├── docs
    ├── .gitignore
    ├── package.json
    ├── index.md
    ├── .vitepress
    │   └── config.ts
    ├── getting-started.md
    ├── nginx.md
    ├── apache.md
    ├── traefik.md
    ├── badbots.md
    ├── haproxy.md
    └── api.md
├── requirements.txt
├── .github
    ├── FUNDING.yml
    ├── ISSUE_TEMPLATE
    │   ├── feature_request.md
    │   └── bug_report.md
    └── workflows
    │   ├── docs.yml
    │   ├── test_nginx.yml
    │   ├── test_apache_docker.yml
    │   └── update_patterns.yml
├── tests
    └── nginx.conf
├── waf_patterns
    ├── apache
    │   ├── lfi.conf
    │   ├── leakages.conf
    │   ├── rfi.conf
    │   ├── exceptions.conf
    │   ├── generic.conf
    │   ├── iis.conf
    │   ├── detection.conf
    │   ├── correlation.conf
    │   ├── fixation.conf
    │   ├── php.conf
    │   ├── attack.conf
    │   ├── initialization.conf
    │   ├── sql.conf
    │   ├── java.conf
    │   ├── README.md
    │   ├── shells.conf
    │   ├── evaluation.conf
    │   ├── rce.conf
    │   ├── sqli.conf
    │   └── enforcement.conf
    ├── nginx
    │   ├── rfi.conf
    │   ├── leakages.conf
    │   ├── exceptions.conf
    │   ├── correlation.conf
    │   ├── initialization.conf
    │   ├── evaluation.conf
    │   ├── generic.conf
    │   ├── fixation.conf
    │   ├── iis.conf
    │   ├── php.conf
    │   ├── attack.conf
    │   ├── README.md
    │   ├── java.conf
    │   ├── sql.conf
    │   ├── shells.conf
    │   ├── enforcement.conf
    │   ├── waf_rules.conf
    │   ├── rce.conf
    │   ├── sqli.conf
    │   └── xss.conf
    ├── haproxy
    │   ├── waf.acl
    │   └── README.md
    └── traefik
    │   └── README.md
├── LICENSE
├── SECURITY.md
├── CONTRIBUTING.md
├── import_apache_waf.py
├── CODE_OF_CONDUCT.md
├── import_nginx_waf.py
├── json2traefik.py
├── import_haproxy_waf.py
├── import_traefik_waf.py
├── json2apache.py
└── badbots.py


/docs/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | .vitepress/cache
3 | .vitepress/dist
4 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | requests>=2.28.0
2 | beautifulsoup4>=4.11.1
3 | tqdm>=4.64.0
4 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | 
3 | github: fabriziosalmi
4 | 


--------------------------------------------------------------------------------
/tests/nginx.conf:
--------------------------------------------------------------------------------
1 | server {
2 |     listen 80;
3 |     server_name example.com;
4 | 
5 |     location / {
6 |         return 200 "Hello, World!";
7 |     }
8 | }
9 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/lfi.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for LFI
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1000,phase:1,deny,status:403,log,msg:'lfi attack detected'"
5 | 


--------------------------------------------------------------------------------
/docs/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "patterns-docs",
 3 |     "version": "1.0.0",
 4 |     "private": true,
 5 |     "type": "module",
 6 |     "scripts": {
 7 |         "docs:dev": "vitepress dev",
 8 |         "docs:build": "vitepress build",
 9 |         "docs:preview": "vitepress preview"
10 |     },
11 |     "devDependencies": {
12 |         "vitepress": "^1.5.0"
13 |     }
14 | }


--------------------------------------------------------------------------------
/waf_patterns/apache/leakages.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for LEAKAGES
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "\^\#!s\?/" "id:1021,phase:1,deny,status:403,log,msg:'leakages attack detected'"
5 | SecRule REQUEST_URI "\^5d\{2\}\$" "id:1022,phase:1,deny,status:403,log,msg:'leakages attack detected'"
6 | SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1020,phase:1,deny,status:403,log,msg:'leakages attack detected'"
7 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/rfi.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for RFI
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1043,phase:1,deny,status:403,log,msg:'rfi attack detected'"
5 | SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1044,phase:1,deny,status:403,log,msg:'rfi attack detected'"
6 | SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1042,phase:1,deny,status:403,log,msg:'rfi attack detected'"
7 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/rfi.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for RFI
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_rfi {
 6 |     default 0;
 7 |     "~*^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" 1;
 8 |     "~*!@endsWith .%{request_headers.host}" 1;
 9 | }
10 | 
11 | if ($waf_block_rfi) {
12 |     return 403;
13 |     # Log the blocked request (optional)
14 |     # access_log /var/log/nginx/waf_blocked.log;
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/leakages.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for LEAKAGES
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_leakages {
 6 |     default 0;
 7 |     "~*^#!s?/" 1;
 8 |     "~*^5d{2}$" 1;
 9 |     "~*(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)" 1;
10 | }
11 | 
12 | if ($waf_block_leakages) {
13 |     return 403;
14 |     # Log the blocked request (optional)
15 |     # access_log /var/log/nginx/waf_blocked.log;
16 | }
17 | 
18 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/exceptions.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for EXCEPTIONS
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_exceptions {
 6 |     default 0;
 7 |     "~*@streq GET /" 1;
 8 |     "~*@endsWith (internal dummy connection)" 1;
 9 |     "~*^(?:GET /|OPTIONS *) HTTP/[12].[01]$" 1;
10 |     "~*@ipMatch 127.0.0.1,::1" 1;
11 | }
12 | 
13 | if ($waf_block_exceptions) {
14 |     return 403;
15 |     # Log the blocked request (optional)
16 |     # access_log /var/log/nginx/waf_blocked.log;
17 | }
18 | 
19 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/correlation.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for CORRELATION
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_correlation {
 6 |     default 0;
 7 |     "~*@ge 5" 1;
 8 |     "~*@ge %{tx.inbound_anomaly_score_threshold}" 1;
 9 |     "~*@ge %{tx.outbound_anomaly_score_threshold}" 1;
10 |     "~*@gt 0" 1;
11 |     "~*@eq 0" 1;
12 | }
13 | 
14 | if ($waf_block_correlation) {
15 |     return 403;
16 |     # Log the blocked request (optional)
17 |     # access_log /var/log/nginx/waf_blocked.log;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/initialization.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for INITIALIZATION
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_initialization {
 6 |     default 0;
 7 |     "~*^[a-f]*([0-9])[a-f]*([0-9])" 1;
 8 |     "~*@eq 100" 1;
 9 |     "~*@eq 1" 1;
10 |     "~*!@rx (?:URLENCODED|MULTIPART|XML|JSON)" 1;
11 |     "~*^.*$" 1;
12 |     "~*@eq 0" 1;
13 | }
14 | 
15 | if ($waf_block_initialization) {
16 |     return 403;
17 |     # Log the blocked request (optional)
18 |     # access_log /var/log/nginx/waf_blocked.log;
19 | }
20 | 
21 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/evaluation.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for EVALUATION
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_evaluation {
 6 |     default 0;
 7 |     "~*@ge 3" 1;
 8 |     "~*@ge 2" 1;
 9 |     "~*@ge %{tx.inbound_anomaly_score_threshold}" 1;
10 |     "~*@ge 4" 1;
11 |     "~*@eq 1" 1;
12 |     "~*@ge %{tx.outbound_anomaly_score_threshold}" 1;
13 |     "~*@ge 1" 1;
14 | }
15 | 
16 | if ($waf_block_evaluation) {
17 |     return 403;
18 |     # Log the blocked request (optional)
19 |     # access_log /var/log/nginx/waf_blocked.log;
20 | }
21 | 
22 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an idea for this project
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 | 
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 | 
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 | 
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/generic.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for GENERIC
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_generic {
 6 |     default 0;
 7 |     "~*[s*constructors*]" 1;
 8 |     "~*@{.*}" 1;
 9 |     "~*while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)" 1;
10 | }
11 | 
12 | if ($waf_block_generic) {
13 |     return 403;
14 |     # Log the blocked request (optional)
15 |     # access_log /var/log/nginx/waf_blocked.log;
16 | }
17 | 
18 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/exceptions.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for EXCEPTIONS
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "@streq\ GET\ /" "id:1283,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
5 | SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1284,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
6 | SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1287,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
7 | SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1285,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
8 | SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1286,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
9 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/generic.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for GENERIC
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1227,phase:1,deny,status:403,log,msg:'generic attack detected'"
5 | SecRule REQUEST_URI "@\{\.\*\}" "id:1228,phase:1,deny,status:403,log,msg:'generic attack detected'"
6 | SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1226,phase:1,deny,status:403,log,msg:'generic attack detected'"
7 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/fixation.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for FIXATION
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_fixation {
 6 |     default 0;
 7 |     "~*(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" 1;
 8 |     "~*!@endsWith %{request_headers.host}" 1;
 9 |     "~*^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" 1;
10 |     "~*^(?:ht|f)tps?://(.*?)/" 1;
11 |     "~*@eq 0" 1;
12 | }
13 | 
14 | if ($waf_block_fixation) {
15 |     return 403;
16 |     # Log the blocked request (optional)
17 |     # access_log /var/log/nginx/waf_blocked.log;
18 | }
19 | 
20 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/iis.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for IIS
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_iis {
 6 |     default 0;
 7 |     "~*!@rx ^404$" 1;
 8 |     "~*(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)" 1;
 9 |     "~*[a-z]:x5cinetpubb" 1;
10 |     "~*bServer Error in.{0,50}?bApplicationb" 1;
11 | }
12 | 
13 | if ($waf_block_iis) {
14 |     return 403;
15 |     # Log the blocked request (optional)
16 |     # access_log /var/log/nginx/waf_blocked.log;
17 | }
18 | 
19 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/iis.conf:
--------------------------------------------------------------------------------
1 | # Apache ModSecurity rules for IIS
2 | SecRuleEngine On
3 | 
4 | SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1245,phase:1,deny,status:403,log,msg:'iis attack detected'"
5 | SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1244,phase:1,deny,status:403,log,msg:'iis attack detected'"
6 | SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1247,phase:1,deny,status:403,log,msg:'iis attack detected'"
7 | SecRule REQUEST_URI "!@rx\ \^404\$" "id:1246,phase:1,deny,status:403,log,msg:'iis attack detected'"
8 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/detection.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for DETECTION
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@lt 1" "id:1176,phase:1,deny,status:403,log,msg:'detection attack detected'"
 5 | SecRule REQUEST_URI "@lt 1" "id:1177,phase:1,deny,status:403,log,msg:'detection attack detected'"
 6 | SecRule REQUEST_URI "@pmFromFile scanners-user-agents.data" "id:1178,phase:1,deny,status:403,log,msg:'detection attack detected'"
 7 | SecRule REQUEST_URI "@lt 2" "id:1179,phase:1,deny,status:403,log,msg:'detection attack detected'"
 8 | SecRule REQUEST_URI "@lt 2" "id:1180,phase:1,deny,status:403,log,msg:'detection attack detected'"
 9 | SecRule REQUEST_URI "@lt 3" "id:1181,phase:1,deny,status:403,log,msg:'detection attack detected'"
10 | SecRule REQUEST_URI "@lt 3" "id:1182,phase:1,deny,status:403,log,msg:'detection attack detected'"
11 | SecRule REQUEST_URI "@lt 4" "id:1183,phase:1,deny,status:403,log,msg:'detection attack detected'"
12 | SecRule REQUEST_URI "@lt 4" "id:1184,phase:1,deny,status:403,log,msg:'detection attack detected'"
13 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Create a report to help us improve
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | 
 8 | ---
 9 | 
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 | 
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Run command '...'
