| modsecurity_crs_20_protocol_violations.conf | 24条规则
| 960911 | 阶段1检测,不符合规范的HTTP Request Line | | 981227 | 阶段5检测,WEBSERVER_ERROR_LOG 服务器错误
Invalid URI in request | | 960000 | 阶段2检测,异常的文件名,文件名包含
单引号,双引号,分号,等号,反斜杠 | | 960912 | 阶段2检测,REQBODY_ERROR
请求体解析错误 | | 960914 | 阶段2检测,MULTIPART_STRICT_ERROR
multipart类型的请求体解析错误 | | 960915 | 阶段2检测,MULTIPART_UNMATCHED_BOUNDARY
multipart类型的请求体解析错误 | | 960016 | 阶段1检测,Content-Length不是数字 | | 960011 | 阶段1检测,request_method取值范围限定 | | 960012 | 阶段1检测,POST请求,Content-Length为0 | | 960902 | 阶段1检测,Content-Encoding等于Identity | | 960022 | 阶段1检测,Expect包含100-continue | | 960020 | 阶段2检测,Pragma取值no-cache时,没有Cache-Control头 | | 958291 | 阶段2检测, Range取值以 bytes=0-开始 | | 958230 | 阶段2检测, Range 或者 Request-Range取值格式为 (\d+)\-(\d+)\, | | 958231 | 阶段2检测,Range 或者 Request-Range取值格式为 ^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\, | | 958295 | 阶段2检测,Connection取值格式为
\b(keep-alive|close),\s?(keep-alive|close)\b | | 950107 | 阶段2检测,REQUEST_URI取值格式为
\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})
是否符合validateUrlEncoding | | 950109 | 阶段2检测,ARGS取值格式为
\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})
实际是多重编码的检测(ARGS本身就是url解码后的) | | 950108 | 阶段2检测,Content-Type取值为 ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$ REQUEST_BODY|XML:/* 是否符合validateUrlEncoding | | 950801 | 阶段2检测,当modsecurity_crs_10_config.conf中TX:CRS_VALIDATE_UTF8_ENCODING =1的情况下,验证
REQUEST_FILENAME|ARGS|ARGS_NAMES
是否符合validateUtf8Encoding
| | 950116 | 阶段2检测, REQUEST_URI|REQUEST_BODY
的取值格式为
\%u[fF]{2}[0-9a-fA-F]{2} | | 960014 | 阶段2检测,REQUEST_URI_RAW 的的不是以
https://%{SERVER_NAME}
开头 | | 960901 | 阶段2检测,检查GET/POST参数值,参数名,请求头(不包括Referer)是否有无效字符
validateByteRange 1-255 | | 960018 | 阶段2检测,当modsecurity_crs_10_config.conf中
TX:PARANOID_MODE 为1时,检查request_uri,request_body,请求头(不包括referer)是否有无效字符
validateByteRange 32-126
|
|
| modsecurity_crs_21_protocol_anomalies.conf | 9条规则
| 960008 | 阶段2检测,Host头为空 | | 960007 | 阶段2检测,Host取值为空 | | 960009 | 阶段2检测,User-Agent头为空 | | 960006 | 阶段2检测,User-Agent取值为空 | | 960904 | 阶段1检测, Content-Length不为0,但没有Content-Type | | 960017 | 阶段2检测,Host为IP地址 | | 960015 | 阶段2检测,非OPTIONS请求方法,Accept头为空 | | 960021 | 阶段2检测,非OPTIONS请求方法,Accept取值为空 | | 960913 | 阶段5检测,RESPONSE_STATUS响应状态码为400 |
|
| modsecurity_crs_23_request_limits.conf | 6条规则
| 960209 | 阶段2检测,参数名太长
在modsecurity_crs_10_config.conf中设置
ARG_NAME_LENGTH
| | 960208 | 阶段2检测,参数值太长
在modsecurity_crs_10_config.conf中设置
ARG_LENGTH | | 960335 | 阶段2检测,参数个数太多
在modsecurity_crs_10_config.conf中设置
MAX_NUM_ARGS | | 960341 | 阶段2检测,参数的总大小太大
TOTAL_ARG_LENGTH | | 960342 | 阶段2检测,上传文件太大
在modsecurity_crs_10_config.conf中设置
MAX_FILE_SIZE | | 960343 | 阶段2检测,上传文件的总大小太大
在modsecurity_crs_10_config.conf中设置
COMBINED_FILE_SIZES |
|
| modsecurity_crs_30_http_policy.conf | 5条规则
| 960032 | 阶段1检测,请求方法是否为允许的请求方法
在modsecurity_crs_10_config.conf中设置
tx.allowed_methods | | 960010 | 阶段1检测,非GET|HEAD|PROPFIND|OPTIONS的 HTTP请求的Content-Type是否为允许的范围
在modsecurity_crs_10_config.conf中设置
tx.allowed_request_content_type | | 960034 | 阶段1检测,http协议是否为允许的协议版本
在modsecurity_crs_10_config.conf中设置
tx.allowed_http_versions | | 960035 | 阶段2检测,REQUEST_BASENAME \.(.*)$ 文件后缀是否为
在modsecurity_crs_10_config.conf中设置
tx.restricted_extensions | | 960038 | 阶段2检测,REQUEST_HEADERS_NAMES 是否为允许的请求头
在modsecurity_crs_10_config.conf中设置
tx.restricted_headers |
|
modsecurity_crs_35_bad_robots.conf
modsecurity_35_bad_robots.conf
