'paranoia-level/2',\
|
|
1240
1279
|
tag:'OWASP_CRS',\
|
|
1280
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1241
1281
|
tag:'capec/1000/152/248/66',\
|
|
1242
1282
|
tag:'PCI/6.5.2',\
|
|
1243
|
-
ver:'OWASP_CRS/4.
|
|
1283
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1244
1284
|
severity:'CRITICAL',\
|
|
1245
1285
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1246
1286
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1253,7 +1293,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1253
1293
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1254
1294
|
# crs-toolchain regex update 942480
|
|
1255
1295
|
#
|
|
1256
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1296
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \
|
|
1257
1297
|
"id:942480,\
|
|
1258
1298
|
phase:2,\
|
|
1259
1299
|
block,\
|
|
@@ -1267,9 +1307,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1267
1307
|
tag:'attack-sqli',\
|
|
1268
1308
|
tag:'paranoia-level/2',\
|
|
1269
1309
|
tag:'OWASP_CRS',\
|
|
1310
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1270
1311
|
tag:'capec/1000/152/248/66',\
|
|
1271
1312
|
tag:'PCI/6.5.2',\
|
|
1272
|
-
ver:'OWASP_CRS/4.
|
|
1313
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1273
1314
|
severity:'CRITICAL',\
|
|
1274
1315
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1275
1316
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1308,9 +1349,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|
|
1308
1349
|
tag:'attack-sqli',\
|
|
1309
1350
|
tag:'paranoia-level/2',\
|
|
1310
1351
|
tag:'OWASP_CRS',\
|
|
1352
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1311
1353
|
tag:'capec/1000/152/248/66',\
|
|
1312
1354
|
tag:'PCI/6.5.2',\
|
|
1313
|
-
ver:'OWASP_CRS/4.
|
|
1355
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1314
1356
|
severity:'WARNING',\
|
|
1315
1357
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
|
|
1316
1358
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
|
@@ -1327,8 +1369,9 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
|
|
|
1327
1369
|
t:none,\
|
|
1328
1370
|
nolog,\
|
|
1329
1371
|
tag:'OWASP_CRS',\
|
|
1372
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1330
1373
|
ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
|
|
1331
|
-
ver:'OWASP_CRS/4.
|
|
1374
|
+
ver:'OWASP_CRS/4.16.0'"
|
|
1332
1375
|
|
|
1333
1376
|
#
|
|
1334
1377
|
# -=[ Exclusion rule for 942440 ]=-
|
|
@@ -1342,8 +1385,9 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
|
|
|
1342
1385
|
t:none,\
|
|
1343
1386
|
nolog,\
|
|
1344
1387
|
tag:'OWASP_CRS',\
|
|
1388
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1345
1389
|
ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
|
|
1346
|
-
ver:'OWASP_CRS/4.
|
|
1390
|
+
ver:'OWASP_CRS/4.16.0'"
|
|
1347
1391
|
|
|
1348
1392
|
#
|
|
1349
1393
|
# -=[ Detect SQL Comment Sequences ]=-
|
|
@@ -1381,7 +1425,7 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
|
|
|
1381
1425
|
# crs-toolchain regex update 942440
|
|
1382
1426
|
# crs-toolchain regex update 942440-chain1
|
|
1383
1427
|
#
|
|
1384
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1428
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\x0b]|[^\-]*?-)|[^&\-]#.*?[\s\x0b]|;?\x00" \
|
|
1385
1429
|
"id:942440,\
|
|
1386
1430
|
phase:2,\
|
|
1387
1431
|
block,\
|
|
@@ -1395,9 +1439,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1395
1439
|
tag:'attack-sqli',\
|
|
1396
1440
|
tag:'paranoia-level/2',\
|
|
1397
1441
|
tag:'OWASP_CRS',\
|
|
1442
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1398
1443
|
tag:'capec/1000/152/248/66',\
|
|
1399
1444
|
tag:'PCI/6.5.2',\
|
|
1400
|
-
ver:'OWASP_CRS/4.
|
|
1445
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1401
1446
|
severity:'CRITICAL',\
|
|
1402
1447
|
chain"
|
|
1403
1448
|
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
|
|
@@ -1412,7 +1457,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1412
1457
|
# Hex encoding detection:
|
|
1413
1458
|
# (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on)
|
|
1414
1459
|
#
|
|
1415
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1460
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \
|
|
1416
1461
|
"id:942450,\
|
|
1417
1462
|
phase:2,\
|
|
1418
1463
|
block,\
|
|
@@ -1426,9 +1471,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1426
1471
|
tag:'attack-sqli',\
|
|
1427
1472
|
tag:'paranoia-level/2',\
|
|
1428
1473
|
tag:'OWASP_CRS',\
|
|
1474
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1429
1475
|
tag:'capec/1000/152/248/66',\
|
|
1430
1476
|
tag:'PCI/6.5.2',\
|
|
1431
|
-
ver:'OWASP_CRS/4.