16 | 2. With configuration '...'
17 | 3. See error
18 | 
19 | **Expected behavior**
20 | A clear and concise description of what you expected to happen.
21 | 
22 | **Error messages/logs**
23 | If applicable, add error messages or log output to help explain your problem.
24 | 
25 | ```
26 | Paste error messages or logs here
27 | ```
28 | 
29 | **Environment (please complete the following information):**
30 |  - OS: [e.g. Ubuntu 22.04, macOS 13, Windows 11]
31 |  - Python Version: [e.g. 3.11.0]
32 |  - Web Server: [e.g. Nginx 1.22, Apache 2.4, Traefik 2.9, HAProxy 2.6]
33 |  - Installation Method: [e.g. built from source, downloaded pre-generated configs]
34 | 
35 | **Additional context**
36 | Add any other context about the problem here.
37 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/correlation.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for CORRELATION
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@ge\ 5" "id:1338,phase:1,deny,status:403,log,msg:'correlation attack detected'"
 5 | SecRule REQUEST_URI "@gt\ 0" "id:1344,phase:1,deny,status:403,log,msg:'correlation attack detected'"
 6 | SecRule REQUEST_URI "@eq\ 0" "id:1337,phase:1,deny,status:403,log,msg:'correlation attack detected'"
 7 | SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1341,phase:1,deny,status:403,log,msg:'correlation attack detected'"
 8 | SecRule REQUEST_URI "@eq\ 0" "id:1339,phase:1,deny,status:403,log,msg:'correlation attack detected'"
 9 | SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1342,phase:1,deny,status:403,log,msg:'correlation attack detected'"
10 | SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1343,phase:1,deny,status:403,log,msg:'correlation attack detected'"
11 | SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1340,phase:1,deny,status:403,log,msg:'correlation attack detected'"
12 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 fab
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/fixation.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for FIXATION
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@eq\ 0" "id:1225,phase:1,deny,status:403,log,msg:'fixation attack detected'"
 5 | SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1221,phase:1,deny,status:403,log,msg:'fixation attack detected'"
 6 | SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1224,phase:1,deny,status:403,log,msg:'fixation attack detected'"
 7 | SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1223,phase:1,deny,status:403,log,msg:'fixation attack detected'"
 8 | SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1222,phase:1,deny,status:403,log,msg:'fixation attack detected'"
 9 | SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1220,phase:1,deny,status:403,log,msg:'fixation attack detected'"
10 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/php.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for PHP
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_php {
 6 |     default 0;
 7 |     "~*.*.ph(?:pd*|tml|ar|ps|t|pt).*$" 1;
 8 |     "~*[oOcC]:d+:\".+?\":d+:{.*}" 1;
 9 |     "~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" 1;
10 |     "~*.*.(?:phpd*|phtml)..*$" 1;
11 |     "~*@pm =" 1;
12 |     "~*@pm ?>" 1;
13 |     "~*(?i)<?(?:=|php)?s+" 1;
14 |     "~*(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" 1;
15 |     "~*(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" 1;
16 |     "~*(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" 1;
17 |     "~*AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" 1;
18 | }
19 | 
20 | if ($waf_block_php) {
21 |     return 403;
22 |     # Log the blocked request (optional)
23 |     # access_log /var/log/nginx/waf_blocked.log;
24 | }
25 | 
26 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/attack.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for ATTACK
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_attack {
 6 |     default 0;
 7 |     "~*^content-types*:s*(.*)$" 1;
 8 |     "~*[nr]" 1;
 9 |     "~*." 1;
10 |     "~*[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" 1;
11 |     "~*@gt 1" 1;
12 |     "~*@gt 0" 1;
13 |     "~*^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" 1;
14 |     "~*[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" 1;
15 |     "~*unix:[^|]*|" 1;
16 |     "~*(?:bhttp/d|<(?:html|meta)b)" 1;
17 |     "~*content-transfer-encoding:(.*)" 1;
18 |     "~*^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" 1;
19 |     "~*TX:paramcounter_(.*)" 1;
20 |     "~*(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" 1;
21 | }
22 | 
23 | if ($waf_block_attack) {
24 |     return 403;
25 |     # Log the blocked request (optional)
26 |     # access_log /var/log/nginx/waf_blocked.log;
27 | }
28 | 
29 | 


--------------------------------------------------------------------------------
/.github/workflows/docs.yml:
--------------------------------------------------------------------------------
 1 | name: Deploy Documentation
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - main
 7 |     paths:
 8 |       - 'docs/**'
 9 |       - '.github/workflows/docs.yml'
10 |   workflow_dispatch:
11 | 
12 | permissions:
13 |   contents: read
14 |   pages: write
15 |   id-token: write
16 | 
17 | concurrency:
18 |   group: pages
19 |   cancel-in-progress: false
20 | 
21 | jobs:
22 |   build:
23 |     runs-on: ubuntu-latest
24 |     steps:
25 |       - name: Checkout
26 |         uses: actions/checkout@v4
27 |         with:
28 |           fetch-depth: 0
29 | 
30 |       - name: Setup Node
31 |         uses: actions/setup-node@v4
32 |         with:
33 |           node-version: 20
34 |           cache: npm
35 |           cache-dependency-path: docs/package-lock.json
36 | 
37 |       - name: Setup Pages
38 |         uses: actions/configure-pages@v4
39 | 
40 |       - name: Install dependencies
41 |         run: npm ci
42 |         working-directory: docs
43 | 
44 |       - name: Build with VitePress
45 |         run: npm run docs:build
46 |         working-directory: docs
47 | 
48 |       - name: Upload artifact
49 |         uses: actions/upload-pages-artifact@v3
50 |         with:
51 |           path: docs/.vitepress/dist
52 | 
53 |   deploy:
54 |     environment:
55 |       name: github-pages
56 |       url: ${{ steps.deployment.outputs.page_url }}
57 |     needs: build
58 |     runs-on: ubuntu-latest
59 |     steps:
60 |       - name: Deploy to GitHub Pages
61 |         id: deployment
62 |         uses: actions/deploy-pages@v4
63 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/README.md:
--------------------------------------------------------------------------------
 1 | # Nginx WAF Configuration
 2 | 
 3 | This directory contains Nginx WAF configuration files generated from OWASP rules.
 4 | You can include these files in your existing Nginx configuration to enhance security.
 5 | 
 6 | ## Usage
 7 | 
 8 | **Important:** You should only include the two main configuration files (`waf_maps.conf` and `waf_rules.conf`). The individual category files (e.g., `attack.conf`, `xss.conf`) are provided for reference only and should **not** be included directly, as they contain both `map` and `if` directives that cannot be used in the same Nginx context.
 9 | 
10 | 1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:
11 |    ```nginx
12 |    http {
13 |        include /path/to/waf_patterns/nginx/waf_maps.conf;
14 |        # ... other http configurations ...
15 |    }
16 |    ```
17 | 2. Include the `waf_rules.conf` file in your `server` block:
18 |    ```nginx
19 |    server {
20 |        # ... other server configurations ...
21 |        include /path/to/waf_patterns/nginx/waf_rules.conf;
22 |    }
23 |    ```
24 | 3. Reload Nginx to apply the changes:
25 |    ```bash
26 |    sudo nginx -t && sudo systemctl reload nginx
27 |    ```
28 | 
29 | ## Notes
30 | - The `map` directives (defined in `waf_maps.conf`) must be placed in the `http` context.
31 | - The `if` rules (defined in `waf_rules.conf`) must be placed in a `server` or `location` context.
32 | - **Do not** try to include individual category files like `attack.conf` directly - they are auto-generated for reference and viewing purposes only.
33 | - Blocked requests return a `403 Forbidden` response by default.
34 | - You can enable logging for blocked requests by uncommenting the `access_log` line.
35 | 
36 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/java.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for JAVA
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_java {
 6 |     default 0;
 7 |     "~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" 1;
 8 |     "~*javab.+(?:runtime|processbuilder)" 1;
 9 |     "~*(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" 1;
10 |     "~*(?:runtime|processbuilder)" 1;
11 |     "~*(?:unmarshaller|base64data|java.)" 1;
12 |     "~*xacxedx00x05" 1;
13 |     "~*(?:rO0ABQ|KztAAU|Cs7QAF)" 1;
14 |     "~*(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" 1;
15 |     "~*java.lang.(?:runtime|processbuilder)" 1;
16 |     "~*(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" 1;
17 |     "~*.*.(?:jsp|jspx).*$" 1;
18 |     "~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" 1;
19 |     "~*(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)" 1;
20 | }
21 | 
22 | if ($waf_block_java) {
23 |     return 403;
24 |     # Log the blocked request (optional)
25 |     # access_log /var/log/nginx/waf_blocked.log;
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/php.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for PHP
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1253,phase:1,deny,status:403,log,msg:'php attack detected'"
 5 | SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1254,phase:1,deny,status:403,log,msg:'php attack detected'"
 6 | SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1099,phase:1,deny,status:403,log,msg:'php attack detected'"
 7 | SecRule REQUEST_URI "@pm\ =" "id:1250,phase:1,deny,status:403,log,msg:'php attack detected'"
 8 | SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1248,phase:1,deny,status:403,log,msg:'php attack detected'"
 9 | SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1249,phase:1,deny,status:403,log,msg:'php attack detected'"
10 | SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1251,phase:1,deny,status:403,log,msg:'php attack detected'"
11 | SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1252,phase:1,deny,status:403,log,msg:'php attack detected'"
12 | SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1255,phase:1,deny,status:403,log,msg:'php attack detected'"
13 | SecRule REQUEST_URI "@pm\ \?>" "id:1256,phase:1,deny,status:403,log,msg:'php attack detected'"
14 | SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1100,phase:1,deny,status:403,log,msg:'php attack detected'"
15 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/sql.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for SQL
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_sql {
 6 |     default 0;
 7 |     "~*(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" 1;
 8 |     "~*(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" 1;
 9 |     "~*(?i)Exception (?:condition )?d+. Transaction rollback." 1;
10 |     "~*(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" 1;
11 |     "~*(?i)Dynamic SQL Error" 1;
12 |     "~*(?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" 1;
13 |     "~*(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" 1;
14 |     "~*(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" 1;
15 |     "~*(?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" 1;
16 |     "~*(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" 1;
17 |     "~*(?i)org.hsqldb.jdbc" 1;
18 |     "~*(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" 1;
19 |     "~*(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" 1;
20 | }
21 | 
22 | if ($waf_block_sql) {
23 |     return 403;
24 |     # Log the blocked request (optional)
25 |     # access_log /var/log/nginx/waf_blocked.log;
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/waf_patterns/haproxy/waf.acl:
--------------------------------------------------------------------------------
 1 | # HAProxy WAF ACL rules
 2 | 
 3 | # Rules for User-Agent
 4 | acl block_initialization_no_id hdr_reg(User-Agent) -i ^\.*\$
 5 | acl block_enforcement_no_id hdr_sub(User-Agent) -i str -m !reg %{tx.allowed_methods}
 6 | acl block_fixation_no_id hdr_reg(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb)
 7 | acl block_attack_no_id hdr_sub(User-Agent) -i str -m !str 0
 8 | acl block_rfi_no_id hdr_reg(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
 9 | acl block_exceptions_no_id hdr_sub(User-Agent) -i str -m str GET /
10 | acl block_lfi_no_id hdr_reg(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|\$))
11 | acl block_generic_no_id hdr_reg(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
12 | acl block_xss_no_id hdr_reg(User-Agent) -i <script[^>]*>[sS]*?
