From c1ba71ab164fe16f50d783d794977330b1129263 Mon Sep 17 00:00:00 2001 
From: Greg Wroblewski Date: Tue, 5 Feb 2013 16:36:29 -0800 Subject: [PATCH 1/2] Fixed files overwriting in installer; added OWASP CRS. --- iis/ModSecurityIIS/Installer/XUnzip.cpp | 2 + iis/ModSecurityIIS/owasp_crs/.gitignore | 2 + iis/ModSecurityIIS/owasp_crs/CHANGELOG | 816 ++++ iis/ModSecurityIIS/owasp_crs/INSTALL | 93 + iis/ModSecurityIIS/owasp_crs/LICENSE | 201 + iis/ModSecurityIIS/owasp_crs/README.md | 25 + .../owasp_crs/activated_rules/README | 49 + .../modsecurity_35_bad_robots.data | 145 + .../modsecurity_35_scanners.data | 35 + .../modsecurity_40_generic_attacks.data | 445 +++ .../modsecurity_41_sql_injection_attacks.data | 282 ++ .../modsecurity_crs_23_request_limits.conf | 49 + .../modsecurity_crs_30_http_policy.conf | 102 + .../modsecurity_crs_35_bad_robots.conf | 30 + .../modsecurity_crs_40_generic_attacks.conf | 236 ++ ...security_crs_41_sql_injection_attacks.conf | 245 ++ .../modsecurity_crs_41_xss_attacks.conf | 491 +++ .../modsecurity_crs_42_tight_security.conf | 25 + .../modsecurity_crs_45_trojans.conf | 35 + .../modsecurity_crs_47_common_exceptions.conf | 40 + .../base_rules/modsecurity_35_bad_robots.data | 145 + .../base_rules/modsecurity_35_scanners.data | 35 + .../modsecurity_40_generic_attacks.data | 445 +++ .../modsecurity_41_sql_injection_attacks.data | 282 ++ .../base_rules/modsecurity_50_outbound.data | 92 + .../modsecurity_50_outbound_malware.data | 2947 ++++++++++++++ ...odsecurity_crs_20_protocol_violations.conf | 539 +++ ...modsecurity_crs_21_protocol_anomalies.conf | 108 + .../modsecurity_crs_23_request_limits.conf | 49 + .../modsecurity_crs_30_http_policy.conf | 102 + .../modsecurity_crs_35_bad_robots.conf | 30 + .../modsecurity_crs_40_generic_attacks.conf | 236 ++ ...security_crs_41_sql_injection_attacks.conf | 245 ++ .../modsecurity_crs_41_xss_attacks.conf | 491 +++ .../modsecurity_crs_42_tight_security.conf | 25 + .../modsecurity_crs_45_trojans.conf | 35 + .../modsecurity_crs_47_common_exceptions.conf | 40 + 
...urity_crs_48_local_exceptions.conf.example | 59 + .../modsecurity_crs_49_inbound_blocking.conf | 35 + .../modsecurity_crs_50_outbound.conf | 138 + .../modsecurity_crs_59_outbound_blocking.conf | 27 + .../modsecurity_crs_60_correlation.conf | 42 + .../modsecurity_crs_11_brute_force.conf | 62 + .../modsecurity_crs_11_dos_protection.conf | 46 + .../modsecurity_crs_11_proxy_abuse.conf | 28 + ...odsecurity_crs_11_slow_dos_protection.conf | 35 + ...odsecurity_crs_16_scanner_integration.conf | 33 + .../modsecurity_crs_25_cc_track_pan.conf | 22 + ...0_appsensor_detection_point_2.0_setup.conf | 57 + ...detection_point_2.1_request_exception.conf | 136 + ...psensor_detection_point_2.9_honeytrap.conf | 32 + ..._40_appsensor_detection_point_3.0_end.conf | 11 + ...urity_crs_40_http_parameter_pollution.conf | 42 + .../modsecurity_crs_41_advanced_filters.conf | 370 ++ .../modsecurity_crs_42_csp_enforcement.conf | 49 + .../modsecurity_crs_45_char_anomaly.conf | 59 + ...odsecurity_crs_46_scanner_integration.conf | 24 + .../modsecurity_crs_48_bayes_analysis.conf | 17 + ...modsecurity_crs_55_response_profiling.conf | 27 + .../modsecurity_crs_56_pvi_checks.conf | 13 + .../modsecurity_crs_61_ip_forensics.conf | 41 + iis/ModSecurityIIS/owasp_crs/id-range | 1 + .../lua/advanced_filter_converter.lua | 798 ++++ .../appsensor_request_exception_enforce.lua | 251 ++ .../appsensor_request_exception_profile.lua | 789 ++++ .../owasp_crs/lua/arachni_integration.lua | 205 + .../owasp_crs/lua/bayes_check_spam.lua | 91 + .../owasp_crs/lua/bayes_train_ham.lua | 34 + .../owasp_crs/lua/bayes_train_spam.lua | 67 + .../owasp_crs/lua/gather_ip_data.lua | 37 + iis/ModSecurityIIS/owasp_crs/lua/osvdb.lua | 25 + .../owasp_crs/lua/profile_page_scripts.lua | 38 + iis/ModSecurityIIS/owasp_crs/modsecurity.conf | 214 + .../owasp_crs/modsecurity_crs_10_setup.conf | 428 ++ .../modsecurity_crs_10_setup.conf.example | 428 ++ .../owasp_crs/modsecurity_iis.conf | 3 + .../modsecurity_42_comment_spam.data | 42 + 
.../modsecurity_crs_10_ignore_static.conf | 47 + .../modsecurity_crs_11_avs_traffic.conf | 31 + .../modsecurity_crs_13_xml_enabler.conf | 18 + ...curity_crs_16_authentication_tracking.conf | 38 + .../modsecurity_crs_16_session_hijacking.conf | 51 + .../modsecurity_crs_16_username_tracking.conf | 35 + .../modsecurity_crs_25_cc_known.conf | 110 + .../modsecurity_crs_42_comment_spam.conf | 47 + .../modsecurity_crs_43_csrf_protection.conf | 109 + .../modsecurity_crs_46_av_scanning.conf | 17 + ...dsecurity_crs_47_skip_outbound_checks.conf | 21 + .../modsecurity_crs_49_header_tagging.conf | 52 + ...odsecurity_crs_55_application_defects.conf | 190 + .../modsecurity_crs_55_marketing.conf | 22 + .../modsecurity_46_slr_et_joomla.data | 45 + .../slr_rules/modsecurity_46_slr_et_lfi.data | 162 + .../modsecurity_46_slr_et_phpbb.data | 10 + .../slr_rules/modsecurity_46_slr_et_rfi.data | 485 +++ .../slr_rules/modsecurity_46_slr_et_sqli.data | 398 ++ .../modsecurity_46_slr_et_wordpress.data | 41 + .../slr_rules/modsecurity_46_slr_et_xss.data | 179 + ...security_crs_46_slr_et_joomla_attacks.conf | 1661 ++++++++ ...modsecurity_crs_46_slr_et_lfi_attacks.conf | 1187 ++++++ ...dsecurity_crs_46_slr_et_phpbb_attacks.conf | 150 + ...modsecurity_crs_46_slr_et_rfi_attacks.conf | 3442 ++++++++++++++++ ...odsecurity_crs_46_slr_et_sqli_attacks.conf | 3447 +++++++++++++++++ ...urity_crs_46_slr_et_wordpress_attacks.conf | 564 +++ ...modsecurity_crs_46_slr_et_xss_attacks.conf | 1278 ++++++ iis/ModSecurityIIS/owasp_crs/util/README | 39 + .../owasp_crs/util/arachni2modsec.pl | 318 ++ .../owasp_crs/util/honeypot_sensor/README.md | 14 + .../mlogc-honeypot-sensor.conf | 98 + .../modsecurity_crs_10_honeypot.conf | 31 + .../owasp_crs/util/regression_tests/INSTALL | 21 + .../owasp_crs/util/regression_tests/README | 105 + .../modsecurity_crs_59_header_tagging.conf | 38 + .../util/regression_tests/rulestest.conf | 20 + .../util/regression_tests/rulestest.pl | 936 +++++ 
...dsecurity_crs_20_protocol_violations.tests | 599 +++ ...odsecurity_crs_21_protocol_anomalies.tests | 126 + .../modsecurity_crs_23_request_limits.tests | 113 + .../modsecurity_crs_30_http_policy.tests | 119 + .../tests/modsecurity_crs_35_bad_robots.tests | 82 + .../modsecurity_crs_40_generic_attacks.tests | 393 ++ ...ecurity_crs_41_sql_injection_attacks.tests | 208 + .../tests/modsecurity_crs_50_outbound.tests | 140 + .../util/regression_tests/testserver.cgi | 18 + .../owasp_crs/util/rules-updater-example.conf | 24 + .../owasp_crs/util/rules-updater.pl | 454 +++ .../owasp_crs/util/rules-updater.pl.in | 454 +++ .../owasp_crs/util/runAV/common.c | 653 ++++ .../owasp_crs/util/runAV/common.h | 99 + iis/ModSecurityIIS/owasp_crs/util/runAV/comp | 2 + .../owasp_crs/util/runAV/runAV-clamd.c | 48 + .../owasp_crs/util/runAV/runAV.c | 48 + iis/ModSecurityIIS/owasp_crs/util/runav.pl | 40 + .../owasp_crs/util/zap2modsec.pl | 318 ++ 134 files changed, 33445 insertions(+) create mode 100644 iis/ModSecurityIIS/owasp_crs/.gitignore create mode 100644 iis/ModSecurityIIS/owasp_crs/CHANGELOG create mode 100644 iis/ModSecurityIIS/owasp_crs/INSTALL create mode 100644 iis/ModSecurityIIS/owasp_crs/LICENSE create mode 100644 iis/ModSecurityIIS/owasp_crs/README.md create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/README create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_bad_robots.data create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_scanners.data create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_40_generic_attacks.data create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_41_sql_injection_attacks.data create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_23_request_limits.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_30_http_policy.conf create mode 100644 
iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_35_bad_robots.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_40_generic_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_xss_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_42_tight_security.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_45_trojans.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_47_common_exceptions.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_bad_robots.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_scanners.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_40_generic_attacks.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_41_sql_injection_attacks.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound_malware.data create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_20_protocol_violations.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_23_request_limits.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_30_http_policy.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_35_bad_robots.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_40_generic_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf create mode 100644 
iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_xss_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_42_tight_security.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_45_trojans.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_47_common_exceptions.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_50_outbound.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_59_outbound_blocking.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_60_correlation.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_brute_force.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_dos_protection.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_proxy_abuse.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_11_slow_dos_protection.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_16_scanner_integration.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_25_cc_track_pan.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf create mode 100644 
iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_appsensor_detection_point_3.0_end.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_40_http_parameter_pollution.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_41_advanced_filters.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_42_csp_enforcement.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_45_char_anomaly.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_46_scanner_integration.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_48_bayes_analysis.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_55_response_profiling.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_56_pvi_checks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/experimental_rules/modsecurity_crs_61_ip_forensics.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/id-range create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/advanced_filter_converter.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/appsensor_request_exception_enforce.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/appsensor_request_exception_profile.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/arachni_integration.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/bayes_check_spam.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/bayes_train_ham.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/bayes_train_spam.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/gather_ip_data.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/osvdb.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/lua/profile_page_scripts.lua create mode 100644 iis/ModSecurityIIS/owasp_crs/modsecurity.conf create mode 100644 
iis/ModSecurityIIS/owasp_crs/modsecurity_crs_10_setup.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/modsecurity_crs_10_setup.conf.example create mode 100644 iis/ModSecurityIIS/owasp_crs/modsecurity_iis.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_42_comment_spam.data create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_10_ignore_static.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_11_avs_traffic.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_13_xml_enabler.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_authentication_tracking.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_session_hijacking.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_username_tracking.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_25_cc_known.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_42_comment_spam.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_43_csrf_protection.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_46_av_scanning.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_49_header_tagging.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_application_defects.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_marketing.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_joomla.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_lfi.data create mode 100644 
iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_phpbb.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_rfi.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_sqli.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_wordpress.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_46_slr_et_xss.data create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_joomla_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_lfi_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_phpbb_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/util/README create mode 100644 iis/ModSecurityIIS/owasp_crs/util/arachni2modsec.pl create mode 100644 iis/ModSecurityIIS/owasp_crs/util/honeypot_sensor/README.md create mode 100644 iis/ModSecurityIIS/owasp_crs/util/honeypot_sensor/mlogc-honeypot-sensor.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/util/honeypot_sensor/modsecurity_crs_10_honeypot.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/INSTALL create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/README create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/modsecurity_crs_59_header_tagging.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/rulestest.conf create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/rulestest.pl 
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_20_protocol_violations.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_21_protocol_anomalies.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_23_request_limits.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_30_http_policy.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_35_bad_robots.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_40_generic_attacks.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_41_sql_injection_attacks.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/tests/modsecurity_crs_50_outbound.tests
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/regression_tests/testserver.cgi
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/rules-updater-example.conf
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/rules-updater.pl
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/rules-updater.pl.in
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runAV/common.c
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runAV/common.h
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runAV/comp
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runAV/runAV-clamd.c
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runAV/runAV.c
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/runav.pl
create mode 100644 iis/ModSecurityIIS/owasp_crs/util/zap2modsec.pl
diff --git a/iis/ModSecurityIIS/Installer/XUnzip.cpp b/iis/ModSecurityIIS/Installer/XUnzip.cpp
index d84710a7ad..bee1b85ecb 100644
--- a/iis/ModSecurityIIS/Installer/XUnzip.cpp
+++ b/iis/ModSecurityIIS/Installer/XUnzip.cpp
@@ -4132,6 +4132,8 @@ ZRESULT TUnzip::Unzip(int index,void *dst,unsigned int len,DWORD flags)
 TCHAR dstfull[MAX_PATH];
 _tcscpy(dstfull, rootdir);
 _tcscat(dstfull, (const TCHAR *)dst);
+ SetFileAttributes( dstfull, GetFileAttributes(dstfull) & ~FILE_ATTRIBUTE_READONLY);
+ ::DeleteFile(dstfull);
 h = ::CreateFile(dstfull, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, ze.attr, NULL);
 }
diff --git a/iis/ModSecurityIIS/owasp_crs/.gitignore b/iis/ModSecurityIIS/owasp_crs/.gitignore
new file mode 100644
index 0000000000..3819313818
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/.gitignore
@@ -0,0 +1,2 @@
+*.swp
+*.swo
diff --git a/iis/ModSecurityIIS/owasp_crs/CHANGELOG b/iis/ModSecurityIIS/owasp_crs/CHANGELOG
new file mode 100644
index 0000000000..267db5a623
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/CHANGELOG
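Review bot: `GetFileAttributes(dstfull)` returns INVALID_FILE_ATTRIBUTES when the file does not exist yet (the normal case on a first install) or cannot be queried, and the added SetFileAttributes line masks that sentinel and passes the result on without checking it. Guard the call instead: `DWORD attrs = GetFileAttributes(dstfull);` / `if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_READONLY))` / `    SetFileAttributes(dstfull, attrs & ~FILE_ATTRIBUTE_READONLY);`. The `::DeleteFile(dstfull)` result is likewise discarded, so a file that is still in use (for example a module DLL loaded by the running server) will only surface as a failure of the following CreateFile; recording GetLastError() there would make a failed overwrite diagnosable. Because `dstfull` is `rootdir` plus the caller-supplied `dst` with no normalisation visible in this hunk, the new delete also widens the effect of any `..` component in a name that originates from an archive entry; if entry names are not validated elsewhere, rejecting names that resolve outside `rootdir` before this point would be prudent. `TUnzip::Unzip` begins and ends outside the hunk.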
@@ -0,0 +1,816 @@ +== OWASP ModSecurity Core Rule Set (CRS) JIRA CHANGELOG == +* https://www.modsecurity.org/tracker/browse/CORERULES + + + +== Version 2.2.6 - 09/14/2012 == + +Improvements: +* Started rule formatting update for better readability +* Added maturity and accuracy action data to each rule +* Updated rule revision (rev) action +* Added rule version (ver) action +* Added more regression tests (util/regression_tests/) +* Modified Rule ID 960342 to block large file attachments in phase:1 +* Removed all PARANOID rule checks +* Added new Session Fixation rules + +Bug Fixes: +* Fixed missing ending double-quotes in XSS rules file +* Moved SecDefaultAction setting from phase:2 to phase:1 +* Fixed Session Hijacking SessionID Regex + https://www.modsecurity.org/tracker/browse/CORERULES-79 +* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME + https://www.modsecurity.org/tracker/browse/CORERULES-78 + +== Version 2.2.5 - 06/14/2012 == + + +Improvements: +* Renamed main config file to modsecurity_crs_10_setup.conf +* Updated the rule IDs to start from CRS reserved range: 900000 +* Updated rule formatting for readibility +* Updated the CSRF rules to use UNIQUE_ID as the token source +* Added the zap2modsec.pl script to the /util directory which converts + OWASP ZAP Scanner XML data into ModSecurity Virtual Patches +* Updated the Directory Traversal Signatures to include more obfuscated data +* Added Arachni Scanner Integration Lua script/rules files + +Bug Fixes: +* Added forceRequestBodyVariable action to rule ID 960904 +* Updated the anomaly scoring value for rule ID 960000 to critical + (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) +* Updated Content-Type check to fix possible evasion with @within + (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) + + +== Version 2.2.4 - 03/14/2012 == + + +Improvements: +* Added Location and Set-Cookie checks to Response Splitting rule ID 950910 +* 
Added a README file to the activated_rules directory +* Consolidate a number of SQL Injection rules into optimized regexs +* Removed multiMatch and replaceComments from SQL Injection rules +* Updated the SQLi regexs for greediness +* Updated the SQLi setvar anomaly score values to use macro expansion +* Removed PARANOID mode rules + +Bug Fixes: +* Fixed missing comma before severity action in rules 958291, 958230 and 958231 +* Fixed duplidate rule IDs + + +== Version 2.2.3 - 12/19/2011 == + + +Improvements: +* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies +* Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#charset +* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#header + +Bug Fixes: +* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to + rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). +* Updated the regex and added tags for RFI rules. + + +== Version 2.2.2 - 09/28/2011 == + + +Improvements: +* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points +* Added new Range header detection checks to prevent Apache DoS +* Added new Security Scanner User-Agent strings +* Added example script to the /util directory to convert Arachni DAST scanner + XML data into ModSecurity virtual patching rules. 
+* Updated the SQLi Character Anomaly Detection Rules +* Added Host header info to the RESOURCE collection key for AppSensor profiling rules + +Bug Fixes: +* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block) +* Fixed Request Limit rules by removing & from variables +* Fixed Session Hijacking IP/UA hash captures +* Updated the SQLi regex for rule ID 981242 + + +== Version 2.2.1 - 07/20/2011 == + + +Improvements: +* Extensive SQL Injection signature updates as a result of the SQLi Challenge + http://www.modsecurity.org/demo/challenge.html +* Updated the SQL Error message detection in reponse bodies +* Updated SQL Injection signatures to include more DB functions +* Updated the WEAK SQL Injection signatures +* Added tag AppSensor/RE8 to rule ID 960018 + +Bug Fixes: +* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches + https://www.modsecurity.org/tracker/browse/CORERULES-70 +* Fixed Session Hijacking rules to properly capture IP address network hashes. +* Added the multiMatch action to the SQLi rules +* Fixed a false negative logic flaw within the advanced_filter_converter.lua script +* Fixed missing : in id action in DoS ruleset. +* Updated rule ID 971150 signature to remove ; + + +== Version 2.2.0 - 05/26/2011 == + + +Improvements: +* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2) + http://www.apache.org/licenses/LICENSE-2.0.txt +* Created new INSTALL file outlining quick config setup +* Added a new rule regression testing framework to the /util directory +* Added new activated_rules directory which will allow users to place symlinks pointing + to files they want to run. 
This allows for easier Apache Include wild-carding +* Adding in new RULE_MATURITY and RULE_ACCURACY tags +* Adding in a check for X-Forwarded-For source IP when creating IP collection +* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) + http://websecuritytool.codeplex.com/wikipage?title=Checks#charset +* Added new AppSensor rules to experimental_dir + https://www.owasp.org/index.php/AppSensor_DetectionPoints +* Added new Generic Malicious JS checks in outbound content +* Added experimental IP Forensic rules to gather Client hostname/whois info + http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules + http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html +* Global collection in the 10 file now uses the Host Request Header as the collection key. + This allows for per-site global collections. +* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties. + This includes both converted web rules from Emerging Threats (ET) and from SLR Team. 
+* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB +* Added experimental rules for detecting Open Proxy Abuse + http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html +* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API + http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html +* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227) +* Added new SQLi detection rules (959070, 959071 and 959072) +* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data + https://www.modsecurity.org/tracker/browse/CORERULES-64 + +Bug Fixes: +* Assigned IDs to all active SecRules/SecActions +* Removed rule inversion (!) from rule ID 960902 +* Fixed false negative issue in Response Splitting Rule +* Fixed false negative issue with @validateByteRange check +* Updated the TARGETS lising for rule ID 950908 +* Updated TX data for REQBODY processing +* Changed the pass action to block in the RFI rules in the 40 generic file +* Updated RFI regex to catch IP address usage in hostname + https://www.modsecurity.org/tracker/browse/CORERULES-68 +* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods. +* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions. + They will now inherit the settings from the SecDefaultAction + + +== Version 2.1.2 - 02/17/2011 == + + +Improvements: +* Added experimental real-time application profiling ruleset. +* Added experimental Lua script for profiling the # of page scripts, iframes, etc.. + which will help to identify successful XSS attacks and planting of malware links. +* Added new CSRF detection rule which will trigger if a subsequent request comes too + quickly (need to use the Ignore Static Content rules). 
+ +Bug Fixes: +* Added missing " in the skipAfter SecAction in the CC Detection rule set + + +== Version 2.1.1 - 12/30/2010 == + + +Bug Fixes: +* Updated the 10 config conf file to add in pass action to User-Agent rule +* Updated the CSRF ruleset to conditionally do content injection - if the + csrf token was created by the session hijacking conf file +* Updated the session hijacking conf file to only enforce rules if a SessionID + Cookie was submitted +* Fixed macro expansion setvar bug in the restricted file extension rule +* Moved the comment spam data file into the optional_rules directory + + +== Version 2.1.0 - 12/29/2010 == + + +Improvements: +* Added Experimental Lua Converter script to normalize payloads. Based on + PHPIDS Converter code and it used with the advanced filters conf file. +* Changed the name of PHPIDS converted rules to Advanced Filters +* Added Ignore Static Content (Performance enhancement) rule set +* Added XML Enabler (Web Services) rule set which will parse XML data +* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set +* Added Denial of Service (DoS) Protection rule set +* Added Slow HTTP DoS (Connection Consumption) Protection rule set +* Added Brute Force Attack Protection rule set +* Added Session Hijacking Detection rule set +* Added Username Tracking rule set +* Added Authentication Tracking rule set +* Added Anti-Virus Scanning of File Attachments rule set +* Added AV Scanning program to /util directory +* Added Credit Card Usage Tracking/Leakage Prevention rule set +* Added experimental CC Track/PAN Leakage Prevention rule set +* Added an experimental_rules directory to hold new BETA rules +* Moved the local exceptions conf file back into base_rules dirctory however + it has a ".example" extension to prevent overwriting customized versions + when upgrading +* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to + the experimental_rules directory +* Adding the 
REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will + help to make collections a bit more unique + + + +== Version 2.0.10 - 11/29/2010 == + + +Improvements: +* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS + is running in traditional mode. + +Bug Fixes: +* Moved all skipAfter actions in chained rules to chain starter SecRules + https://www.modsecurity.org/tracker/browse/MODSEC-159 +* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs + + + +== Version 2.0.9 - 11/17/2010 == + + +Improvements: +* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that + it will not overwrite existing config settings. Users should rename this file to activate + it. +* Traditional detection mode is now the current default +* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode + by editing the modsecurity_crs_10_config.conf file +* Updated the disruptive actions in most rules to use "block" action instead of "pass". This + is to allow for the toggling between traditional vs. anomaly scoring modes. +* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction + setting in the modsecurity_crs_10_config.conf file +* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match + what is used in the PHPIDS rules. These still have the same factor of severity even though + the numbers themselves are smaller. +* Updated the 49 and 59 blocking rules to include the matched logdata +* Updated the TAG data to further classify attack/vuln categories. 
+* Updated the SQL Injection filters to detect more boolean logic attacks
+* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
+
+Bug Fixes:
+* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
+ https://www.modsecurity.org/tracker/browse/CORERULES-63
+* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
+ https://www.modsecurity.org/tracker/browse/MODSEC-159
+* Fixed restricted file extension bug with macro expansion
+ https://www.modsecurity.org/tracker/browse/CORERULES-60
+* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
+ it matches what is being set in the sql injection conf file
+* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
+ https://www.modsecurity.org/tracker/browse/CORERULES-62
+
+
+== Version 2.0.8 - 08/27/2010 ==
+
+
+Improvements:
+* Updated the PHPIDS filters
+* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
+* Updated the SQL Injection fitlers to account for different quotes
+* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
+* Added Rule ID 950109 to detect multiple URL encodings
+* Added two experimental rules to detect anomalous use of special characters
+
+Bug Fixes:
+* Fixed Encoding Detection RegEx (950107 and 950108)
+* Fixed rules-updater.pl script to better handle whitespace
+ https://www.modsecurity.org/tracker/browse/MODSEC-167
+* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
+ https://www.modsecurity.org/tracker/browse/CORERULES-55
+* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
+ https://www.modsecurity.org/tracker/browse/CORERULES-54
+* Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
+ https://www.modsecurity.org/tracker/browse/CORERULES-29
+
+
+== Version 2.0.7 - 06/4/2010 ==
+
+
+Improvements:
+* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
+ specific outbound data and then validate the csrf token on subsequent requests.
+* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
+ flags
+* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
+ data being echoed back to user unchanged.
+* Added rules-updater.pl script and configuration file to allow users to automatically
+ download CRS rules from the CRS rules repository.
+* Added new SQLi keyword for ciel() and reverse() functions.
+* Updated the PHPIDS filters
+
+
+Bug Fixes:
+* Fixed false positives for Request Header Name matching in the 30 file by
+ adding boundary characters.
+* Added missing pass actions to @pmFromFile prequalifier rules
+* Added backslash to SQLi regex
+ https://www.modsecurity.org/tracker/browse/CORERULES-41
+* Fixed hard coded anomaly score in PHPIDS filter file
+ https://www.modsecurity.org/tracker/browse/CORERULES-45
+* Fixed restricted_extension false positive by adding boundary characters
+
+
+== Version 2.0.6 - 02/26/2010 ==
+
+
+Bug Fixes:
+* Added missing transformation functions to SQLi rules.
+ https://www.modsecurity.org/tracker/browse/CORERULES-32
+* Fixed duplicate rule IDs.
+ https://www.modsecurity.org/tracker/browse/CORERULES-33
+* Fixed typo in @pmFromFile in the Comment SPAM rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-34
+* Added macro expansion to Restricted Headers rule
+ https://www.modsecurity.org/tracker/browse/CORERULES-35
+* Fixed misspelled SecMarker
+ https://www.modsecurity.org/tracker/browse/CORERULES-36
+* Fixed missing chain action in Content-Type header check
+ https://www.modsecurity.org/tracker/browse/CORERULES-37
+* Update phpids filters to use pass action instead of block
+
+
+== Version 2.0.5 - 02/01/2010 ==
+
+
+Improvements:
+* Removed previous 10 config files as they may conflict with local customized Mod configs.
+* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
+ PARANOID_MODE inspection, set anomaly score levels and http policies.
+ Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
+* Added Rule Logic and Reference links to rules descriptions.
+* Added Rule IDs to all rules.
+* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
+* Removed Apache limit directives from the 23 file
+* Added macro expansion to 23 file checks.
+* Added @pmFromFile check to 35 bad robots file
+* Added malicious UA strings to 35 bad robots check
+* Created an experimental rules file
+* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
+* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
+ https://www.modsecurity.org/tracker/browse/MODSEC-120
+* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
+ variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
+* Moved converted ET Snort rules to the /optional_rules directory
+* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
+ request headers.
+* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
+* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
+* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
+* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
+* Added new outbound malware link detection rules.
+* Added PHP "call_user_func" to blacklist
+ Identified by SOGETI ESEC R&D
+
+Bug Fixes:
+* Removed Non-numeric Rule IDs
+ https://www.modsecurity.org/tracker/browse/CORERULES-28
+* Updated the variable list on SQLi rules.
+* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
+ and blocking
+
+
+== Version 2.0.4 - 11/30/2009 ==
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
+ then search more generically in request_body|request_uri_raw
+* Updated PHPIDS rules logic to only set TX variables and to not log.
This allows for more clean
+ exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
+ anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
+ alerts for any variable matches that exist.
+
+Bug Fixes:
+* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
+ phase:4 which would allow for blocking based on information leakage issues.
+
+
+== Version 2.0.3 - 11/05/2009 ==
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
+* Added new rules to identify multipart/form-data bypass attempts
+* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
+
+Bug Fixes:
+* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
+ https://www.modsecurity.org/tracker/browse/CORERULES-17
+* Added new variable locations to the phpids filters
+ https://www.modsecurity.org/tracker/browse/CORERULES-19
+* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-20
+* Fixed multipart parsing evasion issues by adding strict parsing rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-21
+* Fixed typo in xss rules (missing |)
+ https://www.modsecurity.org/tracker/browse/CORERULES-22
+* Fixed regex text in IE8 XSS filters (changed to lowercase)
+ https://www.modsecurity.org/tracker/browse/CORERULES-23
+
+
+== Version 2.0.2 - 09/11/2009 ==
+
+
+Improvements:
+* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+ https://www.modsecurity.org/tracker/browse/CORERULES-13
+
+Bug Fixes:
+* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
+ https://www.modsecurity.org/tracker/browse/CORERULES-15
+
+
+== Version 2.0.1 - 08/07/2009 ==
+
+
+Improvements:
+* Updated the transformation functions used in the XSS/SQLi rules to improve performance
+ https://www.modsecurity.org/tracker/browse/CORERULES-10
+
+* Updated the variable/target list in the XSS rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-11
+
+* Added XSS Filters from IE8
+ https://www.modsecurity.org/tracker/browse/CORERULES-12
+
+Bug Fixes:
+* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
+ https://www.modsecurity.org/tracker/browse/CORERULES-9
+
+
+== Version 2.0.0 - 07/29/2009 ==
+
+
+New Rules & Features:
+* Fine Grained Policy
+ The rules have been split to having one signature per rule instead of having
+ all signatures combined into one optimized regular expression.
+ This should allow you to modify/disable events based on specific patterns
+ instead of having to deal with the whole rule.
+* Converted Snort Rules
+ Emerging Threat web attack rules have been converted.
+ http://www.emergingthreats.net/
+* Anomaly Scoring Mode Option
+ The rules have been updated to include anomaly scoring variables which allow
+ you to evaluate the score at the end of phase:2 and phase:5 and decide on what
+ logging and disruptive actions to take based on the score.
+* Correlated Events
+ There are rules in phase:5 that will provide some correlation between inbound
+ events and outbound events and will provide a result of successful atttack or
+ attempted attack.
+* Updated Severity Ratings
+ The severity ratings in the rules have been updated to the following:
+ - 0: Emergency - is generated from correlation where there is an inbound attack and
+ an outbound leakage.
+ - 1: Alert - is generated from correlation where there is an inbound attack and an
+ outbound application level error.
+ - 2: Critical - is the highest severity level possible without correlation.
It is
+ normally generated by the web attack rules (40 level files).
+ - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+ - 4: Warning - is generated by malicious client rules (35 level files).
+ - 5: Notice - is generated by the Protocol policy and anomaly files.
+ - 6: Info - is generated by the search engine clients (55 marketing file).
+* Updated Comment SPAM Protections
+ Updated rules to include RBL lookups and client fingerprinting concepts from
+ Bad Behavior (www.bad-behavior.ioerror.us)
+* Creation of Global Collection
+ Automatically create a Global collection in the *10* config file. Other rules
+ can then access it.
+* Use of Block Action
+ Updated the rules to use the "block" action. This allows the Admin to globally
+ set the desired block action once with SecDefaultAction in the *10* config file
+ rather than having to edit the disruptive actions in all of the rules or for
+ the need to have multiple versions of the rules (blocking vs. non-blocking).
+* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+ http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+* Added new generic RFI detection rules.
+ http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+* "Possibly malicious iframe tag in output" (Rules 981001,981002)
+ Planting invisible iframes in a site can be used by attackers to point users
+ from the victim site to their malicious site. This is actually as if the
+ user was visiting the attacker's site himself, causing the user's browser to
+ process the content in the attacker's site.
+
+New Events:
+* Rule 960019 - Expect Header Not Allowed.
+* Rule 960020 - Pragma Header Requires Cache-Control Header
+* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+ as it is reserved for use as a fragment identifier within the html page.
+* Rule 958291 - Range: field exists and begins with 0.
+* Rule 958292 - Invalid Request Header Found.
+* Rule 958293 - Lowercase Via Request Header Found.
+* Rule 958294 - Common SPAM Proxies found in Via Request Header.
+* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+* Rule 958296 - Request Indicates a SPAM client accessed the Site.
+* Rule 958297 - Common SPAM/Email Harvester crawler.
+* Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+* Rule 950107 - Split the rule into 2 separate rules to factor in the
+ Content-Type when inspecting the REQUEST_BODY variable.
+* Rule 960017 - Bug fix for when having port in the host header.
+* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+* Rule 950801 - Increased the logic so that the rule will only run if the web site
+ uses UTF-8 Encoding.
+* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+ allow the IPv6 loopback address
+* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+ and to identify offsite hosts by comparing the ARG URI to the Host
+ header. Due to this rule now being stronger, moved it from optional
+ tight security rule to *40* generic attacks file.
+
+Other Fixes:
+* Added more HTTP Protocol violations to *20* file.
+* Set the SecDefaultAction in the *10* config file to log/pass (This was the
+ default setting, however this sets it explicitly.
+* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
+ was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+ not deny response bodies that go over the size restrictions.
+* Changed SecServerSignature to "Apache/1.3.28"
+* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
+ BEGIN and END SecMarkers for rule groups to more accurately allow moving to
+ proper locations.
+* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+ This removes the need for some SecAction/SkipAfter rules.
+* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+ rules and chained rules).
+
+
+== Version 1.6.1 - 2008/04/22 ==
+
+
+* Fixed a bug where phases and transformations where not specified explicitly
+ in rules. The issue affected a significant number of rules, and we strongly
+ recommend to upgrade.
+
+
+== Version 1.6.0 - 2008/02/19 ==
+
+
+New Rulesets & Features:
+* 42 - Tight Security
+ This ruleset contains currently 2 rules which are considered highly prone
+ to FPs. They take care of Path Traversal attacks, and RFI attacks. This
+ ruleset is included in the optional_rulesets dir
+* 42 - Comment Spam
+ Comment Spam is used by the spammers to increase their rating in search
+ engines by posting links to their site in other sites that allow posting
+ of comments and messages. The rules in this ruleset will work against that.
+ (Requires ModSecurity 2.5)
+* Tags
+ A single type of attack is often detected by multiple rules. The new alert
+ classification tags solve this issue by providing an alternative alert type
+ indication and can serve for filtering and analysis of audit logs.
+ The classification tags are hierarchical with slashes separating levels.
+ Usually there are two levels with the top level describing the alert group
+ and the lower level denoting the alert type itself, for example:
+ WEB_ATTACK/SQL_INJECTION.
+
+False Positives Fixes:
+* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
+* Rule 950107 - Will look for invalid url decoding in variables that are not
+ automatically url decoded
+
+Additional rules logic:
+* Using the new "logdata" action for logging the matched signature in rules
+* When logging an event once, init the collection only if the alert needs to log
+* Using the new operator @pm as a qualifier before large rules to enhance
+ performance (Requires ModSecurity 2.5)
+* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
+ only 1=1.
(Thanks to Marc Stern for the idea)
+* New XSS signatures - iframe & flash XSS
+
+
+
+== Version 1.5.1 - 2007/12/6 ==
+
+
+False Positives Fixes:
+* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
+
+New Events:
+* 960019 - Detect HTTP/0.9 Requests
+ HTTP/0.9 request are not common these days. This rule will log by default,
+ and block in the blocking version of file 21
+
+Other Fixes:
+* File 40, Rules 950004,950005 - Repaired the correction for the double
+ url decoding problem
+* File 55 contained empty regular expressions. Fixed.
+
+
+== Version 1.5 - 2007/11/23 ==
+
+
+New Rulesets:
+* 23 - Request Limits
+ "Judging by appearances". This rulesets contains rules blocking based on
+ the size of the request, for example, a request with too many arguments
+ will be denied.
+
+Default policy changes:
+* XML protection off by default
+* BLOCKING dir renamed to optional_rules
+* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
+* Ruleset 21 - The exception for apache internal monitor will not log anymore
+
+New Events:
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+Additional rules logic:
+* 950001 - New signature: delete from
+* 950007 - New signature: waitfor delay
+
+False Positives Fixes:
+* 950006 - Will not be looking for /cc pattern in User-Agent header
+* 950002 - "Internet Explorer" signature removed
+* Double decoding bug used to cause FPs. Some of the parameters are already
+ url-decoded by apache. This caused FPs when the rule performed another
+ url-decoding transformation. The rules have been split so that parameters
+ already decoded by apache will not be decoded by the rules anymore.
+* 960911 - Expression is much more permissive now
+* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
+ then you should uncomment this rule (in file 20)
+
+
+version 1.4.3 - 2007/07/21
+
+
+New Events:
+* 950012 - HTTP Request Smuggling
+ For more info on this attack:
+ http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+False Positives Fixes:
+* 950107 - Will allow a % sign in the middle of a string as well
+* 960911 - A more accurate expression based on the rfc:
+ http://www.ietf.org/rfc/rfc2396.txt
+* 950015 - Will not look for http/ pattern in the request headers
+
+Additional rules logic:
+* Since Apache applies scope directives only after ModSecurity phase 1
+ this directives cannot be used to exclude phase 1 rules. Therefore
+ we moved all inspection rules to phase 2.
+
+
+
+version 1.4 build 2 - 2007/05/17
+
+
+New Feature:
+* Search for signatures in XML content
+ XML Content will be parsed and ispected for signatures
+
+New Events:
+* 950116 - Unicode Full/Half Width Abuse Attack Attempt
+ Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
+ http://www.kb.cert.org/vuls/id/739224
+* 960911 - Invalid HTTP request line
+ Enforce request line to be valid, i.e.:
+* 960904 - Request Missing Content-Type (when there is content)
+ When a request contains content, the content-type must be specified.
If not, the content will not be inspected
+* 970018 - IIS installed in default location (any drive)
+ Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
+* 950019 - Email Injection
+ Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
+
+Regular expressions fixes:
+* Further optimization of some regular expressions (using the non-greediness operator)
+ The non-greediness operator, , prevents excessive backtracking
+
+FP fixes:
+* Rule 950107 - Will allow a parameter to end in a % sign from now on
+
+
+version 1.4 - 2007/05/02
+
+
+New Events:
+* 970021 - WebLogic information disclosure
+ Matching of "JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning)
+* 950015,950910,950911 - HTTP Response Splitting
+ Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
+ http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
+ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
+* 960902 - Content-Encoding in request not supported
+ Any incoming compressed request will be denied
+* 960903 - Content-Encoding in response not suppoted
+ An outgoing compressed response will be logged to alert, but ONLY ONCE.
+
+False Positives Fixes:
+* Removed <.exe>,<.shtml> from restricted extensions
+* Will not be looking for SQL Injection signatures , in the Via request header
+* Excluded Referer header from SQL injection, XSS and command injection rules
+* Excluded X-OS-Prefs header from command injection rule
+* Will be looking for command injection signatures in
+ REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
+* Allowing charset specification in the Content-Type
+
+Additional rules logic:
+* Corrected match of OPTIONS method in event 960015
+* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
+* Moved all rules apart from method inspection from phase 1 to phase 2 -
+ This will enable viewing content if such a rule triggers as well as setting
+ exceptions using Apache scope tags.
+* Added match for double quote in addition to single quote for signature (SQL Injection)
+* Added 1=1 signature (SQL Injection)
+
+
+version 1.3.2 build 4 2007/01/17
+
+
+Fixed apache 2.4 dummy requests exclusion
+Added persistent PDF UXSS detection rule
+
+
+== Version 1.3.2 build 3 2007/01/10 ==
+
+
+Fixed regular expression in rule 960010 (file #30) to allow multipart form data
+content
+
+
+== Version 1.3.2 - 2006/12/27 ==
+
+
+New events:
+* 960037 Directory is restricted by policy
+* 960038 HTTP header is restricted by policy
+
+Regular expressions fixes:
+* Regular expressions with @ at end of beginning (for example "@import)
+* Regular expressions with un-escaped "."
+* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
+* The command injection wget is not searched in the UA header as it has different meaning there.
+* LDAP Fixed to reduce FPs:
+ + More accurate regular expressions + + high bit characters not accpeted between signature tokens.
+* Do not detect /usr/local/apache/conf/crs/base_rules/GsbMalware.dat
+ lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf
+ lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf
+ lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
+ lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf ->
/usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
+ lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
+ lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
+ lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
+ lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
+ lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf ->
/usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf
+
+
+ 3) Add the following line to your httpd.conf (assuming
+ you've placed the rule files into conf/crs/):
+
+
+ Include conf/crs/modsecurity_crs_10_config.conf
+ Include conf/crs/activated_rules/*.conf
+
+
+ 3) Restart web server.
+
+ 4) Make sure your web sites are still running fine.
+
+ 5) Simulate an attack against the web server. Then check
+ the attack was correctly logged in the Apache error log,
+ ModSecurity debug log (if you enabled it) and ModSecurity
+ audit log (if you enabled it).
+
+
diff --git a/iis/ModSecurityIIS/owasp_crs/LICENSE b/iis/ModSecurityIIS/owasp_crs/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/iis/ModSecurityIIS/owasp_crs/README.md b/iis/ModSecurityIIS/owasp_crs/README.md
new file mode 100644
index 0000000000..1c7a8bc2ee
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/README.md
@@ -0,0 +1,25 @@
+# OWASP ModSecurity Core Rule Set (CRS)
+
+ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is sponsoring and maintaining a free certified rule set for the community. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the OWASP ModSecurity Core Rule Set provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™.
+
+## Licensing
+(c) 2006-2012 Trustwave
+
+The ModSecurity Core Rule Set is provided to you under the terms and
+conditions of Apache Software License Version 2 (ASLv2)
+
+http://www.apache.org/licenses/LICENSE-2.0.txt
+
+## Mail-List
+For more information refer to the OWASP Core Rule Set Project page at
+http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
+
+Core Rules Mail-list -
+Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
+Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
+
+## Downloading
+
+You can manually download the latest CRS from the GitHub Repo:
+https://github.com/SpiderLabs/owasp-modsecurity-crs
+
diff --git a/iis/ModSecurityIIS/owasp_crs/activated_rules/README b/iis/ModSecurityIIS/owasp_crs/activated_rules/README
new file mode 100644
index 0000000000..758f8db513
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/activated_rules/README
@@ -0,0 +1,49 @@
+ Enable the CRS rules files you want to use by creating symlinks under the
+ "activated_rules" directory location. You will want to create symlinks for the
+ following:
+
+ 1) The main modsecurity_crs_10_config.conf file
+ 2) Any rules from the base_rules directory
+ 3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories.
+
+ $ pwd
+ /usr/local/apache/conf/crs
+ $ ls
+ CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
+ LICENSE base_rules modsecurity_crs_10_config.conf.example util
+ README experimental_rules modsecurity_crs_15_customrules.conf
+ activated_rules lua optional_rules
+ $ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
+ $ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
+ $ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
+ $ ls -l activated_rules
+ total 216
+ lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat
+ lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf
+ lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf
+ lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
+ lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
+ lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
+ lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
+ lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
+ lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
+ lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf
+
diff --git a/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_bad_robots.data b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_bad_robots.data
new file mode 100644
index 0000000000..d6eae499b9
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_bad_robots.data
@@ -0,0 +1,145 @@
+webmole
+wisenutbot
+prowebwalker
+hanzoweb
+email
+toata dragostea mea pentru diavola
+gameBoy, powered by nintendo
+missigua
+poe-component-client
+emailsiphon
+adsarobot
+under the rainbow 2.
+nessus
+floodgate
+email extractor
+webaltbot
+contactbot/
+butch__2.1.1
+pe 1.4
+indy library
+autoemailspider
+mozilla/3.mozilla/2.01
+fantombrowser
+digout4uagent
+panscient.com
+telesoft
+; widows
+converacrawler
+www.weblogs.com
+murzillo compatible
+isc systems irc search 2.1
+emailmagnet
+microsoft url control
+datacha0s
+emailwolf
+production bot
+sitesnagger
+webbandit
+web by mail
+faxobot
+grub crawler
+jakarta
+eirgrabber
+webemailextrac
+extractorpro
+attache
+educate search vxb
+8484 boston project
+franklin locator
+nokia-waptoolkit
+mailto:craftbot@yahoo.com
+full web bot
+pcbrowser
+psurf
+user-Agent
+pleasecrawl/1.
+kenjin spider
+gecko/25
+no browser
+webster pro
+wep Search 00
+grub-client
+fastlwspider
+this is an exploit
+contentsmartz
+teleport pro
+dts agent
+nikto
+morzilla
+via
+atomic_email_hunter
+program shareware 1.0.
+ecollector
+emailcollect
+china local browse 2.
+backdoor
+stress test
+foobar/
+emailreaper
+xmlrpc exploit
+compatible ; msie
+s.t.a.l.k.e.r.
+compatible-
+webvulnscan
+nameofagent
+copyrightcheck
+advanced email extractor
+surveybot
+compatible ;.
+searchbot admin@google
+wordpress/4.01
+webemailextract
+larbin@unspecified
+turing machine
+zeus
+windows-update-agent
+morfeus fucking scanner
+user-agent:
+voideye
+mosiac 1
+chinaclaw
+newt activeX; win32
+web downloader
+safexplorer tl
+agdm79@mail.ru
+cheesebot
+hhjhj@yahoo
+fiddler
+psycheclone
+microsoft internet explorer/5.0
+core-project/1
+atspider
+copyguard
+neuralbot/0.2
+wordpress hash grabber
+amiga-aweb/3.4
+packrat
+rsync
+crescent internet toolpak
+security scan
+vadixbot
+concealed defense
+a href=
+bwh3_user_agent
+internet ninja
+microsoft url
+emailharvest
+shai
+wisebot
+internet exploiter sux
+wells search ii
+webroot
+digimarc webreader
+botversion
+black hole
+windows xp 5
+w3mir
+pmafind
+athens
+hl_ftien_spider
+ injection
+takeout
+eo browse
+cherrypicker
+internet-exprorer
diff --git a/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_scanners.data b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_scanners.data
new file mode 100644
index 0000000000..67e5d0b31b
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_35_scanners.data
@@ -0,0 +1,35 @@
+grabber
+cgichk
+bsqlbf
+mozilla/4.0 (compatible)
+sqlmap
+mozilla/4.0 (compatible; msie 6.0; win32)
+mozilla/5.0 sf//
+nessus
+arachni
+metis
+sql power injector
+bilbo
+absinthe
+black widow
+n-stealth
+brutus
+webtrends security analyzer
+netsparker
+python-httplib2
+jaascois
+pmafind
+.nasl
+nsauditor
+paros
+dirbuster
+pangolin
+nmap nse
+sqlninja
+nikto
+webinspect
+blackwidow
+grendel-scan
+havij
+w3af
+hydra
diff --git a/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_40_generic_attacks.data b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_40_generic_attacks.data
new file mode 100644
index 0000000000..4ce8a36c5b
--- /dev/null
+++ b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_40_generic_attacks.data
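Review bot: This .data file is committed under activated_rules/ as a regular file, while the activated_rules/README added earlier in this patch describes that directory as holding only symlinks into base_rules/ and optional_rules/, created with the `ln -s` loop it shows; on the IIS target that symlink workflow does not apply, so a reader following the README will not find the layout it describes. If base_rules/ carries its own copy of the same list (this hunk does not show that), the two copies have to be refreshed together or a later CRS update will change what one rule file matches but not the other. A short note at the top of activated_rules/README, e.g. `On IIS this directory holds copies of the rule and data files, not symlinks; refresh base_rules/ and activated_rules/ together when updating the CRS`, or a single copy that the installer references, would close that gap. The same applies to the modsecurity_35_scanners.data hunk that follows.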
@@ -0,0 +1,445 @@ +set-cookie +.cookie +expiressys.user_objects +sys.user_triggers +@@spid +msysaces +instr +sys.user_views +mysql. +sys.tab +charindex +locate +sys.user_catalog +constraint_type +msysobjects +attnotnull +select +sys.user_tables +sys.user_constraints +sys.user_tab_columns +waitfor +sys.all_tables +msysrelationships +msyscolumns +msysqueriessubstr +xtype +textpos +all_objects +rownum +sysfilegroups +sysprocesses +user_group +sysobjects +systables +user_tables +pg_attribute +column_id +user_password +user_users +attrelid +user_tab_columns +table_name +pg_class +user_constraints +user_objects +object_type +sysconstraints +mb_users +column_name +atttypid +substring +object_id +syscat +sysibm +user_ind_columns +syscolumns +sysdba +object_name +sqrt +insert +date +instr +floor +autonomous_transaction +print +encode +coalesce +if +degrees +release_lock +procedure_analyse +password +least +cr32 +subdate +xp_filelist +owa_util +trim +xp_regenumkeys +charset +ciel +bit_or +delete +time +month +xp_execresultset +round +dba_users +is +master_pos_wait +decode +unhex +char_length +strcmp +rtrim +'sa' +version +ord +xp_makecab +truncate +last +concat +coercibility +right +length +ascii +var_samp +char +extract +get_ +bit_length +xp_regread +export_set +aes_decrypt +name_const +left +conv +bin +not_in +infile +substr +uuid +is_srvrolemember +var_pop +ln +aes_encrypt +outfile +current_date +quote +in +user +locate +@@version +exp +current_timestamp +sql_longvarchar +values +subtime +xp_loginconfig +sin +xp_regaddmultistring +replace +tan +xmltype +character_length +cast +current_time +varchar +position +to_number +addtime +mid +found_rows +stddev +xp_availablemedia +substring +dumpfile +isnull +cot +select +concat_ws +convert +uncompress +radians +uncompressed_length +acos +'sqloledb' +dbms_pipe.receive_message +utl_http +cieling +row_count +benchmark +sec_to_time +sysdate +hour +current_user +utc_ +curdate +nvarchar +schema +data_type +lcase +inner +make_set +day 
+tbcreator +sum +sign +adddate +ltrim +variance +weight_string +second +microsecond +system_user +abs +ifnull +minute +unix_timestamp +collation +curtime +lower +repeat +sp_oacreate +group_concat +sp_execute +xp_ntsec +xp_regdeletekey +drop +quarter +local +str_to_date +nullif +from_ +old_password +xp_regdeletevalue +asin +oct +load_file +sp_password +bit_xor +xp_regremovemultistring +chr +avg +std +openquery +makedate +database +updatexml +datediff +now +year +mod +bit_and +lpad +xp_enumdsn +max +period_ +soundex +shutdown +bit_count +field +connection_id +sha +default +interval +xp_dirtree +reverse +ucase +compress +xp_terminate_process +md5 +rpad +session_user +find_in_set +dump +convert_tz +having +des_ +greatest +xp_regenumvalues +utl_file +cos +log +pi +sql_variant +encrypt +upper +rand +week +min +xp_cmdshell +'msdasql' +space +sp_executesql +elt +pow +'dbo' +sp_makewebtask +dbms_java +to_ +format +xp_regwrite +sp_helpjscript +onsubmit +copyparentfolder +document +javascript +meta +onchange +onmove +onkeydown +onkeyup +activexobject +onerror +onmouseup +ecmascript +bexpression +onmouseover +vbscript: +>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + +# +# -=[ SQL Tautologies ]=- +# +SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´’‘\(\)]*?)([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:'950901',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + +# +# -=[ Detect DB Names ]=- +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + + +# +# SQL Keyword Anomaly Scoring +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'" +SecRule TX:SQLI_SELECT_STATEMENT "@contains select" "phase:2,id:'981301',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains show" "phase:2,id:'981302',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains top" "phase:2,id:'981303',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains distinct" "phase:2,id:'981304',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains from" "phase:2,id:'981305',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains dual" "phase:2,id:'981306',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains where" "phase:2,id:'981307',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains group by" 
"phase:2,id:'981308',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains order by" "phase:2,id:'981309',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains having" "phase:2,id:'981310',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains limit" "phase:2,id:'981311',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains offset" "phase:2,id:'981312',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains union" "phase:2,id:'981313',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains union all" "phase:2,id:'981314',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains rownum as" "phase:2,id:'981315',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT "@contains (case" "phase:2,id:'981316',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1" +SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + + +# +# Blind SQL injection +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:'950007',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + + +# +# SQL injection +# + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availabl
emedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950001',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) 
?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959070',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959071',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) 
?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via "(?i:\b(?:coalesce\b|root\@))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:'950908',msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availa
blemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ + "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" + + +# +# [ SQL Injection Character Anomaly Usage ] +# +# These rules attempted to gauge when there is an exccesive use of +# meta-characters within a single parameter payload. +# +# The most likely false positive instances will be free-form text fields. +# Adjust the the @ge operator value appropriately for your site. Increasing +# the score will reduce false positives but may also decrease detection of +# obfuscated attack payloads. 
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
+
+SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ PHPIDS - Converted SQLI Filters ]=-
+#
+# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
+#
+
+#
+# Example Payloads Detected:
+# -------------------------
+# IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
+# SELECT pg_sleep(10);
+# IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = ‘root’;
+# select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
+# -------------------------
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:'981272',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + + +# +# Example Payloads Detected: +# ------------------------- +# ' or 1=1# +# ') or ('1'='1-- +# 1 OR \'1\'!=0 +# aaa\' or (1)=(1) #!asd +# aaa\' OR (1) IS NOT NULL #!asd +# ' =+ ' +# asd' =- (-'asd') -- -a +# aa" =+ - "0 +# aa' LIKE 0 -- -a +# aa' LIKE md5(1) or '1 +# asd"or-1="-1 +# asd"or!1="!1 +# asd"or!(1)="1 +# asd" or ascii(1)="49 +# asd' or md5(5)^'1 +# \"asd" or 1="1 +# ' or id= 1 having 1 #1 ! +# ' or id= 2-1 having 1 #1 ! +# aa'or BINARY 1= '1 +# aa'like-'aa +# ------------------------- +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'981244',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´’‘]\s*?!\s*?[\"'`´’‘\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´’‘];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:'981255',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´’‘=()]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.60738585072007e-308|1e309)$))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for intiger overflow attacks, these are taken from skipfish, except 2.2.60738585072007e-308 is the \"magic number\" crash',id:'981277',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional 
queries',id:'981250',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:'981241',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´’‘];\s*?waitfor\s+time\s+[\"'`´’‘])|(?:[\"'`´’‘];.*?:\s*?goto))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'981252',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, 
EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s*?[\[\]()\s\w\.,\"'`´’‘-]+from)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. 
Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´’‘]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'981254',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:'981270',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´’‘]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'981240',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´’‘]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´’‘]\w)|(?:[\"'`´’‘];\s*?(?:if|while|begin))|(?:[\"'`´’‘][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:'981249',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'981253',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s*?[\"'`´’‘]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´’‘]$)|(?:(?:^[\"'`´’‘\\\\]*?(?:[\d\"'`´’‘]+|[^\"'`´’‘]+[\"'`´’‘]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´’‘][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´’‘]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´’‘\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´’‘].)|(?:\Winformation_schema|table_name\W))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 1/2',id:'981242',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´’‘]|[=\d]+x))|([\"'`´’‘]\s*?\d\s*?(?:--|#))|(?:[\"'`´’‘][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´’‘]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?\d.+[\"'`´’‘]?\w)|(?:[\"'`´’‘]\|?[\w-]{3,}[^\w\s.,]+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'981246',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found 
within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'981251',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* 
"(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" diff --git a/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_xss_attacks.conf b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_xss_attacks.conf new file mode 100644 index 0000000000..5b5c734545 --- /dev/null +++ b/iis/ModSecurityIIS/owasp_crs/activated_rules/modsecurity_crs_41_xss_attacks.conf @@ -0,0 +1,491 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set ver.2.2.6 +# Copyright (C) 2006-2012 Trustwave All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# XSS +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: +# +# +#