|
|
1477
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1432
1478
|
severity:'CRITICAL',\
|
|
1433
1479
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1434
1480
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1459,7 +1505,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1459
1505
|
# ('if'). That rule runs in paranoia level 3 or higher since it is prone to
|
|
1460
1506
|
# false positives in natural text.
|
|
1461
1507
|
#
|
|
1462
|
-
SecRule REQUEST_COOKIES
|
|
1508
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" \
|
|
1463
1509
|
"id:942510,\
|
|
1464
1510
|
phase:2,\
|
|
1465
1511
|
block,\
|
|
@@ -1473,9 +1519,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1473
1519
|
tag:'attack-sqli',\
|
|
1474
1520
|
tag:'paranoia-level/2',\
|
|
1475
1521
|
tag:'OWASP_CRS',\
|
|
1522
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1476
1523
|
tag:'capec/1000/152/248/66',\
|
|
1477
1524
|
tag:'PCI/6.5.2',\
|
|
1478
|
-
ver:'OWASP_CRS/4.
|
|
1525
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1479
1526
|
severity:'CRITICAL',\
|
|
1480
1527
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1481
1528
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1486,7 +1533,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1486
1533
|
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
|
1487
1534
|
# crs-toolchain regex update 942520
|
|
1488
1535
|
#
|
|
1489
|
-
SecRule REQUEST_COOKIES
|
|
1536
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|]{1,3})" \
|
|
1490
1537
|
"id:942520,\
|
|
1491
1538
|
phase:2,\
|
|
1492
1539
|
block,\
|
|
@@ -1500,9 +1547,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1500
1547
|
tag:'attack-sqli',\
|
|
1501
1548
|
tag:'paranoia-level/2',\
|
|
1502
1549
|
tag:'OWASP_CRS',\
|
|
1550
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1503
1551
|
tag:'capec/1000/152/248/66',\
|
|
1504
1552
|
tag:'PCI/6.5.2',\
|
|
1505
|
-
ver:'OWASP_CRS/4.
|
|
1553
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1506
1554
|
severity:'CRITICAL',\
|
|
1507
1555
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1508
1556
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1533,9 +1581,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
|
|
|
1533
1581
|
tag:'attack-sqli',\
|
|
1534
1582
|
tag:'paranoia-level/2',\
|
|
1535
1583
|
tag:'OWASP_CRS',\
|
|
1584
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1536
1585
|
tag:'capec/1000/152/248/66',\
|
|
1537
1586
|
tag:'PCI/6.5.2',\
|
|
1538
|
-
ver:'OWASP_CRS/4.
|
|
1587
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1539
1588
|
severity:'CRITICAL',\
|
|
1540
1589
|
setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
|
|
1541
1590
|
chain"
|
|
@@ -1561,9 +1610,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
|
|
|
1561
1610
|
tag:'attack-sqli',\
|
|
1562
1611
|
tag:'paranoia-level/2',\
|
|
1563
1612
|
tag:'OWASP_CRS',\
|
|
1613
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1564
1614
|
tag:'capec/1000/152/248/66',\
|
|
1565
1615
|
tag:'PCI/6.5.2',\
|
|
1566
|
-
ver:'OWASP_CRS/4.
|
|
1616
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1567
1617
|
severity:'CRITICAL',\
|
|
1568
1618
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1569
1619
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1599,9 +1649,10 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
|
|
|
1599
1649
|
tag:'attack-sqli',\
|
|
1600
1650
|
tag:'paranoia-level/2',\
|
|
1601
1651
|
tag:'OWASP_CRS',\
|
|
1652
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1602
1653
|
tag:'capec/1000/152/248/66',\
|
|
1603
1654
|
tag:'PCI/6.5.2',\
|
|
1604
|
-
ver:'OWASP_CRS/4.
|
|
1655
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1605
1656
|
severity:'CRITICAL',\
|
|
1606
1657
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1607
1658
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1631,9 +1682,10 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
|
|
|
1631
1682
|
tag:'attack-sqli',\
|
|
1632
1683
|
tag:'paranoia-level/2',\
|
|
1633
1684
|
tag:'OWASP_CRS',\
|
|
1685
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1634
1686
|
tag:'capec/1000/152/248/66',\
|
|
1635
1687
|
tag:'PCI/6.5.2',\
|
|
1636
|
-
ver:'OWASP_CRS/4.
