[mod-security-users] (no subject)
From: Ehsan M. <ehs...@gm...> - 2015-01-17 07:43:48
Dear All, hi
For a specific URI and argument, I do not want rule 960209 to fire.
The URI is : /fa/views/ajax
I think the argument
is: ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]
Rule 960209 checks the argument name length; with my settings it fires when
the length is greater than 100.
I wrote a rule like: SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=
960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/
modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"
It fires before rule 960209 (id 2001 is logged ahead of 960209 in the audit log below), but the target exclusion has no effect.
I have highlighted these rules in the audit trail below.
What is the problem?
Thanks in advance
--
regards
E.M
--VLegPn8AAAEAAFB4UbkAAAEB-A--
[15/Jan/2015:14:40:56 +0330] VLegPn8AAAEAAFB4UbkAAAEB 37.254.173.219 18552
176.101.52.98 80
--VLegPn8AAAEAAFB4UbkAAAEB-B--
POST /fa/views/ajax HTTP/1.1
Referer: http://mysite/fa/session-archivs
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.7,fa;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like
Gecko
Host: mysite
Content-Length: 8050
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: has_js=1
--VLegPn8AAAEAAFB4UbkAAAEB-C--
field_session_date2_value%5Bmin%5D%5Bdate%5D=&field_session_date2_value%5Bmin%5D%5Bdatex_edit_field_session_date2_value_min%5D=1393-10-25&field_session_date2_value%5Bmax%5D%5Bdate%5D=&field_session_date2_value%5Bmax%5D%5Bdatex_edit_field_session_date2_value_max%5D=1393-10-25&view_name=session_news&view_display_id=page_2&view_args=&view_path=session-archivs&view_base_path=session-archivs&view_dom_id=597b60253f25979c3f6421ceff3d1f38&pager_element=0&ajax_html_ids%5B%5D=wrapper&ajax_html_ids%5B%5D=header&ajax_html_ids%5B%5D=logofa&ajax_html_ids%5B%5D=slogan-fa&ajax_html_ids%5B%5D=uni-title&ajax_html_ids%5B%5D=department-fa&ajax_html_ids%5B%5D=dheader&ajax_html_ids%5B%5D=block-search-form&ajax_html_ids%5B%5D=search-block-form&ajax_html_ids%5B%5D=edit-search-block-form--2&ajax_html_ids%5B%5D=edit-actions&ajax_html_ids%5B%5D=edit-submit&ajax_html_ids%5B%5D=block-block-14&ajax_html_ids%5B%5D=main-menu&ajax_html_ids%5B%5D=container&ajax_html_ids%5B%5D=content&ajax_html_ids%5B%5D=breadcrumbs&ajax_html_ids%5B%5D=post-content&ajax_html_ids%5B%5D=views-exposed-form-session-news-page-2&ajax_html_ids%5B%5D=edit-field-session-date2-value-wrapper&ajax_html_ids%5B%5D=edit-field-session-date2-value-min-wrapper&ajax_html_ids%5B%5D=edit-field-session-date2-value-min-inside-wrapper&ajax_html_ids%5B%5D=edit-field-session-date2-value-min&ajax_html_ids%5B%5D=edit-field-session-date2-value-min-datepicker-popup-0&ajax_html_ids%5B%5D=edit-field-session-date2-value-min-datex-edit-field-session-date2-value-min&ajax_html_ids%5B%5D=edit-field-session-date2-value-max-wrapper&ajax_html_ids%5B%5D=edit-field-session-date2-value-max-inside-wrapper&ajax_html_ids%5B%5D=edit-field-session-date2-value-max&ajax_html_ids%5B%5D=edit-field-session-date2-value-max-datepicker-popup-0&ajax_html_ids%5B%5D=edit-field-session-date2-value-max-datex-edit-field-session-date2-value-max&ajax_html_ids%5B%5D=edit-submit-session-news&ajax_html_ids%5B%5D=footer&ajax_html_ids%5B%5D=footer-area&ajax_html_ids%5B%5D=block-block-
15&ajax_html_ids%5B%5D=copyright&ajax_page_state%5Btheme%5D=professional_theme&ajax_page_state%5Btheme_token%5D=k8f9oKh7ItaD8TB5aAai0FjBBr5mLTnTdST58LPERsw&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.base.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.base-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.menus.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.menus-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.messages.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.messages-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.theme.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsystem%2Fsystem.theme-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.core.css%5D=1&ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.theme.css%5D=1&ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.accordion.css%5D=1&ajax_page_state%5Bcss%5D%5Bmisc%2Fui%2Fjquery.ui.datepicker.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdate_popup%2Fthemes%2Fjquery.timeentry.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fcomment%2Fcomment.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fcomment%2Fcomment-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdate_api%2Fdate.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdate_api%2Fdate-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdate_popup%2Fthemes%2Fdatepicker.1.7.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdate-time-field%2Fcss%2Fsmoothness%2Fjquery-ui-1.8.14.custom.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Ffield%2Ftheme%2Ffield.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Ffield%2Ftheme%2Ffield-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fnode%2Fnode.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fpoll%2Fpoll.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fpoll%2Fpoll-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fsearch%2Fsearch.css%5D=1&aja
