test-rules

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# The purpose of this file is to hold LOCAL exceptions for your site.  The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.
#
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
# effectively maintains two different context: startup, and per transaction.
# As a rule, directives are processed within the startup context. While they
# can affect the per transaction context they generally remain fixed during the
# execution of ModSecurity.
#
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
# directive or one of its siblings would have to be placed AFTER the rule is
# listed, otherwise it will not have knowledge of the rules existence (since
# these rules are read in at the same time). This means that when using
# directives that effect SecRules, these exceptions should be placed AFTER all
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
# designed such that it loads LAST.
#
# Conversely, ModSecurity supports several actions that can change the state of
# the underlying configuration during the per transaction context, this is when
# rules are being processed. Generally, these are accomplished by using the
# 'ctl' action. As these are part of a rule, they will be evaluated in the
# order rules are applied (by physical location, considering phases). As a
# result of this ordering a 'ctl' action should be placed with consideration to
# when it will be executed. This is particularly relevant for the 'ctl' options
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
# important that such rules are placed BEFORE the rule ID they will affect.
# Unlike the setup context, by the time we process rules in the per-transaction
# context, we are already aware of all the rule ID's. It is by this logic that
# we include rules such as this BEFORE all the remaining rules.  As a result
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
#
# As a general rule:
# ctl:ruleEngine            -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveById        -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByMsg       -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveByTag       -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetById  -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
#
# SecRuleRemoveById         -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByMsg        -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleRemoveByTag        -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateActionById   -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetById   -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByMsg  -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
# SecRuleUpdateTargetByTag  -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
#
#
# What follows are a group of examples that show you how to perform rule
# exclusions.
#
#
# Example Exclusion Rule: Disable inspection for an authorized client
#
# This ruleset allows you to control how ModSecurity will handle traffic
# originating from Authorized Vulnerability Scanning (AVS) sources.  See
# related blog post -
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
#
# White-list ASV network block (no blocking or logging of AVS traffic) Update
# IP network block as appropriate for your AVS traffic
#
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
#     "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
#                         for an individual rule
#
# This rule shows how to conditionally exclude the "password"
# parameter for rule 942100 when the REQUEST_URI is /index.php
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
#
# SecRule REQUEST_URI "@beginsWith /index.php" \
#    "id:1001,phase:1,pass,nolog, \
#     ctl:ruleRemoveTargetById=942100;ARGS:password"
#
#
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
#                         for only certain attacks
#
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
#                             for all rules tagged attack-sqli
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
#     "id:1002,phase:request,pass,nolog,\
#     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
#

# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
#                         for all CRS rules
#
# This rule illustrates that we can use tagging very effectively to whitelist a
# common false positive across an entire ModSecurity instance. This can be done
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
# affect custom rules.
#
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
#                             for all CRS rules
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
#     "id:1003,phase:request,pass,nolog,\
#     ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

#
# Example Exclusion Rule: Removing a range of rules
#
# This rule illustrates that we can remove a rule range via a ctl action.
# This uses the fact, that rules are grouped by topic in rule files covering
# a certain id range.
#
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
#     "id:1004,phase:request,pass,nolog,\
#     ctl:ruleRemoveById=941000-942999"
#
#
# The application specific rule exclusion files
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
# bring additional examples which can be useful then tuning a service.
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
# and performs preparatory actions. It also fixes errors and omissions
# of variable definitions in the file crs-setup.conf.
# The setup.conf can and should be edited by the user, this file
# is part of the CRS installation and should not be altered.
#


#
# -=[ Rules Version ]=-
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.0.2"

#
# -=[ Default setup values ]=-
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# file is included at the correct time. This detects situations where
# necessary settings are not defined, for instance if the file
# inclusion order is incorrect, or if the user has forgotten to
# include the crs-setup.conf file.
#
# If you are upgrading from an earlier version of the CRS and you are
# getting this error, please make a new copy of the setup template
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
# changes. There have been many changes in settings syntax from CRS2
# to CRS3, so an old setup file may cause unwanted behavior.
#
# If you are not planning to use the crs-setup.conf template, you must
# manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#

SecRule &TX:crs_setup_version "@eq 0" \
    "id:901001,\
    phase:1,\
    auditlog,\
    log,\
    deny,\
    status:500,\
    severity:CRITICAL,\
    msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'"


#
# -=[ Default setup values ]=-
#
# Some constructs or individual rules will fail if certain parameters
# are not set in the setup.conf file. The following rules will catch
# these cases and assign sane default values.
#

# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
    "id:901100,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.inbound_anomaly_score_threshold=5"

# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
    "id:901110,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.outbound_anomaly_score_threshold=4"

# Default Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
    "id:901120,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.paranoia_level=1"

# Default Sampling Percentage (rule 900400 in setup.conf)
SecRule &TX:sampling_percentage "@eq 0" \
    "id:901130,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.sampling_percentage=100"

# Default Anomaly Scores (rule 900100 in setup.conf)
SecRule &TX:critical_anomaly_score "@eq 0" \
    "id:901140,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.critical_anomaly_score=5"

SecRule &TX:error_anomaly_score "@eq 0" \
    "id:901141,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.error_anomaly_score=4"

SecRule &TX:warning_anomaly_score "@eq 0" \
    "id:901142,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.warning_anomaly_score=3"

SecRule &TX:notice_anomaly_score "@eq 0" \
    "id:901143,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.notice_anomaly_score=2"

# Default do_reput_block
SecRule &TX:do_reput_block "@eq 0" \
    "id:901150,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.do_reput_block=0"

# Default block duration
SecRule &TX:reput_block_duration "@eq 0" \
    "id:901152,\
    phase:1,\
    pass,\
    nolog,\
    setvar:tx.reput_block_duration=300"

# Default HTTP policy: allowed_methods (rule 900200)
SecRule &TX:allowed_methods "@eq 0" \
    "id:901160,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Default HTTP policy: allowed_request_content_type (rule 900220)
SecRule &TX:allowed_request_content_type "@eq 0" \
    "id:901162,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"

# Default HTTP policy: allowed_http_versions (rule 900230)
SecRule &TX:allowed_http_versions "@eq 0" \
    "id:901163,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

# Default HTTP policy: restricted_extensions (rule 900240)
SecRule &TX:restricted_extensions "@eq 0" \
    "id:901164,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

# Default HTTP policy: restricted_headers (rule 900250)
SecRule &TX:restricted_headers "@eq 0" \
    "id:901165,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"

# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
    "id:901166,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"


#
# -=[ Initialize internal variables ]=-
#

# Initialize anomaly scoring variables.
# All _score variables start at 0, and are incremented by the various rules
# upon detection of a possible attack.
# sql_error_match is used for shortcutting rules for performance reasons.

SecAction \
 "id:901200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.anomaly_score=0,\
  setvar:tx.sql_injection_score=0,\
  setvar:tx.xss_score=0,\
  setvar:tx.rfi_score=0,\
  setvar:tx.lfi_score=0,\
  setvar:tx.rce_score=0,\
  setvar:tx.php_injection_score=0,\
  setvar:tx.http_violation_score=0,\
  setvar:tx.session_fixation_score=0,\
  setvar:tx.inbound_anomaly_score=0,\
  setvar:tx.outbound_anomaly_score=0,\
  setvar:tx.sql_error_match=0"


#
# -=[ Initialize collections ]=-
#
# Create both Global and IP collections for rules to use.
# There are some CRS rules that assume that these two collections
# have already been initiated.
#

SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
  "id:901318, \
  phase:1, \
  t:none,t:sha1,t:hexEncode, \
  setvar:tx.ua_hash=%{matched_var}, \
  nolog, \
  pass"

SecAction \
  "id:901321, \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
  setvar:tx.real_ip=%{remote_addr}, \
  nolog, \
  pass"


#
# -=[ Easing In / Sampling Percentage ]=-
#
# This is used to send only a limited percentage of requests into the Core
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
# random number calculated below.
#
# Use this to ease into a new Core Rules installation with an existing
# productive service.
#
# See
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
#

#
# Generate the pseudo random number
#
# ATTENTION: This is no cryptographically secure random number. It's just
# a cheap way to get some random number suitable for sampling.
#
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
# take the first integer numbers out of it. Theoretically, it is possible
# there are no integers in a sha1 hash. We make sure we get two
# integer numbers by taking the last two digits from the DURATION counter
# (in microseconds).
# Finally, leading zeros are removed from the two-digit random number.
#

SecRule TX:sampling_percentage "@eq 100" \
	"id:901400,\
	phase:1,\
	pass,\
	nolog,\
	skipAfter:END-SAMPLING"

SecRule UNIQUE_ID "@rx ^." \
	"id:901410,\
	phase:1,\
	pass,\
	nolog,\
	t:sha1,\
	t:hexEncode,\
	setvar:TX.sampling_rnd100=%{MATCHED_VAR}"

SecRule DURATION "@rx (..)$" \
	"id:901420,\
	phase:1,\
	pass,\
	capture,\
	nolog,\
	setvar:TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}"

SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
	"id:901430,\
	phase:1,\
	pass,\
	nolog,\
	capture,\
	setvar:TX.sampling_rnd100=%{TX.1}%{TX.2}"

SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
	"id:901440,\
	phase:1,\
	pass,\
	capture,\
	nolog,\
	setvar:TX.sampling_rnd100=%{TX.1}"


#
# Sampling decision
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# being written.  If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901450 "nolog"
#


SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
	"id:901450,\
	phase:1,\
	pass,\
	log,\
	noauditlog,\
	ctl:ruleEngine=off,\
	msg:'Sampling: Disable the rule engine based on sampling_percentage \
%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.'"

SecMarker "END-SAMPLING"
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default Drupal install.
# The exclusions are only active if crs_exclusions_drupal=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.

#
# [ POLICY ]
#
# Drupal is a complex application that is hard to secure with the CRS. This set
# of exclusion rules aims to sanitise the CRS in a way that allows a default
# Drupal setup to be installed and configured without much hassle as far as
# ModSecurity and the CRS are concerned.
#
# The exclusion rules are fairly straight forward in the sense that they
# disable CRS on a set of well-known parameter fields that are often the source
# of false positives / false alarms of the CRS. This includes namely the
# session cookie, the password fields and article/node bodies.
#
# This is based on two assumptions: - You have a basic trust in your
# authenticated users who are allowed to edit nodes.  - Drupal allows html
# content in nodes and it protects your users from attacks via these fields.
#
# If you think these assumptions are wrong or if you would prefer a more
# careful/secure approach, you can disable the exclusion rules handling of said
# node body false positives. Do this by placing the following directive in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
#
# SecRuleRemoveById 9001200-9001299
#
# This will mean the CRS remain intact for the editing of node bodies.
#
# The exclusion rules in this file work without the need to define a Drupal
# installation path prefix. Instead they look at the URI from the end - or
# they use regular expressions when targeting dynamic URL. This is all not
# totally foolproof. In some cases, an advanced attacker might be able to
# doctor a request in a way that one of these exclusion rules is triggered
# and the request will bypass all further inspection despite not being a
# Drupal request at all. These exclusion rules could thus be leveraged to
# disable the CRS completely. This is why these rules are off by default.
#
# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional
# false positives which you need to handle yourself.
#
# This set of exclusion rules does not cover any additional Drupal modules
# outside of core.
#
# The exclusion rules are based on Drupal 8.1.10.
#
# And finally: This set of exclusion rules is in an experimental state. If you
# encounter false positives with the basic Drupal functionality and they are
# not covered by this rule file, then please report them. The aim is to be able
# to install and run Drupal core in a seamless manner protected by
# ModSecurity / CRS up to the paranoia level 2.


SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
        "id:9001000,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        skipAfter:END-DRUPAL-RULE-EXCLUSIONS"


# [ Table of Contents ]
#
# 9001100 Session Cookie
# 9001110 Password
# 9001120 FREE for use
# 9001130 FREE for use
# 9001140 Content and Descriptions
# 9001150 FREE for use
# 9001160 Form Token
# 9001170 Text Formats and Editors
# 9001180 WYSIWYG/CKEditor Assets and Upload
# 9001190 FREE for use
# 9001200 Content and Descriptions
#
# The rule id range from 9001200 to 9001999 is reserved for future
# use (Drupal plugins / modules).


# [ Session Cookie ]
#
# Giving the session cookie a dynamic name is most unfortunate
# from a ModSecurity perspective. The rule language does not allow
# us to disable rules in a granular way for individual cookies with
# dynamic names. So we need to disable rule causing false positives
# for all cookies and their names.
#
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
#
SecAction "id:9001100,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
        ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES"


#
# [ Password ]
#
# Disable the CRS completely for all occurrences of passwords.
#
SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
        "id:9001110,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"

SecRule REQUEST_FILENAME "@endsWith /user/login" \
        "id:9001112,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"

SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
        "id:9001114,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"

SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
        "id:9001116,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"


#
# [ Admin Settings (general) ]
#
# Disable known false positives for various fields used on admin pages.
#
# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
#                        Disabled completely for admin/config pages
# For the people/accounts page, we disable the CRS completely for a number of
# freeform text fields.
#
SecRule REQUEST_FILENAME "@contains /admin/config/" \
        "id:9001122,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=942430"

SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
        "id:9001124,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=920271,\
        ctl:ruleRemoveById=942440,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"

SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
        "id:9001126,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=920271,\
        ctl:ruleRemoveById=942440"

SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
        "id:9001128,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=942440"


#
#
# [ Content and Descriptions ]
#
# Disable known false positives for field "ids[]".
#
# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
#
SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
        "id:9001140,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942130;ARGS:ids[]"


#
# [ Form Token / Build ID ]
#
# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
# Rule Exclusion for form_token:    942450 SQL Hex Encoding
# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
#
# This is applied site-wide.
#
SecAction "id:9001160,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
        ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
        ctl:ruleRemoveTargetById=942450;ARGS:form_build_id"


#
# [ Text Formats and Editors ]
#
# Disable the CRS completely for two fields triggering many, many rules
#
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
#
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
        "id:9001170,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"


#
# [ WYSIWYG/CKEditor Assets and Upload ]
#
# Disable the unnecessary requestBodyAccess and for binary uploads
# bigger than an arbitrary limit of 31486341 bytes.
#
# Extensive checks make sure these uploads are really legitimate.
#
SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001180',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
            chain
            SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^[a-zA-Z0-9_-]+" \
                ctl:requestBodyAccess=Off

SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001182',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
            chain
            SecRule ARGS:destination "@streq admin/content/assets" \
                chain
                SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
                    chain
                    SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                        ctl:requestBodyAccess=Off

SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001184',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME \
            "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
            chain
            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
                chain
                SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
                    chain
                    SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^@rx [a-zA-Z0-9_-]+" \
                        ctl:requestBodyAccess=Off


#
# [ Content and Descriptions ]
#
# Disable the CRS completely for node bodies and other free text fields.
# Other rules are disabled individually.
#
# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
# Rule Exclusion for ARGS:destination:       932110 RCE: Windows Command Inj.
#
SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
        "id:9001200,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"

SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
        "id:9001202,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"

SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
        "id:9001204,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
        ctl:ruleRemoveTargetById=932110;ARGS:destination"

SecRule REQUEST_FILENAME "@endsWith /block/add" \
        "id:9001206,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"

SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
        "id:9001208,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:description"

SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(full|basic)_html$" \
        "id:9001210,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:value"

SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
        "id:9001212,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"

SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
        "id:9001214,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"

SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
        "id:9001216,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"


SecMarker END-DRUPAL-RULE-EXCLUSIONS
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default WordPress install.
# The exclusions are only active if crs_exclusions_wordpress=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note that the WordPress comment field itself is currently NOT excluded
# from checking. The reason is that malicious content is regularly being
# posted to WordPress comment forms, and there have been various cases
# of XSS and even RCE vulnerabilities exploited by WordPress comments.

SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
	"id:9002000,\
	phase:1,\
	t:none,\
	nolog,\
	pass,\
	skipAfter:END-WORDPRESS"

SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
	"id:9002001,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	skipAfter:END-WORDPRESS"


#
# -=[ WordPress Front-End ]=-
#


#
# [ Login form ]
#

# User login password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
	"id:9002100,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
	"id:9002120,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq resetpass" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"


#
# [ Comments ]
#

# Post comment
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
	"id:9002130,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveTargetById=931130;ARGS:url"


#
# [ Live preview ]
# Used when an administrator customizes the site and previews the result
# as a normal user.
#

# Theme select
# Example: wp_customize=on&theme=twentyfifteen&customized=
# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
# customize_messenger_channel=preview-0
SecRule ARGS:wp_customize "@streq on" \
	"id:9002150,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule &ARGS:action "@eq 0" \
		"t:none,\
		ctl:ruleRemoveTargetById=942200;ARGS:customized,\
		ctl:ruleRemoveTargetById=942260;ARGS:customized,\
		ctl:ruleRemoveTargetById=942300;ARGS:customized,\
		ctl:ruleRemoveTargetById=942330;ARGS:customized,\
		ctl:ruleRemoveTargetById=942340;ARGS:customized,\
		ctl:ruleRemoveTargetById=942370;ARGS:customized,\
		ctl:ruleRemoveTargetById=942430;ARGS:customized,\
		ctl:ruleRemoveTargetById=942431;ARGS:customized,\
		ctl:ruleRemoveTargetById=942460;ARGS:customized"

# Appearance -> Widgets -> Live Preview
SecRule ARGS:wp_customize "@streq on" \
	"id:9002160,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=942200;ARGS:customized,\
		ctl:ruleRemoveTargetById=942260;ARGS:customized,\
		ctl:ruleRemoveTargetById=942300;ARGS:customized,\
		ctl:ruleRemoveTargetById=942330;ARGS:customized,\
		ctl:ruleRemoveTargetById=942340;ARGS:customized,\
		ctl:ruleRemoveTargetById=942370;ARGS:customized,\
		ctl:ruleRemoveTargetById=942430;ARGS:customized,\
		ctl:ruleRemoveTargetById=942431;ARGS:customized,\
		ctl:ruleRemoveTargetById=942460;ARGS:customized,\
		ctl:ruleRemoveTargetById=920230;ARGS:partials,\
		ctl:ruleRemoveTargetById=941320;ARGS:partials,\
		ctl:ruleRemoveTargetById=942180;ARGS:partials,\
		ctl:ruleRemoveTargetById=942200;ARGS:partials,\
		ctl:ruleRemoveTargetById=942260;ARGS:partials,\
		ctl:ruleRemoveTargetById=942330;ARGS:partials,\
		ctl:ruleRemoveTargetById=942340;ARGS:partials,\
		ctl:ruleRemoveTargetById=942370;ARGS:partials,\
		ctl:ruleRemoveTargetById=942430;ARGS:partials,\
		ctl:ruleRemoveTargetById=942431;ARGS:partials,\
		ctl:ruleRemoveTargetById=942460;ARGS:partials"



# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
# These requests may be missing Accept, Content-Length headers.
# This rule must run in phase:1.
SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
	"id:9002200,\
	phase:1,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveById=920180,\
	ctl:ruleRemoveById=920300"


#
# [ Cookies ]

# WP Session Manager
# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
# detected SQLi using libinjection with fingerprint 'n&1'
SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+||\d+||\d+$" \
	"id:9002300,\
	phase:1,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"


#
# -=[ WordPress Administration Back-End (wp-admin) ]=-
#

# Skip this section for performance unless /wp-admin/ is in filename

SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
	"id:9002400,\
	phase:1,\
	t:none,\
	nolog,\
	pass,\
	skipAfter:END-WORDPRESS-ADMIN"

SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
	"id:9002401,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	skipAfter:END-WORDPRESS-ADMIN"


#
# [ Installation ]
#

# WordPress installation: exclude database password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
	"id:9002410,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:step "@streq 2" \
		"t:none,\
		chain"
	SecRule &ARGS:step "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"

# WordPress installation: exclude admin password
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
	"id:9002420,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:step "@streq 2" \
		"t:none,\
		chain"
	SecRule &ARGS:step "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text"


#
# [ User management ]
#

# Edit logged-in user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
	"id:9002520,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq update" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=931130;ARGS:url,\
		ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
		ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"

# Edit user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
	"id:9002530,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq update" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=931130;ARGS:url,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"

# Create user
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
	"id:9002540,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq createuser" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=931130;ARGS:url,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"


#
# [ General exclusions ]
#

# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecAction \
	"id:9002600,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
	ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
	ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer"

#
# [ Content editing ]
#

# Edit posts and pages
# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
# - Themes do not properly escape post_title in HTML, so beware of XSS
#   and be conservative in excluding this parameter.
# - Parameter _wp_http_referer can appear multiple times.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
	"id:9002700,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
		ctl:ruleRemoveById=920272,\
		ctl:ruleRemoveById=921180"

# Autosave posts and pages
# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:9002710,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq heartbeat" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\
		ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
		ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
		ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
		ctl:ruleRemoveById=921180,\
		ctl:ruleRemoveById=920272"

# Edit menus
SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
	"id:9002720,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq update" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
		ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
		ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"

# Edit text widgets (can contain custom HTML)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:9002730,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "^(save-widget|update-widget)$" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]"

# Reorder widgets
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:9002740,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq widgets-order" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\
		ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\
		ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]"

# Create permalink sample for new post
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:9002750,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq sample-permalink" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title"

# Add external link to menu
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
	"id:9002760,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:action "@streq add-menu-item" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]"


#
# [ Options and Settings ]
#

# Change site URL
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
	"id:9002800,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:option_page "@streq general" \
		"t:none,\
		chain"
	SecRule &ARGS:option_page "@eq 1" \
		"t:none,\
		chain"
	SecRule ARGS:action "@streq update" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetById=931130;ARGS:home,\
		ctl:ruleRemoveTargetById=931130;ARGS:siteurl"

# Permalink settings
# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
	"id:9002810,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveTargetById=920230;ARGS:selection,\
	ctl:ruleRemoveTargetById=920272;ARGS:selection,\
	ctl:ruleRemoveTargetById=942431;ARGS:selection,\
	ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\
	ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
	ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
	ctl:ruleRemoveTargetById=920272;REQUEST_BODY"

# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
	"id:9002820,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	chain"
	SecRule ARGS:option_page "@streq discussion" \
		"t:none,\
		chain"
	SecRule &ARGS:option_page "@eq 1" \
		"t:none,\
		chain"
	SecRule ARGS:action "@streq update" \
		"t:none,\
		chain"
	SecRule &ARGS:action "@eq 1" \
		"t:none,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\
		ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys"


#
# [ Helpers ]
#

# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,
# jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D=
# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget,
# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1
#
# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,
# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard,
# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D=
# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1
#
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,
# wp-ajax-response,jquery-color,wp-lists,quicktags,
# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,
# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,
# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,
# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,
# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e
SecRule REQUEST_FILENAME "@rx /wp-admin/load-(scripts|styles)\.php$" \
	"id:9002900,\
	phase:2,\
	t:none,\
	nolog,\
	pass,\
	ctl:ruleRemoveById=921180,\
	ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\
	ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\
	ctl:ruleRemoveTargetById=942360;ARGS:load[],\
	ctl:ruleRemoveTargetById=942430;ARGS:load[],\
	ctl:ruleRemoveTargetById=942431;ARGS:load[],\
	ctl:ruleRemoveTargetById=942432;ARGS:load[]"


SecMarker END-WORDPRESS-ADMIN


SecMarker END-WORDPRESS
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------


# This file is used as an exception mechanism to remove common false positives
# that may be encountered.
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "@streq GET /" \
	"phase:1,\
	id:905100,\
	t:none,\
	pass,\
	nolog,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-apache',\
	tag:'attack-generic',\
	chain"
		SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
			"t:none,\
			ctl:ruleEngine=Off,\
			ctl:auditEngine=Off"

#
# Exception for Apache internal dummy connection
#
SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
	"phase:1,\
	id:905110,\
	t:none,\
	pass,\
	nolog,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-apache',\
        tag:'attack-generic',\
	chain"
		SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
		"t:none,\
		chain"
			SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" \
				"t:none,\
				ctl:ruleEngine=Off,\
				ctl:auditEngine=Off"


# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#


SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:910011,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:910012,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
 "msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
  logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
  severity:'CRITICAL',\
  id:910000,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
  setvar:'tx.msg=%{rule.msg}',\
  skipAfter:BEGIN_REQUEST_BLOCKING_EVAL,\
  chain"
  SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
    "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"


#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
 "msg:'Client IP is from a HIGH Risk Country Location.',\
  severity:'CRITICAL',\
  id:910100,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  chain"
  SecRule TX:REAL_IP "@geoLookup" \
   "chain"
    SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
     "setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
      setvar:ip.reput_block_flag=1,\
      expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
      setvar:'ip.reput_block_reason=%{rule.msg}'"


#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
  "msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
  severity:'CRITICAL',\
  id:910110,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"


#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
  "id:910120,\
  phase:request,\
  nolog,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  pass,\
  t:none,\
  skipAfter:END_RBL_LOOKUP"

#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: http://www.projecthoneypot.org/httpbl_api.php
#
# To use the blacklist, you must register for an HttpBL API Key
# and choose the traffic types to block. See section
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#

# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
SecRule &TX:block_suspicious_ip "@eq 0" \
  "id:910130,\
  phase:request,\
  t:none,\
  nolog,\
  pass,\
  chain,\
  skipAfter:END_RBL_CHECK"
  SecRule &TX:block_harvester_ip "@eq 0" "chain"
  SecRule &TX:block_spammer_ip "@eq 0" "chain"
  SecRule &TX:block_search_ip "@eq 0"

SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
  "id:910140,\
  phase:request,\
  capture,\
  nolog,pass,t:none, \
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  chain,\
  setvar:tx.httpbl_msg=%{tx.0}"
        SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
          "t:none,\
          capture,\
          setvar:tx.httpbl_msg=%{tx.1}"

# The following regexs are generated based off re_operators.c
SecRule TX:block_search_ip "@eq 1" \
   "msg:'HTTP Blacklist match for search engine IP',  \
   severity:'CRITICAL', \
   id:910150,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "Search Engine" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_spammer_ip "@eq 1" \
   "msg:'HTTP Blacklist match for spammer IP',\
   severity:'CRITICAL',\
   id:910160,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? spammer .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_suspicious_ip "@eq 1" \
   "msg:'HTTP Blacklist match for suspicious IP',\
   severity:'CRITICAL',\
   id:910170,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? suspicious .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_harvester_ip "@eq 1" \
   "msg:'HTTP Blacklist match for harvester IP',\
   severity:'CRITICAL',\
   id:910180,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? harvester .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecAction \
  "id:910190,\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  setvar:ip.previous_rbl_check=1,\
  expirevar:ip.previous_rbl_check=86400"

SecMarker END_RBL_LOOKUP

SecMarker END_RBL_CHECK


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:910013,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:910014,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:910015,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:910016,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:910017,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:910018,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-910-IP-REPUTATION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:911011,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:911012,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Allowed Request Methods ]=-
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
 "msg:'Method is not allowed by policy',\
  severity:'CRITICAL',\
  id:911100,\
  phase:request,\
  block,\
  rev:'2',\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'9',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-generic',\
  tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
  tag:'WASCTC/WASC-15',\
  tag:'OWASP_TOP_10/A6',\
  tag:'OWASP_AppSensor/RE1',\
  tag:'PCI/12.1',\
  logdata:'%{matched_var}',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"




SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:911013,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:911014,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:911015,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:911016,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:911017,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:911018,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# Anti-Automation rules to detect Denial of Service attacks.
#
# Description of mechanics:
# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP
# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit
# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the
# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period
# (TX:DOS_BURST_TIME_SLICE).
# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag
# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout
# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5.
# There is a stricter sibling to this rule (912170) in paranoia level 2, where the
# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1.
#
# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK),
# then the request is dropped without sending a response. If this happens, then a
# counter is # raised (IP:DOS_BLOCK_COUNTER).
# When an IP address is blocked for the first time, then the blocking is reported in a
# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds.
# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the
# blocking is not being reported (to prevent a flood of alerts). When the flag
# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the
# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated
# as the first block (-> alert).
# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting
# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different
# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn.
#
# Variables:
# IP:DOS_BLOCK              Flag if an IP address should be blocked
# IP:DOS_BLOCK_COUNTER      Counter of blocked requests
# IP:DOS_BLOCK_FLAG         Flag keeping track of alert. Flag expires after 60 seconds.
# IP:DOS_BURST_COUNTER      Burst counter
# IP:DOS_COUNTER            Request counter (static resources are ignored)
# TX:DOS_BLOCK_COUNTER      Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons)
# TX:DOS_BLOCK_TIMEOUT      Period in seconds a blocked IP will be blocked
# TX:DOS_COUNTER_THRESHOLD  Limit of requests, where a burst is identified
# TX:DOS_BURST_TIME_SLICE   Period in seconds when we will forget a burst
# TX:STATIC_EXTENSIONS      Paths which can be ignored with regards to DoS
#
# As a precondition for these rules, please set the following three variables:
#  - TX:DOS_BLOCK_TIMEOUT
#  - TX:DOS_COUNTER_THRESHOLD
#  - TX:DOS_BURST_TIME_SLICE
#
# And make sure that TX:STATIC_EXTENSIONS is also set.
#