13 | acl block_php_no_id hdr_reg(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml\$|\$)|<?php|[(/|x5c)?php])
14 | acl block_rce_no_id hdr_reg(User-Agent) -i \$(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+]
15 | acl block_sqli_no_id hdr_reg(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?))
16 | acl block_java_no_id hdr_reg(User-Agent) -i java.lang\.(runtime|processbuilder)
17 | acl block_sql_no_id hdr_reg(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
18 | acl block_leakages_no_id hdr_reg(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
19 | acl block_shells_no_id hdr_reg(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
20 | acl block_iis_no_id hdr_reg(User-Agent) -i [a-z]:x5cinetpubb
21 | 
22 | 
23 | # Deny Actions
24 | http-request log if block_initialization_no_id or block_enforcement_no_id or block_fixation_no_id or block_attack_no_id or block_rfi_no_id or block_exceptions_no_id or block_lfi_no_id or block_generic_no_id or block_xss_no_id or block_php_no_id or block_rce_no_id or block_sqli_no_id or block_java_no_id or block_sql_no_id or block_leakages_no_id or block_shells_no_id or block_iis_no_id
25 | 
26 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/shells.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for SHELLS
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_shells {
 6 |     default 0;
 7 |     "~*^<html>n      <head>n             <title>azrail [0-9.]+ by C-W-M</title>" 1;
 8 |     "~*<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" 1;
 9 |     "~*^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" 1;
10 |     "~*@contains <title>punkholicshell</title>" 1;
11 |     "~*<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" 1;
12 |     "~*^<title>PHP Web Shell</title>rn<html>rn<body>rn    <!-- Replaces command with Base64-encoded Data -->" 1;
13 |     "~*<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" 1;
14 |     "~*<title>lama's'hell v. [0-9.]+</title>" 1;
15 |     "~*^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" 1;
16 |     "~*<title>Symlink_Sa [0-9.]+</title>" 1;
17 |     "~*>SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" 1;
18 |     "~*^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" 1;
19 |     "~*^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" 1;
20 |     "~*^ <html>nn<head>nn<title>g00nshell v[0-9.]+" 1;
21 |     "~*<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" 1;
22 |     "~*^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" 1;
23 |     "~*<title>CasuS [0-9.]+ by MafiABoY</title>" 1;
24 |     "~*^<html>rn<head>rn<title>GRP WebShell [0-9.]+" 1;
25 |     "~*^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" 1;
26 |     "~*B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" 1;
27 |     "~*@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" 1;
28 |     "~*^<html>n<head>n<title>Ru24PostWebShell -" 1;
29 |     "~*^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>" 1;
30 |     "~*(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" 1;
31 |     "~*<title>Mini Shell</title>.*Developed By LameHacker" 1;
32 | }
33 | 
34 | if ($waf_block_shells) {
35 |     return 403;
36 |     # Log the blocked request (optional)
37 |     # access_log /var/log/nginx/waf_blocked.log;
38 | }
39 | 
40 | 


--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: home
 3 | 
 4 | hero:
 5 |   name: Patterns
 6 |   text: OWASP WAF Rules for Web Servers
 7 |   tagline: Automated OWASP CRS patterns and Bad Bot detection for Nginx, Apache, Traefik, and HAProxy
 8 |   image:
 9 |     src: /shield.svg
10 |     alt: Patterns
11 |   actions:
12 |     - theme: brand
13 |       text: Get Started
14 |       link: /getting-started
15 |     - theme: alt
16 |       text: View on GitHub
17 |       link: https://github.com/fabriziosalmi/patterns
18 | 
19 | features:
20 |   - icon: 🛡️
21 |     title: OWASP CRS Protection
22 |     details: Leverages OWASP Core Rule Set for web application firewall defense against SQLi, XSS, RCE, and LFI attacks.
23 |   - icon: 🤖
24 |     title: Bad Bot Blocking
25 |     details: Blocks known malicious bots and scrapers using regularly updated public bot lists.
26 |   - icon: ⚙️
27 |     title: Multi-Server Support
28 |     details: Generates WAF configs for Nginx, Apache, Traefik, and HAProxy with consistent protection across platforms.
29 |   - icon: 🔄
30 |     title: Daily Updates
31 |     details: GitHub Actions automatically fetch new OWASP rules daily and push updated configurations.
32 |   - icon: 📦
33 |     title: Pre-Generated Configs
34 |     details: Download ready-to-use WAF configurations from GitHub Releases without building from source.
35 |   - icon: 🧩
36 |     title: Extensible Design
37 |     details: Modular architecture makes it easy to extend support to other web servers or load balancers.
38 | ---
39 | 
40 | ## Quick Start
41 | 
42 | Download the latest configurations from [GitHub Releases](https://github.com/fabriziosalmi/patterns/releases) or build from source:
43 | 
44 | ```bash
45 | git clone https://github.com/fabriziosalmi/patterns.git
46 | cd patterns
47 | pip install -r requirements.txt
48 | python owasp2json.py
49 | python json2nginx.py  # or json2apache.py, json2traefik.py, json2haproxy.py
50 | ```
51 | 
52 | ## Supported Platforms
53 | 
54 | | Platform | Config Format | Documentation |
55 | |----------|---------------|---------------|
56 | | **Nginx** | `.conf` files | [Read more →](/nginx) |
57 | | **Apache** | ModSecurity rules | [Read more →](/apache) |
58 | | **Traefik** | Middleware TOML | [Read more →](/traefik) |
59 | | **HAProxy** | ACL files | [Read more →](/haproxy) |
60 | 
61 | ::: tip Using Caddy?
62 | Check out the [caddy-waf](https://github.com/fabriziosalmi/caddy-waf) project for Caddy-specific WAF support.
63 | :::
64 | 


--------------------------------------------------------------------------------
/docs/.vitepress/config.ts:
--------------------------------------------------------------------------------
 1 | import { defineConfig } from 'vitepress'
 2 | 
 3 | export default defineConfig({
 4 |     title: 'Patterns',
 5 |     description: 'OWASP CRS and Bad Bot Detection for Web Servers',
 6 |     base: '/patterns/',
 7 | 
 8 |     head: [
 9 |         ['link', { rel: 'icon', href: '/patterns/favicon.ico' }]
10 |     ],
11 | 
12 |     themeConfig: {
13 |         logo: '/logo.svg',
14 | 
15 |         nav: [
16 |             { text: 'Home', link: '/' },
17 |             { text: 'Getting Started', link: '/getting-started' },
18 |             {
19 |                 text: 'Web Servers',
20 |                 items: [
21 |                     { text: 'Nginx', link: '/nginx' },
22 |                     { text: 'Apache', link: '/apache' },
23 |                     { text: 'Traefik', link: '/traefik' },
24 |                     { text: 'HAProxy', link: '/haproxy' }
25 |                 ]
26 |             },
27 |             { text: 'Bad Bots', link: '/badbots' },
28 |             { text: 'API', link: '/api' }
29 |         ],
30 | 
31 |         sidebar: [
32 |             {
33 |                 text: 'Introduction',
34 |                 items: [
35 |                     { text: 'Getting Started', link: '/getting-started' }
36 |                 ]
37 |             },
38 |             {
39 |                 text: 'Web Server Integration',
40 |                 items: [
41 |                     { text: 'Nginx', link: '/nginx' },
42 |                     { text: 'Apache (ModSecurity)', link: '/apache' },
43 |                     { text: 'Traefik', link: '/traefik' },
44 |                     { text: 'HAProxy', link: '/haproxy' }
45 |                 ]
46 |             },
47 |             {
48 |                 text: 'Features',
49 |                 items: [
50 |                     { text: 'Bad Bot Detection', link: '/badbots' },
51 |                     { text: 'API Reference', link: '/api' }
52 |                 ]
53 |             }
54 |         ],
55 | 
56 |         socialLinks: [
57 |             { icon: 'github', link: 'https://github.com/fabriziosalmi/patterns' }
58 |         ],
59 | 
60 |         footer: {
61 |             message: 'Released under the MIT License.',
62 |             copyright: 'Copyright © 2024-present Fabrizio Salmi'
63 |         },
64 | 
65 |         search: {
66 |             provider: 'local'
67 |         },
68 | 
69 |         editLink: {
70 |             pattern: 'https://github.com/fabriziosalmi/patterns/edit/main/docs/:path',
71 |             text: 'Edit this page on GitHub'
72 |         }
73 |     }
74 | })
75 | 


--------------------------------------------------------------------------------
/docs/getting-started.md:
--------------------------------------------------------------------------------
 1 | # Getting Started
 2 | 
 3 | This guide will help you get up and running with Patterns WAF configurations for your web server.