modsecurity_35_bad_scanners.conf | 4条规则
| 990002 | 阶段2检测,ua符合modsecurity_35_bad_scanners.conf 扫描器的UA特征 | | 990901 | 阶段2检测, 存在acunetix-product请求头 | | 990902 | 阶段2检测,REQUEST_FILENAME包含nessustest appscan_fingerprint | | 990012 | 阶段2检测,ua符合modsecurity_35_bad_robots.conf恶意爬虫UA特征 |
|
modsecurity_crs_40_generic_attacks.conf
modsecurity_40_generic_attacks.data | 25条规则
| 950907 | 阶段2检测,系统命令执行 | | 960024 | 阶段2检测,命令执行,
检查参数(GET/POST) 是不是连续的4个非字符 "\W{4,}" | | 950008 | 阶段2检测,Coldfusion Injection | | 950010 | 阶段2检测,LDAP Injection | | 950011 | 阶段2检测,SSI injection | | 950018 | 阶段2检测,PDF XSS | | 950019 | 阶段2检测,Email Injection | | 950012 | 阶段1检测,HTTP Request Smuggling
检查请求头Content-Length|Transfer-Encoding) 是否包含逗号, | | 950910 | 阶段2检测, HTTP响应拆分 | | 950911 | 阶段2检测, HTTP响应拆分 | | 950117 | 阶段2检测, 远程文件包含
检查参数(GET/POST) "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | | 950118 | 阶段2检测,远程文件包含
| | 950119 | 阶段2检测,远程文件包含 | | 950120 | 阶段2检测,远程文件包含 | | 981133 | 阶段2检测
匹配命中modsecurity_40_generic_attacks.data的次数
tx.pm_score=+1 | | 981134 | 阶段2检测,与981133一起,计算TX:PM_SCORE "@eq 0" | | 950009 | 阶段2检测,会话固定 | | 950003 | 阶段2检测,会话固定 | | 950000 | 阶段2检测,会话固定 | | 950005 | 阶段2检测,访问敏感信息
"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" | | 950002 | 阶段2检测,系统命令执行
"\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" | | 950006 | 阶段2检测,系统命令执行
"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" | | 959151 | 阶段2检测,PHP代码执行
<\?(?!xml) | | 958976 | 阶段2检测 ,PHP代码执行
"(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" | | 958977 | 阶段2检测,PHP代码执行
查询字符串 "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input" |
|
| modsecurity_crs_41_sql_injection_attacks.conf | 55条规则,sql注入
| 981231 | 阶段2检测,sql注释
(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00) | | 981260 | 阶段2检测,十六进制
(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+ | | 981318 | 阶段2检测, 探测字符
^[\"'`´’‘;]+|[\"'`´’‘;]+$ | | 981319 | 阶段2检测,sql操作符
"(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary)) | | 950901 | 阶段2检测,sql探测
(?i:([\s'\"`´’‘\(\)]*?)\b([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)\b)) | | 981320 | 阶段2检测,数据库元信息探测
(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))
| | 981300-981317 | 阶段2检测,根据SQL 关键字,累计计算分数
select show top distinct from dual where group by order having limit offset union rownum as (case
setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1
当分数大于等于3时进行阻塞,TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" | | 950007 | 阶段2检测,SQL盲注
(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\())) | | 950001 | 阶段2检测,SQL注入
(?i:\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)')) | | 959070 | 阶段2检测,SQL注入
\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}') | | 959071 | 阶段2检测,SQL注入
(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]) | | 959072 | 阶段2检测,SQL注入
(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}') | | 950908 | 阶段2检测,SQL注入 (?i:\b(?:coalesce\b|root\@)) | | 959073 | 阶段2检测,SQL注入 (?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)')) | | 981172 | 阶段2检测,特殊字符检测到
([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,} | | 981173 | 阶段2检测,特殊字符检测到
([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,} | | 981272 | 阶段2检测, SQL盲注
(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\))) | | 981244 | 阶段2检测,SQL注入