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

#
# Skip if variables defining DoS protection are not set
#
SecRule &TX:dos_burst_time_slice "@eq 0" \
	"id:912100,\
	phase:1,\
	t:none,\
	nolog,\
	pass,\
	chain,\
	skipAfter:END_DOS_PROTECTION_CHECKS"
	SecRule &TX:dos_counter_threshold "@eq 0" "chain"
	SecRule &TX:dos_block_timeout "@eq 0"

SecRule &TX:dos_burst_time_slice "@eq 0" \
	"id:912110,\
	phase:5,\
	t:none,\
	nolog,\
	pass,\
	chain,\
	skipAfter:END_DOS_PROTECTION_CHECKS"
	SecRule &TX:dos_counter_threshold "@eq 0" "chain"
	SecRule &TX:dos_block_timeout "@eq 0"


SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:912011,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:912012,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Anti-Automation / DoS Protection : Block ]=-
#

#
# Block and track # of requests and log
#
SecRule IP:DOS_BLOCK "@eq 1" \
	"chain,\
	phase:1,\
	id:912120,\
	drop,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)'"
	SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
		"setvar:ip.dos_block_counter=+1,\
		setvar:ip.dos_block_flag=1,\
		expirevar:ip.dos_block_flag=60,\
		setvar:tx.dos_block_counter=%{ip.dos_block_counter},\
		setvar:ip.dos_block_counter=0"


#
# Block and track # of requests but don't log
#
SecRule IP:DOS_BLOCK "@eq 1" \
	"phase:1,\
	id:912130,\
	t:none,\
	drop,\
	nolog,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	setvar:ip.dos_block_counter=+1"


#
# -=[ Anti-Automation / DoS Protection: Count requests ]=-
#

#
# Skip if we have blocked the request
#
SecRule IP:DOS_BLOCK "@eq 1" \
	"phase:5,\
	id:912140,\
	t:none,\
	nolog,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	pass,\
	skipAfter:END_DOS_PROTECTION_CHECKS"


#
# DOS Counter: Count the number of requests to non-static resources
#
SecRule REQUEST_BASENAME ".*?(\.[a-z0-9]{1,10})?$" \
	"phase:5,\
	id:912150,\
	t:none,\
	t:lowercase,\
	nolog,\
	pass,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	capture,\
   	setvar:tx.extension=/%{TX.1}/,\
	chain"
	SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
		"setvar:ip.dos_counter=+1"


#
# Check DOS Counter
# If the request count is greater than or equal to user settings,
# we raise the burst counter. This happens via two separate rules:
# - 912160: raise from 0 to 1
# - 912161: raise from 1 to 2
#
# This approach with two rules avoids raising the burst counter
# from 0 to 2 via two concurrent requests. We do not raise the
# burst counter beyond 2.
#
#
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
	"phase:5,\
	id:912160,\
	t:none,\
	nolog,\
	pass,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	chain"
	SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
		"setvar:ip.dos_burst_counter=1,\
		expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
		setvar:!ip.dos_counter"


SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
	"phase:5,\
	id:912161,\
	t:none,\
	nolog,\
	pass,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	chain"
	SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
		"setvar:ip.dos_burst_counter=2,\
		expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
		setvar:!ip.dos_counter"


#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for a given expiry and issue an alert.
#
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
	"phase:5,\
	id:912170,\
	t:none,\
	log,\
	pass,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
	setvar:ip.dos_block=1,\
	expirevar:ip.dos_block=%{tx.dos_block_timeout}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:912013,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:912014,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:5,id:912019,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

#
# Check DOS Burst Counter and set Block
# Check the burst counter - if greater than or equal to 1, then we set the IP
# block variable for a given expiry and issue an alert.
#
# This is a stricter sibling of rule 912170.
#
SecRule IP:DOS_BURST_COUNTER "@ge 1" \
	"phase:5,\
	id:912171,\
	t:none,\
	log,\
	pass,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-dos',\
	tag:'paranoia-level/2',\
	msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
	setvar:ip.dos_block=1,\
	expirevar:ip.dos_block=%{tx.dos_block_timeout}"



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:912015,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:912016,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:912017,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:912018,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-912-DOS-PROTECTION"

SecMarker END_DOS_PROTECTION_CHECKS
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:913011,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:913012,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Vulnerability Scanner Checks ]=-
#
# These rules inspect the default User-Agent and Header values sent by
# various commercial and open source vuln scanners.
#
# The following rules contain User-Agent lists:
# 913100 - security scanners (data file scanners-user-agents.data)
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
 "msg:'Found User-Agent associated with security scanner',\
  severity:'CRITICAL',\
  id:913100,\
  rev:'2',\
  phase:request,\
  block,\
  t:none,\
  t:lowercase,\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-scanner',\
  tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
  tag:'WASCTC/WASC-21',\
  tag:'OWASP_TOP_10/A7',\
  tag:'PCI/6.5.10',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"

SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
 "msg:'Found request header associated with security scanner',\
  severity:CRITICAL,\
  id:913110,\
  phase:request,\
  rev:'3',\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'9',\
  t:none,\
  t:lowercase,\
  block,\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-scanner',\
  tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
  tag:'WASCTC/WASC-21',\
  tag:'OWASP_TOP_10/A7',\
  tag:'PCI/6.5.10',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"


SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
 "msg:'Found request filename/argument associated with security scanner',\
  severity:CRITICAL,\
  id:913120,\
  phase:request,\
  rev:'3',\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'9',\
  t:none,\
  t:lowercase,\
  block,\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-scanner',\
  tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
  tag:'WASCTC/WASC-21',\
  tag:'OWASP_TOP_10/A7',\
  tag:'PCI/6.5.10',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:913013,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:913014,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#


#
# -=[ Scripting/Generic User-Agents ]=-
#
# This rule detects user-agents associated with various HTTP client libraries
# and scripting languages. Detection suggests attempted access by some
# automated tool.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
 "msg:'Found User-Agent associated with scripting/generic HTTP client',\
  severity:'CRITICAL',\
  id:913101,\
  rev:'1',\
  phase:request,\
  block,\
  t:none,\
  t:lowercase,\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'7',\
  capture,\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-scripting',\
  tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
  tag:'WASCTC/WASC-21',\
  tag:'OWASP_TOP_10/A7',\
  tag:'PCI/6.5.10',\
  tag:'paranoia-level/2',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"



#
# -=[ Crawler User-Agents ]=-
#
# This rule detects user-agents associated with various crawlers, SEO tools,
# and bots, which have been reported to potentially misbehave.
# These crawlers can have legitimate uses when used with authorization.
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
 "msg:'Found User-Agent associated with web crawler/bot',\
  severity:'CRITICAL',\
  id:913102,\
  rev:'1',\
  phase:request,\
  block,\
  t:none,\
  t:lowercase,\
  ver:'OWASP_CRS/3.0.0',\
  maturity:'9',\
  accuracy:'9',\
  capture,\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-crawler',\
  tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
  tag:'WASCTC/WASC-21',\
  tag:'OWASP_TOP_10/A7',\
  tag:'PCI/6.5.10',\
  tag:'paranoia-level/2',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:913015,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:913016,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:913017,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:913018,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-913-SCANNER-DETECTION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# Some protocol violations are common in application layer attacks.
# Validating HTTP requests eliminates a large number of application layer attacks.
#
# The purpose of this rules file is to enforce HTTP RFC requirements that state how
# the client is supposed to interact with the server.
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html



#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#


SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:920011,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:920012,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
#
# Uses rule negation against the regex for positive security.  The regex specifies the proper
# construction of URI request lines such as:
#
# 	"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
#
# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
# http://capec.mitre.org/data/definitions/272.html
#
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
  "msg:'Invalid HTTP Request Line',\
  severity:'WARNING',\
  id:920100,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'2',\
  maturity:'9',\
  accuracy:'9',\
  logdata:'%{request_line}',\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"


#
# Identify multipart/form-data name evasion attempts
#
# There are possible impedance mismatches between how
# ModSecurity interprets multipart file names and how
# a destination app server such as PHP might parse the
# Content-Disposition data:
#
#       filename-parm := "filename" "=" value
#
# -=[ Rule Logic ]=-
# These rules check for the existence of the ' " ; = meta-characters in
# either the file or file name variables.
# HTML entities may lead to false positives, why they are allowed on PL1.
# Negative look behind assertions allow frequently used entities &_;
#
# -=[ Targets, characters and html entities ]=-
#
# 920120: PL1 : FILES_NAMES, FILES
#         ['\";=] but allowed:
#         &[aAoOuUyY]uml); &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute;
#         &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; & '
#
# 920121: PL2 : FILES_NAMES, FILES
#         ['\";=] : ' " ; = meta-characters
#
# -=[ References ]=-
# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
# http://www.ietf.org/rfc/rfc2183.txt
#
SecRule FILES_NAMES|FILES "(?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" \
  "msg:'Attempted multipart/form-data bypass',\
  severity:'CRITICAL',\
  id:920120,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'7',\
  logdata:'%{matched_var}',\
  phase:request,\
  block,\
  t:none,t:urlDecodeUni,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"


#
# Verify that we've correctly processed the request body.
#
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
# -=[ Rule Logic ]=-
# Checks for the existence of the REQBODY_ERROR variable that is created
# by the request body processor if it encounters errors.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR
#
SecRule REQBODY_ERROR "!@eq 0" \
  "msg:'Failed to parse request body.',\
  severity:'CRITICAL',\
  id:920130,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  logdata:'%{REQBODY_ERROR_MSG}',\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"


#
# Strict Multipart Parsing Checks
#
# -=[ Rule Logic ]=-
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
# -=[ References ]=-
# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
  "msg:'Multipart request body failed strict validation:\
    PE %{REQBODY_PROCESSOR_ERROR},\
    BQ %{MULTIPART_BOUNDARY_QUOTED},\
    BW %{MULTIPART_BOUNDARY_WHITESPACE},\
    DB %{MULTIPART_DATA_BEFORE},\
    DA %{MULTIPART_DATA_AFTER},\
    HF %{MULTIPART_HEADER_FOLDING},\
    LF %{MULTIPART_LF_LINE},\
    SM %{MULTIPART_SEMICOLON_MISSING},\
    IQ %{MULTIPART_INVALID_QUOTING},\
    IH %{MULTIPART_INVALID_HEADER_FOLDING},\
    FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}',\
  severity:'CRITICAL',\
  id:920140,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'8',\
  accuracy:'7',\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"


#
# Accept only digits in content length
#
# -=[ Rule Logic ]=-
# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
# is NOT all digits, then it will match.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
#
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
  "msg:'Content-Length HTTP header is not numeric.',\
  severity:'CRITICAL',\
  id:920160,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:1,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"


#
# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web applications.
#
# -=[ Rule Logic ]=-
# This is a chained rule that first checks the Request Method.  If it is a
# GET or HEAD method, then it checks for the existence of a Content-Length
# header.  If the header exists and its payload is either not a 0 digit or not
# empty, then it will match.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
#
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
  "msg:'GET or HEAD Request with Body Content.',\
  severity:'CRITICAL',\
  id:920170,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:request,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
	SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
	  "t:none,\
	  setvar:'tx.msg=%{rule.msg}',\
	  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"


#
# Require Content-Length to be provided with every POST request.
#
# -=[ Rule Logic ]=-
# This chained rule checks if the request method is POST, if so, it checks that a Content-Length
# header is also present.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
#
SecRule REQUEST_METHOD "^POST$" \
  "msg:'POST request missing Content-Length Header.',\
  severity:'WARNING',\
  id:920180,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'9',\
  phase:request,\
  block,\
  logdata:'%{matched_var}',\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
  tag:'CAPEC-272',\
  chain"
        SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
          "t:none,\
          setvar:'tx.msg=%{rule.msg}',\
          setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
          setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"


#
# Range Header Checks
#
# 1. Range Header exists and begins with 0 - normal browsers don't do this.
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Range request header to see if it starts with 0.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
# 2. Per RFC 2616 -
#    "If the last-byte-pos value is present, it MUST be greater than or equal to the first-byte-pos in that byte-range-spec,
#    or the byte- range-spec is syntactically invalid."
# -=[ Rule Logic ]=-
# This rule compares the first and second byte ranges and flags when the first value is greater than the second.
#
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
# http://seclists.org/fulldisclosure/2011/Aug/175
#
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," \
  "capture,\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Range: Invalid Last Byte Value.',\
   logdata:'%{matched_var}',\
   severity:'WARNING',\
   id:920190,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
   chain"
        SecRule TX:2 "!@ge %{tx.1}" \
		"setvar:'tx.msg=%{rule.msg}',\
		setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
		setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"


#
# Broken/Malicous clients often have duplicate or conflicting headers
# Automated programs and bots often do not obey the HTTP RFC
#
# -=[ Rule Logic ]=-
# This rule inspects the Connection header and looks for duplicates of the
# keep-alive and close options.
#
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Multiple/Conflicting Connection Header Data Found.',\
   logdata:'%{matched_var}',\
   id:920210,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
   severity:'WARNING',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

