Skip to content

Commit

Permalink
Update: [Thu Jan 9 00:26:35 UTC 2025]
Browse files Browse the repository at this point in the history
  • Loading branch information
@github-actions
github-actions[bot] committed Jan 9, 2025
1 parent ed5a5bc commit 0c41e95
Show file tree
Hide file tree
Showing 40 changed files with 2,677 additions and 2,677 deletions.
2,462 changes: 1,231 additions & 1,231 deletions owasp_rules.json
View file

Large diffs are not rendered by default.

34 changes: 17 additions & 17 deletions waf_patterns/apache/attack.conf
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,20 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On

SecRule REQUEST_URI "\[nr\]" "id:1039,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1047,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1046,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1035,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1053,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1044,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1040,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1037,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1038,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1045,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1041,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1052,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1036,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1043,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1258,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1249,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1255,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1260,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1262,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1261,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1125,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1256,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1124,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1253,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1263,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1250,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1251,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1254,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1257,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1259,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1252,phase:1,deny,status:403,log,msg:'attack attack detected'"
16 changes: 8 additions & 8 deletions waf_patterns/apache/correlation.conf
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# Apache ModSecurity rules for CORRELATION
SecRuleEngine On

SecRule REQUEST_URI "@eq\ 0" "id:1297,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1301,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1298,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1300,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1295,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1299,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1296,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1302,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1039,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1040,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1036,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1041,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1035,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1038,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1042,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1037,phase:1,deny,status:403,log,msg:'correlation attack detected'"
Loading

0 comments on commit 0c41e95

Please sign in to comment.