|
|
1688
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1637
1689
|
severity:'CRITICAL',\
|
|
1638
1690
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1639
1691
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
@@ -1661,17 +1713,18 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
|
|
|
1661
1713
|
tag:'attack-sqli',\
|
|
1662
1714
|
tag:'paranoia-level/2',\
|
|
1663
1715
|
tag:'OWASP_CRS',\
|
|
1716
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1664
1717
|
tag:'capec/1000/152/248/66',\
|
|
1665
1718
|
tag:'PCI/6.5.2',\
|
|
1666
|
-
ver:'OWASP_CRS/4.
|
|
1719
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1667
1720
|
severity:'CRITICAL',\
|
|
1668
1721
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1669
1722
|
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
1670
1723
|
|
|
1671
1724
|
|
|
1672
1725
|
|
|
1673
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1674
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1726
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
1727
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
1675
1728
|
#
|
|
1676
1729
|
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
|
1677
1730
|
#
|
|
@@ -1687,7 +1740,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'O
|
|
|
1687
1740
|
#
|
|
1688
1741
|
# This is a stricter sibling of rule 942250.
|
|
1689
1742
|
#
|
|
1690
|
-
SecRule REQUEST_COOKIES
|
|
1743
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]" \
|
|
1691
1744
|
"id:942251,\
|
|
1692
1745
|
phase:2,\
|
|
1693
1746
|
block,\
|
|
@@ -1701,9 +1754,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1701
1754
|
tag:'attack-sqli',\
|
|
1702
1755
|
tag:'paranoia-level/3',\
|
|
1703
1756
|
tag:'OWASP_CRS',\
|
|
1757
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1704
1758
|
tag:'capec/1000/152/248/66',\
|
|
1705
1759
|
tag:'PCI/6.5.2',\
|
|
1706
|
-
ver:'OWASP_CRS/4.
|
|
1760
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1707
1761
|
severity:'CRITICAL',\
|
|
1708
1762
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1709
1763
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1711,7 +1765,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1711
1765
|
# This rule is a stricter sibling of 942330. See that rule for a
|
|
1712
1766
|
# description and overview.
|
|
1713
1767
|
#
|
|
1714
|
-
SecRule REQUEST_COOKIES
|
|
1768
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" \
|
|
1715
1769
|
"id:942490,\
|
|
1716
1770
|
phase:2,\
|
|
1717
1771
|
block,\
|
|
@@ -1725,9 +1779,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1725
1779
|
tag:'attack-sqli',\
|
|
1726
1780
|
tag:'paranoia-level/3',\
|
|
1727
1781
|
tag:'OWASP_CRS',\
|
|
1782
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1728
1783
|
tag:'capec/1000/152/248/66',\
|
|
1729
1784
|
tag:'PCI/6.5.2',\
|
|
1730
|
-
ver:'OWASP_CRS/4.
|
|
1785
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1731
1786
|
severity:'CRITICAL',\
|
|
1732
1787
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1733
1788
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1751,7 +1806,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1751
1806
|
# SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id"
|
|
1752
1807
|
#
|
|
1753
1808
|
|
|
1754
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1809
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \
|
|
1755
1810
|
"id:942420,\
|
|
1756
1811
|
phase:1,\
|
|
1757
1812
|
block,\
|
|
@@ -1765,9 +1820,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1765
1820
|
tag:'attack-sqli',\
|
|
1766
1821
|
tag:'paranoia-level/3',\
|
|
1767
1822
|
tag:'OWASP_CRS',\
|
|
1823
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1768
1824
|
tag:'capec/1000/152/248/66',\
|
|
1769
1825
|
tag:'PCI/6.5.2',\
|
|
1770
|
-
ver:'OWASP_CRS/4.
|
|
1826
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1771
1827
|
severity:'WARNING',\
|
|
1772
1828
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
|
1773
1829
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
|
@@ -1794,9 +1850,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|
|
1794
1850
|
tag:'attack-sqli',\
|
|
1795
1851
|
tag:'paranoia-level/3',\
|
|
1796
1852
|
tag:'OWASP_CRS',\
|
|
1853
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1797
1854
|
tag:'capec/1000/152/248/66',\
|
|
1798
1855
|
tag:'PCI/6.5.2',\
|
|
1799
|
-
ver:'OWASP_CRS/4.