#
# Check URL encodings
#
# -=[ Rule Logic ]=-
# There are two different chained rules.  We need to separate them as we are inspecting two
# different variables - REQUEST_URI and REQUEST_BODY.  For REQUEST_BODY, we only want to
# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
#
# -=[ References ]=-
# http://www.ietf.org/rfc/rfc1738.txt
#
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'URL Encoding Abuse Attack Attempt',\
   id:920220,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   severity:'WARNING',\
   chain"
     SecRule REQUEST_URI "@validateUrlEncoding" \
       "setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'URL Encoding Abuse Attack Attempt',\
   id:920240,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   severity:'WARNING',\
   chain"
     SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
       SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
         "setvar:'tx.msg=%{rule.msg}',\
          setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
          setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Check UTF enconding
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# -=[ Rule Logic ]=-
# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
# variable in the crs-setup.conf file.
#
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'UTF8 Encoding Abuse Attack Attempt',\
   id:920250,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   severity:'WARNING',\
   chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
       "setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Disallow use of full-width unicode as decoding evasions my be possible.
#
# -=[ Rule Logic ]=-
# This rule looks for full-width encoding by looking for %u followed by 2 'f'
# characters and then 2 hex characters. It is a vulnerability that affected
# IIS circa 2007.
# The rule will trigger on %uXXXX formatted chars that are full or half
# width, as explained above. This %uXXXX format is passed as a raw parameter
# and is (seemingly only) accepted by IIS (5.0, 6.0, 7.0, and 8.0). Other
# webservers will only process unicode chars presented as hex UTF-8 bytes.
#
# -=[ References ]=-
# http://www.kb.cert.org/vuls/id/739224
# https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719
#
SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
  "msg:'Unicode Full/Half Width Abuse Attack Attempt',\
   id:920260,\
   severity:'WARNING',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   phase:request,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-iis',\
   tag:'platform-windows',\
   tag:'attack-protocol',\
   block,\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Restrict type of characters sent
#
# This is a rule with multiple stricter siblings that grows more
# restrictive in higher paranoia levels.
#
# -=[ Rule Logic ]=-
# This rule uses the @validateByteRange operator to restrict the request
# payloads.
#
# -=[ Targets and ASCII Ranges ]=-
#
# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# 	  ASCII 1-255 : Full ASCII range without null character
#
# 920271: PL2 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
#         ASCII 9,10,13,32-126,128-255 : Full visible ASCII range, tab, newline
#
# 920272: PL3 : REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES and REQUEST_BODY
#         ASCII 32-36,38-126 : Visible lower ASCII range without percent symbol
#
# 920273: PL4 : ARGS, ARGS_NAMES and REQUEST_BODY
#         ASCII 38,44-46,48-58,61,65-90,95,97-122
#               A-Z a-z 0-9 = - _ . , : &
#
# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer and Cookie
#         ASCII 32,34,38,42-59,61,65-90,95,97-122
#               A-Z a-z 0-9 = - _ . , : & " * + / SPACE
#
# REQUEST_URI and REQUEST_HEADERS User-Agent, Referer and Cookie are very hard
# to restrict beyond the limits in 920272.
#
# 920274 generally has few positives. However, it would detect rare attacks
# on Accept request headers and friends.

SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   block,\
   msg:'Invalid character in request (null character)',\
   id:920270,\
   severity:'CRITICAL',\
   t:none,t:urlDecodeUni,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Do not accept requests without common headers.
# All normal web browsers include Host, User-Agent and Accept headers.
# Implies either an attacker or a legitimate automation client.
#

#
# Missing/Empty Host Header
#
# -=[ Rule Logic ]=-
# These rules will first check to see if a Host header is present.
# The second check is to see if a Host header exists but is empty.
#
SecRule &REQUEST_HEADERS:Host "@eq 0" \
  "msg:'Request Missing a Host Header',\
   severity:'WARNING',\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   t:none,\
   pass,\
   id:920280,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/6.5.10',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var},\
   skipAfter:END_HOST_CHECK"


SecRule REQUEST_HEADERS:Host "^$" \
  "msg:'Empty Host Header',\
   severity:'WARNING',\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   t:none,\
   pass,\
   id:920290,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_HOST_CHECK


#
# Empty Accept Header
#
# -=[ Rule Logic ]=-
# This rule checks if an Accept header exists, but has an empty value.
# This is only allowed in combination with the OPTIONS method.
# Additionally, there are some clients sending empty Accept headers.
# They are covered in another chained rule checking the User-Agent.
# This technique demands a separate rule to detect an empty
# Accept header if there is no user agent. This is checked via
# the separate rule 920311.
#
# Exclude some common broken clients sending empty Accept header:
# "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0" (CRS issue #515)
# "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0" (CRS issue #366)
#
# -=[ References ]=-
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366
#

SecRule REQUEST_HEADERS:Accept "^$" \
  "msg:'Request Has an Empty Accept Header',\
   chain,\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'8',\
   t:none,\
   pass,\
   severity:'NOTICE',\
   id:920310,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
     SecRule REQUEST_METHOD "!^OPTIONS$" \
       "chain"
          SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
            "t:none,\
            setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
            setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

#
# This rule is a sibling of rule 920310.
#
SecRule REQUEST_HEADERS:Accept "^$" \
  "msg:'Request Has an Empty Accept Header',\
   chain,\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'8',\
   t:none,\
   pass,\
   severity:'NOTICE',\
   id:920311,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
     SecRule REQUEST_METHOD "!^OPTIONS$" \
       "chain"
          SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
            "t:none,\
            setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
            setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"


#
# Empty User-Agent Header
#
# -=[ Rule Logic ]=-
# This rules will check to see if the User-Agent header is empty.
#
# Note that there is a second rule, 920320, which will check for
# the existence of the User-Agent header.
#

SecRule REQUEST_HEADERS:User-Agent "^$" \
  "msg:'Empty User Agent Header',\
   severity:'NOTICE',\
   phase:request,\
   t:none,\
   pass,\
   id:920330,\
   rev:'1',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EMPTY_HEADER_UA',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

#
# Missing Content-Type Header with Request Body
#
# -=[ Rule Logic]=-
# This rule will first check to see if the value of the Content-Length header is
# non-equal to 0. The chained rule is then checking the existence of the
# Content-Type header. The RFCs do not state there must be a
# Content-Type header. However, a request missing a Content-Header is a
# strong indication of a non-compliant browser.
#
# -=[ References ]=-
# http://httpwg.org/specs/rfc7231.html#header.content-type

SecRule REQUEST_HEADERS:Content-Length "!^0$" \
  "msg:'Request Containing Content, but Missing Content-Type header',\
   chain,\
   phase:request,\
   rev:'3',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   t:none,\
   block,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   id:920340,\
   severity:'NOTICE'"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
       "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

# Check that the host header is not an IP address
# This is not an HTTP RFC violation but it is indicative of automated client access.
# Many web-based worms propagate by scanning IP address blocks.
#
# -=[ Rule Logic ]=-
# This rule triggers if the Host header contains all digits (and possible port)
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#

SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
  "msg:'Host header is a numeric IP address',\
   phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   t:none,\
   block,\
   logdata:'%{matched_var}',\
   severity:'WARNING',\
   id:920350,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/6.5.10',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"


# In most cases, you should expect a certain volume of each a request on your
# website. For example, a request with 400 arguments, can be suspicious.
# This file creates limitations on the request.
#
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
#      Note that most of the rules are commented out by default.
#      Uncomment the rules you need
#


#
# Maximum number of arguments in request limited
#
SecRule &TX:MAX_NUM_ARGS "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Too many arguments in request',\
   id:920380,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
       "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

## -- Arguments limits --
#
# Limit argument name length
#
SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Argument name too long',\
   id:920360,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
       "t:none,\
        t:length,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

#
# Limit argument value length
#
SecRule &TX:ARG_LENGTH "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Argument value too long',\
   id:920370,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule ARGS "@gt %{tx.arg_length}" \
       "t:none,\
        t:length,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

#
# Limit arguments total length
#
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Total arguments size exceeded',\
   id:920390,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
       "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"


#
# -- File upload limits --
#
# Individual file size is limited
SecRule &TX:MAX_FILE_SIZE "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Uploaded file size too large',\
   id:920400,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
       "chain"
         SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
           "t:none,\
            setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
            setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

#
# Combined file size is limited
#
SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
  "chain,\
   phase:request,\
   t:none,\
   block,\
   msg:'Total uploaded files size too large',\
   id:920410,\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
       "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"



#
# Restrict which content-types we accept.
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
  "phase:request,\
   chain,\
   t:none,\
   block,\
   msg:'Request content type is not allowed by policy',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   id:920420,\
   severity:'CRITICAL',\
   logdata:'%{matched_var}',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',\
   tag:'WASCTC/WASC-20',\
   tag:'OWASP_TOP_10/A1',\
   tag:'OWASP_AppSensor/EE2',\
   tag:'PCI/12.1'"
     SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" \
       "chain,\
        capture"
          SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
            "t:none,\
             ctl:forceRequestBodyVariable=On,\
             setvar:'tx.msg=%{rule.msg}',\
             setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
             setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

#
# Restrict protocol versions.
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
  "phase:request,\
   t:none,\
   block,\
   msg:'HTTP protocol version is not allowed by policy',\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   id:920430,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A6',\
   tag:'PCI/6.5.10',\
   logdata:'%{matched_var}',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

#
# Restrict file extension
#
SecRule REQUEST_BASENAME "\.(.*)$" \
  "chain,\
   capture,\
   phase:request,\
   t:none,t:urlDecodeUni,t:lowercase,\
   block,\
   msg:'URL file extension is restricted by policy',\
   severity:'CRITICAL',\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   id:920440,\
   logdata:'%{TX.0}',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',\
   tag:'WASCTC/WASC-15',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/6.5.10',logdata:'%{TX.0}',\
   setvar:tx.extension=.%{tx.1}/"
     SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
       "t:none,\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"

#
# Restricted HTTP headers
#
# -=[ Rule Logic ]=-
# The use of certain headers is restricted. They are listed in the variable
# TX.restricted_headers.
#
# The headers are transformed into lowercase before the match.  In order to
# make sure that only complete header names are matching, the names in
# TX.restricted_headers are wrapped in slashes. This guarantees that the
# header Range (-> /range/) is not matching the restricted header
# /content-range/ for example.
#
# This is a chained rule, where the first rule fills a set of variables of the
# form TX.header_name_<HEADER_NAME>. The second rule is then executed for all
# variables of the form TX.header_name_<HEADER_NAME>.
#
# As a consequence of the construction of the rule, the alert message and the
# alert data will not display the original header name Content-Range, but
# /content-range/ instead.
#
#
# -=[ References ]=-
# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
#
SecRule REQUEST_HEADERS_NAMES "@rx ^(.*)$" \
  "msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
   severity:'CRITICAL',\
   phase:request,\
   t:none,\
   block,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   id:920450,\
   capture,\
   logdata:' Restricted header detected: %{matched_var}',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/12.1',\
   tag:'WASCTC/WASC-15',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/12.1',\
   t:lowercase,\
   setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
   chain"
     SecRule TX:/^HEADER_NAME_/ "@within %{tx.restricted_headers}" \
   	"setvar:'tx.msg=%{rule.msg}',\
   	 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   	 setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}'"


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:920013,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:920014,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

#
# -=[ Rule Logic ]=-
#
# Check the number of range fields in the Range request header.
#
# An excessive number of Range request headers can be used to DoS a server.
# The original CVE proposed an arbitrary upper limit of 5 range fields.
#
# Several clients are known to request PDF fields with up to 34 range
# fields. Therefore the standard rule does not cover PDF files. This is
# performed in two separate (stricter) siblings of this rule.
#
# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs
# 920201: PL2: Limit of 34 range header fields for PDFs
# 920202: PL4: Limit of 5 range header fields for PDFs
#
# -=[ References ]=-
# https://httpd.apache.org/security/CVE-2011-3192.txt

SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
  "phase:request,\
   capture,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Range: Too many fields (6 or more)',\
   logdata:'%{matched_var}',\
   severity:'WARNING',\
   id:920200,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
   tag:'paranoia-level/2',\
   chain"
   SecRule REQUEST_BASENAME "!@endsWith .pdf" \
   	"setvar:'tx.msg=%{rule.msg}',\
	 setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
	 setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

#
# This is a sibling of rule 920200
#

SecRule REQUEST_BASENAME "@endsWith .pdf" \
  "phase:request,\
   capture,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Range: Too many fields for pdf request (35 or more)',\
   logdata:'%{matched_var}',\
   severity:'WARNING',\
   id:920201,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
   tag:'paranoia-level/2',\
   chain"
   SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){35}" \
   	   "setvar:'tx.msg=%{rule.msg}',\
	   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
	   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"


SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Multiple URL Encoding Detected',\
   id:920230,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   tag:'paranoia-level/2',\
   severity:'WARNING',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Missing Accept Header
#
# -=[ Rule Logic ]=-
# This rule generates a notice if the Accept header is missing.
#
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
  "msg:'Request Missing an Accept Header',\
   chain,\
   phase:request,\
   rev:'3',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'8',\
   t:none,\
   pass,\
   severity:'NOTICE',\
   id:920300,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/6.5.10',\
   tag:'paranoia-level/2'"
     SecRule REQUEST_METHOD "!^OPTIONS$" \
       "chain"
	  SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
	    "t:none,\
            setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
            setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

#
# PL2: This is a stricter sibling of 920270.
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   block,\
   msg:'Invalid character in request (non printable characters)',\
   id:920271,\
   severity:'CRITICAL',\
   t:none,t:urlDecodeUni,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   tag:'paranoia-level/2',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


#
# Missing User-Agent Header
#
# -=[ Rule Logic ]=-
# This rules will check to see if there is a User-Agent header or not.
#

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
  "msg:'Missing User Agent Header',\
   severity:'NOTICE',\
   phase:request,\
   rev:'1',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   t:none,\
   pass,\
   id:920320,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',\
   tag:'WASCTC/WASC-21',\
   tag:'OWASP_TOP_10/A7',\
   tag:'PCI/6.5.10',\
   tag:'paranoia-level/2',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"


#
# PL2: This is a stricter sibling of 920120.
#
SecRule FILES_NAMES|FILES "['\";=]" \
  "msg:'Attempted multipart/form-data bypass',\
  severity:'CRITICAL',\
  id:920121,\
  ver:'OWASP_CRS/3.0.0',\
  rev:'1',\
  maturity:'9',\
  accuracy:'7',\
  logdata:'%{matched_var}',\
  phase:request,\
  block,\
  t:none,t:urlDecodeUni,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-protocol',\
  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
  tag:'CAPEC-272',\
  tag:'paranoia-level/2',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"


SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:920015,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:920016,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#

#
# PL 3: This is a stricter sibling of 920270. Ascii range: Printable characters in the low range
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   block,\
   msg:'Invalid character in request (outside of printable chars below ascii 127)',\
   id:920272,\
   severity:'CRITICAL',\
   t:none,t:urlDecodeUni,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   tag:'paranoia-level/3',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:920017,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:920018,nolog,pass,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#

