139 lines
7.5 KiB
Plaintext
139 lines
7.5 KiB
Plaintext
# ------------------------------------------------------------------------
|
|
# OWASP CRS ver.4.24.0-dev
|
|
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
|
# Copyright (c) 2021-2026 CRS project. All rights reserved.
|
|
#
|
|
# The OWASP CRS is distributed under
|
|
# Apache Software License (ASL) version 2
|
|
# Please see the enclosed LICENSE file for full details.
|
|
# ------------------------------------------------------------------------
|
|
|
|
#
|
|
# This file is used in post processing after the response has been sent to
|
|
# the client (in the logging phase). Its purpose is to provide inbound+outbound
|
|
# correlation of events to provide a more intelligent designation as to the outcome
|
|
# or result of the transaction - meaning, was this a successful attack?
|
|
#
|
|
|
|
#
|
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
|
#
|
|
|
|
# Combine inbound and outbound scores
|
|
SecAction \
|
|
"id:980099,\
|
|
phase:5,\
|
|
pass,\
|
|
t:none,\
|
|
nolog,\
|
|
noauditlog,\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev',\
|
|
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
|
|
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
|
|
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
|
|
setvar:'tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score}',\
|
|
setvar:'tx.anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
|
|
setvar:'tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}'"
|
|
|
|
#
|
|
# -=[ Anomaly Score Reporting ]=-
|
|
#
|
|
|
|
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
|
|
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
|
|
|
|
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
|
|
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
|
|
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
|
|
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
|
|
|
|
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
|
|
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
|
|
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
|
|
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
|
|
|
|
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
|
|
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
|
|
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
|
|
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
|
|
|
|
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
|
|
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:LOG-REPORTING"
|
|
|
|
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
|
|
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-REPORTING"
|
|
|
|
# At this point, the reporting level is 4 and there's a non-zero detection
|
|
# score (already established by rule 980043) so fall through to the reporting
|
|
# rule.
|
|
|
|
|
|
# Requests that land on the following SecMarker:
|
|
# - At reporting level 5 (unconditional reporting)
|
|
# - At reporting levels 1-4 when a blocking score exceeds a threshold
|
|
# - At reporting levels 2-4 when a detection score exceeds a threshold
|
|
# - At reporting levels 3-4 when the total blocking score is greater than zero
|
|
# - At reporting level 4 when the total detection score is greater than zero
|
|
SecMarker "LOG-REPORTING"
|
|
|
|
# Inbound and outbound - all requests
|
|
SecAction \
|
|
"id:980170,\
|
|
phase:5,\
|
|
pass,\
|
|
t:none,\
|
|
noauditlog,\
|
|
msg:'Anomaly Scores: \
|
|
(Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - \
|
|
(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
|
|
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
|
|
tag:'reporting',\
|
|
tag:'OWASP_CRS',\
|
|
ver:'OWASP_CRS/4.24.0-dev'"
|
|
|
|
SecMarker "END-REPORTING"
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
#
|
|
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
#
|
|
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
#
|
|
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
|
#
|
|
|
|
|
|
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.24.0-dev',skipAfter:END-RESPONSE-980-CORRELATION"
|
|
#
|
|
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
|
#
|
|
|
|
|
|
|
|
#
|
|
# -= Paranoia Levels Finished =-
|
|
#
|
|
SecMarker "END-RESPONSE-980-CORRELATION"
|