(?i:(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?\b(x?or|div|like|between|and)\b\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘])) | | 981255 | 阶段2检测,SQL注入
(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´’‘]\s*?!\s*?[\"'`´’‘\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´’‘];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´’‘])) | | 981257 | 阶段2检测,SQL注入
(?i:(?:,.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" | | 981248 | 阶段2检测,SQL注入 (?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´’‘=()])) | | 981277 | 阶段2检测,skipfish整数溢出探测
(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.90738585072007e-308|1e309)$)) | | 981250 | 阶段2检测,SQL注入
(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+)) | | 981241 | 阶段2检测,SQL注入 (?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~])) | | 981252 | 阶段2检测,SQL注入
(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´’‘];\s*?waitfor\s+time\s+[\"'`´’‘])|(?:[\"'`´’‘];.*?:\s*?goto)) | | 981256 | 阶段2检测,SQL注入
(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\()) | | 981245 | 阶段2检测,SQL注入
(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`´’‘-]+from\s+)|(?:find_in_set\s*?\()) | | 981276 | 阶段2检测,SQL注入
(?i:(?:(union(.*?)select(.*?)from))) | | 981254 | 阶段2检测,SQL注入
(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´’‘]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{))) | | 981270 | 阶段2检测,MongoDB注入
(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\])) |
| 981240 | 阶段2检测,SQL注入
(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´’‘]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\()) | | 981249 | 阶段2检测,SQL注入
(?i:(?:[\"'`´’‘]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´’‘]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´’‘]\w)|(?:[\"'`´’‘];\s*?(?:if|while|begin))|(?:[\"'`´’‘][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(])) | | 981253 | 阶段2检测,SQL存储过程注入
(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@)) | | 981242 | 阶段2检测,SQL注入 (?i:(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s*?[\"'`´’‘]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´’‘]$)|(?:(?:^[\"'`´’‘\\\\]*?(?:[\d\"'`´’‘]+|[^\"'`´’‘]+[\"'`´’‘]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´’‘][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´’‘]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´’‘\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´’‘].)|(?:\Winformation_schema|table_name\W)) | | 981246 | 阶段2检测,SQL注入
(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´’‘]|[=\d]+x))|([\"'`´’‘]\s*?\d\s*?(?:--|#))|(?:[\"'`´’‘][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´’‘]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?\d.+[\"'`´’‘]?\w)|(?:[\"'`´’‘]\|?[\w-]{3,}[^\w\s.,]+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´’‘])) | | 981251 | 阶段2检测,SQL UDF
(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,})) | | 981247 | 阶段2检测,SQL注入
(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\()) | | 981243 | 阶段2检测,SQL注入
(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,])) |
|
| modsecurity_crs_41_xss_attacks.conf | 114条规则,xss |
| modsecurity_crs_42_tight_security.conf | 2条规则
| 950103 | 阶段2检测,目录遍历规则 | | 950103 | 阶段2检测,目录遍历规则
|
|
| modsecurity_crs_45_trojans.conf | 3条规则
| 950110 | 阶段2检测,HEADERS_NAMES为x_(?:key|file)\b | | 950921 | 阶段2检测,REQUEST_FILENAME 为root\.exe | | 950922 | 阶段4检测,检查RESPONSE_BODY是否符合特征 |
|
| modsecurity_crs_47_common_exceptions.conf | 3条规则