#
# This is a stricter sibling of rule 920200
#

SecRule REQUEST_BASENAME "@endsWith .pdf" \
  "phase:request,\
   capture,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'6',\
   accuracy:'8',\
   t:none,\
   block,\
   msg:'Range: Too many fields for pdf request (6 or more)',\
   logdata:'%{matched_var}',\
   severity:'WARNING',\
   id:920202,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
   tag:'paranoia-level/4',\
   chain"
   SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
   	   "setvar:'tx.msg=%{rule.msg}',\
	   setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
	   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"


#
# This is a stricter sibling of 920270.
#
SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   block,\
   msg:'Invalid character in request (outside of very strict set)',\
   id:920273,\
   severity:'CRITICAL',\
   t:none,t:urlDecodeUni,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   tag:'paranoia-level/4',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

#
# This is a stricter sibling of 920270.
#
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
  "phase:request,\
   rev:'2',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'9',\
   accuracy:'9',\
   block,\
   msg:'Invalid character in request headers (outside of very strict set)',\
   id:920274,\
   severity:'CRITICAL',\
   t:none,t:urlDecodeUni,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
   tag:'paranoia-level/4',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"


# -=[ Abnormal Character Escapes ]=-
#
# [ Rule Logic ]
# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
# Here, \s and \d were only used to obfuscate the string passwd and a lot of
# parsers will silently ignore the non-necessary escapes. The case with \t is
# a bit different though, as \t is a natural escape for the TAB character,
# so we will avoid this (and \n, \r, etc.).
#
# This rule aims to detect non-necessary, abnormal esacpes. You could say it is
# a nice # way to forbid the backslash character where it is not needed.
#
# This is a new rule at paranoia level 4. We expect quite a few false positives
# for this rule and we will later evaluate if the rule makes any sense at all.
# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs
# to be useful and false positives remain at a reasonable level, then it might
# be shifted to PL3 in a future release, where it would be the only rule
# covering the backslash escape.
#
# The rule construct is overly complex due to the fact that matching the
# backslash character with \b did not work. \Q\\\E does match the backslash
# character though. This is thus the base of the rule. We forbid the backslash
# when followed by a list of basic ascii characters - unless the backslash
# is preceded by another backslash character, which is being checked via a
# negative look-behind construct. If that is the case, the backslash character
# is allowed.
#
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "(?<!\Q\\\E)\Q\\\E[cdeghijklmpqwxyz123456789]" \
  "phase:request,\
   id:920460,\
   rev:'1',\
   accuracy:'1',\
   maturity:'1',\
   ver:'OWASP_CRS/3.0.0',\
   block,\
   log,\
   severity:'CRITICAL',\
   capture,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-protocol',\
   tag:'paranoia-level/4',\
   t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
   ctl:auditLogParts=+E,\
   logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/ABNORMAL-ESCAPE-%{matched_var_name}=%{matched_var}"


#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:921011,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
# request headers.  This character would indicate that there were more than one request header
# with this same name.  In these instances, Apache treats the data in a similar manner as
# multiple cookie values.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
	"msg:'HTTP Request Smuggling Attack.',\
	phase:request,\
	id:921100,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	severity:'CRITICAL',\
	t:none,\
	capture,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\
	tag:'WASCTC/WASC-26',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"

#
# -=[ HTTP Request Smuggling ]=-
#
# [ Rule Logic ]
# This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name.
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
	"msg:'HTTP Request Smuggling Attack',\
	phase:request,\
	id:921110,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'5',\
	accuracy:'5',\
	severity:'CRITICAL',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}"

#
# -=[ HTTP Response Splitting ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \
	"msg:'HTTP Response Splitting Attack',\
	phase:request,\
	id:921120,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	severity:'CRITICAL',\
	t:none,t:urlDecodeUni,t:lowercase,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
	"msg:'HTTP Response Splitting Attack',\
	phase:request,\
	id:921130,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	severity:'CRITICAL',\
	capture,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"

#
# -=[ HTTP Header Injection ]=-
#
# [ Rule Logic ]
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
# on their own or in combination with header field names.
# These characters may cause problems if the data is returned in a respones header
# and interpreted by the client.
# The rules are similar to rules defending against the HTTP Request Splitting and
# Request Smuggling rules.
#
# [ References ]
# https://en.wikipedia.org/wiki/HTTP_header_injection
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "(\n|\r)" \
	"msg:'HTTP Header Injection Attack via headers',\
	phase:request,\
	id:921140,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'5',\
	accuracy:'5',\
	severity:'CRITICAL',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	t:none,t:htmlEntityDecode,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"


# Detect newlines in argument names.
# Checking for GET arguments has been moved to paranoia level 2 (921151)
# in order to mitigate possible false positives.
#
SecRule ARGS_NAMES "(\n|\r)" \
	"msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
	phase:request,\
	id:921150,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'5',\
	accuracy:'5',\
	severity:'CRITICAL',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"


SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
	"msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
	phase:request,\
	id:921160,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'5',\
	accuracy:'5',\
	severity:'CRITICAL',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:921013,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#


# Detect newlines in GET argument values.
# These may point to a HTTP header injection attack, but can also sometimes
# occur in benign query parameters.
#
# See also: rule 921140, 921150
#
SecRule ARGS_GET "(\n|\r)" \
	"msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
	phase:request,\
	id:921151,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'5',\
	accuracy:'5',\
	severity:'CRITICAL',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-protocol',\
	tag:'paranoia-level/2',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"


SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:921015,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:921016,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#
#

# -=[ HTTP Parameter Polution ]=-
#
# [ Rule Logic ]
# These rules look for multiple parameters with the same name.
# 921170 counts the occurrences of the individual parameters.
# 921180 checks if any counter is > 1.
#
# One HPP attack vector is to try evade signature filters by distributing the
# attack payload across multiple parameters with the same name.
# This works as many security devices only apply signatures to individual
# parameter payloads, however the back-end web application may (in the case
# of ASP.NET) consolidate all of the payloads into one thus making the
# attack payload active.
#
# [ References ]
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
# https://capec.mitre.org/data/definitions/460.html
#
SecRule ARGS_NAMES "." \
        "phase:request,\
        id:921170,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        pass,\
        nolog,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/3',\
        tag:'CAPEC-460',\
        setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

SecRule TX:/paramcounter_.*/ "@gt 1" \
        "msg:'HTTP Parameter Pollution (%{TX.1})',\
        chain,\
        phase:request,\
        id:921180,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'7',\
        accuracy:'8',\
        severity:'CRITICAL',\
        pass,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/3',\
        tag:'CAPEC-460',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
                SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" \
                     "capture,\
                     setvar:tx.msg=%{rule.msg},\
                     setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},\
                     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
                     setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:921017,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:921018,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
	"phase:request,\
	msg:'Path Traversal Attack (/../)',\
	id:930100,\
	ver:'OWASP_CRS/3.0.0',\
	rev:'3',\
	maturity:'9',\
	accuracy:'7',\
	t:none,\
	block,\
	severity:CRITICAL,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-lfi',\
	tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

#
# [ Decoded /../ Payloads ]
#
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
	"phase:request,\
        msg:'Path Traversal Attack (/../)',\
        id:930110,\
        ver:'OWASP_CRS/3.0.0',\
        rev:'1',\
        maturity:'9',\
	accuracy:'7',\
	multiMatch,\
        t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
        block,\
        severity:CRITICAL,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        capture,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-lfi',\
        tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

#
# -=[ OS File Access ]=-
#
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
	"phase:request,\
	msg:'OS File Access Attempt',\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	capture,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
	block,\
	id:930120,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-lfi',\
	tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
	tag:'WASCTC/WASC-33',\
	tag:'OWASP_TOP_10/A4',\
	tag:'PCI/6.5.4',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"

#
# -=[ Restricted File Access ]=-
#
# Detects attempts to retrieve application source code, metadata,
# credentials and version control history possibly reachable in a web root.
#
SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
	"phase:request,\
	msg:'Restricted File Access Attempt',\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'7',\
	accuracy:'8',\
	capture,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
	block,\
	id:930130,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-lfi',\
	tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
	tag:'WASCTC/WASC-33',\
	tag:'OWASP_TOP_10/A4',\
	tag:'PCI/6.5.4',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# RFI Attacks
#

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:931011,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:931012,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
#	- URL Contains an IP Address
#	- The PHP "include()" Function
#	- RFI Data Ends with Question Mark(s) (?)
#	- RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "^(?i)(?:file|ftps?|https?):\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
	"msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
	severity:CRITICAL,\
	phase:request,\
	id:931100, \
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-rfi',\
	tag:'OWASP_CRS/WEB_ATTACK/RFI',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"

SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(file|ftps?|https?):\/\/)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,t:urlDecodeUni,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:931110,\
	severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-rfi',\
	tag:'OWASP_CRS/WEB_ATTACK/RFI',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"

SecRule ARGS "^(?i)(?:file|ftps?|https?)(.*?)\?+$" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:931120,\
	severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-rfi',\
	tag:'OWASP_CRS/WEB_ATTACK/RFI',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:931013,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:931014,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

SecRule ARGS "^(?i)(?:file|ftps?|https?)://(.*)$" \
	"chain,\
	phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:931130,\
	severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-rfi',\
	tag:'OWASP_CRS/WEB_ATTACK/RFI',\
	tag:'paranoia-level/2'"
        	SecRule TX:1 "!@beginsWith %{request_headers.host}" \
			"setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
			setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
			setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:931015,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:931016,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:931017,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:931018,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:932011,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:932012,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#


# [ Unix command injection ]
#
# This rule detects Unix command injections.
# A command injection takes a form such as:
#
#   foo.jpg;uname -a
#   foo.jpg||uname -a
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in shell syntax, such as: ; | & $( ` <( >(
#
# This rule is case-sensitive to prevent FP ("Cat" vs. "cat").
#
# An effort was made to combat evasions by shell quoting (e.g. 'ls',
# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
# transformation built-in to deal with this, but unfortunately, it
# replaces ';' characters and lowercases the payload, which is less
# useful for this case. However, emulating the transformation makes
# the regexp more complex.
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
# [regexp assembled from util/regexp-assemble/regexp-932100.txt]
# \b" \
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*t)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \
	"msg:'Remote Command Execution: Unix Command Injection',\
	phase:request,\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	capture,\
	t:none,\
	ctl:auditLogParts=+E,\
	block,\
	id:932100,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"

# Apache 2.2 requires configuration file lines to be under 8kB.
# Therefore, some remaining commands have been split off to a separate rule.
# For explanation of this rule, see rule 932100.
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
# [regexp assembled from util/regexp-assemble/regexp-932105.txt]
# \b" \
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \
	"msg:'Remote Command Execution: Unix Command Injection',\
	phase:request,\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	capture,\
	t:none,\
	ctl:auditLogParts=+E,\
	block,\
	id:932105,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Windows command injection ]
#
# This rule detects Windows shell command injections.
# If you are not running Windows, it is safe to disable this rule.
#
# A command injection takes a form such as:
#
#   foo.jpg&ver /r
#   foo.jpg|ver /r
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in CMD syntax, such as: ; | & `
#
# An effort is made to combat evasions by CMD syntax; for example,
# the following strings are valid: c^md, @cmd, "c"md. ModSecurity
# has a t:cmdLine transformation built-in to deal with some of these,
# but unfortunately, that transformation replaces ';' characters (so
# we cannot match on the start of a command) and '\' characters (so we
# have trouble matching paths). This makes the regexp more complex.
#
# This rule is case-insensitive.
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*
# [regexp assembled from util/regexp-assemble/regexp-932110.txt]
# (?:\.[\"\^]*\w+)?\b" \
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c[\"\^]*o[\"\^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*(?:p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|i[\"\^]*t)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \
	"msg:'Remote Command Execution: Windows Command Injection',\
	phase:request,\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,\
	ctl:auditLogParts=+E,\
	block,\
	id:932110,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-windows',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"

# Apache 2.2 requires configuration file lines to be under 8kB.
# Therefore, some remaining commands have been split off to a separate rule.
# For explanation of this rule, see rule 932110.
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*
# [regexp assembled from util/regexp-assemble/regexp-932110.txt]
# (?:\.[\"\^]*\w+)?\b" \
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \
	"msg:'Remote Command Execution: Windows Command Injection',\
	phase:request,\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,\
	ctl:auditLogParts=+E,\
	block,\
	id:932115,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-windows',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Windows PowerShell, cmdlets and options ]
#
# Detect some common PowerShell commands, cmdlets and options.
# These commands should be relatively uncommon in normal text, but
# potentially useful for code injection.
#
# If you are not running Windows, it is safe to disable this rule.
#
# https://technet.microsoft.com/en-us/magazine/ff714569.aspx
# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.data" \
	"msg:'Remote Command Execution: Windows PowerShell Command Found',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'7',\
	capture,\
	t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	id:932120,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'language-powershell',\
	tag:'platform-windows',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Unix shell expressions ]
#
# Detects the following patterns which are common in Unix shell scripts
# and oneliners:
#
# $(foo)    Command substitution
# ${foo}    Parameter expansion
# <(foo)    Process substitution
# >(foo)    Process substitution
# $((foo))  Arithmetic expansion
#
# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
	"msg:'Remote Command Execution: Unix Shell Expression Found',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'7',\
	capture,\
	t:none,t:urlDecodeUni,t:cmdLine,\
	ctl:auditLogParts=+E,\
	block,\
	id:932130,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Windows FOR, IF commands ]
#
# This rule detects Windows command shell FOR and IF commands.
# If you are not running Windows, it is safe to disable this rule.
#
# Examples:
#
#   FOR              %a IN (set) DO
#   FOR /D           %a IN (dirs) DO
#   FOR /F "options" %a IN (text|"text") DO
#   FOR /L           %a IN (start,step,end) DO
#   FOR /R C:\dir    %A IN (set) DO
#
#   IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
#   IF [/I] [NOT] item1   [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
#   IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
#
# http://ss64.com/nt/if.html
# http://ss64.com/nt/for.html
#
# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
	"msg:'Remote Command Execution: Windows FOR/IF Command Found',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'7',\
	capture,\
	t:none,t:urlDecodeUni,t:cmdLine,\
	ctl:auditLogParts=+E,\
	block,\
	id:932140,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-windows',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Unix direct remote command execution ]
#
# Detects Unix commands at the start of a parameter (direct RCE).
# Example: foo=wget%20www.example.com
#
# This case is different from command injection (rule 932100), where a
# command string is appended (injected) to a regular parameter, and then
# passed to a shell unescaped.
#
# Due to a higher risk of false positives, the following changes have been
# made relative to rule 932100:
# 1) the set of commands is smaller
# 2) we require a trailing space (denoting command parameters) or command
#    separator character after the command
#
# To rebuild the word list regexp:
#   cd util/regexp-assemble
#   cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl
#
# Then insert the assembled regexp into this template:
#
# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*
# [regexp assembled from util/regexp-assemble/regexp-932150.txt]
# [\\\\'\"]*(?:\s|;|\||&|<|>)" \
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \
	"msg:'Remote Command Execution: Direct Unix Command Execution',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'7',\
	capture,\
	t:none,\
	ctl:auditLogParts=+E,\
	block,\
	id:932150,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Unix shell snippets ]
#
# Detect some common sequences found in shell commands and scripts.
#
# Some commands which were restricted in earlier rules due to FP,
# have been added here with their full path, in order to catch some
# cases where the full path is sent.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf unix-shell.data" \
	"msg:'Remote Command Execution: Unix Shell Code Found',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	id:932160,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"


# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
#
# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability.
#
# Based on ModSecurity rules created by Red Hat.
# Permission for use was granted by Martin Prpic <secalert@redhat.com>
#
# https://access.redhat.com/articles/1212303
#
SecRule REQUEST_HEADERS|REQUEST_LINE "^\(\s*\)\s+{" \
	"msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'9',\
	capture,\
	t:none,t:urlDecode,\
	ctl:auditLogParts=+E,\
	block,\
	id:932170,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"

SecRule ARGS_NAMES|ARGS|FILES_NAMES "^\(\s*\)\s+{" \
	"msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
	phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'9',\
	capture,\
	t:none,t:urlDecode,t:urlDecodeUni,\
	ctl:auditLogParts=+E,\
	block,\
	id:932171,\
	tag:'application-multi',\
	tag:'language-shell',\
	tag:'platform-unix',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:932013,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:932014,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:932015,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:932016,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:932017,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:932018,nolog,pass,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:933011,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:933012,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ PHP Injection Attacks ]=-
#
# [ References ]
# http://rips-scanner.sourceforge.net/
# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
#

#
# [ PHP Open Tag Found ]
#
# Detects PHP open tags "<?" and "<?php".
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
#
# Care is taken to avoid false positives in XML declarations "<?xml..."
#
# Also detects "[php]", "[/php]" and "[\php]" tags used by some applications
# to indicate PHP dynamic content.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
	"msg:'PHP Injection Attack: PHP Open Tag Found',\
	phase:request,\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,t:urlDecodeUni,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:933100,\
	severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
	tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
	tag:'OWASP_TOP_10/A1',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
		


#
# [ PHP Script Uploads ]
#
# Block file uploads with PHP extensions (.php, .php5, .phtml etc).
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://www.owasp.org/index.php/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a .php file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# .php file and have the code within it executed on the server.
#
# Also block files with just dot (.) characters after the extension:
# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
        "msg:'PHP Injection Attack: PHP Script File Upload Found',\
        phase:request,\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'8',\
        t:none,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        id:933110,\
        severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Configuration Directives ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
        "msg:'PHP Injection Attack: Configuration Directive Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        id:933120,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        chain"
                SecRule MATCHED_VARS "@pm =" \
                        "capture,\
			setvar:'tx.msg=%{rule.msg}',\
                        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
                        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
                        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Variables ]
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
        "msg:'PHP Injection Attack: Variables Found',\
        phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'8',\
        capture,\
        t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        id:933130,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP I/O Streams ]
#
# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
#
# Examples:
# php://filter/resource=./../../../wp-config.php
# php://filter/resource=http://www.example.com
# php://stdin
# php://input
#
# http://php.net/manual/en/wrappers.php.php
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
        "@rx (?i)php://(std(in|out|err)|(in|out)put|fd|memory|temp|filter)" \
        "msg:'PHP Injection Attack: I/O Stream Found',\
        phase:request,\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'9',\
        t:none,\
        ctl:auditLogParts=+E,\
        block,\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        id:933140,\
        severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Functions ]
#
# Detecting PHP function names is useful to block PHP code injection attacks.
# There are many PHP functions. We have to strike a balance between robust detection
# of PHP code in content, and the risk of false positives.
#
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
# Four separate rules are used to detect these groups of functions:
#
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
#                natural language or other contexts.
#                Examples: 'base64_decode', 'file_get_contents'.
#                These words are detected as a match directly using @pmf.
#                Function names are defined in php-function-names-933150.data
#
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
#                false positives in natural language or other contexts.
#                Examples: 'chr', 'eval'.
#                To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
#                Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
#
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
#                Examples: 'addslashes', 'array_diff'.
#                For performance reasons, the @pmf operator is used, and many functions from lesser
#                used PHP extensions are removed.
#                To mitigate false positives, we only match when the '(' character is also found.
#                This rule only runs in paranoia level 2 or higher.
#                Function names are defined in php-function-names-933151.data
#
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
#                Examples: 'abs', 'cos'.
#                To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
#                This rule only runs in paranoia level 3 or higher.
#                Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
#


#
# [ PHP Functions: High-Risk PHP Function Names ]
#
# Rule 933150 contains a small list of function names which are highly indicative of a PHP
# injection attack, for example 'base64_decode'.
# We block these function names outright, without using a complex regexp or chain.
# This could make the detection a bit more robust against possible bypasses.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \
        "msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'9',\
        capture,\
        t:none,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        id:933150,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Functions: High-Risk PHP Function Calls ]
#
# Some PHP function names have a certain risk of false positives, due to short
# names, full or partial overlap with common natural language terms, uses in
# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
#
# For these function names, we apply a regexp to look for PHP function syntax.
# The regexp looks for a word boundary and adjoining parentheses.
# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
#
# We have to be careful of possible bypasses using comment syntax. Examples:
#
#   system(...)
#   system (...)
#   system\t(...)
#   system /*comment*/ (...)
#   system /*multiline \n comment*/ (...)
#   system //comment \n (...)
#   system #comment \n (...)
#
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
        "msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'8',\
        capture,\
        t:none,\
        ctl:auditLogParts=+E,\
        block,\
        id:933160,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Object Injection ]
#
# PHP Object Injection is an application level vulnerability that could allow
# an attacker to perform different kinds of malicious attacks, such as
# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
# depending on the context.
#
# The vulnerability occurs when user-supplied input is not properly sanitized
# before being passed to the unserialize() PHP function. Since PHP allows object
# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
# application scope.
#
# https://www.owasp.org/index.php/PHP_Object_Injection
#
# In serialized form, PHP objects have the following format:
#
#    O:8:"stdClass":1:{s:1:"a";i:2;}
#    O:3:"Foo":0:{}
#
# Also detected are PHP objects with a custom unserializer:
# http://www.phpinternalsbook.com/classes_objects/serialization.html
# These have the following format:
#
#    C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
#    C:3:"Foo":23:{s:15:"My private data";}
#
# HTTP headers are inspected, since PHP object injection vulnerabilities have been
# found in applications parsing them:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
# http://karmainsecurity.com/KIS-2015-10 (Host header)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* \
                "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
        "msg:'PHP Injection Attack: Serialized Object Injection',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'9',\
        t:none,\
        ctl:auditLogParts=+E,\
        block,\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        id:933170,\
        severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"



#
# [ PHP Functions: Variable Function Calls ]
#
# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
# http://php.net/manual/en/functions.variable-functions.php
#
# An attacker may use variable function syntax to evade detection of function
# names during exploitation of a remote code execution vulnerability.
# An example to use the 'file_get_contents' function while evading rule 933150:
#
#   $fn = 'file_' . 'get_' . 'contents';
#   echo $fn('wp-co' . 'nfig.php');
#
# Some examples from obfuscated malware:
#
#   $OOO0000O0(...)
#   @$b374k(...)
#   $_[@-_]($_[@!+_] )
#
# A breakdown of the regular expression:
#
#   \$+
#       The variable's '$' char, or multiple '$' for 'variable variables':
#       http://php.net/manual/en/language.variables.variable.php
#   (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
#       One of the following:
#       - A variable name; regexp from http://php.net/language.variables.basics
#       - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
#   (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
#       Optional whitespace, array access, or comments
#   \(.*\)
#       Parentheses optionally containing function parameters
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
        "msg:'PHP Injection Attack: Variable Function Call Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'7',\
        capture,\
        t:none,\
        ctl:auditLogParts=+E,\
        block,\
        id:933180,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:933013,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:933014,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

#
# [ PHP Functions: Medium-Risk PHP Function Names ]
#
# In paranoia level 2, we add additional checks for most PHP functions.
#
# The size of the PHP function list is considerable.
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
# For performance and maintenance reasons, this rule does not use a regexp,
# but uses a phrase file (@pmf), and additionally looks for an '(' character
# in the matched variable.
#
# This approach carries some risk for false positives. Therefore, the function list
# has been curated to remove words closely matching natural language and terms often
# used in other contexts.
#
# This rule is a stricter sibling of rule 933150.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \
        "msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'7',\
        capture,\
        t:none,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        id:933151,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        chain"
            SecRule MATCHED_VARS "@pm (" \
                        "capture,\
                        setvar:'tx.msg=%{rule.msg}',\
                        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
                        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
                        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"




SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:933015,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:933016,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#

#
# [ PHP Variables: Common Variable Indexes ]
#
# In paranoia level 3, we add additional checks for parameters to many PHP variables.
#
#
# One of the more common variables used within attacks on PHP is $_SERVER. Because
# of how many different ways PHP has for executing variables (variable variables,
# etc) often just looking for $_SERVER will be less effective than looking for the
# various indexes within $_SERVER. This rule checks for these indexes.
# This rule is located in PL 3 because often developers will use these names as
# parameter names or values and this will lead to false positives.
# Because this list is not expected to change and it is limited in size we use a
# regex in this case to look for these values whereas in its sibling rule we use
# @pmf for flexibility and performance.
#
# To rebuild the regexp:
#   cd util/regexp-assemble
#   ./regexp-assemble.pl < regexp-933131.data
#
# This rule is a stricter sibling of rule 933130.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
        "msg:'PHP Injection Attack: Variables Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'7',\
        capture,\
        t:none,t:normalisePath,t:urlDecodeUni,\
        ctl:auditLogParts=+E,\
        block,\
        id:933131,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        tag:'paranoia-level/3',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Functions: Low-Value PHP Function Calls ]
#
# In paranoia level 3, we add additional checks for the remaining PHP functions.
#
# Most of these function names are likely to cause false positives in natural text
# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
# Therefore, these function names are not scanned in lower paranoia levels.
#
# To mitigate the risk of false positives somewhat, a regexp is used to look for
# PHP function syntax. (See rule 933160 for a description.)
#
# This rule is a stricter sibling of rule 933160.
#
# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
        "msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
        phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'7',\
        capture,\
        t:none,\
        ctl:auditLogParts=+E,\
        block,\
        id:933161,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        tag:'paranoia-level/3',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ PHP Script Uploads: Superfluous extension ]
#
# Block file uploads with PHP extensions (.php, .php5, .phtml etc)
# anywhere in the name, followed by a dot.
#
# Example: index.php.tmp
#
# Uploading of such files can lead to remote code execution if
# Apache is configured with AddType and MultiViews, as Apache will
# automatically do a filename match when the extension is unknown.
# This configuration is fortunately not common in modern installs.
#
# Blocking these file names might lead to more false positives.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# This rule is a stricter sibling of rule 933110.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
        "msg:'PHP Injection Attack: PHP Script File Upload Found',\
        phase:request,\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'7',\
        t:none,t:lowercase,\
        ctl:auditLogParts=+E,\
        block,\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        id:933111,\
        severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-injection-php',\
        tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
        tag:'OWASP_TOP_10/A1',\
        tag:'paranoia-level/3',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"


SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:933017,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:933018,nolog,pass,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:941011,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:941012,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#


#
# -=[ Libinjection - XSS Detection ]=-
#
# Ref: https://libinjection.client9.com/
# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
#
# -=[ Targets ]=-
#
# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
#               REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
#               ARGS_NAMES|ARGS|XML:/*
#
# 941101: PL2 : REQUEST_HEADERS:Referer
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
	"msg:'XSS Attack Detected via libinjection',\
	id:941100,\
	phase:request,\
	severity:'CRITICAL',\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'9',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters - Category 1 ]=-
# http://xssplayground.net23.net/xssfilter.html
# script tag based XSS vectors, e.g., <script> alert(1)</script>
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)([<＜]script[^>＞]*[>＞][\s\S]*?)" \
	"msg:'XSS Filter - Category 1: Script Tag Vector',\
	id:941110,\
	phase:request,\
	severity:'CRITICAL',\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'4',\
	accuracy:'9',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters - Category 2 ]=-
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)" \
	"msg:'XSS Filter - Category 2: Event Handler Vector',\
	id:941120,\
	phase:request,\
	severity:'CRITICAL',\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'4',\
	accuracy:'8',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters - Category 3 ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
	"msg:'XSS Filter - Category 3: Attribute Vector',\
	id:941130,\
	phase:request,\
	severity:'CRITICAL',\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters - Category 4 ]=-
# XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
	"msg:'XSS Filter - Category 4: Javascript URI Vector',\
	id:941140,\
	severity:'CRITICAL',\
	phase:request,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ NoScript XSS Filters ]=-
# Ref: http://noscript.net/
#
# [NoScript InjectionChecker] HTML injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
	"msg:'NoScript XSS InjectionChecker: HTML Injection',\
	id:941160,\
	severity:'CRITICAL',\
	phase:request,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# [NoScript InjectionChecker] Attributes injection
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
	"msg:'NoScript XSS InjectionChecker: Attribute Injection',\
	id:941170,\
	severity:'CRITICAL',\
	phase:request,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# [Blacklist Keywords from Node-Validator]
# https://raw.github.com/chriso/node-validator/master/validator.js
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
	"msg:'Node-Validator Blacklist Keywords',\
	id:941180,\
	severity:'CRITICAL',\
	phase:request,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters from IE ]=-
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941190,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941200,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941210,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941220,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<EMBED[\s/+].*?((src)|(type)).*?=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941230,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941240,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941250,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<META[\s/+].*?charset[\s/+]*=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941260,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<LINK[\s/+].*?href[\s/+]*=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941270,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<BASE[\s/+].*?href[\s/+]*=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941280,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<APPLET[\s/+>])" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941290,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<OBJECT[\s/+].*?((type)|(codetype)|(classid)|(code)|(data))[\s/+]*=)" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941300,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

