1. Base rule set
modsecurity_crs_20_protocol_violations.conf: 24 rules
960911 (phase 1): HTTP request line does not conform to the specification
981227 (phase 5): WEBSERVER_ERROR_LOG contains the server error "Invalid URI in request"
960000 (phase 2): abnormal file name; the file name contains a single quote, double quote, semicolon, equals sign or backslash
960912 (phase 2): REQBODY_ERROR, the request body failed to parse
960914 (phase 2): MULTIPART_STRICT_ERROR, a multipart request body failed to parse
960915 (phase 2): MULTIPART_UNMATCHED_BOUNDARY, a multipart request body failed to parse
960016 (phase 1): Content-Length is not numeric
960011 (phase 1): request_method is restricted to a fixed set of values
960012 (phase 1): POST request with a Content-Length of 0
960902 (phase 1): Content-Encoding equals Identity
960022 (phase 1): Expect header contains 100-continue
960020 (phase 2): Pragma is no-cache but there is no Cache-Control header
958291 (phase 2): Range value starts with bytes=0-
958230 (phase 2): Range or Request-Range value matches
(\d+)\-(\d+)\,
958231 (phase 2): Range or Request-Range value matches
^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,
958295 (phase 2): Connection value matches
\b(keep-alive|close),\s?(keep-alive|close)\b
950107 (phase 2): REQUEST_URI matches
\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})
and is checked with validateUrlEncoding
950109 (phase 2): ARGS matches
\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})
in effect a check for multiple encoding (ARGS is already URL-decoded)
950108 (phase 2): when Content-Type matches
^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$
check REQUEST_BODY|XML:/* with validateUrlEncoding
950801 (phase 2): when TX:CRS_VALIDATE_UTF8_ENCODING=1 in modsecurity_crs_10_config.conf, check REQUEST_FILENAME|ARGS|ARGS_NAMES with validateUtf8Encoding
950116 (phase 2): REQUEST_URI|REQUEST_BODY matches
\%u[fF]{2}[0-9a-fA-F]{2}
960014 (phase 2): REQUEST_URI_RAW does not start with https://%{SERVER_NAME}
960901 (phase 2): checks GET/POST argument values, argument names and request headers (excluding Referer) for invalid characters: validateByteRange 1-255
960018 (phase 2): when TX:PARANOID_MODE is 1 in modsecurity_crs_10_config.conf, checks request_uri, request_body and request headers (excluding Referer) for invalid characters: validateByteRange 32-126

modsecurity_crs_21_protocol_anomalies.conf: 9 rules
960008 (phase 2): Host header missing
960007 (phase 2): Host header value empty
960009 (phase 2): User-Agent header missing
960006 (phase 2): User-Agent header value empty
960904 (phase 1): Content-Length is non-zero but there is no Content-Type
960017 (phase 2): Host is an IP address
960015 (phase 2): Accept header missing on a request whose method is not OPTIONS
960021 (phase 2): Accept header value empty on a request whose method is not OPTIONS
960913 (phase 5): RESPONSE_STATUS is 400

modsecurity_crs_23_request_limits.conf: 6 rules
960209 (phase 2): argument name too long; ARG_NAME_LENGTH, set in modsecurity_crs_10_config.conf
960208 (phase 2): argument value too long; ARG_LENGTH, set in modsecurity_crs_10_config.conf
960335 (phase 2): too many arguments; MAX_NUM_ARGS, set in modsecurity_crs_10_config.conf
960341 (phase 2): combined size of all arguments too large; TOTAL_ARG_LENGTH, set in modsecurity_crs_10_config.conf
960342 (phase 2): uploaded file too large; MAX_FILE_SIZE, set in modsecurity_crs_10_config.conf
960343 (phase 2): combined size of all uploaded files too large; COMBINED_FILE_SIZES, set in modsecurity_crs_10_config.conf

modsecurity_crs_30_http_policy.conf: 5 rules
960032 (phase 1): request method must be one of the allowed methods; tx.allowed_methods, set in modsecurity_crs_10_config.conf
960010 (phase 1): for requests whose method is not GET|HEAD|PROPFIND|OPTIONS, Content-Type must be within the allowed set; tx.allowed_request_content_type, set in modsecurity_crs_10_config.conf
960034 (phase 1): HTTP protocol version must be one of the allowed versions; tx.allowed_http_versions, set in modsecurity_crs_10_config.conf
960035 (phase 2): checks whether the file extension of REQUEST_BASENAME, captured with \.(.*)$, appears in tx.restricted_extensions, set in modsecurity_crs_10_config.conf
960038 (phase 2): checks whether REQUEST_HEADERS_NAMES appear in tx.restricted_headers, set in modsecurity_crs_10_config.conf

modsecurity_crs_35_bad_robots.conf, modsecurity_35_bad_robots.conf, modsecurity_35_bad_scanners.conf: 4 rules
990002 (phase 2): User-Agent matches a scanner signature from modsecurity_35_bad_scanners.conf
990901 (phase 2): an acunetix-product request header is present
990902 (phase 2): REQUEST_FILENAME contains nessustest or appscan_fingerprint
990012 (phase 2): User-Agent matches a malicious crawler signature from modsecurity_35_bad_robots.conf

modsecurity_crs_40_generic_attacks.conf, modsecurity_40_generic_attacks.data: 25 rules
950907 (phase 2): OS command execution
960024 (phase 2): command execution; checks whether a GET/POST argument contains 4 or more consecutive non-word characters, "\W{4,}"
950008 (phase 2): ColdFusion injection
950010 (phase 2): LDAP injection
950011 (phase 2): SSI injection
950018 (phase 2): PDF XSS
950019 (phase 2): email injection
950012 (phase 1): HTTP request smuggling; checks whether the Content-Length or Transfer-Encoding request header contains a comma
950910 (phase 2): HTTP response splitting
950911 (phase 2): HTTP response splitting
950117 (phase 2): remote file inclusion; GET/POST arguments are checked against "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
950118 (phase 2): remote file inclusion
950119 (phase 2): remote file inclusion
950120 (phase 2): remote file inclusion
981133 (phase 2): counts matches against modsecurity_40_generic_attacks.data, tx.pm_score=+1
981134 (phase 2): together with 981133, tests TX:PM_SCORE "@eq 0"
950009 (phase 2): session fixation
950003 (phase 2): session fixation
950000 (phase 2): session fixation
950005 (phase 2): access to sensitive information
 "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"
950002 (phase 2): OS command execution
"\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))"
950006 (phase 2): OS command execution
"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))"
959151 (phase 2): PHP code execution
<\?(?!xml)
958976 (phase 2): PHP code execution
"(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b"
958977 (phase 2): PHP code execution; the query string is matched with "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input"

modsecurity_crs_41_sql_injection_attacks.conf: 55 rules, SQL injection
981231 (phase 2): SQL comment sequence
(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)
981260 (phase 2): hex encoding
(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+
981318 (phase 2): probing characters
^[\"'`´’‘;]+|[\"'`´’‘;]+$
981319 (phase 2): SQL operators
"(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))
950901 (phase 2): SQL probing
(?i:([\s'\"`´’‘\(\)]*?)\b([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)\b))
981320 (phase 2): database metadata probing
(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))

981300-981317 (phase 2): cumulative scoring on SQL keywords
select show top distinct from dual where group by order having limit offset union rownum as (case
setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1
blocks once the count reaches 3: TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3"
950007 (phase 2): blind SQL injection
(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))
950001 (phase 2): SQL injection
(?i:\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))
959070 (phase 2): SQL injection
\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')
959071 (phase 2): SQL injection
(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])
959072 (phase 2): SQL injection
(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')
950908 (phase 2): SQL injection
(?i:\b(?:coalesce\b|root\@))
959073 (phase 2): SQL injection
(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))
981172 (phase 2): special characters detected
([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}
981173 (phase 2): special characters detected
([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}
981272 (phase 2): blind SQL injection
(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))
981244 (phase 2): SQL injection
(?i:(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?\b(x?or|div|like|between|and)\b\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘]))
981255 (phase 2): SQL injection
(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´’‘]\s*?!\s*?[\"'`´’‘\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´’‘];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´’‘]))
981257 (phase 2): SQL injection
(?i:(?:,.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())"
981248 (phase 2): SQL injection
(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´’‘=()]))
981277 (phase 2): skipfish integer overflow probe
(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$))
981250 (phase 2): SQL injection
(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))
981241 (phase 2): SQL injection
(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))
981252 (phase 2): SQL injection
(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´’‘];\s*?waitfor\s+time\s+[\"'`´’‘])|(?:[\"'`´’‘];.*?:\s*?goto))
981256 (phase 2): SQL injection
(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())
981245 (phase 2): SQL injection
(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`´’‘-]+from\s+)|(?:find_in_set\s*?\())
981276 (phase 2): SQL injection
(?i:(?:(union(.*?)select(.*?)from)))
981254 (phase 2): SQL injection
(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´’‘]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))
981270 (phase 2): MongoDB injection
(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))
981240 (phase 2): SQL injection
(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´’‘]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())
981249 (phase 2): SQL injection
(?i:(?:[\"'`´’‘]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´’‘]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´’‘]\w)|(?:[\"'`´’‘];\s*?(?:if|while|begin))|(?:[\"'`´’‘][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))
981253 (phase 2): SQL stored procedure injection
(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))
981242 (phase 2): SQL injection
(?i:(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s*?[\"'`´’‘]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´’‘]$)|(?:(?:^[\"'`´’‘\\\\]*?(?:[\d\"'`´’‘]+|[^\"'`´’‘]+[\"'`´’‘]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´’‘][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´’‘]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´’‘\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´’‘].)|(?:\Winformation_schema|table_name\W))
981246 (phase 2): SQL injection
(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´’‘]|[=\d]+x))|([\"'`´’‘]\s*?\d\s*?(?:--|#))|(?:[\"'`´’‘][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´’‘]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?\d.+[\"'`´’‘]?\w)|(?:[\"'`´’‘]\|?[\w-]{3,}[^\w\s.,]+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´’‘]))
981251 (phase 2): SQL UDF
(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))
981247 (phase 2): SQL injection
(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())
981243 (phase 2): SQL injection
(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))

modsecurity_crs_41_xss_attacks.conf: 114 rules, XSS
modsecurity_crs_42_tight_security.conf: 2 rules
950103 (phase 2): directory traversal rule
950103 (phase 2): directory traversal rule

modsecurity_crs_45_trojans.conf: 3 rules
950110 (phase 2): HEADERS_NAMES matches x_(?:key|file)\b
950921 (phase 2): REQUEST_FILENAME matches root\.exe
950922 (phase 4): RESPONSE_BODY is checked against trojan signatures

modsecurity_crs_47_common_exceptions.conf: 3 rules
981021 (phase 2): Apache internal dummy connection
981022 (phase 2): Adobe Flash Player exception
981020 (phase 2): Apache SSL pinger exception

modsecurity_crs_10_setup.conf: CRS rule set configuration, 21 SecAction directives
900001 (phase 1): collaborative detection mode variables, the score assigned to each severity level
 setvar:tx.critical_anomaly_score=5, \
  setvar:tx.error_anomaly_score=4, \
  setvar:tx.warning_anomaly_score=3, \
  setvar:tx.notice_anomaly_score=2, \

900002 (phase 1): collaborative detection mode variables
 setvar:tx.anomaly_score=0, \
  setvar:tx.sql_injection_score=0, \
  setvar:tx.xss_score=0, \
  setvar:tx.inbound_anomaly_score=0, \
  setvar:tx.outbound_anomaly_score=0, \

900003 (phase 1): collaborative detection mode variables
 setvar:tx.inbound_anomaly_score_level=5, \
  setvar:tx.outbound_anomaly_score_level=4, \
900004 (phase 1): collaborative detection (Collaborative Detection) mode variables
 setvar:tx.anomaly_score_blocking=on

With this option on, modsecurity_crs_49_inbound_blocking.conf checks the inbound anomaly score and modsecurity_crs_59_outbound_blocking.conf checks the outbound anomaly score
900005 (phase 1): regression testing mode (Regression Testing Mode) variables
 ctl:ruleEngine=DetectionOnly,
  setvar:tx.regression_testing=1

900006 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.max_num_args=255,
900007 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.arg_name_length=100
900008 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.arg_length=400
900009 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.total_arg_length=64000,
900010 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.max_file_size=1048576
900011 (phase 1): HTTP policy variable, used in modsecurity_common_23_request_limits.conf
 setvar:tx.combined_file_sizes=1048576,
900012 (phase 1): HTTP policy variables, used in modsecurity_crs_30_http_policy.conf
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
900013 (phase 1): CSP settings
 setvar:tx.csp_report_only=1, \
  setvar:tx.csp_report_uri=/csp_violation_report, \
  setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
900014 (phase 1): brute-force protection settings
  setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \

900015 (phase 1): DoS protection settings
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=100', \
  setvar:'tx.dos_block_timeout=600', \
900016 (phase 1): UTF-8 validation setting
  setvar:tx.crs_validate_utf8_encoding=1, \
900017 (phase 1): whether XML request bodies are parsed
900018 (phase 1): global and IP collections
 REQUEST_HEADERS:User-Agent "^(.*)$" \
  setvar:tx.ua_hash=%{matched_var}, \
900019 (phase 1): global and IP collections
 REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
  setvar:tx.real_ip=%{tx.1},
900020 (phase 1): global and IP collections
 &TX:REAL_IP "!@eq 0"
  initcol:global=global, \
  initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
900021 (phase 1): global and IP collections
 &TX:REAL_IP "@eq 0"
  initcol:global=global, \
  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
  setvar:tx.real_ip=%{remote_addr}, \

modsecurity_crs_49_inbound_blocking.conf: 2 rules
981175 (phase 2): anomaly_score_blocking=on, anomaly_score>0, RESOURCE:OSVDB_VULNERABLE>1
981176 (phase 2): anomaly_score_blocking=on, anomaly_score>0, anomaly_score>inbound_anomaly_score_level
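To make the collaborative detection mechanism concrete, here is an added Python model (not part of this page or of the CRS itself) that runs four of the page's SQLi regexes and the 981300-981317 keyword counter over constructed argument values, accumulates tx.anomaly_score with the severity scores from 900001, and applies the 981176 threshold from 900003. The severity attached to each rule and the one-hit-per-value scoring are this example's assumptions; the page does not state them.

```python
import re

# Severity scores and thresholds as this page lists them: SecAction 900001
# (critical=5, warning=3), 900003 (inbound level=5) and the 981300-981317
# keyword counter, which blocks at TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3".
CRITICAL_ANOMALY_SCORE = 5
WARNING_ANOMALY_SCORE = 3
INBOUND_ANOMALY_SCORE_LEVEL = 5
SQLI_SELECT_STATEMENT_LEVEL = 3

# Four of the page's own SQLi regexes. The severity given to each rule is an
# assumption of this example; the page does not state per-rule severities.
SQLI_RULES = [
    ("981231", "SQL comment sequence", CRITICAL_ANOMALY_SCORE,
     r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)"),
    ("981260", "hex-encoded value", CRITICAL_ANOMALY_SCORE,
     r"(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+"),
    ("981318", "probing character at start or end", WARNING_ANOMALY_SCORE,
     r"^[\"'`´’‘;]+|[\"'`´’‘;]+$"),
    ("981272", "sleep()/benchmark() blind SQLi", CRITICAL_ANOMALY_SCORE,
     r"(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))"),
]
COMPILED_RULES = [(rid, msg, sev, re.compile(rx)) for rid, msg, sev, rx in SQLI_RULES]

# Keywords counted by 981300-981317, one regex per entry of the page's list
# (grouping them as "group by", "order by" and "(case" is this example's reading).
SQL_KEYWORD_RES = [re.compile(r"\b" + kw + r"\b", re.I) for kw in (
    "select", "show", "top", "distinct", "from", "dual", "where", "group by",
    "order by", "having", "limit", "offset", "union", "rownum", "as")]
SQL_KEYWORD_RES.append(re.compile(r"\(\s*case\b", re.I))


def score_request(args):
    """Phase-2 model: run every rule over every ARGS value and accumulate the
    TX variables the CRS keeps. A rule is credited once per value it matches."""
    tx = {"anomaly_score": 0, "sql_injection_score": 0,
          "sqli_select_statement_count": 0, "matched": []}
    for name, value in args.items():
        for rid, msg, sev, rx in COMPILED_RULES:
            if rx.search(value):
                tx["anomaly_score"] += sev
                tx["sql_injection_score"] += sev
                tx["matched"].append((rid, "ARGS:" + name, msg))
        for rx in SQL_KEYWORD_RES:
            if rx.search(value):
                # setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1
                tx["sqli_select_statement_count"] += 1
                tx["sql_injection_score"] += 1
    return tx


def inbound_decision(tx, anomaly_score_blocking="on"):
    """Model of 981176 in modsecurity_crs_49_inbound_blocking.conf plus the
    keyword-count threshold. The CRS rule compares the score to the level with
    @ge, so one critical hit (5) already reaches level 5, while one warning
    hit (3) is only logged. With blocking off nothing is denied."""
    reasons = []
    if 0 < tx["anomaly_score"] and tx["anomaly_score"] >= INBOUND_ANOMALY_SCORE_LEVEL:
        reasons.append("inbound anomaly score %d >= %d"
                       % (tx["anomaly_score"], INBOUND_ANOMALY_SCORE_LEVEL))
    if tx["sqli_select_statement_count"] >= SQLI_SELECT_STATEMENT_LEVEL:
        reasons.append("sqli_select_statement_count %d >= %d"
                       % (tx["sqli_select_statement_count"], SQLI_SELECT_STATEMENT_LEVEL))
    if anomaly_score_blocking != "on":
        return ("log", reasons)  # DetectionOnly: record, never deny
    return ("deny" if reasons else "pass", reasons)


if __name__ == "__main__":
    # Constructed sample requests (ARGS name -> value), not taken from any log.
    samples = [
        {"id": "42", "comments": "O'Brien wrote this"},
        {"id": "hello'"},
        {"article_id": "1' union select top 1 name from dual-- -"},
        {"id": "0x41424344"},
    ]
    for args in samples:
        tx = score_request(args)
        action, reasons = inbound_decision(tx)
        print(action, tx["anomaly_score"], tx["sqli_select_statement_count"],
              [m[0] for m in tx["matched"]], reasons)
```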

modsecurity_crs_50_outbound.conf: 29 rules
detects error messages, warnings and directory listings in response_body, and 5xx RESPONSE_STATUS errors
modsecurity_crs_59_outbound_blocking.conf: 1 rule
981200 (phase 4): anomaly_score_blocking=on, outbound_anomaly_score>outbound_anomaly_score_level

modsecurity_crs_60_correlation.conf: 5 rules
correlation checks

2. SLR rule set
Note 1: the data files all list the file paths of the vulnerable applications
Note 2: detection first checks whether the requested file path appears in the data file; only if it does is the next test run, otherwise this rule set's checks are skipped
modsecurity_crs_46_slr_et_xss_attacks.conf, modsecurity_46_slr_et_xss.data: 240 rules
XSS vulnerabilities in various applications
setvar:'tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}'"
200 of them test
 &TX:'/XSS.*ARGS:id/'
modsecurity_crs_46_slr_et_joomla_attacks.conf, modsecurity_46_slr_et_joomla.data: 273 rules
Joomla vulnerability protection
modsecurity_crs_46_slr_et_lfi_attacks.conf, modsecurity_46_slr_et_lfi.data: 192 rules
local file inclusion vulnerabilities in various applications
in modsecurity_crs_42_tight_security.conf:
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'
29 of them test
&TX:'/DIR_TRAVERSAL.*ARGS:path/'
modsecurity_crs_46_slr_et_phpbb_attacks.conf, modsecurity_46_slr_et_phpbb.data: 26 rules
phpBB vulnerability protection
modsecurity_crs_46_slr_et_rfi_attacks.conf, modsecurity_46_slr_et_rfi.data: 589 rules
remote file inclusion vulnerabilities in various applications
setvar:'tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}'"
386 of them test
&TX:'/RFI.*ARGS:pathForArdeaCore/'
modsecurity_crs_46_slr_et_sqli_attacks.conf, modsecurity_46_slr_et_sqli.data: 663 rules
setvar:'tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}'"
when triggered this sets, for example,
tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments
603 of them test
&TX:'/SQL_INJECTION.*ARGS:article_id/'
modsecurity_crs_46_slr_et_wordpress_attacks.conf, modsecurity_46_slr_et_wordpress.data: 105 rules
WordPress vulnerability protection

3. Optional rule set
modsecurity_crs_10_ignore_static.conf: 6 rules; static files bypass WAF inspection (the rules below go by file extension alone, so if the server has a file-parsing vulnerability this is fatal)
900040 (phase 2): GET/HEAD requests without arguments pass straight through
900041 (phase 2): GET/HEAD requests without arguments pass straight through, skipping the checks below
900042 (phase 2): REQUEST_FILENAME matching \.(?:(?:jpe?|pn)g|gif|ico)$ passes straight through
900043 (phase 2): REQUEST_FILENAME matching \.(?:doc|pdf|txt|xls)$ passes straight through
999005 (phase 2): REQUEST_FILENAME matching \.(?:(?:cs|j)s|html?)$ passes straight through
999006 (phase 2): REQUEST_FILENAME matching \.(?:mp(?:e?g|3)|avi|flv|swf|wma)$ passes straight through

modsecurity_crs_11_avs_traffic.conf: 3 rules in total; IP whitelist for AVS (authorized vulnerability scanners)
modsecurity_crs_13_xml_enabler.conf: 1 rule; phase 1, when Content-Type is text/xml, enables requestBodyProcessor=XML
modsecurity_crs_16_authentication_tracking.conf: 2 rules in total; phase 3, logs successful and failed login requests
modsecurity_crs_16_session_hijacking.conf: 14 rules in total; session hijacking detection
modsecurity_crs_16_username_tracking.conf: 3 rules in total; phase 2, password complexity check
modsecurity_crs_25_cc_known.conf: 20 rules in total; verifyCC, credit card number validation
modsecurity_crs_42_comment_spam.conf, modsecurity_42_comment_spam.data: 9 rules in total; comment spam detection
modsecurity_crs_43_csrf_protection.conf: 3 rules in total; enables CSRF protection, used together with modsecurity_crs_16_session_hijacking.conf; injects the CSRF token with the content-injection action append
modsecurity_crs_46_av_scanning.conf: 1 rule; scans for viruses with the external script /bin/runAV
modsecurity_crs_47_skip_outbound_checks.conf: 1 rule; complements modsecurity_crs_10_ignore_static.conf
modsecurity_crs_49_header_tagging.conf: 2 rules; injects the WAF rule matches into request headers through the Apache RequestHeader directive, so the application behind it can process them further
modsecurity_crs_55_application_defects.conf: 27 rules
(1) Content-Type header has no charset, HTML meta has no charset
(2) charset in Content-Type or HTML meta is not set to utf-8
(3) charset in Content-Type and HTML meta do not agree
(4) Set-Cookie Domain is set too loosely
(5) Set-Cookie lacks httponly, and fixes it
(6) Set-Cookie lacks secure, and fixes it
(7) Cache-Control response header lacks no-store
(8) Content-Type response header missing or empty
(9) X-XSS-Protection security header set to 0
(10) X-FRAME-OPTIONS security header missing or set to allow
(11) X-Content-Type-Options security header missing or not set to nosniff
(12) response body contains potential XSS metacharacters [\'\"\(\)\;<>#]
modsecurity_crs_55_marketing.conf: 3 rules; logs visits by the MSN/Google/Yahoo robots

4. Experimental rules
modsecurity_crs_11_brute_force.conf: 8 rules, brute-force protection
modsecurity_crs_11_dos_protection.conf: 6 rules, DoS protection
modsecurity_crs_11_proxy_abuse.conf: 1 rule, checks whether X-Forwarded-For is a known malicious proxy IP (IP blacklist)
modsecurity_crs_11_slow_dos_protection.conf: 2 rules, slow HTTP DoS attacks
modsecurity_crs_16_scanner_integration.conf: 2 rules, used together with
modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
(1) IP whitelist for User-Agent: Arachni
(2) calls arachni_integration.lua, which drives the Arachni scanner API for detection
modsecurity_crs_25_cc_track_pan.conf: 3 rules, detects credit card data in the response body
modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf: 3 rules
first sets
resource.min_pattern_threshold=50
resource.min_traffic_threshold=100
then
phase 2: enforcement check
phase 5: profiling analysis

modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
calls the script appsensor_request_exception_enforce.lua
enforcement rules:
(1) request method
HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT
RESOURCE.enforce_request_methods
(2) number of arguments
RESOURCE.MinNumOfArgs
RESOURCE.MaxNumOfArgs
RESOURCE.enforce_num_of_args
(3) argument names
RESOURCE.enforce_args_names
(4) argument length
RESOURCE._length_min
RESOURCE._length_max
(5) argument character classes
RESOURCE.enforce_charclass_email
RESOURCE.enforce_charclass_digits
RESOURCE.enforce_charclass_url
RESOURCE.enforce_charclass_path
RESOURCE.enforce_charclass_flag
RESOURCE.enforce_charclass_alphas
RESOURCE.enforce_charclass_alphanumeric
RESOURCE.enforce_charclass_safetext

appsensor_request_exception_profile.lua

modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf: sets a honeytrap using a hidden parameter
modsecurity_crs_40_appsensor_detection_point_3.0_end.conf

modsecurity_crs_40_http_parameter_pollution.conf: 1 rule, detects HTTP parameter pollution
modsecurity_crs_42_csp_enforcement.conf: 4 rules, CSP policy settings
modsecurity_crs_46_scanner_integration.conf: 2 rules, uses
modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
to track
resource.xss_vulnerable_params
resource.sqli_vulnerable_params
modsecurity_crs_48_bayes_analysis.conf
https://blog.spiderlabs.com/2012/09/web-application-defense-bayesian-attack-analysis.html
uses external scripts to apply Bayesian analysis to HTTP requests and separate benign from malicious ones:
bayes_check_spam.lua
bayes_train_ham.lua (HAM = non-malicious HTTP request)
bayes_train_spam.lua (SPAM = HTTP attack payloads)
modsecurity_crs_55_response_profiling.conf: 11 rules; uses profile_page_scripts.lua to strip
<script
<iframe
a href
<img
from the HTTP response
modsecurity_crs_56_pvi_checks.conf: 2 rules; uses osvdb.lua to check whether REQUEST_FILENAME appears in the OSVDB vulnerability database

modsecurity_crs_61_ip_forensics.conf: 4 rules; uses gather_ip_data.lua to collect nslookup and whois information for the IP, then looks up GEO information for suspicious IPs with the IP database from https://www.maxmind.com/app/geoip


Reference:
https://github.com/SpiderLabs/owasp-modsecurity-crs