 4 | 
 5 | ## Prerequisites
 6 | 
 7 | - **Python 3.11+** (if building from source)
 8 | - **pip** (Python package installer)
 9 | - **git** (for cloning the repository)
10 | 
11 | ## Installation Options
12 | 
13 | ### Option 1: Download Pre-Generated Configurations
14 | 
15 | The easiest way to get started is to download pre-built configurations:
16 | 
17 | 1. Go to the [Releases](https://github.com/fabriziosalmi/patterns/releases) page
18 | 2. Download the ZIP file for your web server:
19 |    - `nginx_waf.zip` - Nginx configurations
20 |    - `apache_waf.zip` - Apache ModSecurity rules
21 |    - `traefik_waf.zip` - Traefik middleware
22 |    - `haproxy_waf.zip` - HAProxy ACL files
23 | 3. Extract and integrate into your server configuration
24 | 
25 | ### Option 2: Build from Source
26 | 
27 | If you prefer to generate the configurations yourself:
28 | 
29 | ```bash
30 | # Clone the repository
31 | git clone https://github.com/fabriziosalmi/patterns.git
32 | cd patterns
33 | 
34 | # Install dependencies
35 | pip install -r requirements.txt
36 | 
37 | # Fetch latest OWASP rules
38 | python owasp2json.py
39 | 
40 | # Generate configurations for your platform
41 | python json2nginx.py    # For Nginx
42 | python json2apache.py   # For Apache
43 | python json2traefik.py  # For Traefik
44 | python json2haproxy.py  # For HAProxy
45 | 
46 | # Generate bad bot blockers
47 | python badbots.py
48 | ```
49 | 
50 | ## Configuration Files
51 | 
52 | After running the scripts, you'll find the generated files in the `waf_patterns/` directory:
53 | 
54 | ```
55 | waf_patterns/
56 | ├── nginx/          # Nginx WAF configs
57 | ├── apache/         # Apache ModSecurity rules
58 | ├── traefik/        # Traefik middleware configs
59 | └── haproxy/        # HAProxy ACL files
60 | ```
61 | 
62 | ## Next Steps
63 | 
64 | Choose your web server to learn how to integrate the WAF configurations:
65 | 
66 | - [Nginx Integration](/nginx)
67 | - [Apache Integration](/apache)
68 | - [Traefik Integration](/traefik)
69 | - [HAProxy Integration](/haproxy)
70 | 
71 | ## Automatic Updates
72 | 
73 | The repository includes a GitHub Actions workflow that:
74 | - Fetches the latest OWASP CRS rules **daily**
75 | - Regenerates all WAF configurations
76 | - Creates a new release with updated files
77 | 
78 | To get the latest rules, simply download from the [Releases](https://github.com/fabriziosalmi/patterns/releases) page or pull the latest changes if you cloned the repository.
79 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/attack.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for ATTACK
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1126,phase:1,deny,status:403,log,msg:'attack attack detected'"
 5 | SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1133,phase:1,deny,status:403,log,msg:'attack attack detected'"
 6 | SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1127,phase:1,deny,status:403,log,msg:'attack attack detected'"
 7 | SecRule REQUEST_URI "\[nr\]" "id:1130,phase:1,deny,status:403,log,msg:'attack attack detected'"
 8 | SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1136,phase:1,deny,status:403,log,msg:'attack attack detected'"
 9 | SecRule REQUEST_URI "@gt\ 0" "id:1137,phase:1,deny,status:403,log,msg:'attack attack detected'"
10 | SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1131,phase:1,deny,status:403,log,msg:'attack attack detected'"
11 | SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1140,phase:1,deny,status:403,log,msg:'attack attack detected'"
12 | SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1346,phase:1,deny,status:403,log,msg:'attack attack detected'"
13 | SecRule REQUEST_URI "\[nr\]" "id:1132,phase:1,deny,status:403,log,msg:'attack attack detected'"
14 | SecRule REQUEST_URI "\[nr\]" "id:1129,phase:1,deny,status:403,log,msg:'attack attack detected'"
15 | SecRule REQUEST_URI "\[nr\]" "id:1135,phase:1,deny,status:403,log,msg:'attack attack detected'"
16 | SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1128,phase:1,deny,status:403,log,msg:'attack attack detected'"
17 | SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1345,phase:1,deny,status:403,log,msg:'attack attack detected'"
18 | SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1134,phase:1,deny,status:403,log,msg:'attack attack detected'"
19 | SecRule REQUEST_URI "@gt\ 1" "id:1139,phase:1,deny,status:403,log,msg:'attack attack detected'"
20 | SecRule REQUEST_URI "\." "id:1138,phase:1,deny,status:403,log,msg:'attack attack detected'"
21 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/enforcement.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for ENFORCEMENT
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_enforcement {
 6 |     default 0;
 7 |     "~*@streq POST" 1;
 8 |     "~*^$" 1;
 9 |     "~*@gt %{tx.max_file_size}" 1;
10 |     "~*@gt 50" 1;
11 |     "~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" 1;
12 |     "~*%[0-9a-fA-F]{2}" 1;
13 |     "~*!@rx ^(?:OPTIONS|CONNECT)$" 1;
14 |     "~*%u[fF]{2}[0-9a-fA-F]{2}" 1;
15 |     "~*@gt 1" 1;
16 |     "~*@eq 1" 1;
17 |     "~*@gt 0" 1;
18 |     "~*(d+)-(d+)" 1;
19 |     "~*!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" 1;
20 |     "~*@endsWith .pdf" 1;
21 |     "~*@validateByteRange 9,10,13,32-126,128-255" 1;
22 |     "~*@validateUtf8Encoding" 1;
23 |     "~*!@endsWith .pdf" 1;
24 |     "~*!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" 1;
25 |     "~*!@rx ^d+$" 1;
26 |     "~*^(?:GET|HEAD)$" 1;
27 |     "~*(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" 1;
28 |     "~*.[^.~]+~(?:/.*|)$" 1;
29 |     "~*charsets*=s*[\"']?([^;\"'s]+)" 1;
30 |     "~*@validateUrlEncoding" 1;
31 |     "~*(?i)x5cu[0-9a-f]{4}" 1;
32 |     "~*!@rx ^0?$" 1;
33 |     "~*@ge 1" 1;
34 |     "~*@gt %{tx.arg_length}" 1;
35 |     "~*@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" 1;
36 |     "~*@within %{tx.restricted_extensions}" 1;
37 |     "~*@within %{tx.restricted_headers_basic}" 1;
38 |     "~*b(?:keep-alive|close),s?(?:keep-alive|close)b" 1;
39 |     "~*@contains #" 1;
40 |     "~*@gt %{tx.total_arg_length}" 1;
41 |     "~*.([^.]+)$" 1;
42 |     "~*@gt %{tx.max_num_args}" 1;
43 |     "~*!@pm AppleWebKit Android" 1;
44 |     "~*!@pm AppleWebKit Android Business Enterprise Entreprise" 1;
45 |     "~*@validateByteRange 1-255" 1;
46 |     "~*@eq 0" 1;
47 |     "~*!@rx ^OPTIONS$" 1;
48 |     "~*^[^;s]+" 1;
49 |     "~*!@streq JSON" 1;
50 |     "~*@validateByteRange 32-36,38-126" 1;
51 |     "~*@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" 1;
52 |     "~*(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" 1;
53 |     "~*@within %{tx.restricted_headers_extended}" 1;
54 |     "~*['\";=]" 1;
55 |     "~*@gt %{tx.arg_name_length}" 1;
56 |     "~*x25" 1;
57 |     "~*!@rx ^0$" 1;
58 |     "~*@gt %{tx.combined_file_sizes}" 1;
59 |     "~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" 1;
60 |     "~*^.*$" 1;
61 |     "~*charset.*?charset" 1;
62 | }
63 | 
64 | if ($waf_block_enforcement) {
65 |     return 403;
66 |     # Log the blocked request (optional)
67 |     # access_log /var/log/nginx/waf_blocked.log;
68 | }
69 | 
70 | 


--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
 1 | # Security Policy
 2 | 
 3 | ## Supported Versions
 4 | 
 5 | We actively support the current version of this project. The WAF patterns are updated daily via automated GitHub Actions.
 6 | 
 7 | | Version | Supported          |
 8 | | ------- | ------------------ |
 9 | | current (main branch) | :white_check_mark: |
10 | | latest release | :white_check_mark: |
11 | 
12 | ## Reporting a Vulnerability
13 | 
14 | We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
15 | 
16 | ### For Non-Critical Issues
17 | For general security concerns or minor issues:
18 | 1. Open an issue in the [Issues](https://github.com/fabriziosalmi/patterns/issues) section
19 | 2. Use the label "security" if available
20 | 3. Provide a clear description of the issue
21 | 
22 | ### For Critical Vulnerabilities
23 | For critical security vulnerabilities (e.g., in the WAF patterns themselves):
24 | 1. **DO NOT** open a public issue
25 | 2. Email the maintainer directly at: fabrizio.salmi@gmail.com
26 | 3. Include:
27 |    - Description of the vulnerability
28 |    - Steps to reproduce
29 |    - Potential impact
30 |    - Suggested fix (if available)
31 | 
32 | ### What to Include
33 | When reporting a vulnerability, please include:
34 | - Type of vulnerability (e.g., regex bypass, pattern detection issue)
35 | - Affected web server(s) (Nginx, Apache, Traefik, HAProxy)
36 | - Attack pattern that bypasses detection
37 | - Suggested regex or pattern improvement
38 | - Any proof-of-concept code (if applicable)
39 | 
40 | ### Response Time
41 | - We aim to acknowledge vulnerability reports within **48 hours**
42 | - Critical vulnerabilities will be addressed in the next daily update
43 | - Less critical issues will be prioritized based on severity
44 | 
45 | ### After Reporting
46 | Once you report a vulnerability:
47 | 1. We will acknowledge receipt
48 | 2. We will investigate and validate the issue
49 | 3. We will work on a fix and test it
50 | 4. We will deploy the fix in the next update
51 | 5. We will credit you in the release notes (unless you prefer to remain anonymous)
52 | 
53 | ## Security Best Practices
54 | 
55 | When using the WAF patterns from this project:
56 | - Always test new rules in a staging environment first
57 | - Monitor your logs for false positives
58 | - Keep your web server and WAF software up to date
59 | - Review the OWASP CRS documentation for additional hardening
60 | - Consider layering multiple security controls (WAF + rate limiting + IPS, etc.)
61 | 
62 | ## Scope
63 | 
64 | This security policy covers:
65 | - WAF pattern generation logic
66 | - Regex patterns for attack detection
67 | - GitHub Actions workflow security
68 | - Dependencies listed in requirements.txt
69 | 
70 | Thank you for helping keep this project secure!