x_page_state%5Bcss%5D%5Bmodules%2Fsearch%2Fsearch-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fuser%2Fuser.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fuser%2Fuser-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fforum%2Fforum.css%5D=1&ajax_page_state%5Bcss%5D%5Bmodules%2Fforum%2Fforum-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fcss%2Fviews.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fcss%2Fviews-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Faccordion_blocks%2Faccordion_init.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Faccordion_blocks%2Faccordion_init-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fckeditor%2Fckeditor.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fckeditor%2Fckeditor-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fctools%2Fcss%2Fctools.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fnice_menus.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fnice_menus_default.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fnice_menus_default-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Fmodules%2Fdatex%2Fdatex_popup%2Fdatex_popup.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fsmoothness.calendars.picker.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fstyle.css%5D=1&ajax_page_state%5Bcss%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fstyle-rtl.css%5D=1&ajax_page_state%5Bcss%5D%5Bpublic%3A%2F%2Fcpn%2Fblock-14.css%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fjquery.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fjquery.once.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fdrupal.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjquery.ui.core.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjquery.ui.widget.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjquery.ui.accordion.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc
%2Fjquery.cookie.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fjquery.form.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fui%2Fjquery.ui.datepicker.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bmodules%2Flocale%2Flocale.datepicker.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fdate%2Fdate_popup%2Fjquery.timeentry.pack.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fajax.js%5D=1&ajax_page_state%5Bjs%5D%5Bpublic%3A%2F%2Flanguages%2Ffa_BNMes1sG4z0w_DbIK9uy6lL3jNXwx-Job66BivlN1tA.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Faccordion_blocks%2Faccordion_init.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fsuperfish%2Fjs%2Fsuperfish.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fsuperfish%2Fjs%2Fjquery.bgiframe.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fsuperfish%2Fjs%2Fjquery.hoverIntent.minified.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fmodules%2Fnice_menus%2Fnice_menus.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fjs%2Fbase.js%5D=1&ajax_page_state%5Bjs%5D%5Bmisc%2Fprogress.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fviews%2Fjs%2Fajax_view.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.all.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.lang.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.picker.lang.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.persian.min.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Flibraries%2Fjquery.calendars%2Fjquery.calendars.persian-fa.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fall%2Fmodules%2Fdatex%2Fdatex_popup%2Fdatex_popup.js%5D=1&ajax_page_state%5Bjs%5D%5Bsites%2Fmysite%2Fthemes%2Ffacu%2Fjs%2Fcustom.js%5D=1
--VLegPn8AAAEAAFB4UbkAAAEB-E--
--VLegPn8AAAEAAFB4UbkAAAEB-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 15 Jan 2015 10:16:58 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1421317018"
Content-Type: application/json; charset=utf-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
--VLegPn8AAAEAAFB4UbkAAAEB-H--
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file
"/opt/modsec/facu/etc/active/11035.conf"] [line "3"] [id "2001"]
Message: Warning. String match "/fa/views/ajax" at REQUEST_URI. [file
"/opt/modsec/facu/etc/active/11035.conf"] [line "5"] [id "2002"]
*Message: Warning. Operator GT matched 100 at
ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js].