#
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
# US-ASCII encoding bypass listed on XSS filter evasion
# Reported by Mazin Ahmed
#

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'7',\
	accuracy:'8',\
	id:941310,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
	block,\
	ctl:auditLogParts=+E,\
	msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-tomcat',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

#
# http://openmya.hacker.jp/hasegawa/security/utf7cs.html
# UTF-7 encoding XSS filter evasion for IE.
# Reported by Vladimir Ivanov
#

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \
        "phase:request,\
        rev:'1',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'7',\
        accuracy:'8',\
        id:941350,\
        severity:'CRITICAL',\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
        block,\
        ctl:auditLogParts=+E,\
        msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-internet-explorer',\
        tag:'attack-xss',\
        tag:'OWASP_CRS/WEB_ATTACK/XSS',\
        tag:'WASCTC/WASC-8',\
        tag:'WASCTC/WASC-22',\
        tag:'OWASP_TOP_10/A3',\
        tag:'OWASP_AppSensor/IE1',\
        tag:'CAPEC-242',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

SecMarker END_XSS_CHECKS


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:941013,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:941014,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

#
# This is a stricter sibling of rule 941100.
#
SecRule REQUEST_HEADERS:Referer "@detectXSS" \
        "msg:'XSS Attack Detected via libinjection',\
        id:941101,\
        phase:request,\
        severity:'CRITICAL',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'1',\
        accuracy:'9',\
        t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
        block,\
        ctl:auditLogParts=+E,\
        capture,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-xss',\
        tag:'OWASP_CRS/WEB_ATTACK/XSS',\
        tag:'WASCTC/WASC-8',\
        tag:'WASCTC/WASC-22',\
        tag:'OWASP_TOP_10/A3',\
        tag:'OWASP_AppSensor/IE1',\
        tag:'CAPEC-242',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


#
# -=[ XSS Filters - Category 5 ]=-
# HTML attribues - src, style and href
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
	"msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
	id:941150,\
	phase:request,\
	severity:'CRITICAL',\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
	block,\
	ctl:auditLogParts=+E,\
	capture,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A3',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'CAPEC-242',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


# Detect tags that are the most common direct HTML injection points.
#
#     <a href=javascript:...
#     <applet src="..." type=text/html>
#     <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
#     <base href=javascript:...
#     <base href=... // change base URL to something else to exploit relative filename inclusion
#     <bgsound src=javascript:...
#     <body background=javascript:...
#     <body onload=...
#     <embed src=http://www.example.com/flash.swf allowScriptAccess=always
#     <embed src="data:image/svg+xml;
#     <frameset><frame src="javascript:..."></frameset>
#     <iframe src=javascript:...
#     <img src=x onerror=...
#     <input type=image src=javascript:...
#     <layer src=...
#     <link href="javascript:..." rel="stylesheet" type="text/css"
#     <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
#     <meta http-equiv="refresh" content="0;url=javascript:..."
#     <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
#     <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
#     <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
#     <object data=http://www.example.com
#     <object type=text/x-scriptlet data=...
#     <object type=application/x-shockwave-flash data=xss.swf>
#     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
#     <script>...</script>
#     <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
#     <script src="data:text/javascript,alert(1)"></script>
#     <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
#     <style>STYLE</style>
#     <style type=text/css>STYLE</style>
#     <style type=text/javascript>alert('xss')</style>
#     <table background=javascript:...
#     <td background=javascript:
#
#
# NOTES
#
#  - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
#
#  - Not using closing brackets because they are not needed for the
#    attacks to succeed. The following seems to work in FF: <body/s/onload=...
#
#  - Also, browsers sometimes tend to translate < into >, in order to "repair"
#    what they think was a mistake made by the programmer/template designer.
#
#  - Browsers are flexible when it comes to what they accept as separator between
#    tag names and attributes. The following is commonly used in payloads: <img/src=...
#    A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
#
#  - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
#    but I don't believe we need to look for quotes anywhere.
#
#  - Links do not have to be fully qualified. For example, the following works:
#    <script src="//ha.ckers.org/.j">
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941320,\
	severity:'CRITICAL',\
	capture,\
	t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
	block,\
	msg:'Possible XSS Attack Detected - HTML Tag Handler',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A2',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'PCI/6.5.1',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941330,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
	block,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A2',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'PCI/6.5.1',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).+?[.].+?=)" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'8',\
	accuracy:'8',\
	id:941340,\
	severity:'CRITICAL',\
	capture,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
	block,\
	msg:'IE XSS Filters - Attack Detected.',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-xss',\
	tag:'OWASP_CRS/WEB_ATTACK/XSS',\
	tag:'WASCTC/WASC-8',\
	tag:'WASCTC/WASC-22',\
	tag:'OWASP_TOP_10/A2',\
	tag:'OWASP_AppSensor/IE1',\
	tag:'PCI/6.5.1',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"




SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:941015,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:941016,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:941017,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:941018,nolog,pass,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-941-APPLICATION-ATTACK-XSS"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:942011,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:942012,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# References:
#
# SQL Injection Knowledgebase (via @LightOS) -
# http://websec.ca/kb/sql_injection
#
# SQLi Filter Evasion Cheat Sheet -
# http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
#
# SQL Injection Cheat Sheet -
# http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
#
# SQLMap's Tamper Scripts (for evasions)
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
#

#
# -=[ LibInjection Check ]=-
#
# Ref: https://libinjection.client9.com/
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
  "msg:'SQL Injection Attack Detected via libinjection',\
   id:942100,\
   severity:'CRITICAL',\
   rev:'1',\
   ver:'OWASP_CRS/3.0.0',\
   maturity:'1',\
   accuracy:'8',\
   phase:request,\
   block,\
   multiMatch,\
   t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments,\
   capture,\
   logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-sqli',\
   tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
   tag:'WASCTC/WASC-19',\
   tag:'OWASP_TOP_10/A1',\
   tag:'OWASP_AppSensor/CIE1',\
   tag:'PCI/6.5.2',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
   setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
   setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"


#
# -=[ Detect DB Names ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'SQL Injection Attack: Common DB Names Detected',\
	id:942140,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects blind sqli tests using sleep() or benchmark().',\
	id:942160,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\
	id:942170,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\s*?(?:exec|execute).*?(?:\W)xp_cmdshell)|(?:[\"'`]\s*?!\s*?[\"'`\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`];?\s*?(?:select|union|having)\b\s*?[^\s])|(?:\wiif\s*?\()|(?:(?:exec|execute)\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MSSQL code execution and information gathering attempts',\
	id:942190,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash',\
	id:942220,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects conditional SQL injection attempts',\
	id:942230,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?(?:character|char)\s+set\s+\w+)|([\"'`];*?\s*?waitfor\s+(?:time|delay)\s+[\"'`])|(?:[\"'`];.*?:\s*?goto))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MySQL charset switch and MSSQL DoS attempts',\
	id:942240,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\
	id:942250,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',\
	id:942270,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\
	id:942280,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Finds basic MongoDB SQL injection attempts',\
	id:942290,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\
	id:942320,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+.+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\
	id:942350,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)\b)|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`]\s+regexp\W)|(?:[\s(]load_file\s*?\())" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\
	id:942360,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:942013,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:942014,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#


#
# -=[ String Termination/Statement Ending Injection Testing ]=-
#
# Identifies common initial SQLi probing requests where attackers insert/append
# quote characters to the existing normal payload to see how the app/db responds.
#
SecRule ARGS_NAMES|ARGS|XML:/* "(^[\"'`;]+|[\"'`]+$)" \
	"phase:request,\
	rev:'4',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,\
	block,\
	msg:'SQL Injection Attack: Common Injection Testing Detected',\
	id:942110,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'WARNING',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# -=[ SQL Operators ]=-
#
SecRule ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|\bxor\b|\brlike\b|\bregexp\b|\bisnull\b)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:\bxor\b|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" \
	"phase:request,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:utf8toUnicode,t:urlDecodeUni,\
	block,\
	msg:'SQL Injection Attack: SQL Operator Detected',\
	id:942120,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
 	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# -=[ SQL Tautologies ]=-
#
SecRule ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	multiMatch,t:none,t:urlDecodeUni,t:replaceComments,\
	block,\
	msg:'SQL Injection Attack: SQL Tautology Detected.',\
	id:942130,\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# -=[ SQL Function Names ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \
	"chain,\
	phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'SQL Injection Attack',\
	id:942150,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL'"
	SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\("\
		"setvar:'tx.msg=%{rule.msg}',\
		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
		setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`]\s+[\"'`]\s+\d)|(?:^admin\s*?[\"'`]|(\/\*)+[\"'`]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`])|(?:[\"'`]\s*?[^\w\s]?=\s*?[\"'`])|(?:[\"'`]\W*?[+=]+\W*?[\"'`])|(?:[\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$)|(?:[\"'`]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`]\s*?like\W+[\w\"'`(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`][<>~]+[\"'`]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects basic SQL authentication bypass attempts 1/3',\
	id:942180,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\
	id:942200,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects chained SQL injection attempts 1/2',\
	id:942210,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`])|(?:like\s*?[\"'`]\%)|(?:[\"'`]\s*?like\W*?[\"'`\d])|(?:[\"'`]\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`]\s*?\*\s*?\w+\W+[\"'`])|(?:[\"'`]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`-]+from\s+)|(?:find_in_set\s*?\())" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects basic SQL authentication bypass attempts 2/3',\
	id:942260,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects MySQL comments, conditions and ch(a)r injections',\
	id:942300,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`]\s*?(?:(?:[-+=|@]+\s+?)+|[-+=|@]+)[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`]\w)|(?:[\"'`];\s*?(?:if|while|begin))|(?:[\"'`][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects chained SQL injection attempts 2/2',\
	id:942310,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?(x?or|div|like|between|and)\s*?[\"'`]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`]$)|(?:(?:^[\"'`\\\\]*?(?:[\d\"'`]+|[^\"'`]+[\"'`]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].)|(?:\Winformation_schema|table_name\W))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects classic SQL injection probings 1/2',\
	id:942330,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`]|[=\d]+x))|([\"'`]\s*?\d\s*?(?:--|#))|(?:[\"'`][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`])|(?:[\"'`]\s*?is\s*?\d.+[\"'`]?\w)|(?:[\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`])|(?:[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects basic SQL authentication bypass attempts 3/3',\
	id:942340,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" \
	"phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'8',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects classic SQL injection probings 2/2',\
	id:942370,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \
        "phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,\
        ctl:auditLogParts=+E,\
        block,\
        msg:'SQL Injection Attack',\
        id:942380,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \
        "phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,\
        ctl:auditLogParts=+E,\
        block,\
        msg:'SQL Injection Attack',\
        id:942390,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
        "phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,\
        ctl:auditLogParts=+E,\
        block,\
        msg:'SQL Injection Attack',\
        id:942400,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|replwritetovarbin|help|addextendedproc|is_srvrolemember|prepare|password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|servicecontrol|ntsec_enumdomains|terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
        "phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,\
        ctl:auditLogParts=+E,\
        block,\
        msg:'SQL Injection Attack',\
        id:942410,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# [ SQL Injection Character Anomaly Usage ]
#
# This rules attempts to gauge when there is an exccesive use of
# meta-characters within a single parameter payload.
#
# Expect a lot of false positives with this rule.
# The most likely false positive instances will be free-form text fields.
# This will make it necessary to disable the rule for certain known parameters.
# The following directive is an example to switch off the rule globally for
# the parameter foo. Place this instruction in your configuration after
# the include directive for the Core Rules Set.
#
# SecRuleUpdateTargetById 942430 "!ARGS:foo"
#

SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){12})" \
        "phase:request,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942430,\
        severity:'WARNING',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\
        capture,\
        logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


#
# -=[ Detect SQL Comment Sequences ]=-
#
# Example Payloads Detected:
# -------------------------
# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# ‘ or 1=1#
# ‘ or 1=1-- -
# ‘ or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/
# -------------------------
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \
        "phase:request,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'8',\
        accuracy:'8',\
        id:942440,\
        t:none,t:urlDecodeUni,\
        block,\
        msg:'SQL Comment Sequence Detected.',\
        severity:'CRITICAL',\
        capture,\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


#
# -=[ SQL Hex Evasion Methods ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" \
        "phase:request,\
        id:942450,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'8',\
        accuracy:'8',\
        capture,\
        t:none,t:urlDecodeUni,\
        block,\
        msg:'SQL Hex Encoding Identified',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/2',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:942015,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:942016,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#


#
# [ SQL HAVING queries ]
#
# This pattern was split off from rule 942250 due to frequent
# false positives in English text. Testing showed that SQL
# injections with HAVING should be detected by libinjection
# (rule 942100).
#
# This is a stricter sibling of rule 942250.
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\W+\d*?\s*?having\s*?[^\s\-]" \
	"phase:request,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'6',\
	capture,\
	t:none,t:urlDecodeUni,\
	block,\
	msg:'Detects HAVING injections',\
	id:942251,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-sqli',\
	tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
	tag:'WASCTC/WASC-19',\
	tag:'OWASP_TOP_10/A1',\
	tag:'OWASP_AppSensor/CIE1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/3',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

#
# [ SQL Injection Character Anomaly Usage ]
#
# This rule attempts to gauge when there is an exccesive use of
# meta-characters within a single parameter payload.
#
# It is similar to 942430, but focues on Cookies instead of
# GET/POST parameters.
#
# Expect a lot of false positives with this rule.
# The most likely false positive instances will be complex session ids.
# This will make it necessary to disable the rule for certain known cookies.
# The following directive is an example to switch off the rule globally for
# the cookie foo_id. Place this instruction in your configuration after
# the include directive for the Core Rules Set.
#
# SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id"
#

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){8})" \
        "phase:request,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942420,\
        severity:'WARNING',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\
        capture,\
        logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/3',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


#
# This is a stricter sibling of rule 942430.
#

SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){6})" \
        "phase:request,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942431,\
        severity:'WARNING',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\
        capture,\
        logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/3',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


#
# [ Repetitive Non-Word Characters ]
#
# This rule attempts to identify when multiple (4 or more) non-word characters
# are repeated in sequence.
#
# The pattern may occur in some normal texts, e.g. "foo...." will match.
#
SecRule ARGS "\W{4}" \
        "phase:request,\
        capture,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942460,\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        severity:'WARNING',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/3',\
        msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"


SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:942017,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:942018,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#

