Update: [Sun Dec 29 23:20:18 UTC 2024]
github-actions[bot] committed Dec 29, 2024
1 parent 36f08db commit 3760d3d
Showing 35 changed files with 17,032 additions and 1,232 deletions.
212 changes: 96 additions & 116 deletions owasp_rules.json

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions waf_patterns/apache/attack.conf
Expand Up @@ -28,7 +28,7 @@ SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack att
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
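Review bot: The added `!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/…` rule no longer stops at the first quote, but it now places bare `"` characters inside the double-quoted operator argument (the `[^!-"(-),/:-?[-]{}]` classes and `"?(?:iso-8859-15?|utf-8|windows-1252)b"?`). When Apache parses the directive, the argument presumably still ends at the first inner quote and the remainder is read as extra arguments, so the rule either fails to load or enforces only the truncated prefix. The generator should emit each embedded quote as `\"`, for example `[^!-\"(-),/:-?[-]{}]`, and the generated files should pass `apachectl configtest` with ModSecurity loaded before they are committed. The added lines in enforcement.conf (`[^"';=])*$`, `["']?([^;"'s]+)`, `['";=]`) and in generic.conf have the same problem.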
4,517 changes: 3,847 additions & 670 deletions waf_patterns/apache/bots.conf

Large diffs are not rendered by default.

19 changes: 8 additions & 11 deletions waf_patterns/apache/enforcement.conf
Expand Up @@ -13,7 +13,7 @@ SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'enforcemen
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^d+$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^0?$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
Expand All @@ -29,13 +29,13 @@ SecRule REQUEST_URI "@rx (d+)-(d+)" "id:1000,phase:1,deny,status:403,log,msg:'en
SecRule REQUEST_URI "@lt %{tx.1}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(.*)/(?:[^?]+)?(?.*)?$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^.*%.*.[^sv.]+$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (?i)%uff[0-9a-f]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx %u[fF]{2}[0-9a-fA-F]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 1-255" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
Expand All @@ -62,10 +62,10 @@ SecRule REQUEST_URI "@rx ^(?i)multipart/form-data" "id:1000,phase:1,deny,status:
SecRule REQUEST_URI "@gt %{tx.max_file_size}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.combined_file_sizes}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^[^;s]+" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx charsets*=s*[" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx charsets*=s*["']?([^;"'s]+)" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx charset.*?charset" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_http_versions}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
Expand All @@ -75,7 +75,7 @@ SecRule REQUEST_URI "@rx .[^.~]+~(?:/.*|)$" "id:1000,phase:1,deny,status:403,log
SecRule REQUEST_URI "@rx ^.*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within %{tx.restricted_headers_basic}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt 50" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@streq JSON" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (?i)x5cu[0-9a-f]{4}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@contains #" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
Expand All @@ -89,14 +89,11 @@ SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" "id:1000,phase:1,
SecRule REQUEST_URI "@rx %[0-9a-fA-F]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 9,10,13,32-126,128-255" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ['" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ['";=]" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^0$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^.*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within %{tx.restricted_headers_extended}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 32-36,38-126" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
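Review bot: The patterns in this section, as rendered here, appear to have lost their backslashes during conversion: `!@rx ^d+$`, `@rx (d+)-(d+)`, `[sv]+` and `@rx x25` read as literal letters rather than `\d`, `[\s\v]` and `\x25`. The newly added full-length patterns carry the same loss (`charsets*=s*["']?`, `['"w.()+,/:=?<>@#*-]`). Combined with a negated operator and `deny`, a rule such as `!@rx ^d+$` would reject any value that is not a run of the letter d, which is presumably not what the upstream rule checks. If the source rules use escapes, the generator should preserve them verbatim, e.g. `"!@rx ^\d+$"` and `"@rx (\d+)-(\d+)"`. attack.conf (`^content-types*:s*(.*)$`) and generic.conf (`new[sv]+Function[sv]*`) show the same symptom.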
9 changes: 5 additions & 4 deletions waf_patterns/apache/generic.conf
Expand Up @@ -3,16 +3,17 @@ SecRuleEngine On

SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@pmFromFile ssrf.data" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx Process[sv]*.[sv]*spawn[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx [s*constructors*]" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx @{.*}" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
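Review bot: Every rule added here reuses `id:1000`, the same id carried by the surrounding rules and by the other files in this commit. ModSecurity expects rule ids to be unique and will normally refuse to load a duplicate, so each generated rule needs its own id from a range reserved for this project (illustrative values: `id:1001`, `id:1002`, …). The template also binds every operator to `REQUEST_URI` with `deny`, including the numeric comparisons `@lt 1`, `@lt 2` and `@lt 3` in the context lines; those would presumably evaluate a path as 0 and match every request if the file did load. The generator should carry over each rule's original variable and action instead of one fixed `REQUEST_URI … deny` template. The hunk begins after `SecRuleEngine On` and the file continues past the last line shown.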
1 change: 0 additions & 1 deletion waf_patterns/apache/initialization.conf
Expand Up @@ -29,6 +29,5 @@ SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'initializa
SecRule REQUEST_URI "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 100" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@rx ^[a-f]*([0-9])[a-f]*([0-9])" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "nolog" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@lt %{tx.sampling_percentage}" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@lt %{tx.blocking_paranoia_level}" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"