[file "/etc/modsecurity/23001.conf"] [line "23"] [id "960209"] [rev "2"]
[msg "Argument name too long"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"]
[maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/SIZE_LIMIT"]*
Message: Warning. Operator LT matched 9 at TX:inbound_anomaly_score. [file
"/etc/modsecurity/60001.conf"] [line "33"] [id "981203"] [msg "Inbound
Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Argument name too
long"]
Apache-Handler: proxy-server
Stopwatch: 1421320254300902 1867389 (- - -)
Stopwatch2: 1421320254300902 1867389; combined=676477, p1=1617, p2=673800,
p3=7, p4=259, p5=568, sr=202, sw=226, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/);
OWASP_CRS/2.2.9.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"
--VLegPn8AAAEAAFB4UbkAAAEB-K--
SecAction
"phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
SecAction
"phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
SecAction
"phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=9,setvar:tx.outbound_anomaly_score_level=5,nolog,pass"
SecAction
"phase:1,id:900004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"
SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
SecAction
"phase:1,id:900007,t:none,setvar:tx.arg_name_length=100,nolog,pass"
SecAction "phase:1,id:900008,t:none,setvar:tx.arg_length=400,nolog,pass"
SecAction
"phase:1,id:900009,t:none,setvar:tx.total_arg_length=64000,nolog,pass"
SecAction
"phase:1,id:900010,t:none,setvar:tx.max_file_size=1048576,nolog,pass"
SecAction
"phase:1,id:900011,t:none,setvar:tx.combined_file_sizes=1048576,nolog,pass"
SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD
POST
OPTIONS',setvar:tx.allowed_request_content_type=application/json|application/x-amf|application/x-www-form-urlencoded|application/xml|multipart/form-data|text/xml,setvar:'tx.allowed_http_versions=HTTP/0.9
HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.dos/ .dll/ .cmd/ .cer/
.bat/ .bak/ .backup/ .dll/
.cer/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
/Content-Range/ /Translate/ /via/ /if/',nolog,pass"
SecAction
"phase:1,id:900015,t:none,setvar:tx.dos_burst_time_slice=20,setvar:tx.dos_counter_threshold=60,setvar:tx.dos_block_timeout=300,nolog,pass"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$"
"phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
SecRule "&TX:REAL_IP" "@eq 0"
"phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"
*SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2001,t:none,pass,ctl:ruleRemoveTargetById=960209;ARGS_NAMES:ajax_page_state[js][sites/mysite/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js]"*
SecRule "REQUEST_URI" "@streq /fa/views/ajax"
"phase:1,log,id:2002,t:none,pass,ctl:ruleRemoveById=981173"
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,log,msg:'POST request
missing Content-Length
Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.9,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_FILE_SIZE" "@eq 1"
"phase:1,log,chain,t:none,block,msg:'Uploaded file size too
large',id:960342,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "REQUEST_HEADERS:Content-Type" "@beginsWith multipart/form-data"
"chain"
#SecRule "REQUEST_HEADERS:Content-Length" "@gt %{tx.max_file_size}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:1,log,chain,t:none,block,msg:'Request content type is not allowed by
policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$"
"t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx
^(application\\/x-www-form-urlencoded|text\\/xml)(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$"
"phase:2,log,chain,rev:2,ver:OWASP_CRS/2.2.9,maturity:6,accuracy:8,t:none,block,msg:'URL
Encoding Abuse Attack
Attempt',id:950108,tag:OWASP_CRS/PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_BODY|XML:/*" "@rx
\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
#SecRule "REQUEST_BODY|XML:/*" "@validateUrlEncoding "
"setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
Missing an Accept
Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$"
"phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,t:none,block,msg:'Request
Has an Empty Accept
Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
*SecRule "&TX:ARG_NAME_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument name too
long',id:960209,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"*
*SecRule "ARGS_NAMES" "@gt %{tx.arg_name_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id
}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"*
SecRule "&TX:ARG_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Argument value too
long',id:960208,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS" "@gt %{tx.arg_length}"
"t:none,t:length,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Too
many arguments in
request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:TOTAL_ARG_LENGTH" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Total arguments size
exceeded',id:960341,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "ARGS_COMBINED_SIZE" "@gt %{tx.total_arg_length}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1"
"phase:2,log,chain,t:none,block,msg:'Total uploaded files size too
large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "FILES_COMBINED_SIZE" "@gt %{tx.combined_file_sizes}"
"t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$"
"phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by
policy',rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}"
"setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{
rule.id
}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
Other non-disruptive rules follow. <The complete audit trail is available as an
attachment.>
--VLegPn8AAAEAAFB4UbkAAAEB-Z--