D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
proc
/
self
/
root
/
opt
/
bitninja-waf
/
etc
/
crs
/
rules
/
Filename :
REQUEST-921-PROTOCOL-ATTACK.conf
back
Copy
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:921011,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # -=[ HTTP Request Smuggling ]=- # # [ Rule Logic ] # This rule looks for a comma character in either the Content-Length or Transfer-Encoding # request headers. This character would indicate that there were more than one request header # with this same name. In these instances, Apache treats the data in a similar manner as # multiple cookie values. # # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299 # SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \ "msg:'HTTP Request Smuggling Attack.',\ phase:request,\ id:921100,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ t:none,\ capture,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\ tag:'WASCTC/WASC-26',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Request Smuggling ]=- # # [ Rule Logic ] # This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name. # This would point to an attempt to inject a 2nd request into the request, thus bypassing # tests carried out on the primary request. # # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \ "msg:'HTTP Request Smuggling Attack',\ phase:request,\ id:921110,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Response Splitting ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. # These characters may cause problems if the data is returned in a respones header and # may be interpreted by an intermediary proxy server and treated as two separate # responses. # # [ References ] # http://projects.webappsec.org/HTTP-Response-Splitting # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \ "msg:'HTTP Response Splitting Attack',\ phase:request,\ id:921120,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ t:none,t:urlDecodeUni,t:lowercase,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \ "msg:'HTTP Response Splitting Attack',\ phase:request,\ id:921130,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Header Injection ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, # on their own or in combination with header field names. # These characters may cause problems if the data is returned in a respones header # and interpreted by the client. # The rules are similar to rules defending against the HTTP Request Splitting and # Request Smuggling rules. # # [ References ] # https://en.wikipedia.org/wiki/HTTP_header_injection # SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "(\n|\r)" \ "msg:'HTTP Header Injection Attack via headers',\ phase:request,\ id:921140,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" # Detect newlines in argument names. # Checking for GET arguments has been moved to paranoia level 2 (921151) # in order to mitigate possible false positives. # SecRule ARGS_NAMES "(\n|\r)" \ "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ phase:request,\ id:921150,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',chain" SecRule &TX:BN_XMLRPC_CALL "@eq 0" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \ "msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ phase:request,\ id:921160,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:921013,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # # Detect newlines in GET argument values. # These may point to a HTTP header injection attack, but can also sometimes # occur in benign query parameters. # # See also: rule 921140, 921150 # SecRule ARGS_GET "(\n|\r)" \ "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ phase:request,\ id:921151,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/2',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:921015,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:921016,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # # # -=[ HTTP Parameter Polution ]=- # # [ Rule Logic ] # These rules look for multiple parameters with the same name. # 921170 counts the occurrences of the individual parameters. # 921180 checks if any counter is > 1. # # One HPP attack vector is to try evade signature filters by distributing the # attack payload across multiple parameters with the same name. # This works as many security devices only apply signatures to individual # parameter payloads, however the back-end web application may (in the case # of ASP.NET) consolidate all of the payloads into one thus making the # attack payload active. # # [ References ] # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html # https://capec.mitre.org/data/definitions/460.html # SecRule ARGS_NAMES "." \ "phase:request,\ id:921170,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ pass,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/paramcounter_.*/ "@gt 1" \ "msg:'HTTP Parameter Pollution (%{TX.1})',\ chain,\ phase:request,\ id:921180,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'7',\ accuracy:'8',\ severity:'CRITICAL',\ pass,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'" SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" \ "capture,\ setvar:tx.msg=%{rule.msg},\ setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:921017,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:921018,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"