281 lines
8.7 KiB
Plaintext
281 lines
8.7 KiB
Plaintext
# ------------------------------------------------------------------------
|
|
# OWASP CRS ver.4.24.0-dev
|
|
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
|
# Copyright (c) 2021-2026 CRS project. All rights reserved.
|
|
#
|
|
# The OWASP CRS is distributed under
|
|
# Apache Software License (ASL) version 2
|
|
# Please see the enclosed LICENSE file for full details.
|
|
# ------------------------------------------------------------------------
|
|
|
|
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
|
|
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
|
|
# file if there are any rules that match. If you would like to lessen the number of events
|
|
# generated in the error_log file, you should increase the anomaly score threshold to
|
|
# something like "@gt 20". This would only generate an event in the error_log file if
|
|
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
|
|
#
|
|
# You should also set the desired disruptive action (deny, redirect, etc...).
|
|
#
|
|
|
|
#
|
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
|
#
|
|
|
|
|
|
# Summing up the blocking and detection anomaly scores in phase 3
|
|
# even when early blocking is disabled, we need to sum up the scores in phase 3
|
|
# this prevents bugs in phase 5 if Apache skips phases because of error handling
|
|
# See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|
"id:959052,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|
"id:959152,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|
"id:959053,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|
"id:959153,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|
"id:959054,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|
"id:959154,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|
"id:959055,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|
"id:959155,\
|
|
phase:3,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
|
|
|
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
|
|
# this is necessary because the per-PL scores are counted across phases
|
|
SecAction \
|
|
"id:959059,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=0'"
|
|
|
|
SecAction \
|
|
"id:959159,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=0'"
|
|
|
|
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
|
|
|
|
# Summing up the blocking and detection anomaly scores in phase 4
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|
"id:959060,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|
"id:959160,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|
"id:959061,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|
"id:959161,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|
"id:959062,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|
"id:959162,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
|
|
|
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|
"id:959063,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|
"id:959163,\
|
|
phase:4,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
|
|
|
#
|
|
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
|
|
#
|
|
|
|
# if early blocking is active, check threshold in phase 3
|
|
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|
"id:959101,\
|
|
phase:3,\
|
|
deny,\
|
|
t:none,\
|
|
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
|
|
tag:'anomaly-evaluation',\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
chain"
|
|
SecRule TX:EARLY_BLOCKING "@eq 1"
|
|
|
|
# always check threshold in phase 4
|
|
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|
"id:959100,\
|
|
phase:4,\
|
|
deny,\
|
|
t:none,\
|
|
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
|
|
tag:'anomaly-evaluation',\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev'"
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
#
|
|
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
#
|
|
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
#
|
|
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
#
|
|
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
|
#
|
|
|
|
|
|
|
|
#
|
|
# -= Paranoia Levels Finished =-
|
|
#
|
|
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
|