| 981021 | 阶段2检测,Apache internal dummy connection
| | 981022 | 阶段2检测,Adobe Flash Player异常
| | 981020 | 阶段2检测,Apache SSL pinger异常 |
|
| modsecurity_crs_10_setup.conf | CRS规则集配置
21条SecAction
| 900001 | 协作检测模式变量设置,安全级别的分数设置
阶段1
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2, \
| | 900002 | 协作检测模式变量设置 阶段1 setvar:tx.anomaly_score=0, \
setvar:tx.sql_injection_score=0, \
setvar:tx.xss_score=0, \
setvar:tx.inbound_anomaly_score=0, \
setvar:tx.outbound_anomaly_score=0, \
| | 900003 | 协作检测模式变量设置 阶段1 setvar:tx.inbound_anomaly_score_level=5, \
setvar:tx.outbound_anomaly_score_level=4, \ | | 900004 | 协作检测模式Collaborative Detection变量设置 阶段1 setvar:tx.anomaly_score_blocking=on
当开启开选项后,在 modsecurity_crs_49_inbound_blocking.conf检测 Inbound anomaly score modsecurity_crs_59_outbound_blocking.conf检测Outbound anomaly score | | 900005 | 回归测试模式Regression Testing Mode变量设置
阶段1
ctl:ruleEngine=DetectionOnly,
setvar:tx.regression_testing=1
| | 900006 | HTTP策略相关变量设置
阶段1
在modsecurity_common_23_request_limits.conf使用
setvar:tx.max_num_args=255, | | 900007 | HTTP策略相关变量设置
阶段1 在modsecurity_common_23_request_limits.conf使用 setvar:tx.arg_name_length=100 | | 900008 | HTTP策略相关变量设置
阶段1 在modsecurity_common_23_request_limits.conf使用 setvar:tx.arg_length=400 | | 900009 | HTTP策略相关变量设置
阶段1 在modsecurity_common_23_request_limits.conf使用 setvar:tx.total_arg_length=64000, | | 900010 | HTTP策略相关变量设置
阶段1 在modsecurity_common_23_request_limits.conf使用 setvar:tx.max_file_size=1048576 | | 900011 | HTTP策略相关变量设置
阶段1 在modsecurity_common_23_request_limits.conf使用 setvar:tx.combined_file_sizes=1048576, | | 900012 | HTTP策略相关变量设置 阶段1 在modsecurity_crs_30_http_policy.conf使用 setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \ | | 900013 | CSP设置
阶段1
setvar:tx.csp_report_only=1, \
setvar:tx.csp_report_uri=/csp_violation_report, \
setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ | | 900014 | 暴力破解设置
阶段1
setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=10', \
setvar:'tx.brute_force_block_timeout=300', \
| | 900015 | DoS保护设置
阶段1
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=100', \
setvar:'tx.dos_block_timeout=600', \ | | 900016 | UTF-8检测设置
阶段1
setvar:tx.crs_validate_utf8_encoding=1, \ | | 900017 | 是否解析XML请求体设置
阶段1 | | 900018 | Global and IP Collections
阶段1
QUEST_HEADERS:User-Agent "^(.*)$" \
setvar:tx.ua_hash=%{matched_var}, \ | | 900019 | Global and IP Collections
阶段1
REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
setvar:tx.real_ip=%{tx.1}, | | 900020 | Global and IP Collections
阶段1
&TX:REAL_IP "[email protected] 0"
initcol:global=global, \
initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ | | 900021 | Global and IP Collections
阶段1
&TX:REAL_IP "@eq 0"
initcol:global=global, \
initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
setvar:tx.real_ip=%{remote_addr}, \ |
|
| modsecurity_crs_49_inbound_blocking.conf | 2条规则
| 981175 | 阶段2 anomaly_score_blocking=on
anomaly_score>0 RESOURCE:OSVDB_VULNERABLE>1 | | 981176 | 阶段2
anomaly_score_blocking=on
anomaly_score>0
anomaly_score>inbound_anomaly_score_level |
|
| modsecurity_crs_50_outbound.conf | 29条规则
检测response_body中的错误信息,警告信息,列目录信息
RESPONSE_STATUS 5xx错误 |
| modsecurity_crs_59_outbound_blocking.conf | 1条规则
| 981200 | 阶段4
anomaly_score_blocking=on
outbound_anomaly_score>outbound_anomaly_score_level |
|
| modsecurity_crs_60_correlation.conf | 5条规则
相关性检测
|