flatten CRS rules to workaround crowdsecurity/crowdsec#3343 #83

Merged
merged 1 commit into from
Nov 25, 2024
Merged
275 changes: 34 additions & 241 deletions appsec/crs/REQUEST-901-INITIALIZATION.conf


40 changes: 5 additions & 35 deletions appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
Expand Up @@ -14,42 +14,12 @@
#
# Exception for Apache SSL pinger
#
SecRule REQUEST_LINE "@streq GET /" \
"id:905100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/4.0.0-rc1',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
ctl:ruleRemoveByTag=OWASP_CRS,\
ctl:auditEngine=Off"
SecRule REQUEST_LINE "@streq GET /" "id:905100, phase:1, pass, t:none, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-apache', tag:'attack-generic', ver:'OWASP_CRS/4.0.0-rc1', chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "t:none, ctl:ruleRemoveByTag=OWASP_CRS, ctl:auditEngine=Off"

#
# Exception for Apache internal dummy connection
#
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"id:905110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/4.0.0-rc1',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\
chain"
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
"t:none,\
ctl:ruleRemoveByTag=OWASP_CRS,\
ctl:auditEngine=Off"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "id:905110, phase:1, pass, t:none, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-apache', tag:'attack-generic', ver:'OWASP_CRS/4.0.0-rc1', chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" "t:none, chain"
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" "t:none, ctl:ruleRemoveByTag=OWASP_CRS, ctl:auditEngine=Off"
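Review bot: The flattened 905100 and 905110 keep `ctl:ruleRemoveByTag=OWASP_CRS` and `ctl:auditEngine=Off`, which switch off the entire ruleset and audit logging whenever REMOTE_ADDR is 127.0.0.1 or ::1 — an Apache-pinger allowance whose consequences in the AppSec context are not documented here. From this file it is not visible whether REMOTE_ADDR in a CrowdSec AppSec deployment carries the original client address or the address of the forwarding bouncer; if it can be loopback for forwarded traffic, every plain `GET /` (905100) and every request matching the internal-dummy-connection shape (905110) would bypass the CRS entirely, so this is worth confirming before relying on these exceptions. I would add above 905100: `# NOTE: both exceptions disable all OWASP_CRS rules and audit logging for loopback REMOTE_ADDR; confirm REMOTE_ADDR is the real client IP (not the bouncer/proxy) in the AppSec engine`.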
18 changes: 1 addition & 17 deletions appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
Expand Up @@ -25,23 +25,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAf
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
"id:911100,\
phase:1,\
block,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "id:911100, phase:1, block, msg:'Method is not allowed by policy', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/274', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"



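Review bot: The flattened 911100 line separates actions with `, ` (comma-space), while the single-line rules this file already had — e.g. 911012 shown on the hunk header, `"id:911012,phase:2,pass,nolog,skipAfter:..."` — use a bare `,`; mixing both styles in one file makes grepping and any future re-flattening inconsistent. Since one-line rules are now the file's convention, I would normalise the new line to the existing form: `SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "id:911100,phase:1,block,msg:'Method is not allowed by policy',logdata:'%{MATCHED_VAR}',tag:'application-multi',...,setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"`. Whether the AppSec engine's SecLang parser trims whitespace after each comma is not something this diff demonstrates, so matching the already-working no-space form is the safer choice.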
111 changes: 10 additions & 101 deletions appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
Expand Up @@ -34,69 +34,14 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
# Chained rule is allow listing:
# YUM package manager of CentOS / Fedore: User-Agent: urlgrabber/3.10 yum/3.4.3
# eCairn service: User-Agent: mozilla/5.0 ecairn-grabber/1.0 (+http://ecairn.com/grabber)
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:1,\
block,\
capture,\
t:none,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
"id:913110,\
phase:1,\
block,\
capture,\
t:none,\
msg:'Found request header associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"



SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
"id:913120,\
phase:2,\
block,\
capture,\
t:none,\
msg:'Found request filename/argument associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" "id:913100, phase:1, block, capture, t:none, msg:'Found User-Agent associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain"
SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" "id:913110, phase:1, block, capture, t:none, msg:'Found request header associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"



SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" "id:913120, phase:2, block, capture, t:none, msg:'Found request filename/argument associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
Expand All @@ -115,25 +60,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAf
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
"id:913101,\
phase:1,\
block,\
capture,\
t:none,\
msg:'Found User-Agent associated with scripting/generic HTTP client',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scripting',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" "id:913101, phase:1, block, capture, t:none, msg:'Found User-Agent associated with scripting/generic HTTP client', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scripting', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"



Expand All @@ -146,25 +73,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
#
# This rule is a sibling of rule 913100.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
"id:913102,\
phase:1,\
block,\
capture,\
t:none,\
msg:'Found User-Agent associated with web crawler/bot',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-crawler',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/150',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" "id:913102, phase:1, block, capture, t:none, msg:'Found User-Agent associated with web crawler/bot', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-crawler', tag:'OWASP_CRS', tag:'capec/1000/118/116/150', tag:'PCI/6.5.10', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
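Review bot: Nothing in this file records that the rules were flattened or why, so it now differs textually from upstream OWASP CRS 4.0.0-rc1 (which the `ver:` tags still claim) without any marker, and the next sync from upstream will silently reintroduce the multi-line form that the referenced crowdsec issue cannot handle. I would add a header comment at the top of the file (outside these hunks) such as `# NOTE: rules below are flattened to one line each as a workaround for crowdsecurity/crowdsec#3343 — re-flatten after syncing from upstream CRS`. The rule content in the three hunks (913100 with its chained allow-list rule, 913110, 913120, 913101, 913102) reads as identical to the removed multi-line versions, including the `setvar` that only the chained second rule of 913100 carries, so I see no semantic change to flag.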