#
# [ SQL Injection Character Anomaly Usage ]
#
# This is a stricter sibling of rule 942420.
#

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){3})" \
        "phase:request,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942421,\
        severity:'WARNING',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\
        capture,\
        logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/4',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


#
# This is a stricter sibling of rule 942430.
#

SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){2})" \
        "phase:request,\
        t:none,t:urlDecodeUni,\
        block,\
        id:942432,\
        severity:'WARNING',\
        rev:'2',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'8',\
        msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\
        capture,\
        logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-sqli',\
        tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
        tag:'WASCTC/WASC-19',\
        tag:'OWASP_TOP_10/A1',\
        tag:'OWASP_AppSensor/CIE1',\
        tag:'PCI/6.5.2',\
        tag:'paranoia-level/4',\
        setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
        setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"


#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:943011,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:943012,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
# http://capec.mitre.org/data/definitions/61.html
#	
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
	"msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
	phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	severity:'CRITICAL',\
	t:none,t:urlDecodeUni,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	id:943100,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-fixation',\
	tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
	tag:'WASCTC/WASC-37',\
	tag:'CAPEC-61',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"


SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
	"msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
	phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'2',\
	accuracy:'7',\
	id:943110,\
	t:none,t:urlDecodeUni,t:lowercase,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	severity:'CRITICAL',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-fixation',\
	tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
	tag:'WASCTC/WASC-37',\
	tag:'CAPEC-61',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	chain"
		SecRule REQUEST_HEADERS:Referer	"^(?:ht|f)tps?://(.*?)\/" \
			"capture,\
			chain"
        			SecRule TX:1 "!@endsWith %{request_headers.host}" \
					"setvar:'tx.msg=%{rule.msg}',\
					setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\
					setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
					setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"


SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
	"msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
	phase:request,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'2',\
	accuracy:'7',\
	id:943120,\
	t:none,t:urlDecodeUni,t:lowercase,\
	capture,\
	ctl:auditLogParts=+E,\
	severity:'CRITICAL',\
	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-fixation',\
	tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
	tag:'WASCTC/WASC-37',\
	tag:'CAPEC-61',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	chain"
		SecRule &REQUEST_HEADERS:Referer "@eq 0" \
			"setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\
			setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
			setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"




SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:943013,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:943014,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:943015,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:943016,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:943017,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:943018,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

SecMarker BEGIN_REQUEST_BLOCKING_EVAL

# These rules use the anomaly score settings specified in the 10 config file.
# You should also set the desired disruptive action (deny, redirect, etc...).
#
# -=[ IP Reputation Checks ]=-
#
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
#
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
	"msg:'Request Denied by IP Reputation Enforcement.',\
	severity:CRITICAL,\
	phase:request,\
	id:949100,\
	deny,\
	log,\
	logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-reputation-ip',\
	chain"
	SecRule TX:DO_REPUT_BLOCK "@eq 1" \
	        "setvar:tx.inbound_tx_msg=%{tx.msg},\
                setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"


#
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
#
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    severity:CRITICAL,\
    phase:request,\
    id:949110,\
    t:none,\
    deny,\
    log,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    setvar:tx.inbound_tx_msg=%{tx.msg},\
    setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:949011,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:949012,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:949013,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:949014,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:949015,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:949016,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:949017,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:949018,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# The paranoia level skip rules 950020, 950021 and 950022 have odd
# numbers not in sync with other paranoia level skip rules in other
# files. This is done to avoid rule id collisions with CRSv2.
# This is also true for rule 950130.

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:950020,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:950021,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Directory Listing ]=-
#
SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
	"phase:response,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Directory Listing',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:950130,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:950013,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:950014,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#

#
# -=[ The application is not available - 5xx level status code ]=-
#
SecRule RESPONSE_STATUS "^5\d{2}$" \
	"phase:response,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'The Application Returned a 500-Level Status Code',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:950100,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-multi',\
	tag:'attack-disclosure',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
        tag:'paranoia-level/2',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:950015,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:950016,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:950017,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:950022,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-950-DATA-LEAKAGES"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:951011,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:951012,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ SQL Error Leakages ]=-
#
# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
# Ref: https://github.com/Arachni/arachni/tree/master/modules/audit/sqli/patterns
#
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
        "phase:response,\
        id:951100,\
        rev:'5',\
        ver:'OWASP_CRS/3.0.0',\
        pass,\
        nolog,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
        setvar:tx.sql_error_match=1,\
        t:none"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'Microsoft Access SQL Information Leakage',\
   	phase:response,\
   	id:951110,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
   	tag:'application-multi',\
   	tag:'language-multi',\
   	tag:'platform-msaccess',\
   	tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'Oracle SQL Information Leakage',\
   	phase:response,\
   	id:951120,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-oracle',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
	   		"capture,\
	  		 setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'DB2 SQL Information Leakage',\
   	phase:response,\
   	id:951130,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-db2',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	  		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	  		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	  		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'EMC SQL Information Leakage',\
	phase:response,\
   	id:951140,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
  	ctl:auditLogParts=+E,\
  	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-emc',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
	  		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'firebird SQL Information Leakage',\
   	phase:response,\
   	id:951150,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-firebird',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:Dynamic SQL Error)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'Frontbase SQL Information Leakage',\
	phase:response,\
	id:951160,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'7',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-frontbase',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
	tag:'CWE-209',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:Exception (condition )?\d+\. Transaction rollback\.)" \
			"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'hsqldb SQL Information Leakage',\
	phase:response,\
	id:951170,\
	rev:'1',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'7',\
	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-hsqldb',\
        tag:'attack-disclosure',\
 	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:org\.hsqldb\.jdbc)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'informix SQL Information Leakage',\
	phase:response,\
   	id:951180,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-informix',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
	   		"capture,\
	  		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"


SecRule TX:sql_error_match "@eq 1" \
   	"msg:'ingres SQL Information Leakage',\
   	phase:response,\
	id:951190,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-ingres',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"


SecRule TX:sql_error_match "@eq 1" \
   	"msg:'interbase SQL Information Leakage',\
   	phase:response,\
   	id:951200,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-interbase',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'maxDB SQL Information Leakage',\
   	phase:response,\
   	id:951210,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-maxdb',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:SQL error.*POS([0-9]+).*|Warning.*maxdb.*)" \
			"capture,\
			setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
			setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'mssql SQL Information Leakage',\
   	phase:response,\
   	id:951220,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-mssql',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'mysql SQL Information Leakage',\
   	phase:response,\
   	id:951230,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-mysql',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'postgres SQL Information Leakage',\
   	phase:response,\
   	id:951240,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-pgsql',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
   	"msg:'sqlite SQL Information Leakage',\
   	phase:response,\
   	id:951250,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-sqlite',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

SecRule TX:sql_error_match "@eq 1" \
	"msg:'Sybase SQL Information Leakage',\
   	phase:response,\
   	id:951260,\
   	rev:'1',\
   	ver:'OWASP_CRS/3.0.0',\
   	maturity:'7',\
   	accuracy:'9',\
   	t:none,\
   	capture,\
   	ctl:auditLogParts=+E,\
   	block,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-sybase',\
        tag:'attack-disclosure',\
   	tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
   	tag:'CWE-209',\
   	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
   	severity:'CRITICAL',\
   	chain"
		SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
	   		"capture,\
	   		setvar:'tx.msg=%{rule.msg}',\
	   		setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	   		setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:951013,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:951014,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:951015,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:951016,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:951017,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:951018,nolog,pass,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:952011,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:952012,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ Java Source Code Leakages ]=-
#
SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
	"phase:4,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Java Source Code Leakage',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:952100,\
        tag:'application-multi',\
        tag:'language-java',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"

#
# -=[ Java Errors ]=-
#
# Ref: https://github.com/andresriancho/w3af/blob/master/plugins/grep/error_pages.py
#
SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
        "phase:4,\
        rev:'3',\
        ver:'OWASP_CRS/3.0.0',\
        maturity:'9',\
        accuracy:'9',\
        t:none,\
        capture,\
        ctl:auditLogParts=+E,\
        block,\
        msg:'Java Errors',\
        logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        id:952110,\
        tag:'application-multi',\
        tag:'language-java',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
        tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
        tag:'WASCTC/WASC-13',\
        tag:'OWASP_TOP_10/A6',\
        tag:'PCI/6.5.6',\
        severity:'ERROR',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
        setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
        setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:952013,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:952014,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:952015,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:952016,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:952017,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:952018,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:953011,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:953012,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ PHP Error Message Leakage ]=-
#
SecRule RESPONSE_BODY "@pmf php-errors.data" \
	"msg:'PHP Information Leakage',\
	id:953100,\
	phase:response,\
	ver:'OWASP_CRS/3.0.0',\
	rev:'3',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	severity:'ERROR',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"

#
# -=[ PHP source code leakage ]=-
#
# Detect some common PHP keywords in output.
#
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
	"phase:response,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'PHP source code leakage',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:953110,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"

# Detect the presence of the PHP open tag "<?" or "<?php" in output.
#
# To prevent false positives due to the short "<?" sequence, an attempt
# is made to stop alerts in binary output. This is done by detecting
# some common binary file format headers, such as gzip (\x1f\x8b\x08),
# png (IHDR), mp3 (ID3), movie formats et cetera.
#
SecRule RESPONSE_BODY "<\?(?!xml)" \
	"phase:response,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	chain,\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'PHP source code leakage',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:953120,\
        tag:'application-multi',\
        tag:'language-php',\
        tag:'platform-multi',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',severity:'ERROR'"
		SecRule RESPONSE_BODY "!(?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
			"t:none,\
			capture,\
			setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
			setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
			setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:953013,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:953014,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:953015,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:953016,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:953017,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:953018,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:954011,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:954012,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

# IIS default location
SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
	"phase:4,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	t:lowercase,\
	ctl:auditLogParts=+E,\
	block,\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-iis',\
	tag:'platform-windows',\
	tag:'attack-disclosure',\
	msg:'Disclosure of IIS install location',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:954100,\
	severity:'ERROR',\
	chain"
		SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \
			"setvar:global.alerted_970018_iisDefLoc,\
			setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
			setvar:tx.anomaly_score=+%{tx.error_anomaly_score}"


SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
	"phase:4,\
	rev:'3',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'Application Availability Error',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:954110,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-iis',\
        tag:'platform-windows',\
        tag:'attack-disclosure',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"

#
# IIS Errors leakage
#
SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
	"phase:4,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'IIS Information Leakage',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:954120,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-iis',\
        tag:'platform-windows',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"


SecRule RESPONSE_STATUS "!^404$" \
	"phase:4,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	capture,\
	ctl:auditLogParts=+E,\
	block,\
	msg:'IIS Information Leakage',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	id:954130,\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-iis',\
        tag:'platform-windows',\
        tag:'attack-disclosure',\
	tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
	tag:'WASCTC/WASC-13',\
	tag:'OWASP_TOP_10/A6',\
	tag:'PCI/6.5.6',\
	severity:'ERROR',\
	chain"
		SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
			"t:none,\
			capture,\
			setvar:'tx.msg=%{rule.msg}',\
			setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
			setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
			setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:954013,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:954014,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:954015,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:954016,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:954017,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:954018,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match.  If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "@gt 20".  This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
# You should also set the desired disruptive action (deny, redirect, etc...).
#

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

# Alert and Block on High Anomaly Scores - this would block outbound data leakages
#
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
  "phase:4,\
  id:959100,\
  tag:'anomaly-evaluation',\
  t:none,\
  deny,\
  msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"



SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:959011,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:959012,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:959013,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:959014,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:959015,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:959016,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:959017,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:959018,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# This file is used in post processing after the response has been sent to
# the client (in the logging phase).  Its purpose is to provide inbound+outbound
# correlation of events to provide a more intelligent designation as to the outcome
# or result of the transaction - meaning, was this a successful attack?
#

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

#
# -=[ Correlated Successful Attack ]=-
#
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
	"chain,\
	phase:logging,\
	id:980100,\
	t:none,\
	log,\
	pass,\
	tag:'event-correlation',\
	skipAfter:END_CORRELATION,\
	severity:'EMERGENCY',\
	msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
		SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
		

#
# -=[ Correlated Attack Attempt ]=-
#
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
	"chain,\
	phase:logging,\
	id:980110,\
	t:none,\
	log,\
	pass,\
        tag:'event-correlation',\
	skipAfter:END_CORRELATION,\
	severity:'ALERT',\
	msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
		SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"

SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
	"chain,\
	phase:logging,\
	id:980120,\
	t:none,\
	log,noauditlog,\
	pass,\
        tag:'event-correlation',\
	skipAfter:END_CORRELATION,\
	msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}): %{tx.inbound_tx_msg}'"
		SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}"

SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
	"phase:logging,\
	id:980130,\
	t:none,\
	log,noauditlog,\
	pass,\
        tag:'event-correlation',\
	msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}'"

SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
	"phase:logging,\
	id:980140,\
	t:none,\
	log,noauditlog,\
	pass,\
        tag:'event-correlation',\
	msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"

SecMarker END_CORRELATION


SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:980011,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:980012,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:980013,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:980014,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:980015,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:980016,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:980017,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:980018,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-980-CORRELATION"

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# The purpose of this file is to hold LOCAL exceptions for your site.
# The types of rules that would go into this file are one where you want
# to unconditionally disable rules or modify their actions during startup.
#
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
# for a description of the rule exclusions mechanism and the correct
# use of this file.
#

#
# Example Exclusion Rule: To unconditionally disable a rule ID
#
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
# SecRuleRemoveById 942100

# Example Exclusion Rule: Remove a group of rules
#
# ModSecurity Rule Exclusion: Disable PHP injection rules
# SecRuleRemoveByTag "attack-injection-php"

#
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
#                         inspection for SQLi rules
#
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"


# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
#
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
# against your policy. To apply a disruptive action, they overwrite the default
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
# This 'deny' is by default paired with a 'status:403' action.
#
# In order to change the disruptive action from 'deny' to something else,
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
#
# These actions only apply when using Anomaly Mode.
#
# Default action: block with error 403
# (No configuration needed in this file if you want the default behavior.)
#

# Example: redirect back to the homepage on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"

# Example: redirect to another URL on blocking
#
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"

# Example: send an error 404
#
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"

# Example: drop the connection (best for DoS attacks)
#
# SecRuleUpdateActionById 949110 "t:none,drop"
# SecRuleUpdateActionById 959100 "t:none,drop"