Created
June 15, 2023 14:47
broken CRS
apiVersion: v1
data:
  REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example: |
    # ------------------------------------------------------------------------
    # OWASP ModSecurity Core Rule Set ver.3.3.4
    # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
    # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
    #
    # The OWASP ModSecurity Core Rule Set is distributed under
    # Apache Software License (ASL) version 2
    # Please see the enclosed LICENSE file for full details.
    # ------------------------------------------------------------------------
    #
    # The purpose of this file is to hold LOCAL exceptions for your site. The
    # types of rules that would go into this file are ones where you want to
    # short-circuit inspection and allow certain transactions to pass through
    # inspection, or where you want to alter rules that are applied.
    #
    # This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
    # very specific reason. Files affixed with the .example extension are designed
    # to contain user created/modified data. The '.example' extension should be
    # renamed to end in .conf. The advantage of this is that when OWASP CRS is
    # updated, the updates will not overwrite a user generated configuration file.
    #
    # As a result of this design paradigm users are encouraged NOT to directly
    # modify rules. Instead they should use this
    # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
    # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
    # methods similar to the examples specified below.
    #
    # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
    # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
    # effectively maintains two different contexts: startup, and per transaction.
    # As a rule, directives are processed within the startup context. While they
    # can affect the per transaction context they generally remain fixed during the
    # execution of ModSecurity.
    #
    # As a result, if one wanted to disable a rule at bootup the SecRuleRemoveById
    # directive or one of its siblings would have to be placed AFTER the rule is
    # listed, otherwise it will not have knowledge of the rule's existence (since
    # these rules are read in at the same time). This means that when using
    # directives that affect SecRules, these exceptions should be placed AFTER all
    # the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
    # designed such that it loads LAST.
    #
    # Conversely, ModSecurity supports several actions that can change the state of
    # the underlying configuration during the per transaction context, that is,
    # while rules are being processed. Generally, these are accomplished by using
    # the 'ctl' action. As these are part of a rule, they will be evaluated in the
    # order rules are applied (by physical location, considering phases). As a
    # result of this ordering a 'ctl' action should be placed with consideration to
    # when it will be executed. This is particularly relevant for the 'ctl' options
    # that involve modifying IDs (such as ruleRemoveById). In these cases it is
    # important that such rules are placed BEFORE the rule ID they will affect.
    # Unlike the setup context, by the time we process rules in the per-transaction
    # context, we are already aware of all the rule IDs. It is by this logic that
    # we include rules such as this BEFORE all the remaining rules. As a result
    # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
    #
    # As a general rule:
    # ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    #
    # SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    #
    #
    # What follows are a group of examples that show you how to perform rule
    # exclusions.
    #
    #
    # Example Exclusion Rule: Disable inspection for an authorized client
    #
    # This ruleset allows you to control how ModSecurity will handle traffic
    # originating from Authorized Vulnerability Scanning (AVS) sources. See
    # related blog post -
    # http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
    #
    # White-list the ASV network block (no blocking or logging of AVS traffic).
    # Update the IP network block as appropriate for your AVS traffic.
    #
    # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
    # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
    #     "id:1000,\
    #     phase:1,\
    #     pass,\
    #     nolog,\
    #     ctl:ruleEngine=Off"
    #
    #
    # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
    # for an individual rule
    #
    # This rule shows how to conditionally exclude the "password"
    # parameter for rule 942100 when the REQUEST_URI is /index.php
    # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
    #
    # SecRule REQUEST_URI "@beginsWith /index.php" \
    #     "id:1001,\
    #     phase:1,\
    #     pass,\
    #     nolog,\
    #     ctl:ruleRemoveTargetById=942100;ARGS:password"
    #
    #
    # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
    # for only certain attacks
    #
    # Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
    # 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
    #
    # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
    # for all rules tagged attack-sqli
    # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    #     "id:1002,\
    #     phase:2,\
    #     pass,\
    #     nolog,\
    #     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
    #
    # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
    # for all CRS rules
    #
    # This rule illustrates that we can use tagging very effectively to whitelist a
    # common false positive across an entire ModSecurity instance. This can be done
    # because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
    # affect custom rules.
    #
    # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
    # for all CRS rules
    # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    #     "id:1003,\
    #     phase:2,\
    #     pass,\
    #     nolog,\
    #     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
    #
    # Example Exclusion Rule: Removing a range of rules
    #
    # This rule illustrates that we can remove a rule range via a ctl action.
    # This uses the fact that rules are grouped by topic in rule files covering
    # a certain id range.
    #
    # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
    # SecRule REQUEST_FILENAME "@beginsWith /admin" \
    #     "id:1004,\
    #     phase:2,\
    #     pass,\
    #     nolog,\
    #     ctl:ruleRemoveById=941000-942999"
    #
    #
    # The application specific rule exclusion files
    # REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
    # REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
    # bring additional examples which can be useful when tuning a service.
  REQUEST-901-INITIALIZATION.conf: |
    # ------------------------------------------------------------------------
    # OWASP ModSecurity Core Rule Set ver.3.3.4
    # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
    # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
    #
    # The OWASP ModSecurity Core Rule Set is distributed under
    # Apache Software License (ASL) version 2
    # Please see the enclosed LICENSE file for full details.
    # ------------------------------------------------------------------------
    #
    # This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
    # and performs preparatory actions. It also fixes errors and omissions
    # of variable definitions in the file crs-setup.conf.
    # The crs-setup.conf file can and should be edited by the user; this file
    # is part of the CRS installation and should not be altered.
    #
    #
    # -=[ Rules Version ]=-
    #
    # Rule version data is added to the "Producer" line of Section H of the Audit log:
    #
    # - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
    #
    # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
    #
    SecComponentSignature "OWASP_CRS/3.3.4"
    #
    # -=[ Default setup values ]=-
    #
    # The CRS checks the tx.crs_setup_version variable to ensure that the setup
    # file is included at the correct time. This detects situations where
    # necessary settings are not defined, for instance if the file
    # inclusion order is incorrect, or if the user has forgotten to
    # include the crs-setup.conf file.
    #
    # If you are upgrading from an earlier version of the CRS and you are
    # getting this error, please make a new copy of the setup template
    # crs-setup.conf.example to crs-setup.conf, and re-apply your policy
    # changes. There have been many changes in settings syntax from CRS2
    # to CRS3, so an old setup file may cause unwanted behavior.
    #
    # If you are not planning to use the crs-setup.conf template, you must
    # manually set the tx.crs_setup_version variable before including
    # the CRS rules/* files.
    #
    # The variable is a numerical representation of the CRS version number.
    # E.g., v3.0.0 is represented as 300.
    #
    SecRule &TX:crs_setup_version "@eq 0" \
        "id:901001,\
        phase:1,\
        deny,\
        status:500,\
        log,\
        auditlog,\
        msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'CRITICAL'"
    #
    # -=[ Default setup values ]=-
    #
    # Some constructs or individual rules will fail if certain parameters
    # are not set in the setup.conf file. The following rules will catch
    # these cases and assign sane default values.
    #
    # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
    SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
        "id:901100,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.inbound_anomaly_score_threshold=5'"
    # Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
    SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
        "id:901110,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.outbound_anomaly_score_threshold=4'"
    # Default Paranoia Level (rule 900000 in setup.conf)
    SecRule &TX:paranoia_level "@eq 0" \
        "id:901120,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.paranoia_level=1'"
    # Default Executing Paranoia Level (rule 900000 in setup.conf)
    SecRule &TX:executing_paranoia_level "@eq 0" \
        "id:901125,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
    # Default Sampling Percentage (rule 900400 in setup.conf)
    SecRule &TX:sampling_percentage "@eq 0" \
        "id:901130,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.sampling_percentage=100'"
    # Default Anomaly Scores (rule 900100 in setup.conf)
    SecRule &TX:critical_anomaly_score "@eq 0" \
        "id:901140,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.critical_anomaly_score=5'"
    SecRule &TX:error_anomaly_score "@eq 0" \
        "id:901141,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.error_anomaly_score=4'"
    SecRule &TX:warning_anomaly_score "@eq 0" \
        "id:901142,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.warning_anomaly_score=3'"
    SecRule &TX:notice_anomaly_score "@eq 0" \
        "id:901143,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.notice_anomaly_score=2'"
    # Default do_reput_block
    SecRule &TX:do_reput_block "@eq 0" \
        "id:901150,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.do_reput_block=0'"
    # Default block duration
    SecRule &TX:reput_block_duration "@eq 0" \
        "id:901152,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.reput_block_duration=300'"
    # Default HTTP policy: allowed_methods (rule 900200)
    SecRule &TX:allowed_methods "@eq 0" \
        "id:901160,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
    # Default HTTP policy: allowed_request_content_type (rule 900220)
    SecRule &TX:allowed_request_content_type "@eq 0" \
        "id:901162,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
    # Default HTTP policy: allowed_request_content_type_charset (rule 900270)
    SecRule &TX:allowed_request_content_type_charset "@eq 0" \
        "id:901168,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
    # Default HTTP policy: allowed_http_versions (rule 900230)
    SecRule &TX:allowed_http_versions "@eq 0" \
        "id:901163,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
    # Default HTTP policy: restricted_extensions (rule 900240)
    SecRule &TX:restricted_extensions "@eq 0" \
        "id:901164,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
    # Default HTTP policy: restricted_headers (rule 900250)
    SecRule &TX:restricted_headers "@eq 0" \
        "id:901165,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
    # Default HTTP policy: static_extensions (rule 900260)
    SecRule &TX:static_extensions "@eq 0" \
        "id:901166,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
    # Default enforcing of body processor URLENCODED
    SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
        "id:901167,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.enforce_bodyproc_urlencoded=0'"
    #
    # -=[ Initialize internal variables ]=-
    #
    # Initialize anomaly scoring variables.
    # All _score variables start at 0, and are incremented by the various rules
    # upon detection of a possible attack.
    # sql_error_match is used for shortcutting rules for performance reasons.
    SecAction \
        "id:901200,\
        phase:1,\
        pass,\
        t:none,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.anomaly_score=0',\
        setvar:'tx.anomaly_score_pl1=0',\
        setvar:'tx.anomaly_score_pl2=0',\
        setvar:'tx.anomaly_score_pl3=0',\
        setvar:'tx.anomaly_score_pl4=0',\
        setvar:'tx.sql_injection_score=0',\
        setvar:'tx.xss_score=0',\
        setvar:'tx.rfi_score=0',\
        setvar:'tx.lfi_score=0',\
        setvar:'tx.rce_score=0',\
        setvar:'tx.php_injection_score=0',\
        setvar:'tx.http_violation_score=0',\
        setvar:'tx.session_fixation_score=0',\
        setvar:'tx.inbound_anomaly_score=0',\
        setvar:'tx.outbound_anomaly_score=0',\
        setvar:'tx.outbound_anomaly_score_pl1=0',\
        setvar:'tx.outbound_anomaly_score_pl2=0',\
        setvar:'tx.outbound_anomaly_score_pl3=0',\
        setvar:'tx.outbound_anomaly_score_pl4=0',\
        setvar:'tx.sql_error_match=0'"
    #
    # -=[ Initialize collections ]=-
    #
    # Create both Global and IP collections for rules to use.
    # There are some CRS rules that assume that these two collections
    # have already been initiated.
    #
    SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
        "id:901318,\
        phase:1,\
        pass,\
        t:none,t:sha1,t:hexEncode,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'tx.ua_hash=%{MATCHED_VAR}'"
    SecAction \
        "id:901321,\
        phase:1,\
        pass,\
        t:none,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        initcol:global=global,\
        initcol:ip=%{remote_addr}_%{tx.ua_hash},\
        setvar:'tx.real_ip=%{remote_addr}'"
    #
    # -=[ Initialize Correct Body Processing ]=-
    #
    # Force request body variable and optionally request body processor
    #
    # Force body variable
    SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
        "id:901340,\
        phase:1,\
        pass,\
        nolog,\
        noauditlog,\
        msg:'Enabling body inspection',\
        tag:'paranoia-level/1',\
        ctl:forceRequestBodyVariable=On,\
        ver:'OWASP_CRS/3.3.4'"
    # Force body processor URLENCODED
    SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
        "id:901350,\
        phase:1,\
        pass,\
        t:none,t:urlDecodeUni,\
        nolog,\
        noauditlog,\
        msg:'Enabling forced body inspection for ASCII content',\
        ver:'OWASP_CRS/3.3.4',\
        chain"
        SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
            "ctl:requestBodyProcessor=URLENCODED"
    #
    # -=[ Easing In / Sampling Percentage ]=-
    #
    # This is used to send only a limited percentage of requests into the Core
    # Rule Set. The selection is based on TX.sampling_percentage and a pseudo
    # random number calculated below.
    #
    # Use this to ease into a new Core Rules installation with an existing
    # productive service.
    #
    # See
    # https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
    #
    #
    # Generate the pseudo random number
    #
    # ATTENTION: This is not a cryptographically secure random number. It's just
    # a cheap way to get some random number suitable for sampling.
    #
    # We take the entropy contained in the UNIQUE_ID. We hash that variable and
    # take the first two decimal digits out of it. Theoretically, it is possible
    # that there are no decimal digits in a sha1 hash. We make sure we get two
    # digits by appending the last two digits of the DURATION counter
    # (in microseconds).
    # Finally, a leading zero is removed from the two-digit random number.
    #
    SecRule TX:sampling_percentage "@eq 100" \
        "id:901400,\
        phase:1,\
        pass,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        skipAfter:END-SAMPLING"
    SecRule UNIQUE_ID "@rx ^." \
        "id:901410,\
        phase:1,\
        pass,\
        t:sha1,t:hexEncode,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
    SecRule DURATION "@rx (..)$" \
        "id:901420,\
        phase:1,\
        pass,\
        capture,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
    SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
        "id:901430,\
        phase:1,\
        pass,\
        capture,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
    SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
        "id:901440,\
        phase:1,\
        pass,\
        capture,\
        nolog,\
        ver:'OWASP_CRS/3.3.4',\
        setvar:'TX.sampling_rnd100=%{TX.1}'"
    #
    # Sampling decision
    #
    # If a request is allowed to pass without being checked by the CRS, there is no
    # entry in the audit log (for performance reasons), but an error log entry is
    # being written. If you want to disable the error log entry, then issue the
    # following directive somewhere after the inclusion of the CRS
    # (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
    #
    # SecRuleUpdateActionById 901450 "nolog"
    #
    SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
        "id:901450,\
        phase:1,\
        pass,\
        log,\
        noauditlog,\
        msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
        ctl:ruleEngine=Off,\
        ver:'OWASP_CRS/3.3.4'"
    SecMarker "END-SAMPLING"
    #
    # Configuration Plausibility Checks
    #
    # Make sure executing paranoia level is not lower than paranoia level
    SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
        "id:901500,\
        phase:1,\
        deny,\
        status:500,\
        t:none,\
        log,\
        msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
        ver:'OWASP_CRS/3.3.4'"
  REQUEST-920-PROTOCOL-ENFORCEMENT.conf: |
    # ------------------------------------------------------------------------
    # OWASP ModSecurity Core Rule Set ver.3.3.4
    # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
    # Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
    #
    # The OWASP ModSecurity Core Rule Set is distributed under
    # Apache Software License (ASL) version 2
    # Please see the enclosed LICENSE file for full details.
    # ------------------------------------------------------------------------
    #
    # Some protocol violations are common in application layer attacks.
    # Validating HTTP requests eliminates a large number of application layer attacks.
    #
    # The purpose of this rules file is to enforce HTTP RFC requirements that state how
    # the client is supposed to interact with the server.
    # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
    #
    # -= Paranoia Level 0 (empty) =- (apply unconditionally)
    #
    SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
    SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
    #
    # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
    #
    #
    # Validate request line against the format specified in the HTTP RFC
    #
    # -=[ Rule Logic ]=-
    #
    # Uses rule negation against the regex for positive security. The regex specifies the proper
    # construction of URI request lines such as:
    #
    # "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
    #
    # It also outlines proper construction for CONNECT, OPTIONS and GET requests.
    #
    # -=[ References ]=-
    # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
    # http://capec.mitre.org/data/definitions/272.html
    #
    SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
        "id:920100,\
        phase:2,\
        block,\
        t:none,\
        msg:'Invalid HTTP Request Line',\
        logdata:'%{request_line}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'WARNING',\
        setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    #
    # Identify multipart/form-data name evasion attempts
    #
    # There are possible impedance mismatches between how
    # ModSecurity interprets multipart file names and how
    # a destination app server such as PHP might parse the
    # Content-Disposition data:
    #
    # filename-parm := "filename" "=" value
    #
    # -=[ Rule Logic ]=-
    # These rules check for the existence of the ' " ; = meta-characters in
    # either the file or file name variables.
    # HTML entities may lead to false positives, which is why they are allowed at PL1.
    # Negative look-behind assertions allow frequently used entities (&_;).
    #
    # -=[ Targets, characters and html entities ]=-
    #
    # 920120: PL1 : FILES_NAMES, FILES
    # ['\";=] but allowed:
    # &[aAoOuUyY]uml; &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute;
    # &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; &amp; &apos;
    #
    # 920121: PL2 : FILES_NAMES, FILES
    # ['\";=] : ' " ; = meta-characters
    #
    # Negative look-behind (?<!re) is not supported by re2.
    #
    # -=[ References ]=-
    # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
    # http://www.ietf.org/rfc/rfc2183.txt
    #
    SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" \
        "id:920120,\
        phase:2,\
        block,\
        t:none,t:urlDecodeUni,\
        msg:'Attempted multipart/form-data bypass',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'CRITICAL',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    #
    # Accept only digits in content length
    #
    # -=[ Rule Logic ]=-
    # This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
    # is NOT all digits, then it will match.
    #
    # -=[ References ]=-
    # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
    #
    SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
        "id:920160,\
        phase:1,\
        block,\
        t:none,\
        msg:'Content-Length HTTP header is not numeric',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'CRITICAL',\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    #
    # Do not accept GET or HEAD requests with bodies
    # The HTTP standard allows GET requests to have a body but this
    # feature is not used in real life. Attackers could try to force
    # a request body on an unsuspecting web application.
    #
    # -=[ Rule Logic ]=-
    # This is a chained rule that first checks the Request Method. If it is a
    # GET or HEAD method, then it checks for the existence of a Content-Length
    # header. If the header exists and its value is neither empty nor the single
    # digit 0, then it will match.
    #
    # -=[ References ]=-
    # https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
    #
    SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
        "id:920170,\
        phase:2,\
        block,\
        t:none,\
        msg:'GET or HEAD Request with Body Content',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'CRITICAL',\
        chain"
        SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
            "t:none,\
            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    #
    # This is a sibling of rule 920170
    #
    SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
        "id:920171,\
        phase:2,\
        block,\
        t:none,\
        msg:'GET or HEAD Request with Transfer-Encoding',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'CRITICAL',\
        chain"
        SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
            "t:none,\
            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
    #
    # Require Content-Length or Transfer-Encoding to be provided with
    # every POST request if the protocol version is not HTTP/2.
    #
    # In case of HTTP/2, see RFC 7540 section 8.1, p. 52:
    # HTTP/2 does not use Transfer-Encoding: chunked anymore, because
    # the underlying transport protocol is already using data frames with
    # known length.
    #
    # -=[ Rule Logic ]=-
    # This chained rule checks if the protocol is not HTTP/2, then checks that the
    # request method is POST, and if so, it checks that neither a Content-Length nor a
    # Transfer-Encoding header is present.
    #
    SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
        "id:920180,\
        phase:2,\
        block,\
        t:none,\
        msg:'POST without Content-Length or Transfer-Encoding headers',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'WARNING',\
        chain"
        SecRule REQUEST_METHOD "@streq POST" \
            "chain"
            SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
                "chain"
                SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
                    "setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    #
    # As per RFC 7230 section 3.3.2: A sender MUST NOT send a Content-Length
    # header field in any message that contains a Transfer-Encoding header
    # field.
    #
    # Related to 920170, 920171 and 920180.
    #
    SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
        "id:920181,\
        phase:2,\
        block,\
        t:none,\
        msg:'Content-Length and Transfer-Encoding headers present.',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'WARNING',\
        chain"
        SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
            "t:none,\
            setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    #
    # Range Header Check
    #
    # RFC 7233 section 2.1, p. 6:
    # "A byte-range-spec is invalid if the last-byte-pos value is present
    # and less than the first-byte-pos."
    #
    # -=[ Rule Logic ]=-
    # This rule compares the first and second byte positions and flags
    # when the first value is greater than the second.
    #
    # -=[ References ]=-
    # https://tools.ietf.org/html/rfc7233
    # https://seclists.org/fulldisclosure/2011/Aug/175
    #
    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
        "id:920190,\
        phase:2,\
        block,\
        capture,\
        t:none,\
        msg:'Range: Invalid Last Byte Value',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'WARNING',\
        chain"
        SecRule TX:2 "@lt %{tx.1}" \
            "setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    #
    # Broken/Malicious clients often have duplicate or conflicting headers
    # Automated programs and bots often do not obey the HTTP RFC
    #
    # -=[ Rule Logic ]=-
    # This rule inspects the Connection header and looks for duplicates of the
    # keep-alive and close options.
    #
    # -=[ References ]=-
    # http://www.bad-behavior.ioerror.us/about/
    # https://tools.ietf.org/html/rfc7233
    #
    SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \
        "id:920210,\
        phase:2,\
        block,\
        t:none,\
        msg:'Multiple/Conflicting Connection Header Data Found',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        ver:'OWASP_CRS/3.3.4',\
        severity:'WARNING',\
        setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
    #
    # Check URL encodings
    #
# -=[ Rule Logic []=- | |
# There are two different chained rules. We need to separate them as we are inspecting two | |
# different variables - REQUEST_URI and REQUEST_BODY. For REQUEST_BODY, we only want to | |
# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding. | |
# | |
# -=[ References []=- | |
# http://www.ietf.org/rfc/rfc1738.txt | |
# | |
# -=[ Example payload []=- | |
# http://localhost/?s=a%20b%20c%'/ | |
# reason: %'/ is not a valid url encoding | |
# | |
SecRule REQUEST_URI "@rx \x25" \ | |
"id:920220,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'URL Encoding Abuse Attack Attempt',\ | |
logdata:'%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/255/153/267/72',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
chain" | |
SecRule REQUEST_URI "@validateUrlEncoding" \ | |
"setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \ | |
"id:920240,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'URL Encoding Abuse Attack Attempt',\ | |
logdata:'%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/255/153/267/72',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
chain" | |
SecRule REQUEST_BODY "@rx \x25" \ | |
"chain" | |
SecRule REQUEST_BODY "@validateUrlEncoding" \ | |
"setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
# | |
# Check UTF encoding | |
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise | |
# it will result in false positives. | |
# | |
# -=[ Rule Logic []=- | |
# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING | |
# variable in the crs-setup.conf file. | |
# | |
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ | |
"id:920250,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'UTF8 Encoding Abuse Attack Attempt',\ | |
logdata:'%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/255/153/267',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
chain" | |
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \ | |
"setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
# | |
# Disallow use of full-width unicode as decoding evasions may be possible. | |
# | |
# -=[ Rule Logic []=- | |
# This rule looks for full-width encoding by looking for %u followed by 2 'f' | |
# characters and then 2 hex characters. It is a vulnerability that affected | |
# IIS circa 2007. | |
# The rule will trigger on %uXXXX formatted chars that are full or half | |
# width, as explained above. This %uXXXX format is passed as a raw parameter | |
# and is (seemingly only) accepted by IIS (5.0, 6.0, 7.0, and 8.0). Other | |
# webservers will only process unicode chars presented as hex UTF-8 bytes. | |
# | |
# -=[ References []=- | |
# http://www.kb.cert.org/vuls/id/739224 | |
# https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html | |
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719 | |
# | |
SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF[]{2}[0-9a-fA-F[]{2}" \ | |
"id:920260,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'Unicode Full/Half Width Abuse Attack Attempt',\ | |
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-iis',\ | |
tag:'platform-windows',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/255/153/267/72',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
# | |
# Restrict type of characters sent | |
# | |
# This is a rule with multiple stricter siblings that grows more | |
# restrictive in higher paranoia levels. | |
# | |
# -=[ Rule Logic []=- | |
# This rule uses the @validateByteRange operator to restrict the request | |
# payloads. | |
# | |
# -=[ Targets and ASCII Ranges []=- | |
# | |
# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES | |
# ASCII 1-255 : Full ASCII range without null character | |
# | |
# 920271: PL2 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES | |
# ASCII 9,10,13,32-126,128-255 : Full visible ASCII range, tab, newline | |
# | |
# 920272: PL3 : REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES and REQUEST_BODY | |
# ASCII 32-36,38-126 : Visible lower ASCII range without percent symbol | |
# | |
# 920273: PL4 : ARGS, ARGS_NAMES and REQUEST_BODY | |
# ASCII 38,44-46,48-58,61,65-90,95,97-122 | |
# A-Z a-z 0-9 = - _ . , : & | |
# | |
# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer and Cookie | |
# ASCII 32,34,38,42-59,61,65-90,95,97-122 | |
# A-Z a-z 0-9 = - _ . , : & " * + / SPACE | |
# | |
# REQUEST_URI and REQUEST_HEADERS User-Agent, Referer and Cookie are very hard | |
# to restrict beyond the limits in 920272. | |
# | |
# 920274 generally has few positives. However, it would detect rare attacks | |
# on Accept request headers and friends. | |
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \ | |
"id:920270,\ | |
phase:2,\ | |
block,\ | |
t:none,t:urlDecodeUni,\ | |
msg:'Invalid character in request (null character)',\ | |
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'CRITICAL',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" | |
# | |
# Do not accept requests without common headers. | |
# All normal web browsers include Host, User-Agent and Accept headers. | |
# Implies either an attacker or a legitimate automation client. | |
# | |
# | |
# Missing/Empty Host Header | |
# | |
# -=[ Rule Logic []=- | |
# These rules will first check to see if a Host header is present. | |
# The second check is to see if a Host header exists but is empty. | |
# | |
SecRule &REQUEST_HEADERS:Host "@eq 0" \ | |
"id:920280,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Request Missing a Host Header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
tag:'PCI/6.5.10',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ | |
skipAfter:END-HOST-CHECK" | |
SecRule REQUEST_HEADERS:Host "@rx ^$" \ | |
"id:920290,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Empty Host Header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
SecMarker "END-HOST-CHECK" | |
# | |
# Empty Accept Header | |
# | |
# -=[ Rule Logic []=- | |
# This rule checks if an Accept header exists, but has an empty value. | |
# This is only allowed in combination with the OPTIONS method. | |
# Additionally, there are some clients sending empty Accept headers. | |
# They are covered in another chained rule checking the User-Agent. | |
# This technique demands a separate rule to detect an empty | |
# Accept header if there is no user agent. This is checked via | |
# the separate rule 920311. | |
# | |
# Exclude some common broken clients sending empty Accept header: | |
# "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0" (CRS issue #515) | |
# "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0" (CRS issue #366) | |
# | |
# -=[ References []=- | |
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366 | |
# | |
SecRule REQUEST_HEADERS:Accept "@rx ^$" \ | |
"id:920310,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Request Has an Empty Accept Header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'NOTICE',\ | |
chain" | |
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ | |
"chain" | |
SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \ | |
"t:none,\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'" | |
# | |
# This rule is a sibling of rule 920310. | |
# | |
SecRule REQUEST_HEADERS:Accept "@rx ^$" \ | |
"id:920311,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Request Has an Empty Accept Header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'NOTICE',\ | |
chain" | |
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ | |
"chain" | |
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ | |
"t:none,\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'" | |
# | |
# Empty User-Agent Header | |
# | |
# -=[ Rule Logic []=- | |
# This rules will check to see if the User-Agent header is empty. | |
# | |
# Note that there is a second rule, 920320, which will check for | |
# the existence of the User-Agent header. | |
# | |
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ | |
"id:920330,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Empty User Agent Header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'NOTICE',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'" | |
# | |
# Missing Content-Type Header with Request Body | |
# | |
# -=[ Rule Logic[]=- | |
# This rule will first check to see if the value of the Content-Length header is | |
# non-equal to 0. The chained rule is then checking the existence of the | |
# Content-Type header. The RFCs do not state there must be a | |
# Content-Type header. However, a request missing a Content-Header is a | |
# strong indication of a non-compliant browser. | |
# | |
# Also, omitting the CT header allows to bypass the Request Body Processor | |
# unless you set the optional tx.enforce_bodyproc_urlencoded variable. | |
# | |
# Note: in default settings, this behavior only provides a NOTICE and will | |
# not cause a request to be blocked. However, in paranoia level 2 or | |
# higher, we run sibling 920341, which DOES block these requests. | |
# | |
# -=[ References []=- | |
# http://httpwg.org/specs/rfc7231.html#header.content-type | |
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ | |
"id:920340,\ | |
phase:2,\ | |
pass,\ | |
t:none,\ | |
msg:'Request Containing Content, but Missing Content-Type header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'NOTICE',\ | |
chain" | |
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ | |
"t:none,\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'" | |
# Check that the host header is not an IP address | |
# This is not an HTTP RFC violation but it is indicative of automated client access. | |
# Many web-based worms propagate by scanning IP address blocks. | |
# | |
# -=[ Rule Logic []=- | |
# This rule triggers if the Host header contains all digits (and possible port) | |
# | |
# -=[ References []=- | |
# https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx | |
# | |
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \ | |
"id:920350,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'Host header is a numeric IP address',\ | |
logdata:'%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/1',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
tag:'PCI/6.5.10',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'WARNING',\ | |
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'" | |
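#
# Added example, not part of the CRS 3.3.4 rule set: a local exclusion for
# rule 920350 above. Kubernetes liveness and readiness probes address a pod
# by its numeric IP, so their Host header matches 920350 and adds a warning
# score on every probe. The probe path /healthz and the local rule id 10350
# are assumptions chosen for this example (ids 1-99,999 are reserved for
# local rules). The exclusion runs in phase 1, before the phase-2 rule it
# disables, and removes only that one rule for that one path, so every
# other check in this file still applies to the probe request. In a real
# deployment it belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# rather than next to the rule.
#
SecRule REQUEST_URI "@beginsWith /healthz" \
"id:10350,\
phase:1,\
pass,\
nolog,\
t:none,\
ctl:ruleRemoveById=920350"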
# In most cases, you should expect a certain volume for each request on your
# website. For example, a request with 400 arguments can be suspicious.
# This file creates limitations on the request.
#
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need.
#
#
# Maximum number of arguments in request limited
#
SecRule &TX:MAX_NUM_ARGS "@eq 1" \
"id:920380,\
phase:2,\
block,\
t:none,\
msg:'Too many arguments in request',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
## -- Arguments limits --
#
# Limit argument name length
#
SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
"id:920360,\
phase:2,\
block,\
t:none,\
msg:'Argument name too long',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
"t:none,t:length,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Limit argument value length
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
#
SecRule &TX:ARG_LENGTH "@eq 1" \
"id:920370,\
phase:2,\
block,\
t:none,\
msg:'Argument value too long',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
"t:none,t:length,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Limit arguments total length
#
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
"id:920390,\
phase:2,\
block,\
t:none,\
msg:'Total arguments size exceeded',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -- File upload limits --
#
# Individual file size is limited
SecRule &TX:MAX_FILE_SIZE "@eq 1" \
"id:920400,\
phase:2,\
block,\
t:none,\
msg:'Uploaded file size too large',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Combined file size is limited
#
SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
"id:920410,\
phase:2,\
block,\
t:none,\
msg:'Total uploaded files size too large',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
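#
# Added example, not part of the CRS 3.3.4 rule set: the six limit rules
# above (920380, 920360, 920370, 920390, 920400 and 920410) each start with
# "&TX:<NAME> @eq 1", so a rule stays inert until the matching tx variable
# exists. CRS expects the variables to be set in crs-setup.conf; a single
# phase-1 SecAction does the same job and is shown here so the link to the
# rules is visible. The values and the local rule id 10300 are assumptions
# for this example and must be tuned to the application: a form with 50
# fields needs max_num_args above 50, an upload endpoint needs max_file_size
# at least as large as the biggest expected file. Note that 920400 compares
# the request Content-Length, so max_file_size caps the whole multipart
# body, not one file; only 920410 (FILES_COMBINED_SIZE) measures the files.
#
SecAction \
"id:10300,\
phase:1,\
pass,\
nolog,\
t:none,\
setvar:tx.max_num_args=255,\
setvar:tx.arg_name_length=100,\
setvar:tx.arg_length=400,\
setvar:tx.total_arg_length=64000,\
setvar:tx.max_file_size=1048576,\
setvar:tx.combined_file_sizes=1048576"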
#
# Restrict which content-types we accept.
#
# Restrict Content-Type header to established patterns.
#
# This provides generic whitelist protection against vulnerabilities like
# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638).
#
# Examples of allowed patterns:
# - text/plain
# - text/plain; charset="UTF-8"
# - multipart/form-data; boundary=----WebKitFormBoundary12345
#
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$" \
"id:920470,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Illegal Content-Type header',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# In case the Content-Type header can be parsed, check the mime-type against
# the policy defined in the 'allowed_request_content_type' variable.
# To change your policy, edit crs-setup.conf and activate rule 900220.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
"id:920420,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Request content type is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict charset parameter within the content-type header
#
SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
"id:920480,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Request content type charset is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
"t:none,\
ctl:forceRequestBodyVariable=On,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict charset parameter inside content type header to occur at most once.
#
SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
"id:920530,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Multiple charsets detected in content type header',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict protocol versions.
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
"id:920430,\
phase:1,\
block,\
t:none,\
msg:'HTTP protocol version is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict file extension
#
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
"id:920440,\
phase:2,\
block,\
capture,\
t:none,\
msg:'URL file extension is restricted by policy',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Backup or "working" file extension
# example: index.php~, /index.php~/foo/
#
SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
"id:920500,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Attempt to access a backup or working file',\
logdata:'%{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restricted HTTP headers
#
# -=[ Rule Logic ]=-
# The use of certain headers is restricted. They are listed in the variable
# TX.restricted_headers.
#
# The headers are transformed into lowercase before the match. In order to
# make sure that only complete header names are matching, the names in
# TX.restricted_headers are wrapped in slashes. This guarantees that the
# header Range (-> /range/) is not matching the restricted header
# /content-range/ for example.
#
# This is a chained rule, where the first rule fills a set of variables of the
# form TX.header_name_<HEADER_NAME>. The second rule is then executed for all
# variables of the form TX.header_name_<HEADER_NAME>.
#
# As a consequence of the construction of the rule, the alert message and the
# alert data will not display the original header name Content-Range, but
# /content-range/ instead.
#
#
# -=[ References ]=-
# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
#
SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
"id:920450,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
logdata:'Restricted header detected: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict response charsets that we allow.
# The following rules make sure that the response will be in an ASCII-compatible charset that
# phase 4 rules can properly understand and block.
#
#
# Some servers rely on the request Accept header to determine what charset to respond with.
# This rule restricts these to familiar charsets.
#
# Regular expression generated from util/regexp-assemble/data/920600.data.
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
# util/regexp-assemble/regexp-assemble.py update 920600
#
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
"id:920600,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Illegal Accept header: charset parameter',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
#
#
# -=[ Rule Logic ]=-
#
# Check the number of range fields in the Range request header.
#
# An excessive number of Range request headers can be used to DoS a server.
# The original CVE proposed an arbitrary upper limit of 5 range fields.
#
# Several clients are known to request PDF files with up to 62 range
# fields. Therefore the standard rule does not cover PDF files. This is
# performed in two separate (stricter) siblings of this rule.
#
# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs
# 920201: PL2: Limit of 62 range header fields for PDFs
# 920202: PL4: Limit of 5 range header fields for PDFs
#
# -=[ References ]=-
# https://httpd.apache.org/security/CVE-2011-3192.txt
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
"id:920200,\
phase:2,\
block,\
t:none,\
msg:'Range: Too many fields (6 or more)',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
"setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
#
# This is a sibling of rule 920200
#
SecRule REQUEST_BASENAME "@endsWith .pdf" \
"id:920201,\
phase:2,\
block,\
t:none,\
msg:'Range: Too many fields for pdf request (63 or more)',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
"setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
"id:920230,\
phase:2,\
block,\
t:none,\
msg:'Multiple URL Encoding Detected',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
#
# Missing Accept Header
#
# -=[ Rule Logic ]=-
# This rule generates a notice if the Accept header is missing.
#
# Notice: The rule tries to avoid known false positives by ignoring
# OPTIONS requests coming from known offending User-Agents via two
# chained rules.
# As ModSecurity only reports the match of the last matching rule,
# the alert is misleading.
#
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"id:920300,\
phase:2,\
pass,\
t:none,\
msg:'Request Missing an Accept Header',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
"chain"
SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
"t:none,\
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
#
# PL2: This is a stricter sibling of 920270.
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
"id:920271,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Invalid character in request (non printable characters)',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
#
# Missing User-Agent Header
#
# -=[ Rule Logic ]=-
# This rule will check to see if there is a User-Agent header or not.
#
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
"id:920320,\
phase:2,\
pass,\
t:none,\
msg:'Missing User Agent Header',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
#
# PL2: This is a stricter sibling of 920120.
#
SecRule FILES_NAMES|FILES "@rx ['\";=]" \
"id:920121,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Attempted multipart/form-data bypass',\
logdata:'%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
tag:'paranoia-level/2',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'CRITICAL',\ | |
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" | |
# | |
# PL2: Block on Missing Content-Type Header with Request Body | |
# This is a stricter sibling of rule 920340. | |
# | |
# -=[ References []=- | |
# http://httpwg.org/specs/rfc7231.html#header.content-type | |
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ | |
"id:920341,\ | |
phase:2,\ | |
block,\ | |
t:none,\ | |
msg:'Request Containing Content Requires Content-Type header',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'paranoia-level/2',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'CRITICAL',\ | |
chain" | |
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ | |
"t:none,\ | |
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" | |
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" | |
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" | |
# | |
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) | |
# | |
# | |
# PL 3: This is a stricter sibling of 920270. Ascii range: Printable characters in the low range | |
# | |
# This rule is also triggered by the following exploit(s): | |
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] | |
# | |
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \ | |
"id:920272,\ | |
phase:2,\ | |
block,\ | |
t:none,t:urlDecodeUni,\ | |
msg:'Invalid character in request (outside of printable chars below ascii 127)',\ | |
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ | |
tag:'application-multi',\ | |
tag:'language-multi',\ | |
tag:'platform-multi',\ | |
tag:'attack-protocol',\ | |
tag:'OWASP_CRS',\ | |
tag:'capec/1000/210/272',\ | |
tag:'paranoia-level/3',\ | |
ver:'OWASP_CRS/3.3.4',\ | |
severity:'CRITICAL',\ | |
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" | |
# | |
# PL3: The little known x-up-devcap-post-charset request header can be used to submit
# a request with a different encoding as an alternative to the charset parameter in
# the Content-Type header. This can be used to circumvent charset restrictions on
# the Content-Type header in ASP.NET.
# Note that this only works in combination with a User-Agent prefix.
#
# This rule is based on a blog post by Soroush Dalili at
# https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
#
SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
"id:920490,\
phase:1,\
block,\
t:none,\
msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'language-aspnet',\
tag:'platform-windows',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
"t:none,\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
#
# Cache-Control Request Header whitelist
#
# -=[ Rule Logic ]=-
# This rule aims to strictly whitelist the Cache-Control request header
# values and to block all violations. This should be useful to intercept
# "bad bots" and tools that impersonate a real browser but with a wrong request
# header setup.
#
# The regular expression used in this rule tries to match multiple directives
# in a single value, for example: "max-stale=1, max-age=2". This leads us to
# use a regular expression that accepts a trailing comma to keep compatibility
# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, "
#
# Moreover, this regular expression allows duplicated directives in a sequence, such as:
# "max-stale, max-stale=1, no-cache, no-cache".
#
# Standard Cache-Control directives that can be used by the client:
# - max-age=<seconds>
# - max-stale[=<seconds>]
# - min-fresh=<seconds>
# - no-cache
# - no-store
# - no-transform
# - only-if-cached
#
# References:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# - https://regex101.com/r/CZ0Hxu/22
#
SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
"id:920510,\
phase:1,\
block,\
t:none,\
msg:'Invalid Cache-Control request header',\
logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'header-whitelist',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
"setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
#
#
# This is a stricter sibling of rule 920200
#
SecRule REQUEST_BASENAME "@endsWith .pdf" \
"id:920202,\
phase:2,\
block,\
t:none,\
msg:'Range: Too many fields for pdf request (6 or more)',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
"setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
#
# This is a stricter sibling of 920270.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \
"id:920273,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Invalid character in request (outside of very strict set)',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
#
# This is a stricter sibling of 920270.
#
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
"id:920274,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Invalid character in request headers (outside of very strict set)',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
#
# This is a stricter sibling of 920270.
# The 'Sec-Fetch-User' header may contain the '?' (63) character.
# Therefore we exclude this header from rule 920274 which forbids '?'.
# https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
#
SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,65-90,95,97-122" \
"id:920275,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Invalid character in request headers (outside of very strict set)',\
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
# -=[ Abnormal Character Escapes ]=-
#
# [ Rule Logic ]
# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
# Here, \s and \d were only used to obfuscate the string passwd and a lot of
# parsers will silently ignore the non-necessary escapes. The case with \t is
# a bit different though, as \t is a natural escape for the TAB character,
# so we will avoid this (and \n, \r, etc.).
#
# This rule aims to detect non-necessary, abnormal escapes. You could say it is
# a nice way to forbid the backslash character where it is not needed.
#
# This is a new rule at paranoia level 4. We expect quite a few false positives
# for this rule and we will later evaluate if the rule makes any sense at all.
# The rule is redundant with 920273 and 920274 in PL4. But if the rule proves
# to be useful and false positives remain at a reasonable level, then it might
# be shifted to PL3 in a future release, where it would be the only rule
# covering the backslash escape.
#
# We forbid backslashes followed by a list of basic ascii characters - unless
# the backslash is preceded by another backslash.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdeghijklmpqwxyz123456789]" \
"id:920460,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
log,\
msg:'Abnormal character escapes in request',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
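The rule comments above describe what three of the 920 operators decide, but not in a form that can be exercised offline. The following Python model is an added example, not ModSecurity or CRS code: it re-implements the `@rx` whitelist of rule 920510 (including the trailing-comma tolerance the comment mentions), the `@validateByteRange` check used by rules 920271 to 920275, and the abnormal-escape pattern of rule 920460, and runs them over constructed sample values. The function names are this example's own, and the sample header and argument values are constructed, not captured traffic. The byte-range helper takes the value after the rule's `t:urlDecodeUni` transformation has already been applied, so it does no decoding itself.

```python
"""Python model of three CRS 920 operator checks (added example, not CRS code)."""
import re
from urllib.parse import unquote

# Whitelist from rule 920510. The rule is negated (!@rx), so a value that does
# NOT match is an alert. The (\s*,\s*|$) alternative after each directive is what
# makes a trailing comma such as "max-age=2, " acceptable, as the rule comment notes.
CACHE_CONTROL_RE = re.compile(
    r"^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform"
    r"|only-if-cached|max-stale(?:=[0-9]+)?)(\s*,\s*|$)){1,7}$"
)

# Abnormal-escape pattern from rule 920460: a backslash that is not preceded by
# another backslash, followed by one of the listed characters. The rule applies
# t:urlDecodeUni and t:lowercase before matching, so the helper does the same.
ABNORMAL_ESCAPE_RE = re.compile(r"(?:^|[^\\])\\[cdeghijklmpqwxyz123456789]")


def parse_byte_ranges(spec):
    """Turn a @validateByteRange argument such as "32-36,38-126" into a set of ints."""
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        allowed.update(range(low, high + 1))
    return allowed


def validate_byte_range(spec, value):
    """Return the first byte outside the allowed range, or None if all bytes are allowed.

    @validateByteRange matches (alerts) as soon as any byte falls outside the
    range; returning the offending byte makes the alert explainable in a log review.
    """
    allowed = parse_byte_ranges(spec)
    for b in value.encode("utf-8"):
        if b not in allowed:
            return b
    return None


def cache_control_alert(value):
    """True when rule 920510 would alert, i.e. the value is not on the whitelist."""
    return CACHE_CONTROL_RE.match(value) is None


def abnormal_escape_alert(arg_value):
    """True when rule 920460 would alert after urlDecodeUni and lowercase."""
    decoded = unquote(arg_value).lower()
    return ABNORMAL_ESCAPE_RE.search(decoded) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for cc in ("max-stale=1, max-age=2", "max-stale=1, max-age=2, ",
               "no-cache, private", "no-cache no-store"):
        print(f"Cache-Control {cc!r}: alert={cache_control_alert(cc)}")
    print(validate_byte_range("32-36,38-126", "user=alice"))    # None: all bytes allowed
    print(validate_byte_range("32-36,38-126", "user=al%ice"))   # 37: '%' is excluded by the PL3 range
    print(abnormal_escape_alert("cat+/e%5Ctc/pa%5Cssw%5Cd"))     # True: the payload from the rule comment
    print(abnormal_escape_alert("C:%5C%5CWindows"))               # False: backslash preceded by a backslash
```

The Cache-Control check shows why the comment stresses the trailing comma: "max-stale=1, max-age=2, " is accepted, while a directive outside the standard list ("private") or two directives without a comma between them are not. The byte-range helper reports which byte tripped the check, which is the value you would expect to see in `%{MATCHED_VAR}` when tuning a PL3 or PL4 deployment.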
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example: |
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# The purpose of this file is to hold LOCAL exceptions for your site.
# The types of rules that would go into this file are ones where you want
# to unconditionally disable rules or modify their actions during startup.
#
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for a description of the rule exclusions mechanism and the correct
# use of this file.
#
#
# Example Exclusion Rule: To unconditionally disable a rule ID
#
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
# SecRuleRemoveById 942100
# Example Exclusion Rule: Remove a group of rules
#
# ModSecurity Rule Exclusion: Disable PHP injection rules
# SecRuleRemoveByTag "attack-injection-php"
#
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
# inspection for SQLi rules
#
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
#
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
# against your policy. To apply a disruptive action, they overwrite the default
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
# This 'deny' is by default paired with a 'status:403' action.
#
# In order to change the disruptive action from 'deny' to something else,
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
#
# These actions only apply when using Anomaly Mode.
#
# Default action: block with error 403
# (No configuration needed in this file if you want the default behavior.)
#
# Example: redirect back to the homepage on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
# Example: redirect to another URL on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
# Example: send an error 404
#
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
# Example: drop the connection (best for DoS attacks)
#
# SecRuleUpdateActionById 949110 "t:none,drop"
# SecRuleUpdateActionById 959100 "t:none,drop"
crawlers-user-agents.data: |
# Search engine crawlers and other bots
# crawler
# https://80legs.com/
80legs
# site ripper
# http://www.softbytelabs.com/en/BlackWidow/
black widow
blackwidow
# crawler
# 2006
prowebwalker
# generic crawler
pymills-spider/
# SEO
# https://ahrefs.com/robot
AhrefsBot
# people database
# https://pipl.com/bot/
PiplBot
# advertising targeting
# https://www.grapeshot.com/crawler/
GrapeshotCrawler/2.0
grapeFX
# SEO
# http://www.searchmetrics.com/searchmetricsbot/
SearchmetricsBot
# SEO
# https://www.semrush.com/bot/
SemrushBot
# SEO
# https://moz.com/help/guides/moz-procedures/what-is-rogerbot
rogerbot
# SEO
# http://www.majestic12.co.uk/projects/dsearch/mj12bot.php
MJ12bot
# news service
Owlin bot
# misbehaving spider
Lingewoud-550-Spyder
# https://www.wappalyzer.com/
Wappalyzer
crs-setup.conf: |
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
#
# See also:
# https://coreruleset.org/
# https://github.com/coreruleset/coreruleset
# https://owasp.org/www-project-modsecurity-core-rule-set/
#
#
# -- [[ System Requirements ]] -------------------------------------------------
#
# CRS requires ModSecurity version 2.8.0 or above.
# We recommend always using the newest ModSecurity version.
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
#
# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
# ModSecurity. If you don't have it, you can get it from:
# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
#
# The order of file inclusion in your webserver configuration should always be:
# 1. modsecurity.conf
# 2. crs-setup.conf (this file)
# 3. rules/*.conf (the CRS rule files)
#
# Please refer to the INSTALL file for detailed installation instructions.
#
#
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
#
# The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (e.g. deny, drop, etc.).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
#
# -- [[ Alert Logging Control ]] --
# In the mode configuration, you must also adjust the desired logging options.
# There are three common options for dealing with logging. By default CRS enables
# logging to the webserver error log (or Event viewer) plus detailed logging to
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
#
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
# - To log *only* to the error log file, use: "log,noauditlog"
#
# Examples for the various modes follow.
# You must leave one of the following options enabled.
# Note that you must specify the same line for phase:1 and phase:2.
#
# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
#SecDefaultAction "phase:1,log,auditlog,pass"
#SecDefaultAction "phase:2,log,auditlog,pass"
# Example: Anomaly Scoring mode, log only to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"
# Example: Self-contained mode, return error 403 on blocking
# - In this configuration the default disruptive action becomes 'deny'. After a
# rule triggers, it will stop processing the request and return an error 403.
# - You can also use a different error status, such as 404, 406, et cetera.
# - In Apache, you can use ErrorDocument to show a friendly error page or
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# Example: Self-contained mode, redirect back to homepage on blocking
# - In this configuration the 'tag' action includes the Host header data in the
# log. This helps to identify which virtual host triggered the rule (if any).
# - Note that this might cause redirect loops in some situations; for example
# if a Cookie or User-Agent header is blocked, it will also be blocked when
# the client subsequently tries to access the homepage. You can also redirect
# to another custom URL.
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
# are enabled. PL1 is advised for beginners, installations
# covering many different sites and applications, and for setups
# with standard security requirements.
# At PL1 you should face FPs rarely. If you encounter FPs, please
# open an issue on the CRS GitHub site and don't forget to attach your
# complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
# many regexp-based SQL and XSS injection protections, and adding
# extra keywords checked for code injections. PL2 is advised
# for moderate to experienced users desiring more complete coverage
# and for installations with elevated security requirements.
# PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
# limits on special characters used. PL3 is aimed at users experienced
# at the handling of FPs and at installations with a high security
# requirement.
# - Paranoia level 4 further restricts special characters.
# The highest level is advised for experienced users protecting
# installations with very high security requirements. Running PL4 will
# likely produce a very high number of FPs which have to be
# treated before the site can go into production.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduce from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900000,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.blocking_paranoia_level=1"
# It is possible to execute rules from a higher paranoia level but not include
# them in the anomaly scoring. This allows you to take a well-tuned system on
# paranoia level 1 and add rules from paranoia level 2 without having to fear
# the new rules would lead to false positives that raise your score above the
# threshold.
# This optional feature is enabled by uncommenting the following rule and
# setting the tx.detection_paranoia_level.
# Technically, rules up to the level defined in tx.detection_paranoia_level
# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
# anomaly scores.
# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
#
# Please notice that setting tx.detection_paranoia_level to a higher paranoia
# level results in a performance impact that is equally high as setting
# tx.blocking_paranoia_level to said level.
#
#SecAction \
# "id:900001,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.detection_paranoia_level=1"
#
# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
#
# ModSecurity selects the body processor based on the Content-Type request
# header. But clients are not always setting the Content-Type header for their
# request body payloads. This will leave ModSecurity with limited vision into
# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
# URLENCODED body processor in these situations. This is off by default, as it
# implies a change of the behaviour of ModSecurity beyond CRS (the body
# processor applies to all rules, not only CRS) and because it may lead to
# false positives already on paranoia level 1. However, enabling this variable
# closes a possible bypass of CRS so it should be considered.
#
# Uncomment this rule to change the default:
#
#SecAction \
# "id:900010,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.enforce_bodyproc_urlencoded=1"
#
# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
# These settings will be used to increment the anomaly score if a rule matches.
# You may adjust these points to your liking, but this is usually not needed.
#
# - CRITICAL severity: Anomaly Score of 5.
# Mostly generated by the application attack rules (93x and 94x files).
# - ERROR severity: Anomaly Score of 4.
# Generated mostly from outbound leakage rules (95x files).
# - WARNING severity: Anomaly Score of 3.
# Generated mostly by malicious client rules (91x files).
# - NOTICE severity: Anomaly Score of 2.
# Generated mostly by the protocol rules (92x files).
#
# In anomaly mode, these scores are cumulative.
# So it's possible for a request to hit multiple rules.
#
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
# In general, 'phase:request' is used. However, we want to make absolutely sure
# that all configuration variables are set before the CRS rules are processed.)
#
#SecAction \
# "id:900100,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
# setvar:tx.notice_anomaly_score=2"
#
# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
#    High Anomaly Limit   |   High Anomaly Limit
#    Low Paranoia Level   |   High Paranoia Level
#    -> Fresh Site        |   -> Experimental Site
# ------------------------------------------------------
#    Low Anomaly Limit    |   Low Anomaly Limit
#    Low Paranoia Level   |   High Paranoia Level
#    -> Standard Site     |   -> High Security Site
#
# Uncomment this rule to change the defaults:
#
#SecAction \
# "id:900110,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
# | |
# -- [[ Application Specific Rule Exclusions []] -------------------------------- | |
# | |
# CRS 3.x contained exclusion packages to tweak the CRS for use with common | |
# web applications, lowering the number of false positives. | |
# | |
# In CRS 4, these are no longer part of the CRS itself, but they are available | |
# as "CRS plugins". Some plugins improve support for web applications, and others | |
# may bring new functionality. Plugins are not installed by default, but can be | |
# downloaded from the plugin registry: | |
# https://github.com/coreruleset/plugin-registry | |
# | |
# For detailed information about using and installing plugins, please see: | |
# https://coreruleset.org/docs/configuring/plugins/ | |
# | |
# -- [[ Anomaly Score Reporting Level []] --------------------------------------- | |
# | |
# When a request is blocked due to the anomaly score meeting or exceeding the | |
# anomaly threshold then the blocking rule will also report the anomaly score. | |
# This applies to the separate inbound and outbound anomaly scores. | |
# | |
# In phase 5, there are additional rules that can perform additional reporting | |
# of anomaly scores with a verbosity that depends on the reporting level defined | |
# below. | |
# | |
# By setting the reporting level you control whether you want additional | |
# reporting beyond the blocking rule or not and, if yes, which requests should | |
# be covered. The higher the reporting level, the more verbose the reporting is. | |
# | |
# There are 6 reporting levels: | |
# | |
# 0 - Reporting disabled | |
# 1 - Reporting for requests with a blocking anomaly score >= a threshold | |
# 2 - Reporting for requests with a detection anomaly score >= a threshold | |
# 3 - Reporting for requests with a blocking anomaly score greater than 0 | |
# 4 - Reporting for requests with a detection anomaly score greater than 0 | |
# 5 - Reporting for all requests | |
# | |
# Note: Reporting levels 1 and 2 make it possible to differentiate between | |
# requests that are blocked and requests that are *not* blocked but would have | |
# been blocked if the blocking PL was equal to detection PL. This may be useful | |
# for certain FP tuning methodologies, for example moving to a higher PL. | |
# | |
# A value of 5 can be useful on platforms where you are interested in logging | |
# non-scoring requests, yet it is not possible to report this information in | |
# the request/access log. This applies to Nginx, for example. | |
# | |
#SecAction \ | |
# "id:900115,\ | |
# phase:1,\ | |
# nolog,\ | |
# pass,\ | |
# t:none,\ | |
# setvar:tx.reporting_level=4" | |
# | |
# -- [[ Early Anomaly Scoring Mode Blocking []] ------------------------------ | |
# | |
# The anomaly scores for the request and the responses are generally summed up | |
# and evaluated at the end of phase:2 and at the end of phase:4 respectively. | |
# However, it is possible to enable an early evaluation of these anomaly scores | |
# at the end of phase:1 and at the end of phase:3. | |
# | |
# If a request (or a response) hits the anomaly threshold in this early | |
# evaluation, then blocking happens immediately (if blocking is enabled) and | |
# the phase 2 (and phase 4 respectively) will no longer be executed. | |
# | |
# Enable the rule 900120 that sets the variable tx.early_blocking to 1 in order | |
# to enable early blocking. The variable tx.early_blocking is set to 0 by | |
# default. Early blocking is thus disabled by default. | |
# | |
# Please note that early blocking will hide potential alerts from you. This | |
# means that a payload that would appear in an alert in phase 2 (or phase 4) | |
# does not get evaluated if the request is being blocked early. So when you | |
# disabled early blocking again at some point in the future, then new alerts | |
# from phase 2 might pop up. | |
#SecAction \ | |
# "id:900120,\ | |
# phase:1,\ | |
# nolog,\ | |
# pass,\ | |
# t:none,\ | |
# setvar:tx.early_blocking=1" | |
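The following Python simulation is added here and is not CRS code or part of this gist; it works through the cumulative scoring, the blocking/detection paranoia-level split behind reporting levels 1 and 2, and the early-blocking behaviour described in the sections above. The rule ids, severities and paranoia levels of the sample matches are constructed.

```python
"""Simulation of CRS anomaly scoring as documented in crs-setup.conf (added example).

A request accumulates the per-severity score of every rule it matches. Rules above the
blocking paranoia level only count towards the *detection* score, and with early blocking
enabled the inbound score is already evaluated at the end of phase 1.
"""
from dataclasses import dataclass

# Default per-severity scores (tx.critical_anomaly_score, tx.error_anomaly_score, ...).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}


@dataclass(frozen=True)
class Match:
    rule_id: int
    severity: str
    phase: int  # 1 = request headers, 2 = request body
    pl: int     # paranoia level at which the rule is active


def score(matches, max_pl):
    """Cumulative anomaly score, counting only rules active at or below max_pl."""
    return sum(SEVERITY_SCORE[m.severity] for m in matches if m.pl <= max_pl)


def evaluate_inbound(matches, threshold=5, blocking_pl=1, detection_pl=1,
                     early_blocking=False):
    """Return the blocking/detection scores, the block decision, the phase in which it was
    taken and the phase-2 rule ids that never ran because of early blocking."""
    phase1 = [m for m in matches if m.phase == 1]
    phase2 = [m for m in matches if m.phase == 2]
    if early_blocking and score(phase1, blocking_pl) >= threshold:
        # Early evaluation at the end of phase 1: phase 2 is skipped entirely, so any
        # alert it would have raised stays hidden (the caveat in the section above).
        return {
            "blocking_score": score(phase1, blocking_pl),
            "detection_score": score(phase1, detection_pl),
            "blocked": True,
            "decided_in_phase": 1,
            "hidden_rules": [m.rule_id for m in phase2],
        }
    seen = phase1 + phase2
    blocking = score(seen, blocking_pl)
    return {
        "blocking_score": blocking,
        "detection_score": score(seen, detection_pl),
        "blocked": blocking >= threshold,
        "decided_in_phase": 2,
        "hidden_rules": [],
    }


def reports(level, verdict, threshold=5):
    """Whether the phase-5 reporting rules emit an entry at tx.reporting_level=level."""
    b, d = verdict["blocking_score"], verdict["detection_score"]
    return {
        0: False,            # reporting disabled
        1: b >= threshold,   # would be blocked
        2: d >= threshold,   # would be blocked if blocking PL == detection PL
        3: b > 0,
        4: d > 0,
        5: True,             # every request, e.g. for Nginx access-log gaps
    }[level]


# Constructed sample: a WARNING from the headers (phase 1), a CRITICAL from the body
# (phase 2) and a PL2-only WARNING from the body. Ids are placeholders, not CRS rule ids.
SAMPLE = [
    Match(920001, "WARNING", phase=1, pl=1),
    Match(942001, "CRITICAL", phase=2, pl=1),
    Match(942002, "WARNING", phase=2, pl=2),
]

if __name__ == "__main__":
    print(evaluate_inbound(SAMPLE))                                   # blocked, score 8
    print(evaluate_inbound(SAMPLE, threshold=3, early_blocking=True))  # blocked in phase 1
```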
#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
#
# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
#          MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#SecAction \
#  "id:900200,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
#
# Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
#          |text/xml| |application/xml| |application/soap+xml| |application/json|
#          |application/cloudevents+json| |application/cloudevents-batch+json|
#
# Please note that the rule where CRS uses this variable (920420) evaluates it with the
# operator `@within`, which is case sensitive, but applies t:lowercase to the request
# value. You must therefore add any custom Content-Type to this list entirely in lowercase.
#
# Bypass Warning: some applications may not rely on the Content-Type request header in order
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
# payloads without being detected by the WAF. Allowing a request Content-Type that doesn't activate any
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc.)
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
# Content-Type may still be interpreted as JSON by a backend application but would not trigger the
# JSON body parser at the WAF, leading to a bypass.
#
# To avoid blocking requests with a Content-Type that is not allowed by default, you can create an
# exclusion rule that removes rule 920420 for those requests only. For example:
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
#     "id:1234,\
#     phase:1,\
#     nolog,\
#     pass,\
#     t:none,\
#     ctl:ruleRemoveById=920420,\
#     chain"
#     SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
#
# Uncomment this rule to change the default.
#
#SecAction \
#  "id:900220,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
#
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
# we include both version strings by default.
# Uncomment this rule to change the default.
#SecAction \
#  "id:900230,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
#
# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Default: .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
# Note that .axd was removed due to false positives (see PR 1925).
#
# To additionally guard against configuration/install archive files being
# accidentally exposed, common archive file extensions can be added to the
# restricted extensions list. An example list of common archive file extensions
# is presented below:
# .7z/ .br/ .bz/ .bz2/ .cab/ .cpio/ .gz/ .img/ .iso/ .jar/ .rar/ .tar/ .tbz2/ .tgz/ .txz/ .xz/ .zip/ .zst/
# (Source: https://en.wikipedia.org/wiki/List_of_archive_formats)
#
# Uncomment this rule to change the default.
#SecAction \
#  "id:900240,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
#
# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
#
# Note: Accept-Charset is a deprecated header that should not be used by clients and
# should be ignored by servers. It can be used for a response WAF bypass, by asking for a
# charset that the WAF cannot decode.
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
#
# Note: Content-Encoding is used to list any encodings that have been applied to the
# original payload. It is only used for compression, which isn't supported by CRS by
# default since CRS blocks newlines and null bytes inside the request body, and most
# compression formats necessarily contain null bytes. Blocking it shouldn't
# break anything and increases security since ModSecurity is incapable of properly
# scanning compressed request bodies.
#
# Note: Blocking the Proxy header prevents the 'httpoxy' vulnerability: https://httpoxy.org
#
# Uncomment this rule to change the default.
#SecAction \
#  "id:900250,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
#
# Content-Type charsets that a client is allowed to send in a request.
# The values are enclosed by |pipes| as delimiters to guarantee exact matches.
# Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|
# Uncomment this rule to change the default.
#SecAction \
#  "id:900280,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
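The following Python model is added here and is not CRS code; it shows how the |pipe|-delimited Content-Type allowlist (rule 920420) and the charset allowlist above are consumed (t:lowercase on the request value, case-sensitive `@within` containment), why the pipes guarantee exact matches, and how to flag allowlist entries that no body processor would inspect. The body-processor mapping is an assumption mirroring modsecurity.conf-recommended, and every header value below is constructed.

```python
"""Model of the pipe-delimited Content-Type and charset allowlists (added example)."""
import re

# Defaults as listed in the sections above.
DEFAULT_CONTENT_TYPES = (
    "|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| "
    "|text/xml| |application/xml| |application/soap+xml| |application/json| "
    "|application/cloudevents+json| |application/cloudevents-batch+json|"
)
DEFAULT_CHARSETS = "|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|"

# Media types for which a request body processor is activated. Assumption: mirrors the
# URLENCODED / MULTIPART / XML / JSON processors of modsecurity.conf-recommended.
BODY_PROCESSORS = {
    "application/x-www-form-urlencoded": "URLENCODED",
    "multipart/form-data": "MULTIPART",
    "text/xml": "XML",
    "application/xml": "XML",
    "application/soap+xml": "XML",
    "application/json": "JSON",
    "application/cloudevents+json": "JSON",
    "application/cloudevents-batch+json": "JSON",
}


def split_content_type(header):
    """Return (media_type, charset or None) from a raw Content-Type header value."""
    parts = [p.strip() for p in header.split(";")]
    charset = None
    for param in parts[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset":
            charset = value.strip().strip('"')
    return parts[0], charset


def within(needle, haystack):
    """@within semantics: case-sensitive containment of the needle in the haystack."""
    return needle in haystack


def content_type_allowed(header, allowed=DEFAULT_CONTENT_TYPES):
    """Rule 920420 as modelled here: lowercase the request's media type, wrap it in
    pipes and check containment. The allowlist itself is used verbatim, so a custom
    entry written with capitals never matches."""
    media, _ = split_content_type(header)
    return within(f"|{media.lower()}|", allowed)


def charset_allowed(header, allowed=DEFAULT_CHARSETS):
    """Same mechanism for the charset parameter; no parameter means nothing to check."""
    _, charset = split_content_type(header)
    if charset is None:
        return True
    return within(f"|{charset.lower()}|", allowed)


def uninspected_entries(allowed):
    """Allowlist entries that no body processor handles: bodies sent with these types
    reach the backend without the WAF parsing them (the bypass warning above)."""
    entries = re.findall(r"\|([^|]+)\|", allowed)
    return [e for e in entries if e not in BODY_PROCESSORS]


if __name__ == "__main__":
    # Without pipes a plain substring check would accept 'application/jsonx'.
    print(within("application/json", "application/jsonx"))           # True
    print(within("|application/json|", "|application/jsonx|"))       # False
    custom = DEFAULT_CONTENT_TYPES + " |text/plain|"
    print(uninspected_entries(custom))
```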
#
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
#
# Here you can define optional limits on HTTP GET/POST parameters and uploads.
# This can help to prevent application specific DoS attacks.
#
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Beware of blocking legitimate traffic when enabling these limits.
#
# Block request if number of arguments is too high
# Default: unlimited
# Example: 255
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900300,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.max_num_args=255"
#
# Block request if the length of any argument name is too high
# Default: unlimited
# Example: 100
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900310,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.arg_name_length=100"
#
# Block request if the length of any argument value is too high
# Default: unlimited
# Example: 400
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900320,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.arg_length=400"
#
# Block request if the total length of all combined arguments is too high
# Default: unlimited
# Example: 64000
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900330,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.total_arg_length=64000"
#
# Block request if the file size of any individual uploaded file is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900340,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.max_file_size=1048576"
#
# Block request if the total size of all combined uploaded files is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
#  "id:900350,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.combined_file_sizes=1048576"
#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the Core Rule Set to an existing production site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
# limited number of requests only and then, when you have solved the issues (if
# any) and you have confidence in the setup, to raise the ratio of requests
# being sent into the ruleset.
#
# Adjust the percentage of requests that are funnelled into the Core Rules by
# setting TX.sampling_percentage below. The default is 100, meaning that every
# request gets checked by the CRS. The selection of requests, which are going
# to be checked, is based on a pseudo random number generated by ModSecurity.
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# written. If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (e.g., in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf):
#
# SecRuleUpdateActionById 901450 "nolog"
#
# ATTENTION: If TX.sampling_percentage is below 100, then some of the
# requests will bypass the Core Rules completely and you lose the ability to
# protect your service with ModSecurity.
#
# Uncomment this rule to enable this feature:
#
#SecAction "id:900400,\
#   phase:1,\
#   pass,\
#   nolog,\
#   setvar:tx.sampling_percentage=100"
#
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
#
# The CRS can optionally check request contents for invalid UTF-8 encoding.
# We only want to apply this check if UTF-8 encoding is actually used by the
# site; otherwise it will result in false positives.
#
# Uncomment this rule to use this feature:
#
#SecAction \
#  "id:900950,\
#   phase:1,\
#   nolog,\
#   pass,\
#   t:none,\
#   setvar:tx.crs_validate_utf8_encoding=1"
#
# -- [[ Collection timeout ]] --------------------------------------------------
#
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
# to a lower setting which is appropriate to most sites.
# This increases performance by cleaning out stale collection (block) entries.
#
# This value should be greater than or equal to any block durations or timeouts
# set by plugins that make use of ModSecurity's persistent collections (e.g. the
# DoS protection and IP reputation plugins).
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecCollectionTimeout
# Please keep this directive uncommented.
# Default: 600 (10 minutes)
SecCollectionTimeout 600
#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=400"
iis-errors.data: |
<h2 style="font:8pt/11pt verdana; color:000000">HTTP 403.6 - Forbidden: IP address rejected<br>
<TITLE>500 Internal Server Error</TITLE>
Microsoft VBScript runtime (0x8
error '800
Application uses a value of the wrong type for the current operation
Microsoft VBScript compilation (0x8
Microsoft VBScript compilation error
Microsoft .NET Framework Version:
A trappable error occurred in an external object. The script cannot continue running
Microsoft VBScript runtime Error
>Syntax error in string in query expression
ADODB.Command
Object required: '
java-classes.data: |
com.opensymphony.xwork2
com.sun.org.apache
java.io.BufferedInputStream
java.io.BufferedReader
java.io.ByteArrayInputStream
java.io.ByteArrayOutputStream
java.io.CharArrayReader
java.io.DataInputStream
java.io.File
java.io.FileOutputStream
java.io.FilePermission
java.io.FileWriter
java.io.FilterInputStream
java.io.FilterOutputStream
java.io.FilterReader
java.io.InputStream
java.io.InputStreamReader
java.io.LineNumberReader
java.io.ObjectOutputStream
java.io.OutputStream
java.io.PipedOutputStream
java.io.PipedReader
java.io.PrintStream
java.io.PushbackInputStream
java.io.Reader
java.io.StringReader
java.lang.Class
java.lang.Integer
java.lang.Number
java.lang.Object
java.lang.Process
java.lang.ProcessBuilder
java.lang.reflect
java.lang.Runtime
java.lang.String
java.lang.StringBuilder
java.lang.System
javax.script.ScriptEngineManager
org.apache.commons
org.apache.struts
org.apache.struts2
org.omg.CORBA
java.beans.XMLDecode
java-code-leakages.data: |
<jsp:
javax.servlet
.addheader
.createtextfile
.getfile
.loadfromfile
response.binarywrite
response.write
scripting.filesystemobject
server.createobject
server.execute
server.htmlencode
server.mappath
server.urlencode
vbscript.encode
wscript.network
wscript.shell
java-errors.data: |
[java.lang.
class java.lang.
java.lang.NullPointerException
java.rmi.ServerException
at java.lang.
onclick="toggle('full exception chain stacktrace')"
at org.apache.catalina
at org.apache.coyote.
at org.apache.tomcat.
at org.apache.jasper.
lfi-os-files.data: |
# Apache
# (no slash; also guards against old.htaccess, old.htpasswd, etc.)
.htaccess
.htdigest
.htpasswd
# dotfiles (keep in sync with restricted-files.data)
.aptitude/config
.bash_config
.bash_history
.bash_logout
.bash_profile
.bashrc
.cache/notify-osd.log
.config/odesk/odesk team.conf
.cshrc
.drush/
.gitconfig
.gnupg/
.hplip/hplip.conf
.ksh_history
.lesshst
.lftp/
.lhistory
.lldb-history
.local/share/mc/
.my.cnf
.mysql_history
.nano_history
.node_repl_history
.nsr
.pearrc
.php_history
.pki/
.profile
.psql_history
.python_history
.rediscli_history
.Rhistory
.sh_history
.sqlite_history
.ssh/authorized_keys
.ssh/config
.ssh/id_dsa
.ssh/id_dsa.pub
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/identity
.ssh/identity.pub
.ssh/known_hosts
.subversion/auth
.subversion/config
.subversion/servers
.tconn/tconn.conf
.tcshrc
.vidalia/vidalia.conf
.viminfo
.vimrc
.xauthority
.zhistory
.zshrc
.zsh_history
etc/redis.conf
etc/redis-sentinel.conf
etc/php.ini
bin/php.ini
etc/httpd/php.ini
usr/lib/php.ini
usr/lib/php/php.ini
usr/local/etc/php.ini
usr/local/lib/php.ini
usr/local/php/lib/php.ini
usr/local/php4/lib/php.ini
usr/local/php5/lib/php.ini
usr/local/apache/conf/php.ini
etc/php4.4/fcgi/php.ini
etc/php4/apache/php.ini
etc/php4/apache2/php.ini
etc/php5/apache/php.ini
etc/php5/apache2/php.ini
etc/php/php.ini
etc/php/php4/php.ini
etc/php/apache/php.ini
etc/php/apache2/php.ini
web/conf/php.ini
usr/local/zend/etc/php.ini
opt/xampp/etc/php.ini
var/local/www/conf/php.ini
etc/php/cgi/php.ini
etc/php4/cgi/php.ini
etc/php5/cgi/php.ini
home2/bin/stable/apache/php.ini
home/bin/stable/apache/php.ini
etc/httpd/conf.d/php.conf
php5/php.ini
php4/php.ini
php/php.ini
windows/php.ini
winnt/php.ini
apache/php/php.ini
xampp/apache/bin/php.ini
netserver/bin/stable/apache/php.ini
volumes/macintosh_hd1/usr/local/php/lib/php.ini
etc/mono/1.0/machine.config
etc/mono/2.0/machine.config
etc/mono/2.0/web.config
etc/mono/config
usr/local/cpanel/logs/stats_log
usr/local/cpanel/logs/access_log
usr/local/cpanel/logs/error_log
usr/local/cpanel/logs/license_log
usr/local/cpanel/logs/login_log
var/cpanel/cpanel.config
var/log/sw-cp-server/error_log
usr/local/psa/admin/logs/httpsd_access_log
usr/local/psa/admin/logs/panel.log
var/log/sso/sso.log
usr/local/psa/admin/conf/php.ini
etc/sw-cp-server/applications.d/plesk.conf
usr/local/psa/admin/conf/site_isolation_settings.ini
usr/local/sb/config
etc/sw-cp-server/applications.d/00-sso-cpserver.conf
etc/sso/sso_config.ini
etc/mysql/conf.d/old_passwords.cnf
var/log/mysql/mysql-bin.log
var/log/mysql/mysql-bin.index
var/log/mysql/data/mysql-bin.index
var/log/mysql.log
var/log/mysql.err
var/log/mysqlderror.log
var/log/mysql/mysql.log
var/log/mysql/mysql-slow.log
var/log/mysql-bin.index
var/log/data/mysql-bin.index
var/mysql.log
var/mysql-bin.index
var/data/mysql-bin.index
program files/mysql/mysql server 5.0/data/{host}.err
program files/mysql/mysql server 5.0/data/mysql.log
program files/mysql/mysql server 5.0/data/mysql.err
program files/mysql/mysql server 5.0/data/mysql-bin.log
program files/mysql/mysql server 5.0/data/mysql-bin.index
program files/mysql/data/{host}.err
program files/mysql/data/mysql.log
program files/mysql/data/mysql.err
program files/mysql/data/mysql-bin.log
program files/mysql/data/mysql-bin.index
mysql/data/{host}.err
mysql/data/mysql.log
mysql/data/mysql.err
mysql/data/mysql-bin.log
mysql/data/mysql-bin.index
usr/local/mysql/data/mysql.log
usr/local/mysql/data/mysql.err
usr/local/mysql/data/mysql-bin.log
usr/local/mysql/data/mysql-slow.log
usr/local/mysql/data/mysqlderror.log
usr/local/mysql/data/{host}.err
usr/local/mysql/data/mysql-bin.index
var/lib/mysql/my.cnf
etc/mysql/my.cnf
etc/my.cnf
program files/mysql/mysql server 5.0/my.ini
program files/mysql/mysql server 5.0/my.cnf
program files/mysql/my.ini
program files/mysql/my.cnf
mysql/my.ini
mysql/my.cnf
mysql/bin/my.ini
var/postgresql/log/postgresql.log
var/log/postgresql/postgresql.log
var/log/postgres/pg_backup.log
var/log/postgres/postgres.log
var/log/postgresql.log
var/log/pgsql/pgsql.log
var/log/postgresql/postgresql-8.1-main.log
var/log/postgresql/postgresql-8.3-main.log
var/log/postgresql/postgresql-8.4-main.log
var/log/postgresql/postgresql-9.0-main.log
var/log/postgresql/postgresql-9.1-main.log
var/log/pgsql8.log
var/log/postgresql/postgres.log
var/log/pgsql_log
var/log/postgresql/main.log
var/log/cron/var/log/postgres.log
usr/internet/pgsql/data/postmaster.log
usr/local/pgsql/data/postgresql.log
usr/local/pgsql/data/pg_log
postgresql/log/pgadmin.log
var/lib/pgsql/data/postgresql.conf
var/postgresql/db/postgresql.conf
var/nm2/postgresql.conf
usr/local/pgsql/data/postgresql.conf
usr/local/pgsql/data/pg_hba.conf
usr/internet/pgsql/data/pg_hba.conf
usr/local/pgsql/data/passwd
usr/local/pgsql/bin/pg_passwd
etc/postgresql/postgresql.conf
etc/postgresql/pg_hba.conf
home/postgres/data/postgresql.conf
home/postgres/data/pg_version
home/postgres/data/pg_ident.conf
home/postgres/data/pg_hba.conf
program files/postgresql/8.3/data/pg_hba.conf
program files/postgresql/8.3/data/pg_ident.conf
program files/postgresql/8.3/data/postgresql.conf
program files/postgresql/8.4/data/pg_hba.conf
program files/postgresql/8.4/data/pg_ident.conf
program files/postgresql/8.4/data/postgresql.conf
program files/postgresql/9.0/data/pg_hba.conf
program files/postgresql/9.0/data/pg_ident.conf
program files/postgresql/9.0/data/postgresql.conf
program files/postgresql/9.1/data/pg_hba.conf
program files/postgresql/9.1/data/pg_ident.conf
program files/postgresql/9.1/data/postgresql.conf
wamp/logs/access.log
wamp/logs/apache_error.log
wamp/logs/genquery.log
wamp/logs/mysql.log
wamp/logs/slowquery.log
wamp/bin/apache/apache2.2.22/logs/access.log
wamp/bin/apache/apache2.2.22/logs/error.log
wamp/bin/apache/apache2.2.21/logs/access.log
wamp/bin/apache/apache2.2.21/logs/error.log
wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index
wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index
wamp/bin/apache/apache2.2.21/conf/httpd.conf
wamp/bin/apache/apache2.2.22/conf/httpd.conf
wamp/bin/apache/apache2.2.21/wampserver.conf
wamp/bin/apache/apache2.2.22/wampserver.conf
wamp/bin/apache/apache2.2.22/conf/wampserver.conf
wamp/bin/mysql/mysql5.5.24/my.ini
wamp/bin/mysql/mysql5.5.24/wampserver.conf
wamp/bin/mysql/mysql5.5.16/my.ini
wamp/bin/mysql/mysql5.5.16/wampserver.conf
wamp/bin/php/php5.3.8/php.ini
wamp/bin/php/php5.4.3/php.ini
xampp/apache/logs/access.log
xampp/apache/logs/error.log
xampp/mysql/data/mysql-bin.index
xampp/mysql/data/mysql.err
xampp/mysql/data/{host}.err
xampp/sendmail/sendmail.log
xampp/apache/conf/httpd.conf
xampp/filezillaftp/filezilla server.xml
xampp/mercurymail/mercury.ini
xampp/php/php.ini
xampp/phpmyadmin/config.inc.php
xampp/sendmail/sendmail.ini
xampp/webalizer/webalizer.conf
opt/lampp/etc/httpd.conf
xampp/htdocs/aca.txt
xampp/htdocs/admin.php
xampp/htdocs/leer.txt
usr/local/apache/logs/audit_log
usr/local/apache2/logs/audit_log
logs/security_debug_log
logs/security_log
usr/local/apache/conf/modsec.conf
usr/local/apache2/conf/modsec.conf
winnt/system32/logfiles/msftpsvc
winnt/system32/logfiles/msftpsvc1
winnt/system32/logfiles/msftpsvc2
windows/system32/logfiles/msftpsvc
windows/system32/logfiles/msftpsvc1
windows/system32/logfiles/msftpsvc2
etc/logrotate.d/proftpd
www/logs/proftpd.system.log
var/log/proftpd
var/log/proftpd/xferlog.legacy
var/log/proftpd.access_log
var/log/proftpd.xferlog
etc/pam.d/proftpd
etc/proftp.conf
etc/protpd/proftpd.conf
etc/vhcs2/proftpd/proftpd.conf
etc/proftpd/modules.conf
var/log/vsftpd.log
etc/vsftpd.chroot_list
etc/logrotate.d/vsftpd.log
etc/vsftpd/vsftpd.conf
etc/vsftpd.conf
etc/chrootusers
var/log/xferlog
var/adm/log/xferlog
etc/wu-ftpd/ftpaccess
etc/wu-ftpd/ftphosts
etc/wu-ftpd/ftpusers
var/log/pure-ftpd/pure-ftpd.log
logs/pure-ftpd.log
var/log/pureftpd.log
usr/sbin/pure-config.pl
usr/etc/pure-ftpd.conf
etc/pure-ftpd/pure-ftpd.conf
usr/local/etc/pure-ftpd.conf
usr/local/etc/pureftpd.pdb
usr/local/pureftpd/etc/pureftpd.pdb
usr/local/pureftpd/sbin/pure-config.pl
usr/local/pureftpd/etc/pure-ftpd.conf
etc/pure-ftpd.conf
etc/pure-ftpd/pure-ftpd.pdb
etc/pureftpd.pdb
etc/pureftpd.passwd
etc/pure-ftpd/pureftpd.pdb
usr/ports/ftp/pure-ftpd/pure-ftpd.conf
usr/ports/ftp/pure-ftpd/pureftpd.pdb
usr/ports/ftp/pure-ftpd/pureftpd.passwd
usr/ports/net/pure-ftpd/pure-ftpd.conf
usr/ports/net/pure-ftpd/pureftpd.pdb
usr/ports/net/pure-ftpd/pureftpd.passwd
usr/pkgsrc/net/pureftpd/pure-ftpd.conf
usr/pkgsrc/net/pureftpd/pureftpd.pdb
usr/pkgsrc/net/pureftpd/pureftpd.passwd
usr/ports/contrib/pure-ftpd/pure-ftpd.conf
usr/ports/contrib/pure-ftpd/pureftpd.pdb
usr/ports/contrib/pure-ftpd/pureftpd.passwd
var/log/muddleftpd
usr/sbin/mudlogd
etc/muddleftpd/mudlog
etc/muddleftpd.com
etc/muddleftpd/mudlogd.conf
etc/muddleftpd/muddleftpd.conf
var/log/muddleftpd.conf
usr/sbin/mudpasswd
etc/muddleftpd/muddleftpd.passwd
etc/muddleftpd/passwd
var/log/ftp-proxy/ftp-proxy.log
var/log/ftp-proxy
var/log/ftplog
etc/logrotate.d/ftp
etc/ftpchroot
etc/ftphosts
etc/ftpusers
var/log/exim_mainlog
var/log/exim/mainlog
var/log/maillog
var/log/exim_paniclog
var/log/exim/paniclog
var/log/exim/rejectlog
var/log/exim_rejectlog
winnt/system32/logfiles/smtpsvc
winnt/system32/logfiles/smtpsvc1
winnt/system32/logfiles/smtpsvc2
winnt/system32/logfiles/smtpsvc3
winnt/system32/logfiles/smtpsvc4
winnt/system32/logfiles/smtpsvc5
windows/system32/logfiles/smtpsvc
windows/system32/logfiles/smtpsvc1
windows/system32/logfiles/smtpsvc2
windows/system32/logfiles/smtpsvc3
windows/system32/logfiles/smtpsvc4
windows/system32/logfiles/smtpsvc5
etc/osxhttpd/osxhttpd.conf
system/library/webobjects/adaptors/apache2.2/apache.conf
etc/apache2/sites-available/default
etc/apache2/sites-available/default-ssl
etc/apache2/sites-enabled/000-default
etc/apache2/sites-enabled/default
etc/apache2/apache2.conf
etc/apache2/ports.conf
usr/local/etc/apache/httpd.conf
usr/pkg/etc/httpd/httpd.conf
usr/pkg/etc/httpd/httpd-default.conf
usr/pkg/etc/httpd/httpd-vhosts.conf
etc/httpd/mod_php.conf
etc/httpd/extra/httpd-ssl.conf
etc/rc.d/rc.httpd
usr/local/apache/conf/httpd.conf.default
usr/local/apache/conf/access.conf
usr/local/apache22/conf/httpd.conf
usr/local/apache22/httpd.conf
usr/local/etc/apache22/conf/httpd.conf
usr/local/apps/apache22/conf/httpd.conf
etc/apache22/conf/httpd.conf
etc/apache22/httpd.conf
opt/apache22/conf/httpd.conf
usr/local/etc/apache2/vhosts.conf
usr/local/apache/conf/vhosts.conf
usr/local/apache2/conf/vhosts.conf
usr/local/apache/conf/vhosts-custom.conf
usr/local/apache2/conf/vhosts-custom.conf
etc/apache/default-server.conf
etc/apache2/default-server.conf
usr/local/apache2/conf/extra/httpd-ssl.conf
usr/local/apache2/conf/ssl.conf
etc/httpd/conf.d
usr/local/etc/apache22/httpd.conf
usr/local/etc/apache2/httpd.conf
etc/apache2/httpd2.conf
etc/apache2/ssl-global.conf
etc/apache2/vhosts.d/00_default_vhost.conf
apache/conf/httpd.conf
etc/apache/httpd.conf
etc/httpd/conf
http/httpd.conf
usr/local/apache1.3/conf/httpd.conf
usr/local/etc/httpd/conf
var/apache/conf/httpd.conf
var/www/conf
www/apache/conf/httpd.conf
www/conf/httpd.conf
etc/init.d
etc/apache/access.conf
etc/rc.conf
www/logs/freebsddiary-error.log
www/logs/freebsddiary-access_log
library/webserver/documents/index.html
library/webserver/documents/index.htm
library/webserver/documents/default.html
library/webserver/documents/default.htm
library/webserver/documents/index.php
library/webserver/documents/default.php
var/log/webmin/miniserv.log
usr/local/etc/webmin/miniserv.conf
etc/webmin/miniserv.conf
usr/local/etc/webmin/miniserv.users
etc/webmin/miniserv.users
winnt/system32/logfiles/w3svc/inetsvn1.log
winnt/system32/logfiles/w3svc1/inetsvn1.log
winnt/system32/logfiles/w3svc2/inetsvn1.log
winnt/system32/logfiles/w3svc3/inetsvn1.log
windows/system32/logfiles/w3svc/inetsvn1.log
windows/system32/logfiles/w3svc1/inetsvn1.log
windows/system32/logfiles/w3svc2/inetsvn1.log
windows/system32/logfiles/w3svc3/inetsvn1.log
var/log/httpd/access_log
var/log/httpd/error_log
apache/logs/error.log
apache/logs/access.log | |
apache2/logs/error.log | |
apache2/logs/access.log | |
logs/error.log | |
logs/access.log | |
etc/httpd/logs/access_log | |
etc/httpd/logs/access.log | |
etc/httpd/logs/error_log | |
etc/httpd/logs/error.log | |
usr/local/apache/logs/access_log | |
usr/local/apache/logs/access.log | |
usr/local/apache/logs/error_log | |
usr/local/apache/logs/error.log | |
usr/local/apache2/logs/access_log | |
usr/local/apache2/logs/access.log | |
usr/local/apache2/logs/error_log | |
usr/local/apache2/logs/error.log | |
var/www/logs/access_log | |
var/www/logs/access.log | |
var/www/logs/error_log | |
var/www/logs/error.log | |
var/log/httpd/access.log | |
var/log/httpd/error.log | |
var/log/apache/access_log | |
var/log/apache/access.log | |
var/log/apache/error_log | |
var/log/apache/error.log | |
var/log/apache2/access_log | |
var/log/apache2/access.log | |
var/log/apache2/error_log | |
var/log/apache2/error.log | |
var/log/access_log | |
var/log/access.log | |
var/log/error_log | |
var/log/error.log | |
opt/lampp/logs/access_log | |
opt/lampp/logs/error_log | |
opt/xampp/logs/access_log | |
opt/xampp/logs/error_log | |
opt/lampp/logs/access.log | |
opt/lampp/logs/error.log | |
opt/xampp/logs/access.log | |
opt/xampp/logs/error.log | |
program files/apache group/apache/logs/access.log | |
program files/apache group/apache/logs/error.log | |
program files/apache software foundation/apache2.2/logs/error.log | |
program files/apache software foundation/apache2.2/logs/access.log | |
opt/apache/apache.conf | |
opt/apache/conf/apache.conf | |
opt/apache2/apache.conf | |
opt/apache2/conf/apache.conf | |
opt/httpd/apache.conf | |
opt/httpd/conf/apache.conf | |
etc/httpd/apache.conf | |
etc/apache2/apache.conf | |
etc/httpd/conf/apache.conf | |
usr/local/apache/apache.conf | |
usr/local/apache/conf/apache.conf | |
usr/local/apache2/apache.conf | |
usr/local/apache2/conf/apache.conf | |
usr/local/php/apache.conf.php | |
usr/local/php4/apache.conf.php | |
usr/local/php5/apache.conf.php | |
usr/local/php/apache.conf | |
usr/local/php4/apache.conf | |
usr/local/php5/apache.conf | |
private/etc/httpd/apache.conf | |
opt/apache/apache2.conf | |
opt/apache/conf/apache2.conf | |
opt/apache2/apache2.conf | |
opt/apache2/conf/apache2.conf | |
opt/httpd/apache2.conf | |
opt/httpd/conf/apache2.conf | |
etc/httpd/apache2.conf | |
etc/httpd/conf/apache2.conf | |
usr/local/apache/apache2.conf | |
usr/local/apache/conf/apache2.conf | |
usr/local/apache2/apache2.conf | |
usr/local/apache2/conf/apache2.conf | |
usr/local/php/apache2.conf.php | |
usr/local/php4/apache2.conf.php | |
usr/local/php5/apache2.conf.php | |
usr/local/php/apache2.conf | |
usr/local/php4/apache2.conf | |
usr/local/php5/apache2.conf | |
private/etc/httpd/apache2.conf | |
usr/local/apache/conf/httpd.conf | |
usr/local/apache2/conf/httpd.conf | |
etc/httpd/conf/httpd.conf | |
etc/apache/apache.conf | |
etc/apache/conf/httpd.conf | |
etc/apache2/httpd.conf | |
usr/apache2/conf/httpd.conf | |
usr/apache/conf/httpd.conf | |
usr/local/etc/apache/conf/httpd.conf | |
usr/local/apache/httpd.conf | |
usr/local/apache2/httpd.conf | |
usr/local/httpd/conf/httpd.conf | |
usr/local/etc/apache2/conf/httpd.conf | |
usr/local/etc/httpd/conf/httpd.conf | |
usr/local/apps/apache2/conf/httpd.conf | |
usr/local/apps/apache/conf/httpd.conf | |
usr/local/php/httpd.conf.php | |
usr/local/php4/httpd.conf.php | |
usr/local/php5/httpd.conf.php | |
usr/local/php/httpd.conf | |
usr/local/php4/httpd.conf | |
usr/local/php5/httpd.conf | |
etc/apache2/conf/httpd.conf | |
etc/http/conf/httpd.conf | |
etc/httpd/httpd.conf | |
etc/http/httpd.conf | |
etc/httpd.conf | |
opt/apache/conf/httpd.conf | |
opt/apache2/conf/httpd.conf | |
var/www/conf/httpd.conf | |
private/etc/httpd/httpd.conf | |
private/etc/httpd/httpd.conf.default | |
etc/apache2/vhosts.d/default_vhost.include | |
etc/apache2/conf.d/charset | |
etc/apache2/conf.d/security | |
etc/apache2/envvars | |
etc/apache2/mods-available/autoindex.conf | |
etc/apache2/mods-available/deflate.conf | |
etc/apache2/mods-available/dir.conf | |
etc/apache2/mods-available/mem_cache.conf | |
etc/apache2/mods-available/mime.conf | |
etc/apache2/mods-available/proxy.conf | |
etc/apache2/mods-available/setenvif.conf | |
etc/apache2/mods-available/ssl.conf | |
etc/apache2/mods-enabled/alias.conf | |
etc/apache2/mods-enabled/deflate.conf | |
etc/apache2/mods-enabled/dir.conf | |
etc/apache2/mods-enabled/mime.conf | |
etc/apache2/mods-enabled/negotiation.conf | |
etc/apache2/mods-enabled/php5.conf | |
etc/apache2/mods-enabled/status.conf | |
program files/apache group/apache/conf/httpd.conf | |
program files/apache group/apache2/conf/httpd.conf | |
program files/xampp/apache/conf/apache.conf | |
program files/xampp/apache/conf/apache2.conf | |
program files/xampp/apache/conf/httpd.conf | |
program files/apache group/apache/apache.conf | |
program files/apache group/apache/conf/apache.conf | |
program files/apache group/apache2/conf/apache.conf | |
program files/apache group/apache/apache2.conf | |
program files/apache group/apache/conf/apache2.conf | |
program files/apache group/apache2/conf/apache2.conf | |
program files/apache software foundation/apache2.2/conf/httpd.conf | |
volumes/macintosh_hd1/opt/httpd/conf/httpd.conf | |
volumes/macintosh_hd1/opt/apache/conf/httpd.conf | |
volumes/macintosh_hd1/opt/apache2/conf/httpd.conf | |
volumes/macintosh_hd1/usr/local/php/httpd.conf.php | |
volumes/macintosh_hd1/usr/local/php4/httpd.conf.php | |
volumes/macintosh_hd1/usr/local/php5/httpd.conf.php | |
volumes/webbackup/opt/apache2/conf/httpd.conf | |
volumes/webbackup/private/etc/httpd/httpd.conf | |
volumes/webbackup/private/etc/httpd/httpd.conf.default | |
usr/local/etc/apache/vhosts.conf | |
usr/local/jakarta/tomcat/conf/jakarta.conf | |
usr/local/jakarta/tomcat/conf/server.xml | |
usr/local/jakarta/tomcat/conf/context.xml | |
usr/local/jakarta/tomcat/conf/workers.properties | |
usr/local/jakarta/tomcat/conf/logging.properties | |
usr/local/jakarta/dist/tomcat/conf/jakarta.conf | |
usr/local/jakarta/dist/tomcat/conf/server.xml | |
usr/local/jakarta/dist/tomcat/conf/context.xml | |
usr/local/jakarta/dist/tomcat/conf/workers.properties | |
usr/local/jakarta/dist/tomcat/conf/logging.properties | |
usr/share/tomcat6/conf/server.xml | |
usr/share/tomcat6/conf/context.xml | |
usr/share/tomcat6/conf/workers.properties | |
usr/share/tomcat6/conf/logging.properties | |
var/log/tomcat6/catalina.out | |
var/cpanel/tomcat.options | |
usr/local/jakarta/tomcat/logs/catalina.out | |
usr/local/jakarta/tomcat/logs/catalina.err | |
opt/tomcat/logs/catalina.out | |
opt/tomcat/logs/catalina.err | |
usr/share/logs/catalina.out | |
usr/share/logs/catalina.err | |
usr/share/tomcat/logs/catalina.out | |
usr/share/tomcat/logs/catalina.err | |
usr/share/tomcat6/logs/catalina.out | |
usr/share/tomcat6/logs/catalina.err | |
usr/local/apache/logs/mod_jk.log | |
usr/local/jakarta/tomcat/logs/mod_jk.log | |
usr/local/jakarta/dist/tomcat/logs/mod_jk.log | |
opt/[jboss[]/server/default/conf/jboss-minimal.xml | |
opt/[jboss[]/server/default/conf/jboss-service.xml | |
opt/[jboss[]/server/default/conf/jndi.properties | |
opt/[jboss[]/server/default/conf/log4j.xml | |
opt/[jboss[]/server/default/conf/login-config.xml | |
opt/[jboss[]/server/default/conf/standardjaws.xml | |
opt/[jboss[]/server/default/conf/standardjboss.xml | |
opt/[jboss[]/server/default/conf/server.log.properties | |
opt/[jboss[]/server/default/deploy/jboss-logging.xml | |
usr/local/[jboss[]/server/default/conf/jboss-minimal.xml | |
usr/local/[jboss[]/server/default/conf/jboss-service.xml | |
usr/local/[jboss[]/server/default/conf/jndi.properties | |
usr/local/[jboss[]/server/default/conf/log4j.xml | |
usr/local/[jboss[]/server/default/conf/login-config.xml | |
usr/local/[jboss[]/server/default/conf/standardjaws.xml | |
usr/local/[jboss[]/server/default/conf/standardjboss.xml | |
usr/local/[jboss[]/server/default/conf/server.log.properties | |
usr/local/[jboss[]/server/default/deploy/jboss-logging.xml | |
private/tmp/[jboss[]/server/default/conf/jboss-minimal.xml | |
private/tmp/[jboss[]/server/default/conf/jboss-service.xml | |
private/tmp/[jboss[]/server/default/conf/jndi.properties | |
private/tmp/[jboss[]/server/default/conf/log4j.xml | |
private/tmp/[jboss[]/server/default/conf/login-config.xml | |
private/tmp/[jboss[]/server/default/conf/standardjaws.xml | |
private/tmp/[jboss[]/server/default/conf/standardjboss.xml | |
private/tmp/[jboss[]/server/default/conf/server.log.properties | |
private/tmp/[jboss[]/server/default/deploy/jboss-logging.xml | |
tmp/[jboss[]/server/default/conf/jboss-minimal.xml | |
tmp/[jboss[]/server/default/conf/jboss-service.xml | |
tmp/[jboss[]/server/default/conf/jndi.properties | |
tmp/[jboss[]/server/default/conf/log4j.xml | |
tmp/[jboss[]/server/default/conf/login-config.xml | |
tmp/[jboss[]/server/default/conf/standardjaws.xml | |
tmp/[jboss[]/server/default/conf/standardjboss.xml | |
tmp/[jboss[]/server/default/conf/server.log.properties | |
tmp/[jboss[]/server/default/deploy/jboss-logging.xml | |
program files/[jboss[]/server/default/conf/jboss-minimal.xml | |
program files/[jboss[]/server/default/conf/jboss-service.xml | |
program files/[jboss[]/server/default/conf/jndi.properties | |
program files/[jboss[]/server/default/conf/log4j.xml | |
program files/[jboss[]/server/default/conf/login-config.xml | |
program files/[jboss[]/server/default/conf/standardjaws.xml | |
program files/[jboss[]/server/default/conf/standardjboss.xml | |
program files/[jboss[]/server/default/conf/server.log.properties | |
program files/[jboss[]/server/default/deploy/jboss-logging.xml | |
[jboss[]/server/default/conf/jboss-minimal.xml | |
[jboss[]/server/default/conf/jboss-service.xml | |
[jboss[]/server/default/conf/jndi.properties | |
[jboss[]/server/default/conf/log4j.xml | |
[jboss[]/server/default/conf/login-config.xml | |
[jboss[]/server/default/conf/standardjaws.xml | |
[jboss[]/server/default/conf/standardjboss.xml | |
[jboss[]/server/default/conf/server.log.properties | |
[jboss[]/server/default/deploy/jboss-logging.xml | |
opt/[jboss[]/server/default/log/server.log | |
opt/[jboss[]/server/default/log/boot.log | |
usr/local/[jboss[]/server/default/log/server.log | |
usr/local/[jboss[]/server/default/log/boot.log | |
private/tmp/[jboss[]/server/default/log/server.log | |
private/tmp/[jboss[]/server/default/log/boot.log | |
tmp/[jboss[]/server/default/log/server.log | |
tmp/[jboss[]/server/default/log/boot.log | |
program files/[jboss[]/server/default/log/server.log | |
program files/[jboss[]/server/default/log/boot.log | |
[jboss[]/server/default/log/server.log | |
[jboss[]/server/default/log/boot.log | |
var/log/lighttpd.error.log | |
var/log/lighttpd.access.log | |
var/lighttpd.log | |
var/logs/access.log | |
var/log/lighttpd/ | |
var/log/lighttpd/error.log | |
var/log/lighttpd/access.www.log | |
var/log/lighttpd/error.www.log | |
var/log/lighttpd/access.log | |
usr/local/apache2/logs/lighttpd.error.log | |
usr/local/apache2/logs/lighttpd.log | |
usr/local/apache/logs/lighttpd.error.log | |
usr/local/apache/logs/lighttpd.log | |
usr/local/lighttpd/log/lighttpd.error.log | |
usr/local/lighttpd/log/access.log | |
var/log/lighttpd/{domain}/access.log | |
var/log/lighttpd/{domain}/error.log | |
usr/home/user/var/log/lighttpd.error.log | |
usr/home/user/var/log/apache.log | |
home/user/lighttpd/lighttpd.conf | |
usr/home/user/lighttpd/lighttpd.conf | |
etc/lighttpd/lighthttpd.conf | |
usr/local/etc/lighttpd.conf | |
usr/local/lighttpd/conf/lighttpd.conf | |
usr/local/etc/lighttpd.conf.new | |
var/www/.lighttpdpassword | |
var/log/nginx/access_log | |
var/log/nginx/error_log | |
var/log/nginx/access.log | |
var/log/nginx/error.log | |
var/log/nginx.access_log | |
var/log/nginx.error_log | |
logs/access_log | |
logs/error_log | |
etc/nginx/nginx.conf | |
usr/local/etc/nginx/nginx.conf | |
usr/local/nginx/conf/nginx.conf | |
usr/local/zeus/web/global.cfg | |
usr/local/zeus/web/log/errors | |
opt/lsws/conf/httpd_conf.xml | |
usr/local/lsws/conf/httpd_conf.xml | |
opt/lsws/logs/error.log | |
opt/lsws/logs/access.log | |
usr/local/lsws/logs/error.log | |
usr/local/logs/access.log | |
usr/local/samba/lib/log.user | |
usr/local/logs/samba.log | |
var/log/samba/log.smbd | |
var/log/samba/log.nmbd | |
var/log/samba.log | |
var/log/samba.log1 | |
var/log/samba.log2 | |
var/log/log.smb | |
etc/samba/netlogon | |
etc/smbpasswd | |
etc/smb.conf | |
etc/samba/dhcp.conf | |
etc/samba/smb.conf | |
etc/samba/samba.conf | |
etc/samba/smb.conf.user | |
etc/samba/smbpasswd | |
etc/samba/smbusers | |
etc/samba/private/smbpasswd | |
usr/local/etc/smb.conf | |
usr/local/samba/lib/smb.conf.user | |
etc/dhcp3/dhclient.conf | |
etc/dhcp3/dhcpd.conf | |
etc/dhcp/dhclient.conf | |
program files/vidalia bundle/polipo/polipo.conf | |
etc/tor/tor-tsocks.conf | |
etc/stunnel/stunnel.conf | |
etc/tsocks.conf | |
etc/tinyproxy/tinyproxy.conf | |
etc/miredo-server.conf | |
etc/miredo.conf | |
etc/miredo/miredo-server.conf | |
etc/miredo/miredo.conf | |
etc/wicd/dhclient.conf.template.default | |
etc/wicd/manager-settings.conf | |
etc/wicd/wired-settings.conf | |
etc/wicd/wireless-settings.conf | |
var/log/ipfw.log | |
var/log/ipfw | |
var/log/ipfw/ipfw.log | |
var/log/ipfw.today | |
etc/ipfw.rules | |
etc/ipfw.conf | |
etc/firewall.rules | |
winnt/system32/logfiles/firewall/pfirewall.log | |
winnt/system32/logfiles/firewall/pfirewall.log.old | |
windows/system32/logfiles/firewall/pfirewall.log | |
windows/system32/logfiles/firewall/pfirewall.log.old | |
etc/clamav/clamd.conf | |
etc/clamav/freshclam.conf | |
etc/x11/xorg.conf | |
etc/x11/xorg.conf-vesa | |
etc/x11/xorg.conf-vmware | |
etc/x11/xorg.conf.beforevmwaretoolsinstall | |
etc/x11/xorg.conf.orig | |
etc/bluetooth/input.conf | |
etc/bluetooth/main.conf | |
etc/bluetooth/network.conf | |
etc/bluetooth/rfcomm.conf | |
proc/self/environ | |
proc/self/mounts | |
proc/self/stat | |
proc/self/status | |
proc/self/cmdline | |
proc/self/fd/0 | |
proc/self/fd/1 | |
proc/self/fd/2 | |
proc/self/fd/3 | |
proc/self/fd/4 | |
proc/self/fd/5 | |
proc/self/fd/6 | |
proc/self/fd/7 | |
proc/self/fd/8 | |
proc/self/fd/9 | |
proc/self/fd/10 | |
proc/self/fd/11 | |
proc/self/fd/12 | |
proc/self/fd/13 | |
proc/self/fd/14 | |
proc/self/fd/15 | |
proc/version | |
proc/devices | |
proc/cpuinfo | |
proc/meminfo | |
proc/net/tcp | |
proc/net/udp | |
etc/bash_completion.d/debconf | |
root/.bash_logout | |
root/.bash_history | |
root/.bash_config | |
root/.bashrc | |
etc/bash.bashrc | |
var/adm/syslog | |
var/adm/sulog | |
var/adm/utmp | |
var/adm/utmpx | |
var/adm/wtmp | |
var/adm/wtmpx | |
var/adm/lastlog/username | |
usr/spool/lp/log | |
var/adm/lp/lpd-errs | |
usr/lib/cron/log | |
var/adm/loginlog | |
var/adm/pacct | |
var/adm/dtmp | |
var/adm/acct/sum/loginlog | |
var/adm/x0msgs | |
var/adm/crash/vmcore | |
var/adm/crash/unix | |
etc/newsyslog.conf | |
var/adm/qacct | |
var/adm/ras/errlog | |
var/adm/ras/bootlog | |
var/adm/cron/log | |
etc/utmp | |
etc/security/lastlog | |
etc/security/failedlogin | |
usr/spool/mqueue/syslog | |
var/adm/messages | |
var/adm/aculogs | |
var/adm/aculog | |
var/adm/vold.log | |
var/adm/log/asppp.log | |
var/log/poplog | |
var/log/authlog | |
var/lp/logs/lpsched | |
var/lp/logs/lpnet | |
var/lp/logs/requests | |
var/cron/log | |
var/saf/_log | |
var/saf/port/log | |
var/log/news.all | |
var/log/news/news.all | |
var/log/news/news.crit | |
var/log/news/news.err | |
var/log/news/news.notice | |
var/log/news/suck.err | |
var/log/news/suck.notice | |
var/log/messages | |
var/log/messages.1 | |
var/log/user.log | |
var/log/user.log.1 | |
var/log/auth.log | |
var/log/pm-powersave.log | |
var/log/xorg.0.log | |
var/log/daemon.log | |
var/log/daemon.log.1 | |
var/log/kern.log | |
var/log/kern.log.1 | |
var/log/mail.err | |
var/log/mail.info | |
var/log/mail.warn | |
var/log/ufw.log | |
var/log/boot.log | |
var/log/syslog | |
var/log/syslog.1 | |
tmp/access.log | |
etc/sensors.conf | |
etc/sensors3.conf | |
etc/host.conf | |
etc/pam.conf | |
etc/resolv.conf | |
etc/apt/apt.conf | |
etc/inetd.conf | |
etc/syslog.conf | |
etc/sysctl.conf | |
etc/sysctl.d/10-console-messages.conf | |
etc/sysctl.d/10-network-security.conf | |
etc/sysctl.d/10-process-security.conf | |
etc/sysctl.d/wine.sysctl.conf | |
etc/security/access.conf | |
etc/security/group.conf | |
etc/security/limits.conf | |
etc/security/namespace.conf | |
etc/security/pam_env.conf | |
etc/security/sepermit.conf | |
etc/security/time.conf | |
etc/ssh/sshd_config | |
etc/adduser.conf | |
etc/deluser.conf | |
etc/avahi/avahi-daemon.conf | |
etc/ca-certificates.conf | |
etc/ca-certificates.conf.dpkg-old | |
etc/casper.conf | |
etc/chkrootkit.conf | |
etc/debconf.conf | |
etc/dns2tcpd.conf | |
etc/e2fsck.conf | |
etc/esound/esd.conf | |
etc/etter.conf | |
etc/fuse.conf | |
etc/foremost.conf | |
etc/hdparm.conf | |
etc/kernel-img.conf | |
etc/kernel-pkg.conf | |
etc/ld.so.conf | |
etc/ltrace.conf | |
etc/mail/sendmail.conf | |
etc/manpath.config | |
etc/kbd/config | |
etc/ldap/ldap.conf | |
etc/logrotate.conf | |
etc/mtools.conf | |
etc/smi.conf | |
etc/updatedb.conf | |
etc/pulse/client.conf | |
usr/share/adduser/adduser.conf | |
etc/hostname | |
etc/networks | |
etc/timezone | |
etc/modules | |
etc/passwd | |
etc/passwd~ | |
etc/passwd- | |
etc/shadow | |
etc/shadow~ | |
etc/shadow- | |
etc/fstab | |
etc/motd | |
etc/hosts | |
etc/group | |
etc/group- | |
etc/alias | |
etc/crontab | |
etc/crypttab | |
etc/exports | |
etc/mtab | |
etc/hosts.allow | |
etc/hosts.deny | |
etc/os-release | |
etc/password.master | |
etc/profile | |
etc/default/grub | |
etc/resolvconf/update-libc.d/sendmail | |
etc/inittab | |
etc/issue | |
etc/issue.net | |
etc/login.defs | |
etc/sudoers | |
etc/sysconfig/network-scripts/ifcfg-eth0 | |
etc/redhat-release | |
etc/debian_version | |
etc/fedora-release | |
etc/mandrake-release | |
etc/slackware-release | |
etc/suse-release | |
etc/security/group | |
etc/security/passwd | |
etc/security/user | |
etc/security/environ | |
etc/security/limits | |
etc/security/opasswd | |
boot/grub/grub.cfg | |
boot/grub/menu.lst | |
root/.ksh_history | |
root/.xauthority | |
usr/lib/security/mkuser.default | |
var/log/squirrelmail.log | |
var/log/apache2/squirrelmail.log | |
var/log/apache2/squirrelmail.err.log | |
var/lib/squirrelmail/prefs/squirrelmail.log | |
var/log/mail.log | |
etc/squirrelmail/apache.conf | |
etc/squirrelmail/config_local.php | |
etc/squirrelmail/default_pref | |
etc/squirrelmail/index.php | |
etc/squirrelmail/config_default.php | |
etc/squirrelmail/config.php | |
etc/squirrelmail/filters_setup.php | |
etc/squirrelmail/sqspell_config.php | |
etc/squirrelmail/config/config.php | |
etc/httpd/conf.d/squirrelmail.conf | |
usr/share/squirrelmail/config/config.php | |
private/etc/squirrelmail/config/config.php | |
srv/www/htdos/squirrelmail/config/config.php | |
var/www/squirrelmail/config/config.php | |
var/www/html/squirrelmail/config/config.php | |
var/www/html/squirrelmail-1.2.9/config/config.php | |
usr/share/squirrelmail/plugins/squirrel_logger/setup.php | |
usr/local/squirrelmail/www/readme | |
windows/system32/drivers/etc/hosts | |
windows/system32/drivers/etc/lmhosts.sam | |
windows/system32/drivers/etc/networks | |
windows/system32/drivers/etc/protocol | |
windows/system32/drivers/etc/services | |
/boot.ini | |
windows/debug/netsetup.log | |
windows/comsetup.log | |
windows/repair/setup.log | |
windows/setupact.log | |
windows/setupapi.log | |
windows/setuperr.log | |
windows/updspapi.log | |
windows/wmsetup.log | |
windows/windowsupdate.log | |
windows/odbc.ini | |
usr/local/psa/admin/htdocs/domains/databases/phpmyadmin/libraries/config.default.php | |
etc/apache2/conf.d/phpmyadmin.conf | |
etc/phpmyadmin/config.inc.php | |
etc/openldap/ldap.conf | |
etc/cups/acroread.conf | |
etc/cups/cupsd.conf | |
etc/cups/cupsd.conf.default | |
etc/cups/pdftops.conf | |
etc/cups/printers.conf | |
windows/system32/macromed/flash/flashinstall.log | |
windows/system32/macromed/flash/install.log | |
etc/cvs-cron.conf | |
etc/cvs-pserver.conf | |
etc/subversion/config | |
etc/modprobe.d/vmware-tools.conf | |
etc/updatedb.conf.beforevmwaretoolsinstall | |
etc/vmware-tools/config | |
etc/vmware-tools/tpvmlp.conf | |
etc/vmware-tools/vmware-tools-libraries.conf | |
var/log/vmware/hostd.log | |
var/log/vmware/hostd-1.log | |
# Wordpress | |
wp-config.php | |
wp-config.bak | |
wp-config.old | |
wp-config.temp | |
wp-config.tmp | |
wp-config.txt | |
# Symfony | |
config.yml | |
config_dev.yml | |
config_prod.yml | |
config_test.yml | |
parameters.yml | |
routing.yml | |
security.yml | |
services.yml | |
# Drupal | |
sites/default/default.settings.php | |
sites/default/settings.php | |
sites/default/settings.local.php | |
# Magento | |
app/etc/local.xml | |
# Sublime Text | |
sftp-config.json | |
# ASP.NET | |
Web.config | |
# vBulletin | |
includes/config.php | |
# OSCommerce | |
includes/configure.php | |
# phpMyAdmin | |
config.inc.php | |
# MediaWiki | |
LocalSettings.php | |
# MyBB | |
inc/config.php | |
# TYPO3 | |
typo3conf/localconf.php | |
# Laravel | |
# Note: these entries might be benign in REQUEST_FILENAME | |
config/app.php | |
config/custom.php | |
config/database.php | |
# Joomla | |
# Note: this string might be benign in REQUEST_FILENAME | |
/configuration.php | |
# phpBB | |
# Note: this string might be benign in REQUEST_FILENAME | |
/config.php | |
#Missing Debian based sensitive directories | |
var/mail/www-data | |
etc/network/ | |
etc/init/ | |
#IIS | |
inetpub/wwwroot/global.asa | |
system32/inetsrv/config/applicationhost.config | |
system32/inetsrv/config/administration.config | |
system32/inetsrv/config/redirection.config | |
#Windows files | |
system32/config/default | |
system32/config/sam | |
system32/config/system | |
system32/config/software | |
winnt/repair/sam._ | |
# Node | |
package.json | |
package-lock.json | |
gruntfile.js | |
npm-debug.log | |
ormconfig.json | |
tsconfig.json | |
webpack.config.js | |
yarn.lock | |
modsecdefault.conf: |
# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
     "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increase both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default is chosen because every system has /tmp available; however,
# it is less than ideal. It is recommended that you specify a location that's
# private.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data. This default
# is chosen because every system has /tmp available; however, it too should
# be updated to a place that other users can't access.
#
SecDataDir /tmp/


# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
# Level 9 is the most verbose debug level and is meant for troubleshooting
# only; it is costly and, under /tmp, writes to a directory other users can reach.
SecDebugLog /tmp/modsecurity_debug.log
SecDebugLogLevel 9


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /tmp/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
#SecUnicodeMapFile unicode.mapping 20127

# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On

kind: ConfigMap
metadata:
creationTimestamp: "2023-06-13T13:04:36Z"
name: modsecurity-ruleset
namespace: tigera-operator
resourceVersion: "476696"
uid: 30a56ed6-1603-45d6-a5e5-062951892872