71 | 
72 | 
73 | 


--------------------------------------------------------------------------------
/.github/workflows/test_nginx.yml:
--------------------------------------------------------------------------------
 1 | name: Nginx patterns validation
 2 | 
 3 | permissions:
 4 |   contents: read  # Needed to read repository contents (e.g., WAF rules)
 5 |   
 6 | on:
 7 |   push:
 8 |     branches:
 9 |       - main  # Trigger on push to main branch
10 |   pull_request:
11 |     branches:
12 |       - main  # Trigger on pull request to main branch
13 | 
14 | jobs:
15 |   validate-nginx-configuration:
16 |     runs-on: ubuntu-latest
17 | 
18 |     steps:
19 |     - name: Checkout repository
20 |       uses: actions/checkout@v3
21 | 
22 |     - name: Download WAF rules
23 |       run: |
24 |         wget https://github.com/fabriziosalmi/patterns/releases/download/latest/nginx_waf.zip -O nginx_waf.zip
25 |         echo "Downloaded nginx_waf.zip"
26 |         ls -lh nginx_waf.zip
27 | 
28 |     - name: Extract WAF rules
29 |       run: |
30 |         unzip nginx_waf.zip -d waf_rules
31 |         echo "Extracted WAF rules into waf_rules directory"
32 |         ls -lh waf_rules/
33 | 
34 |     - name: Verify WAF rules extraction
35 |       run: |
36 |         if [ -z "$(ls -A waf_rules/*.conf 2>/dev/null)" ]; then
37 |           echo "Error: No .conf files found in waf_rules/"
38 |           echo "Contents of waf_rules/:"
39 |           ls -l waf_rules/
40 |           exit 1
41 |         fi
42 |         echo "Found WAF configuration files:"
43 |         ls -l waf_rules/*.conf
44 | 
45 |     - name: Set up Python
46 |       uses: actions/setup-python@v4
47 |       with:
48 |         python-version: "3.9"
49 | 
50 |     - name: Install crossplane
51 |       run: |
52 |         python -m pip install --upgrade pip
53 |         pip install crossplane
54 | 
55 |     - name: Validate individual WAF rule files
56 |       run: |
57 |         for file in waf_rules/*.conf; do
58 |           echo "Validating $file..."
59 |           # Use crossplane to parse and validate the file
60 |           if ! crossplane parse "$file" > /dev/null; then
61 |             echo "Error: Validation failed for $file"
62 |             crossplane parse "$file"  # Print detailed error
63 |             exit 1
64 |           fi
65 |           echo "Validation successful for $file"
66 |         done
67 | 
68 |     - name: Merge all WAF rules into a single file
69 |       run: |
70 |         echo "Merging all WAF rules into a single file..."
71 |         echo "http {" > merged_waf_rules.conf
72 |         for file in waf_rules/*.conf; do
73 |           echo "Merging $file..."
74 |           cat "$file" >> merged_waf_rules.conf
75 |           echo "" >> merged_waf_rules.conf
76 |         done
77 |         echo "}" >> merged_waf_rules.conf
78 | 
79 |         echo "Contents of merged_waf_rules.conf:"
80 |         cat merged_waf_rules.conf
81 | 
82 |     - name: Validate merged WAF rules
83 |       run: |
84 |         echo "Validating merged WAF rules..."
85 |         # Use crossplane to parse and validate the merged file
86 |         if ! crossplane parse merged_waf_rules.conf > /dev/null; then
87 |           echo "Error: Validation failed for merged_waf_rules.conf"
88 |           crossplane parse merged_waf_rules.conf  # Print detailed error
89 |           exit 1
90 |         fi
91 |         echo "Validation successful for merged_waf_rules.conf"
92 | 
93 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/initialization.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for INITIALIZATION
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@eq\ 1" "id:1069,phase:1,deny,status:403,log,msg:'initialization attack detected'"
 5 | SecRule REQUEST_URI "@eq\ 0" "id:1046,phase:1,deny,status:403,log,msg:'initialization attack detected'"
 6 | SecRule REQUEST_URI "@eq\ 100" "id:1071,phase:1,deny,status:403,log,msg:'initialization attack detected'"
 7 | SecRule REQUEST_URI "@eq\ 0" "id:1049,phase:1,deny,status:403,log,msg:'initialization attack detected'"
 8 | SecRule REQUEST_URI "@eq\ 0" "id:1055,phase:1,deny,status:403,log,msg:'initialization attack detected'"
 9 | SecRule REQUEST_URI "@eq\ 0" "id:1052,phase:1,deny,status:403,log,msg:'initialization attack detected'"
10 | SecRule REQUEST_URI "@eq\ 0" "id:1058,phase:1,deny,status:403,log,msg:'initialization attack detected'"
11 | SecRule REQUEST_URI "@eq\ 0" "id:1061,phase:1,deny,status:403,log,msg:'initialization attack detected'"
12 | SecRule REQUEST_URI "@eq\ 0" "id:1064,phase:1,deny,status:403,log,msg:'initialization attack detected'"
13 | SecRule REQUEST_URI "@eq\ 0" "id:1048,phase:1,deny,status:403,log,msg:'initialization attack detected'"
14 | SecRule REQUEST_URI "@eq\ 0" "id:1045,phase:1,deny,status:403,log,msg:'initialization attack detected'"
15 | SecRule REQUEST_URI "@eq\ 0" "id:1051,phase:1,deny,status:403,log,msg:'initialization attack detected'"
16 | SecRule REQUEST_URI "@eq\ 0" "id:1057,phase:1,deny,status:403,log,msg:'initialization attack detected'"
17 | SecRule REQUEST_URI "@eq\ 0" "id:1054,phase:1,deny,status:403,log,msg:'initialization attack detected'"
18 | SecRule REQUEST_URI "@eq\ 0" "id:1060,phase:1,deny,status:403,log,msg:'initialization attack detected'"
19 | SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1068,phase:1,deny,status:403,log,msg:'initialization attack detected'"
20 | SecRule REQUEST_URI "@eq\ 0" "id:1063,phase:1,deny,status:403,log,msg:'initialization attack detected'"
21 | SecRule REQUEST_URI "@eq\ 0" "id:1050,phase:1,deny,status:403,log,msg:'initialization attack detected'"
22 | SecRule REQUEST_URI "\^\.\*\$" "id:1067,phase:1,deny,status:403,log,msg:'initialization attack detected'"
23 | SecRule REQUEST_URI "@eq\ 0" "id:1047,phase:1,deny,status:403,log,msg:'initialization attack detected'"
24 | SecRule REQUEST_URI "@eq\ 0" "id:1053,phase:1,deny,status:403,log,msg:'initialization attack detected'"
25 | SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1072,phase:1,deny,status:403,log,msg:'initialization attack detected'"
26 | SecRule REQUEST_URI "@eq\ 0" "id:1056,phase:1,deny,status:403,log,msg:'initialization attack detected'"
27 | SecRule REQUEST_URI "@eq\ 0" "id:1062,phase:1,deny,status:403,log,msg:'initialization attack detected'"
28 | SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1070,phase:1,deny,status:403,log,msg:'initialization attack detected'"
29 | SecRule REQUEST_URI "@eq\ 0" "id:1059,phase:1,deny,status:403,log,msg:'initialization attack detected'"
30 | SecRule REQUEST_URI "@eq\ 0" "id:1065,phase:1,deny,status:403,log,msg:'initialization attack detected'"
31 | SecRule REQUEST_URI "@eq\ 1" "id:1066,phase:1,deny,status:403,log,msg:'initialization attack detected'"
32 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/sql.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for SQL
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1329,phase:1,deny,status:403,log,msg:'sql attack detected'"
 5 | SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1324,phase:1,deny,status:403,log,msg:'sql attack detected'"
 6 | SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1334,phase:1,deny,status:403,log,msg:'sql attack detected'"
 7 | SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1327,phase:1,deny,status:403,log,msg:'sql attack detected'"
 8 | SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1331,phase:1,deny,status:403,log,msg:'sql attack detected'"
 9 | SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1333,phase:1,deny,status:403,log,msg:'sql attack detected'"
10 | SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1335,phase:1,deny,status:403,log,msg:'sql attack detected'"
11 | SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1330,phase:1,deny,status:403,log,msg:'sql attack detected'"
12 | SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1328,phase:1,deny,status:403,log,msg:'sql attack detected'"
13 | SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1326,phase:1,deny,status:403,log,msg:'sql attack detected'"
14 | SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1325,phase:1,deny,status:403,log,msg:'sql attack detected'"
15 | SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1332,phase:1,deny,status:403,log,msg:'sql attack detected'"
16 | SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1336,phase:1,deny,status:403,log,msg:'sql attack detected'"
17 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/java.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for JAVA
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1230,phase:1,deny,status:403,log,msg:'java attack detected'"
 5 | SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1235,phase:1,deny,status:403,log,msg:'java attack detected'"
 6 | SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1236,phase:1,deny,status:403,log,msg:'java attack detected'"
 7 | SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1233,phase:1,deny,status:403,log,msg:'java attack detected'"
 8 | SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1229,phase:1,deny,status:403,log,msg:'java attack detected'"
 9 | SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1241,phase:1,deny,status:403,log,msg:'java attack detected'"
10 | SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1238,phase:1,deny,status:403,log,msg:'java attack detected'"
11 | SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1231,phase:1,deny,status:403,log,msg:'java attack detected'"
12 | SecRule REQUEST_URI "xacxedx00x05" "id:1237,phase:1,deny,status:403,log,msg:'java attack detected'"
13 | SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1240,phase:1,deny,status:403,log,msg:'java attack detected'"
14 | SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1239,phase:1,deny,status:403,log,msg:'java attack detected'"
15 | SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1242,phase:1,deny,status:403,log,msg:'java attack detected'"
16 | SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1243,phase:1,deny,status:403,log,msg:'java attack detected'"
17 | SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1234,phase:1,deny,status:403,log,msg:'java attack detected'"
18 | SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1232,phase:1,deny,status:403,log,msg:'java attack detected'"
19 | 


--------------------------------------------------------------------------------
/.github/workflows/test_apache_docker.yml:
--------------------------------------------------------------------------------
 1 | name: Apache with Docker patterns validation
 2 | 
 3 | permissions:
 4 |   contents: read  # Needed to read Apache WAF configuration files
 5 | 
 6 | on:
 7 |   push:
 8 |     branches:
 9 |       - main  # Trigger on push to main branch
10 |   pull_request:
11 |     branches:
12 |       - main  # Trigger on pull request to main branch
13 | 
14 | jobs:
15 |   validate-waf-patterns:
16 |     runs-on: ubuntu-latest
17 | 
18 |     steps:
19 |     - name: Checkout repository
20 |       uses: actions/checkout@v3
21 | 
22 |     - name: Cache Docker setup
23 |       id: cache-docker
24 |       uses: actions/cache@v3
25 |       with:
26 |         path: /var/lib/docker
27 |         key: docker-setup-${{ runner.os }}
28 | 
29 |     - name: Set up Docker
30 |       run: |
31 |         sudo apt-get update
32 |         # Remove conflicting containerd package
33 |         sudo apt-get remove -y containerd
34 |         # Install Docker dependencies
35 |         sudo apt-get install -y ca-certificates curl
36 |         # Add Docker's official GPG key
37 |         sudo install -m 0755 -d /etc/apt/keyrings
38 |         curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
39 |         sudo chmod a+r /etc/apt/keyrings/docker.gpg
40 |         # Add Docker's repository
41 |         echo \
42 |           "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
43 |           $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
44 |           sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
45 |         # Install Docker
46 |         sudo apt-get update
47 |         sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
48 |         sudo docker --version
49 | 
50 |     - name: Pull Docker images
51 |       run: |
52 |         echo "Pulling ApacheDocker image..."