|
|
1856
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1800
1857
|
severity:'WARNING',\
|
|
1801
1858
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
|
1802
1859
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
|
@@ -1824,9 +1881,10 @@ SecRule ARGS "@rx \W{4}" \
|
|
|
1824
1881
|
tag:'attack-sqli',\
|
|
1825
1882
|
tag:'paranoia-level/3',\
|
|
1826
1883
|
tag:'OWASP_CRS',\
|
|
1884
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1827
1885
|
tag:'capec/1000/152/248/66',\
|
|
1828
1886
|
tag:'PCI/6.5.2',\
|
|
1829
|
-
ver:'OWASP_CRS/4.
|
|
1887
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1830
1888
|
severity:'WARNING',\
|
|
1831
1889
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
|
1832
1890
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
|
|
@@ -1858,7 +1916,7 @@ SecRule ARGS "@rx \W{4}" \
|
|
|
1858
1916
|
# false positives in natural text is still present but lower than this
|
|
1859
1917
|
# rule.
|
|
1860
1918
|
#
|
|
1861
|
-
SecRule REQUEST_COOKIES
|
|
1919
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" \
|
|
1862
1920
|
"id:942511,\
|
|
1863
1921
|
phase:2,\
|
|
1864
1922
|
block,\
|
|
@@ -1872,9 +1930,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1872
1930
|
tag:'attack-sqli',\
|
|
1873
1931
|
tag:'paranoia-level/3',\
|
|
1874
1932
|
tag:'OWASP_CRS',\
|
|
1933
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1875
1934
|
tag:'capec/1000/152/248/66',\
|
|
1876
1935
|
tag:'PCI/6.5.2',\
|
|
1877
|
-
ver:'OWASP_CRS/4.
|
|
1936
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1878
1937
|
severity:'CRITICAL',\
|
|
1879
1938
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1880
1939
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
@@ -1887,7 +1946,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1887
1946
|
#
|
|
1888
1947
|
# Bug Bounty example: email=admin@juice-sh.op';&password=foo
|
|
1889
1948
|
#
|
|
1890
|
-
SecRule REQUEST_COOKIES
|
|
1949
|
+
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" \
|
|
1891
1950
|
"id:942530,\
|
|
1892
1951
|
phase:2,\
|
|
1893
1952
|
block,\
|
|
@@ -1901,16 +1960,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|
|
1901
1960
|
tag:'attack-sqli',\
|
|
1902
1961
|
tag:'paranoia-level/3',\
|
|
1903
1962
|
tag:'OWASP_CRS',\
|
|
1963
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1904
1964
|
tag:'capec/1000/152/248/66',\
|
|
1905
1965
|
tag:'PCI/6.5.2',\
|
|
1906
|
-
ver:'OWASP_CRS/4.
|
|
1966
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1907
1967
|
severity:'CRITICAL',\
|
|
1908
1968
|
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
|
1909
1969
|
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
1910
1970
|
|
|
1911
1971
|
|
|
1912
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1913
|
-
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.
|
|
1972
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
1973
|
+
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.16.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
|
1914
1974
|
#
|
|
1915
1975
|
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
|
1916
1976
|
#
|
|
@@ -1921,7 +1981,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'O
|
|
|
1921
1981
|
# This is a stricter sibling of rule 942420.
|
|
1922
1982
|
#
|
|
1923
1983
|
|
|
1924
|
-
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/
|
|
1984
|
+
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \
|
|
1925
1985
|
"id:942421,\
|
|
1926
1986
|
phase:1,\
|
|
1927
1987
|
block,\
|
|
@@ -1935,9 +1995,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|
|
1935
1995
|
tag:'attack-sqli',\
|
|
1936
1996
|
tag:'paranoia-level/4',\
|
|
1937
1997
|
tag:'OWASP_CRS',\
|
|
1998
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1938
1999
|
tag:'capec/1000/152/248/66',\
|
|
1939
2000
|
tag:'PCI/6.5.2',\
|
|
1940
|
-
ver:'OWASP_CRS/4.
|
|
2001
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1941
2002
|
severity:'WARNING',\
|
|
1942
2003
|
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
|
1943
2004
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
|
@@ -1964,9 +2025,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|
|
1964
2025
|
tag:'attack-sqli',\
|
|
1965
2026
|
tag:'paranoia-level/4',\
|
|
1966
2027
|
tag:'OWASP_CRS',\
|
|
2028
|
+
tag:'OWASP_CRS/ATTACK-SQLI',\
|
|
1967
2029
|
tag:'capec/1000/152/248/66',\
|
|
1968
2030
|
tag:'PCI/6.5.2',\
|
|
1969
|
-
ver:'OWASP_CRS/4.
|
|
2031
|
+
ver:'OWASP_CRS/4.16.0',\
|
|
1970
2032
|
severity:'WARNING',\
|
|
1971
2033
|
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
|
1972
2034
|
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|