Skip to content

Commit

Permalink
Update: [Sun Jan 12 00:29:42 UTC 2025]
Browse files Browse the repository at this point in the history
  • Loading branch information
@github-actions
github-actions[bot] committed Jan 12, 2025
1 parent 6eff0f9 commit c59456b
Show file tree
Hide file tree
Showing 38 changed files with 2,273 additions and 2,273 deletions.
1,998 changes: 999 additions & 999 deletions owasp_rules.json
View file

Large diffs are not rendered by default.

34 changes: 17 additions & 17 deletions waf_patterns/apache/attack.conf
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,20 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On

SecRule REQUEST_URI "\[nr\]" "id:1068,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1065,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1064,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1069,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1029,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1070,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1063,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1067,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1073,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1061,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1072,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1062,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1071,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1059,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1060,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1066,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1007,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1008,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1001,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1005,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1011,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1018,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1014,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1006,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1017,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1019,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1012,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1013,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1010,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1016,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1015,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1009,phase:1,deny,status:403,log,msg:'attack attack detected'"
16 changes: 8 additions & 8 deletions waf_patterns/apache/correlation.conf
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# Apache ModSecurity rules for CORRELATION
SecRuleEngine On

SecRule REQUEST_URI "@gt\ 0" "id:1346,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1343,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1339,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1342,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1341,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1340,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1345,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1321,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1317,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1318,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1315,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1314,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1319,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1320,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1316,phase:1,deny,status:403,log,msg:'correlation attack detected'"
Loading

0 comments on commit c59456b

Please sign in to comment.