53 |         sudo docker pull httpd:latest
54 | 
55 |     - name: Validate Apache configuration
56 |       run: |
57 |         echo "Validating Apache configuration..."
58 |         for file in waf_patterns/apache/*.conf; do
59 |           echo "Validating $file..."
60 |           sudo docker run --rm -v $(pwd)/waf_patterns/apache:/usr/local/apache2/conf/extra:ro httpd httpd -t
61 |           if [ $? -ne 0 ]; then
62 |             echo "Error: Validation failed for $file"
63 |             exit 1
64 |           fi
65 |         done
66 | 
67 |     - name: Start Apache container with WAF rules
68 |       run: |
69 |         echo "Starting Apache container..."
70 |         sudo docker run -d \
71 |           --name apache-waf \
72 |           -p ${{ env.APACHE_PORT }}:80 \
73 |           -v $(pwd)/waf_patterns/apache:/usr/local/apache2/conf/extra \
74 |           httpd:latest
75 |         echo "Apache is running on port ${{ env.APACHE_PORT }}."
76 | 
77 |     - name: Check Apache container logs
78 |       run: |
79 |         echo "Checking Apache container logs..."
80 |         sudo docker logs apache-waf
81 | 
82 |     - name: Clean up containers
83 |       if: always()
84 |       run: |
85 |         echo "Stopping and removing containers..."
86 |         sudo docker stop apache-waf || true
87 |         sudo docker rm apache-waf || true
88 |         echo "Containers stopped and removed."
89 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/README.md:
--------------------------------------------------------------------------------
  1 | # Apache ModSecurity WAF Configuration
  2 | 
  3 | This directory contains Apache ModSecurity WAF configuration files generated from OWASP CRS rules.
  4 | You can include these files in your existing Apache configuration to enhance security.
  5 | 
  6 | ## Prerequisites
  7 | 
  8 | - Apache HTTP Server (2.4 or higher)
  9 | - ModSecurity module installed and enabled
 10 | - Core Rule Set (CRS) base configuration
 11 | 
 12 | ## Installation
 13 | 
 14 | ### Ubuntu/Debian
 15 | ```bash
 16 | sudo apt-get update
 17 | sudo apt-get install libapache2-mod-security2
 18 | sudo a2enmod security2
 19 | sudo systemctl restart apache2
 20 | ```
 21 | 
 22 | ### CentOS/RHEL
 23 | ```bash
 24 | sudo yum install mod_security
 25 | sudo systemctl restart httpd
 26 | ```
 27 | 
 28 | ## Usage
 29 | 
 30 | 1. Copy the generated configuration files to your Apache configuration directory:
 31 |    ```bash
 32 |    sudo cp waf_patterns/apache/*.conf /etc/apache2/modsecurity.d/
 33 |    # or for CentOS/RHEL:
 34 |    # sudo cp waf_patterns/apache/*.conf /etc/httpd/modsecurity.d/
 35 |    ```
 36 | 
 37 | 2. Include the configuration files in your Apache configuration.
 38 |    
 39 |    Edit `/etc/apache2/mods-enabled/security2.conf` (Ubuntu/Debian) or `/etc/httpd/conf.d/mod_security.conf` (CentOS/RHEL):
 40 |    ```apache
 41 |    <IfModule security2_module>
 42 |        Include /etc/apache2/modsecurity.d/*.conf
 43 |    </IfModule>
 44 |    ```
 45 | 
 46 | 3. Test the configuration:
 47 |    ```bash
 48 |    # Ubuntu/Debian
 49 |    sudo apache2ctl configtest
 50 |    
 51 |    # CentOS/RHEL
 52 |    sudo httpd -t
 53 |    ```
 54 | 
 55 | 4. Reload Apache to apply the changes:
 56 |    ```bash
 57 |    # Ubuntu/Debian
 58 |    sudo systemctl reload apache2
 59 |    
 60 |    # CentOS/RHEL
 61 |    sudo systemctl reload httpd
 62 |    ```
 63 | 
 64 | ## Configuration Details
 65 | 
 66 | The generated rules include:
 67 | - **SQL Injection (SQLi)** detection patterns
 68 | - **Cross-Site Scripting (XSS)** prevention rules
 69 | - **Remote Code Execution (RCE)** blocking
 70 | - **Local File Inclusion (LFI)** protection
 71 | - **Bad Bot/User-Agent** blocking
 72 | 
 73 | ## Customization
 74 | 
 75 | You can adjust the severity and actions for each rule by modifying the configuration files.
 76 | Common actions include:
 77 | - `deny` - Block the request
 78 | - `log` - Log the event
 79 | - `status:403` - Return HTTP 403 Forbidden
 80 | 
 81 | ## Troubleshooting
 82 | 
 83 | ### Check ModSecurity is loaded
 84 | ```bash
 85 | # Ubuntu/Debian
 86 | apache2ctl -M | grep security
 87 | 
 88 | # CentOS/RHEL
 89 | httpd -M | grep security
 90 | ```
 91 | 
 92 | ### View ModSecurity logs
 93 | ```bash
 94 | # Ubuntu/Debian
 95 | sudo tail -f /var/log/apache2/modsec_audit.log
 96 | 
 97 | # CentOS/RHEL
 98 | sudo tail -f /var/log/httpd/modsec_audit.log
 99 | ```
100 | 
101 | ### Test with a sample attack
102 | ```bash
103 | curl "http://yourserver.com/?id=1' OR '1'='1"
104 | # Should return 403 Forbidden if WAF is working
105 | ```
106 | 
107 | ## Notes
108 | 
109 | - Rules are updated daily via GitHub Actions
110 | - Blocked requests return a `403 Forbidden` response by default
111 | - Review the ModSecurity documentation for advanced configuration options
112 | 
113 | ## Resources
114 | 
115 | - [ModSecurity Documentation](https://github.com/SpiderLabs/ModSecurity)
116 | - [OWASP CRS](https://coreruleset.org/)
117 | - [Apache ModSecurity Module](https://modsecurity.org/)
118 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/waf_rules.conf:
--------------------------------------------------------------------------------
  1 | # Nginx WAF Rules
  2 | # Automatically generated from OWASP rules.
  3 | # Include this file inside server block
  4 | 
  5 |   # WAF rules
  6 |     if ($waf_block_initialization) {
  7 |       return 403;
  8 |       # Log the blocked request (optional)
  9 |       # access_log /var/log/nginx/waf_blocked.log;
 10 |     }
 11 | 
 12 |     if ($waf_block_fixation) {
 13 |       return 403;
 14 |       # Log the blocked request (optional)
 15 |       # access_log /var/log/nginx/waf_blocked.log;
 16 |     }
 17 | 
 18 |     if ($waf_block_attack) {
 19 |       return 403;
 20 |       # Log the blocked request (optional)
 21 |       # access_log /var/log/nginx/waf_blocked.log;
 22 |     }
 23 | 
 24 |     if ($waf_block_rfi) {
 25 |       return 403;
 26 |       # Log the blocked request (optional)
 27 |       # access_log /var/log/nginx/waf_blocked.log;
 28 |     }
 29 | 
 30 |     if ($waf_block_exceptions) {
 31 |       return 403;
 32 |       # Log the blocked request (optional)
 33 |       # access_log /var/log/nginx/waf_blocked.log;
 34 |     }
 35 | 
 36 |     if ($waf_block_lfi) {
 37 |       return 403;
 38 |       # Log the blocked request (optional)
 39 |       # access_log /var/log/nginx/waf_blocked.log;
 40 |     }
 41 | 
 42 |     if ($waf_block_enforcement) {
 43 |       return 403;
 44 |       # Log the blocked request (optional)
 45 |       # access_log /var/log/nginx/waf_blocked.log;
 46 |     }
 47 | 
 48 |     if ($waf_block_generic) {
 49 |       return 403;
 50 |       # Log the blocked request (optional)
 51 |       # access_log /var/log/nginx/waf_blocked.log;
 52 |     }
 53 | 
 54 |     if ($waf_block_xss) {
 55 |       return 403;
 56 |       # Log the blocked request (optional)
 57 |       # access_log /var/log/nginx/waf_blocked.log;
 58 |     }
 59 | 
 60 |     if ($waf_block_php) {
 61 |       return 403;
 62 |       # Log the blocked request (optional)
 63 |       # access_log /var/log/nginx/waf_blocked.log;
 64 |     }
 65 | 
 66 |     if ($waf_block_evaluation) {
 67 |       return 403;
 68 |       # Log the blocked request (optional)
 69 |       # access_log /var/log/nginx/waf_blocked.log;
 70 |     }
 71 | 
 72 |     if ($waf_block_rce) {
 73 |       return 403;
 74 |       # Log the blocked request (optional)
 75 |       # access_log /var/log/nginx/waf_blocked.log;
 76 |     }
 77 | 
 78 |     if ($waf_block_sqli) {
 79 |       return 403;
 80 |       # Log the blocked request (optional)
 81 |       # access_log /var/log/nginx/waf_blocked.log;
 82 |     }
 83 | 
 84 |     if ($waf_block_java) {
 85 |       return 403;
 86 |       # Log the blocked request (optional)
 87 |       # access_log /var/log/nginx/waf_blocked.log;
 88 |     }
 89 | 
 90 |     if ($waf_block_sql) {
 91 |       return 403;
 92 |       # Log the blocked request (optional)
 93 |       # access_log /var/log/nginx/waf_blocked.log;
 94 |     }
 95 | 
 96 |     if ($waf_block_leakages) {
 97 |       return 403;
 98 |       # Log the blocked request (optional)
 99 |       # access_log /var/log/nginx/waf_blocked.log;
100 |     }
101 | 
102 |     if ($waf_block_shells) {
103 |       return 403;
104 |       # Log the blocked request (optional)
105 |       # access_log /var/log/nginx/waf_blocked.log;
106 |     }
107 | 
108 |     if ($waf_block_correlation) {
109 |       return 403;
110 |       # Log the blocked request (optional)
111 |       # access_log /var/log/nginx/waf_blocked.log;
112 |     }
113 | 
114 |     if ($waf_block_iis) {
115 |       return 403;
116 |       # Log the blocked request (optional)
117 |       # access_log /var/log/nginx/waf_blocked.log;
118 |     }
119 | 
120 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
  1 | # Contributing to Patterns
  2 | 
  3 | Thank you for your interest in contributing to the Patterns project! We appreciate your help in making this project better.
