REQUEST-944-APPLICATION-ATTACK-JAVA.conf
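# ------------------------------------------------------------------------
# OWASP CRS ver.4.7.0-dev
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# REQUEST-944-APPLICATION-ATTACK-JAVA
#
# Detection rules for Java-specific attack payloads: Runtime/ProcessBuilder
# process spawning, Java native and base64-encoded serialization streams,
# Apache Commons Collections gadget-chain class names, JSP upload attempts,
# Log4Shell-style "${...}" lookups and Spring class-loader manipulation.
# Every match only adds to tx.rce_score and the per-paranoia-level inbound
# anomaly score; the actual blocking decision is taken in
# REQUEST-949-BLOCKING-EVALUATION.conf.
#
# Layout: rules are grouped by paranoia level (PL). The 9440xx "skipAfter"
# rules at the start of each group jump to the END marker when
# tx.detection_paranoia_level is too low, so a PL-N rule is never evaluated
# at a lower level.
#
# Most rules share the same target list. The !REQUEST_COOKIES:/__utm/
# exclusion drops the Google Analytics __utm* cookies, which carry
# free-form text and are a known false-positive source.
#
# NOTE(review): this file must not be edited through a tool that decodes
# HTML character references. Rules 944150/944151/944152 below contain the
# literal entity names `&dollar;`, `&lbrace;` and `&lcub;` inside their
# regular expressions; an editor that decodes entities turns `&dollar;?`
# into a bare `$?` (a quantifier on the end-of-subject anchor), which PCRE
# rejects and the rule then fails to load. Regenerate those patterns with
# crs-toolchain instead of hand-editing them, and check the on-disk bytes
# after any edit.

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.

# PL gate: below PL1 skip the whole file (one rule per phase so both
# phase-1 and phase-2 evaluation skip consistently).
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#

# 944100: fully-qualified java.lang.Runtime / java.lang.ProcessBuilder
# reference anywhere in the request. Input is lowercased first, so the
# pattern is written in lowercase.
#
# This rule is also triggered by an Apache Struts exploit:
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\.lang\.(?:runtime|processbuilder)" \
    "id:944100,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'Remote Command Execution: Suspicious Java class detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# 944110: bare "runtime" / "processbuilder" keyword, chained with a second
# rule that requires "unmarshaller", "base64data" or "java." to be present
# as well. Both conditions must hold for the score to be added.
#
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# Generic rule to detect processbuilder or runtime calls, if any of those is found and the request also contains
# java., unmarshaller or base64data to trigger a potential payload execution
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
#
# NOTE(review): the chained rule inspects the full target list again, not
# MATCHED_VARS, so the two keywords may sit in *different* variables of the
# same request (compare 944120, which restricts the second check to the
# variables the first rule matched). The chained rule also declares no
# transformations of its own, so unless SecDefaultAction supplies one,
# "unmarshaller|base64data|java\." is matched case-sensitively against the
# raw value while the first rule sees lowercased input — confirm against
# the active SecDefaultAction before relying on mixed-case coverage here.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:runtime|processbuilder)" \
    "id:944110,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    chain"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
        "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# 944120: Apache Commons Collections / XMLDecoder gadget class names, chained
# with a check that the *same* matched variable (MATCHED_VARS) also contains
# "runtime" or "processbuilder".
#
# Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
    "id:944120,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    chain"
    # MATCHED_VARS presumably carries the lowercased values the first rule
    # matched, hence the lowercase literals here — TODO confirm on the
    # engine in use (mod_security2 vs libmodsecurity3).
    SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
        "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# 944130: parallel-match (@pmFromFile) against the class-name list in
# java-classes.data. Unlike the regex rules above this one also inspects
# REQUEST_FILENAME, and it needs no t:lowercase because @pm matching is
# case-insensitive.
#
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
    "@pmFromFile java-classes.data" \
    "id:944130,\
    phase:2,\
    block,\
    t:none,\
    msg:'Suspicious Java class detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ Java Script Uploads ]
#
# Block file uploads with filenames ending in Java scripts (.jsp, .jspx)
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a script file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# file and have the code within it executed on the server.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# The trailing "\.*$" tolerates any number of dots after the extension
# ("shell.jsp." style names); the name is lowercased before matching so
# ".JSP"/".Jspx" variants are covered. The rule only sees file names that
# arrive via FILES (multipart/form-data) or the listed headers; a name
# passed in an ordinary parameter is out of scope here.
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" \
    "id:944140,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,\
    msg:'Java Injection Attack: Java Script File Upload Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-injection-java',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# Log4J / Log4Shell Defense
#
# This addresses exploits against the Log4J library described in several CVEs:
# * CVE-2021-44228
# * CVE-2021-44832
# * CVE-2021-45046
# * CVE-2021-45105
#
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
#
# This rule attempts to detect two things:
# * Nested use of ${
# * use of ${jndi:... without the closing bracket
#
# Rule 932130 is also essential for defense since there are certain
# bypasses of the log4j rules that can be caught by 932130.
#
# The payload is not displayed in the alert message since log4j could
# potentially be executed on the logviewer.
#
# This rule has stricter siblings: 944151 (PL2), 944152 (PL4)
#
# Pattern notes: "$" and "{" are each accepted either literally or as the
# HTML entity names &dollar; / &lbrace; / &lcub; (with optional ";"), so an
# entity-encoded payload is caught even where t:htmlEntityDecode does not
# decode that particular name. The inner "[^\}]{0,15}" bounds the distance
# between the two "${" so the regex cannot backtrack excessively; 944151
# drops that bound. Targets include REQUEST_LINE so a payload in the path
# or query string is seen even when it is not a parsed ARG. The rule does
# not inspect REQUEST_BODY or FILES; a raw body payload relies on ARGS.
#
# Regular expression generated from regex-assembly/944150.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944150
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
    "id:944150,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
    log,\
    msg:'Potential Remote Command Execution: Log4j / Log4shell',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


# PL gate: below PL2 skip the rest of the file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#

# This is a stricter sibling of 944150.
# It is a re-iteration of said rule without the curly bracket distance limiter
# between the nested "${". This is prone to backtracking and therefore a potential
# DoS problem for backtracking regular expression engines (e.g. PCRE2), but it also avoids evasions that fill the space between the nested
# elements with arbitrary data.
#
# Regular expression generated from regex-assembly/944151.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944151
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
    "id:944151,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
    log,\
    msg:'Potential Remote Command Execution: Log4j / Log4shell',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
# Detect exploitation of "Java deserialization" Apache Commons.
#
# Based on rules by @spartantri.
# https://spartantri.com/ModSecurity/?p=44
#
# Interesting references about the vulnerability
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
#
# 944200: raw Java serialization stream header (STREAM_MAGIC 0xACED followed
# by STREAM_VERSION 5). No transformations are applied, so the bytes are
# matched as they arrive on the wire.
#
# Potential false positives with random fields. NOTE(review): the original
# comment said the anomaly score was "set low" to avoid blocking, but the
# rule actually adds tx.critical_anomaly_score like every other rule in this
# file; what limits its impact is that it only runs at PL2 or higher.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx \xac\xed\x00\x05" \
    "id:944200,\
    phase:2,\
    block,\
    msg:'Magic bytes Detected, probable java serialization in use',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# 944210: the same magic bytes in base64. Because base64 encodes 3 bytes per
# 4 characters, the 4-byte header can land at three different alignments
# depending on how many bytes precede it; the three alternatives below are
# the stable substrings for each alignment:
#   rO0ABQ  (header at offset 0 mod 3)
#   KztAAU  (offset 1 mod 3)
#   Cs7QAF  (offset 2 mod 3)
# Base64 is case-sensitive, so deliberately no t:lowercase here.
#
# Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
    "id:944210,\
    phase:2,\
    block,\
    msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# 944240: unchained PL2 version of the 944120 gadget-class check — any one
# of the listed class names scores on its own, without requiring a
# runtime/processbuilder reference in the same variable.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
    "id:944240,\
    phase:2,\
    block,\
    t:none,t:lowercase,\
    msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# 944250: the word "java" followed (anywhere later in the same variable)
# by "runtime" or "processbuilder". Looser than 944100, which needs the
# exact "java.lang." prefix. Note this rule lists t:lowercase without a
# preceding t:none, unlike its siblings; whether any SecDefaultAction
# transformations are applied first therefore depends on the setup file.
#
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx java\b.+(?:runtime|processbuilder)" \
    "id:944250,\
    phase:2,\
    block,\
    t:lowercase,\
    msg:'Remote Command Execution: Suspicious Java method detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# 944260: Spring class-loader manipulation (Spring4Shell-style
# "class.module.classLoader.resources.context.parent.pipeline" property
# path, and FileSystemXmlApplicationContext loading). The pattern is
# case-sensitive (only t:urlDecodeUni is applied), matching the exact
# property/class names the framework resolves.
#
# This rule is also triggered by the following exploit(s):
# - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \
    "id:944260,\
    phase:2,\
    block,\
    t:urlDecodeUni,\
    msg:'Remote Command Execution: Malicious class-loading payload',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


# PL gate: below PL3 skip the rest of the file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#

# Interesting keywords for possibly RCE on vulnerable classes and methods base64 encoded
#
# Same three-alignment trick as 944210: each keyword is base64-encoded with
# 0, 1 and 2 leading NUL bytes of padding, the "=" padding is stripped and
# the alignment-dependent leading characters are dropped, leaving a
# substring that is stable regardless of where the keyword falls inside a
# larger base64 blob. The (Python 2) generator used was:
#
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
# for item in keywords:
#     pad='\x00'
#     for padding in xrange(3):
#         print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
#
# Output (one keyword per line, three alignments each):
#   cnVudGltZQ HJ1bnRpbWU BydW50aW1l
#   cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg
#   Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy
#   Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl
#   aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk
#   aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
#   aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI
#   cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk
#   cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
#   d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
#
# The short 10-character alternatives (the "runtime" ones) are the most
# likely to collide with legitimate base64 data, which is why this sits at
# PL3. Base64 is case-sensitive, so t:none only — no lowercase.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
    "id:944300,\
    phase:2,\
    block,\
    t:none,\
    msg:'Base64 encoded string matched suspicious keyword',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


# PL gate: below PL4 skip the rest of the file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

# This is a stricter sibling of 944150.
# It simply checks for the existence of `${`, taking into account the same encoding evasions
# as 944150. Expect this to fire on any templating syntax, shell-style
# variable references or JSON-ish text that happens to contain "${";
# that is by design for PL4.
#
# Regular expression generated from regex-assembly/944152.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944152
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)" \
    "id:944152,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
    log,\
    msg:'Potential Remote Command Execution: Log4j / Log4shell',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/4',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.7.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"


#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"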