  4 | 
  5 | ## How to Contribute
  6 | 
  7 | ### Reporting Issues
  8 | 
  9 | If you find a bug or have a suggestion for improvement:
 10 | 
 11 | 1. Check if the issue already exists in the [Issues](https://github.com/fabriziosalmi/patterns/issues) section.
 12 | 2. If not, create a new issue with a clear title and description.
 13 | 3. Include relevant details such as:
 14 |    - Steps to reproduce (for bugs)
 15 |    - Expected vs. actual behavior
 16 |    - Your environment (OS, Python version, web server type)
 17 | 
 18 | ### Submitting Pull Requests
 19 | 
 20 | We welcome pull requests! Here's how to submit one:
 21 | 
 22 | 1. **Fork the Repository**
 23 |    ```bash
 24 |    git clone https://github.com/YOUR_USERNAME/patterns.git
 25 |    cd patterns
 26 |    ```
 27 | 
 28 | 2. **Create a Feature Branch**
 29 |    
 30 |    Use descriptive branch names following this convention:
 31 |    - `feature/description` - For new features
 32 |    - `fix/description` - For bug fixes
 33 |    - `docs/description` - For documentation changes
 34 |    - `refactor/description` - For code refactoring
 35 |    
 36 |    Example:
 37 |    ```bash
 38 |    git checkout -b feature/add-caddy-support
 39 |    ```
 40 | 
 41 | 3. **Make Your Changes**
 42 |    - Write clear, concise commit messages
 43 |    - Follow the existing code style and conventions
 44 |    - Add comments where necessary
 45 |    - Update documentation if you're changing functionality
 46 | 
 47 | 4. **Test Your Changes**
 48 |    
 49 |    Before submitting, ensure your code works correctly:
 50 |    ```bash
 51 |    # Install dependencies
 52 |    pip install -r requirements.txt
 53 |    
 54 |    # Test the OWASP scraper
 55 |    python owasp2json.py
 56 |    
 57 |    # Test the converters
 58 |    python json2nginx.py
 59 |    python json2apache.py
 60 |    python json2traefik.py
 61 |    python json2haproxy.py
 62 |    
 63 |    # Test bad bot generation
 64 |    python badbots.py
 65 |    ```
 66 |    
 67 |    For web server specific testing, check the respective workflow files in `.github/workflows/`.
 68 | 
 69 | 5. **Commit and Push**
 70 |    ```bash
 71 |    git add .
 72 |    git commit -m "feat: add support for Caddy web server"
 73 |    git push origin feature/add-caddy-support
 74 |    ```
 75 | 
 76 | 6. **Open a Pull Request**
 77 |    - Go to the original repository on GitHub
 78 |    - Click "New Pull Request"
 79 |    - Select your branch
 80 |    - Provide a clear title and description of your changes
 81 |    - Reference any related issues
 82 | 
 83 | ## Code Style Guidelines
 84 | 
 85 | - Use Python 3.11 or higher
 86 | - Follow PEP 8 style guidelines
 87 | - Use meaningful variable and function names
 88 | - Add docstrings to functions and classes
 89 | - Keep functions focused and modular
 90 | - Handle errors gracefully with try-except blocks
 91 | 
 92 | ## Adding Support for New Web Servers
 93 | 
 94 | If you want to add support for a new web server:
 95 | 
 96 | 1. Create a new converter script: `json2WEBSERVER.py`
 97 | 2. Create output directory: `waf_patterns/WEBSERVER/`
 98 | 3. Add README.md with integration instructions
 99 | 4. Update the main README.md to include the new web server
100 | 5. Update the GitHub Actions workflow to include the new converter
101 | 6. Add example configurations
102 | 
103 | ## Questions?
104 | 
105 | If you have questions about contributing, feel free to:
106 | - Open an issue for discussion
107 | - Contact the maintainers
108 | 
109 | Thank you for contributing!
110 | 


--------------------------------------------------------------------------------
/docs/nginx.md:
--------------------------------------------------------------------------------
  1 | # Nginx Integration
  2 | 
  3 | This guide explains how to integrate the WAF patterns into your Nginx configuration.
  4 | 
  5 | ## Quick Start
  6 | 
  7 | 1. Download `nginx_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
  8 | 2. Extract to your Nginx configuration directory
  9 | 3. Include the configuration files as shown below
 10 | 
 11 | ## Configuration Files
 12 | 
 13 | The Nginx WAF package includes:
 14 | 
 15 | | File | Purpose | Include Location |
 16 | |------|---------|------------------|
 17 | | `waf_maps.conf` | Map directives for pattern matching | `http` block |
 18 | | `waf_rules.conf` | If statements for blocking | `server` block |
 19 | | `bots.conf` | Bad bot detection maps | `http` block |
 20 | 
 21 | ## Integration
 22 | 
 23 | ### Step 1: Include Maps in HTTP Block
 24 | 
 25 | The map directives **must** be included in the `http` context:
 26 | 
 27 | ```nginx
 28 | http {
 29 |     # Include WAF maps (pattern definitions)
 30 |     include /path/to/waf_patterns/nginx/waf_maps.conf;
 31 |     
 32 |     # Include bot detection maps
 33 |     include /path/to/waf_patterns/nginx/bots.conf;
 34 |     
 35 |     # ... other http configurations ...
 36 | }
 37 | ```
 38 | 
 39 | ### Step 2: Include Rules in Server Block
 40 | 
 41 | The blocking rules go inside your `server` or `location` block:
 42 | 
 43 | ```nginx
 44 | server {
 45 |     listen 80;
 46 |     server_name example.com;
 47 |     
 48 |     # Include WAF rules
 49 |     include /path/to/waf_patterns/nginx/waf_rules.conf;
 50 |     
 51 |     # ... other server configurations ...
 52 | }
 53 | ```
 54 | 
 55 | ### Step 3: Reload Nginx
 56 | 
 57 | Test and reload the configuration:
 58 | 
 59 | ```bash
 60 | sudo nginx -t && sudo systemctl reload nginx
 61 | ```
 62 | 
 63 | ## How It Works
 64 | 
 65 | The WAF uses Nginx's `map` directive for efficient pattern matching:
 66 | 
 67 | ```nginx
 68 | map $request_uri $waf_block_sqli {
 69 |     default 0;
 70 |     "~*union.*select" 1;
 71 |     "~*insert.*into" 1;
 72 | }
 73 | 
 74 | if ($waf_block_sqli) {
 75 |     return 403;
 76 | }
 77 | ```
 78 | 
 79 | ## Customization
 80 | 
 81 | ### Enable Logging
 82 | 
 83 | To log blocked requests, edit `waf_rules.conf` and uncomment the logging lines:
 84 | 
 85 | ```nginx
 86 | if ($waf_block_sqli) {
 87 |     return 403;
 88 |     access_log /var/log/nginx/waf_blocked.log;
 89 | }
 90 | ```
 91 | 
 92 | ### Whitelist Specific Paths
 93 | 
 94 | Add exceptions before the WAF rules:
 95 | 
 96 | ```nginx
 97 | location /api/webhook {
 98 |     # Skip WAF for this path
 99 |     # ... your configuration ...
100 | }
101 | 
102 | # WAF rules for other paths
103 | include /path/to/waf_patterns/nginx/waf_rules.conf;
104 | ```
105 | 
106 | ::: warning Important
107 | Individual category files like `attack.conf` or `xss.conf` should **not** be included directly. They contain both `map` and `if` directives which cannot be used in the same context. Always use `waf_maps.conf` + `waf_rules.conf`.
108 | :::
109 | 
110 | ## Testing
111 | 
112 | Test your WAF configuration with common attack patterns:
113 | 
114 | ```bash
115 | # Should be blocked (SQL injection)
116 | curl -I "http://example.com/?id=1' OR '1'='1"
117 | 
118 | # Should be blocked (XSS)
119 | curl -I "http://example.com/?q=<script>alert(1)</script>"
120 | ```
121 | 
122 | ## Troubleshooting
123 | 
124 | ### Configuration errors
125 | Always run `nginx -t` before reloading to catch syntax errors.
126 | 
127 | ### False positives
128 | If legitimate requests are being blocked, check `/var/log/nginx/error.log` and consider adding path-specific exceptions.
129 | 
130 | ### Performance
131 | The map-based approach is highly efficient. For high-traffic sites, consider enabling caching for the map variables.
132 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/rce.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for RCE
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_rce {
 6 |     default 0;
 7 |     "~*rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" 1;
 8 |     "~*b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" 1;
 9 |     "~*;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" 1;
10 |     "~*['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" 1;
11 |     "~*s" 1;
12 |     "~*(?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])" 1;
13 |     "~*(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" 1;
14 |     "~*!@rx [0-9]s*'s*[0-9]" 1;
15 |     "~*ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]" 1;
16 |     "~*^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" 1;
17 |     "~*^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" 1;
18 |     "~*rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" 1;
19 |     "~*!-d" 1;
20 |     "~*$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" 1;
21 |     "~*rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" 1;
22 |     "~*!(?:d|!)" 1;
23 |     "~*/" 1;
24 |     "~*/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" 1;
25 |     "~*^(s*)s+{" 1;
26 |     "~*(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)" 1;
27 | }
28 | 
29 | if ($waf_block_rce) {
30 |     return 403;
31 |     # Log the blocked request (optional)
32 |     # access_log /var/log/nginx/waf_blocked.log;
33 | }
34 | 
35 | 


--------------------------------------------------------------------------------
/docs/apache.md:
--------------------------------------------------------------------------------
  1 | # Apache Integration
  2 | 
  3 | This guide explains how to integrate the WAF patterns with Apache using ModSecurity.
  4 | 
  5 | ## Prerequisites
  6 | 
  7 | - Apache 2.4+
  8 | - ModSecurity module installed
  9 | 
 10 | ### Install ModSecurity
 11 | 
 12 | ::: code-group
 13 | 
 14 | ```bash [Debian/Ubuntu]
 15 | sudo apt install libapache2-mod-security2
 16 | sudo a2enmod security2
 17 | ```
 18 | 
 19 | ```bash [RHEL/CentOS]
 20 | sudo yum install mod_security
 21 | ```
 22 | 
 23 | :::
 24 | 
 25 | ## Quick Start
 26 | 
 27 | 1. Download `apache_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
 28 | 2. Extract to your Apache configuration directory
 29 | 3. Include the files in your Apache configuration
 30 | 
 31 | ## Configuration Files
 32 | 
 33 | The Apache WAF package includes ModSecurity rules organized by attack type:
 34 | 
 35 | | File | Protection Type |
 36 | |------|-----------------|
 37 | | `sqli.conf` | SQL Injection |
 38 | | `xss.conf` | Cross-Site Scripting |
 39 | | `rce.conf` | Remote Code Execution |
 40 | | `lfi.conf` | Local File Inclusion |
 41 | | `rfi.conf` | Remote File Inclusion |
 42 | | `bots.conf` | Bad Bot Detection |
 43 | 
 44 | ## Integration
 45 | 
 46 | ### Step 1: Enable ModSecurity
 47 | 
 48 | Create or edit `/etc/apache2/mods-enabled/security2.conf`:
 49 | 
 50 | ```apache
 51 | <IfModule security2_module>
 52 |     SecRuleEngine On
 53 |     SecRequestBodyAccess On
 54 |     SecResponseBodyAccess Off
 55 |     SecDebugLogLevel 0
 56 | </IfModule>
 57 | ```
 58 | 
 59 | ### Step 2: Include WAF Rules
 60 | 
 61 | Add to your Apache configuration or virtual host:
 62 | 
 63 | ```apache
 64 | <VirtualHost *:80>
 65 |     ServerName example.com
 66 |     
 67 |     # Include all WAF patterns
 68 |     Include /path/to/waf_patterns/apache/*.conf
 69 |     
 70 |     # ... other configurations ...
 71 | </VirtualHost>
 72 | ```
 73 | 
 74 | Or include specific rule sets:
 75 | 
 76 | ```apache
 77 | Include /path/to/waf_patterns/apache/sqli.conf
 78 | Include /path/to/waf_patterns/apache/xss.conf
 79 | Include /path/to/waf_patterns/apache/bots.conf
 80 | ```
 81 | 
 82 | ### Step 3: Restart Apache
 83 | 
 84 | ```bash
 85 | sudo apachectl configtest && sudo systemctl restart apache2
 86 | ```
 87 | 
 88 | ## Rule Format
 89 | 
 90 | The rules follow ModSecurity syntax:
 91 | 
 92 | ```apache
 93 | SecRule REQUEST_URI "@rx union.*select" \
 94 |     "id:100001,\
 95 |     phase:2,\
 96 |     deny,\
 97 |     status:403,\
 98 |     msg:'SQL Injection Attempt',\
 99 |     severity:CRITICAL"
100 | ```
101 | 
102 | ## Customization
103 | 
104 | ### Adjust Severity Levels
105 | 
106 | Modify the action from `deny` to `log` for monitoring mode:
107 | 
108 | ```apache
109 | SecRule REQUEST_URI "@rx pattern" \
110 |     "id:100001,\
111 |     phase:2,\
112 |     log,\
113 |     pass,\
114 |     msg:'Potential attack detected'"
115 | ```
116 | 
117 | ### Whitelist Paths
118 | 
119 | Add exceptions for specific paths:
120 | 
121 | ```apache
122 | SecRule REQUEST_URI "@beginsWith /api/webhook" \
123 |     "id:1,\
124 |     phase:1,\
125 |     allow,\
126 |     nolog"
127 | ```
128 | 
129 | ## Logging
130 | 
131 | ModSecurity logs are typically found at:
132 | - `/var/log/apache2/modsec_audit.log`
133 | - `/var/log/httpd/modsec_audit.log`
134 | 
135 | Enable detailed logging:
136 | 
137 | ```apache
138 | SecAuditEngine RelevantOnly
139 | SecAuditLog /var/log/apache2/modsec_audit.log
140 | SecAuditLogParts ABCDEFHZ
141 | ```
142 | 
143 | ## Testing
144 | 
145 | ```bash
146 | # Test SQL injection detection
147 | curl -I "http://example.com/?id=1' UNION SELECT * FROM users--"
148 | 
149 | # Check Apache error log
150 | sudo tail -f /var/log/apache2/error.log
151 | ```
152 | 
153 | ## Troubleshooting
154 | 
155 | ### ModSecurity not loading
156 | Ensure the module is enabled: `sudo a2enmod security2`
157 | 
158 | ### Rules not triggering
159 | Check that `SecRuleEngine` is set to `On` and rules are being included.
160 | 
161 | ### Performance issues
162 | Consider using `SecRuleRemoveById` to disable noisy rules that cause false positives.
163 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/shells.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for SHELLS
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1115,phase:1,deny,status:403,log,msg:'shells attack detected'"
 5 | SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1102,phase:1,deny,status:403,log,msg:'shells attack detected'"
 6 | SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1114,phase:1,deny,status:403,log,msg:'shells attack detected'"
 7 | SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1124,phase:1,deny,status:403,log,msg:'shells attack detected'"
 8 | SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1104,phase:1,deny,status:403,log,msg:'shells attack detected'"
 9 | SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1112,phase:1,deny,status:403,log,msg:'shells attack detected'"
10 | SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1106,phase:1,deny,status:403,log,msg:'shells attack detected'"
11 | SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1125,phase:1,deny,status:403,log,msg:'shells attack detected'"
12 | SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1105,phase:1,deny,status:403,log,msg:'shells attack detected'"
13 | SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1108,phase:1,deny,status:403,log,msg:'shells attack detected'"
14 | SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1111,phase:1,deny,status:403,log,msg:'shells attack detected'"
15 | SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1107,phase:1,deny,status:403,log,msg:'shells attack detected'"
16 | SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1122,phase:1,deny,status:403,log,msg:'shells attack detected'"
17 | SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1103,phase:1,deny,status:403,log,msg:'shells attack detected'"
18 | SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1118,phase:1,deny,status:403,log,msg:'shells attack detected'"
19 | SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1109,phase:1,deny,status:403,log,msg:'shells attack detected'"
20 | SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1119,phase:1,deny,status:403,log,msg:'shells attack detected'"
21 | SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1116,phase:1,deny,status:403,log,msg:'shells attack detected'"
22 | SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1120,phase:1,deny,status:403,log,msg:'shells attack detected'"
23 | SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1101,phase:1,deny,status:403,log,msg:'shells attack detected'"
24 | SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1117,phase:1,deny,status:403,log,msg:'shells attack detected'"
25 | SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1121,phase:1,deny,status:403,log,msg:'shells attack detected'"
26 | SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1113,phase:1,deny,status:403,log,msg:'shells attack detected'"
27 | SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1110,phase:1,deny,status:403,log,msg:'shells attack detected'"
28 | SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1123,phase:1,deny,status:403,log,msg:'shells attack detected'"
29 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/evaluation.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for EVALUATION
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@ge\ 4" "id:1037,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
 5 | SecRule REQUEST_URI "@ge\ 1" "id:1031,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
 6 | SecRule REQUEST_URI "@ge\ 2" "id:1033,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
 7 | SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1019,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
 8 | SecRule REQUEST_URI "@ge\ 3" "id:1005,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
 9 | SecRule REQUEST_URI "@ge\ 3" "id:1014,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
10 | SecRule REQUEST_URI "@ge\ 4" "id:1015,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
11 | SecRule REQUEST_URI "@ge\ 1" "id:1009,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
12 | SecRule REQUEST_URI "@ge\ 2" "id:1011,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
13 | SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1041,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
14 | SecRule REQUEST_URI "@ge\ 4" "id:1030,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
15 | SecRule REQUEST_URI "@ge\ 3" "id:1035,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
16 | SecRule REQUEST_URI "@ge\ 1" "id:1024,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
17 | SecRule REQUEST_URI "@ge\ 2" "id:1026,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
18 | SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1039,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
19 | SecRule REQUEST_URI "@ge\ 3" "id:1027,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
20 | SecRule REQUEST_URI "@eq\ 1" "id:1040,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
21 | SecRule REQUEST_URI "@ge\ 4" "id:1008,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
22 | SecRule REQUEST_URI "@ge\ 3" "id:1013,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
23 | SecRule REQUEST_URI "@ge\ 1" "id:1002,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
24 | SecRule REQUEST_URI "@ge\ 2" "id:1004,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
25 | SecRule REQUEST_URI "@ge\ 3" "id:1028,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
26 | SecRule REQUEST_URI "@ge\ 1" "id:1023,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
27 | SecRule REQUEST_URI "@ge\ 4" "id:1029,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
28 | SecRule REQUEST_URI "@ge\ 1" "id:1032,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
29 | SecRule REQUEST_URI "@eq\ 1" "id:1018,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
30 | SecRule REQUEST_URI "@ge\ 2" "id:1025,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
31 | SecRule REQUEST_URI "@ge\ 4" "id:1038,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
32 | SecRule REQUEST_URI "@ge\ 2" "id:1034,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
33 | SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1017,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
34 | SecRule REQUEST_URI "@ge\ 3" "id:1006,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
35 | SecRule REQUEST_URI "@ge\ 4" "id:1007,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
36 | SecRule REQUEST_URI "@ge\ 1" "id:1001,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
37 | SecRule REQUEST_URI "@ge\ 2" "id:1003,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
38 | SecRule REQUEST_URI "@ge\ 4" "id:1016,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
39 | SecRule REQUEST_URI "@ge\ 1" "id:1010,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
40 | SecRule REQUEST_URI "@ge\ 2" "id:1012,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
41 | SecRule REQUEST_URI "@ge\ 3" "id:1036,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
42 | 


--------------------------------------------------------------------------------
/waf_patterns/traefik/README.md:
--------------------------------------------------------------------------------
  1 | # Traefik WAF Configuration
  2 | 
  3 | This directory contains Traefik WAF configuration files generated from OWASP CRS rules.
  4 | You can use these middleware configurations to enhance security in your Traefik setup.
  5 | 
  6 | ## Prerequisites
  7 | 
  8 | - Traefik v2.x or higher
  9 | - Basic understanding of Traefik middleware
 10 | 
 11 | ## Configuration Files
 12 | 
 13 | The generated configuration includes:
 14 | - Middleware definitions for request filtering
 15 | - Regular expression patterns for attack detection
 16 | - Bad bot/User-Agent blocking rules
 17 | 
 18 | ## Usage
 19 | 
 20 | ### Option 1: File Provider (Recommended)
 21 | 
 22 | 1. Copy the generated configuration files to your Traefik configuration directory:
 23 |    ```bash
 24 |    cp waf_patterns/traefik/*.toml /etc/traefik/dynamic/
 25 |    # or to your custom config directory
 26 |    ```
 27 | 
 28 | 2. Configure Traefik to load dynamic configuration from files.
 29 |    
 30 |    In your `traefik.yml` or `traefik.toml`:
 31 |    ```yaml
 32 |    providers:
 33 |      file:
 34 |        directory: "/etc/traefik/dynamic"
 35 |        watch: true
 36 |    ```
 37 | 
 38 | 3. Apply the middleware to your routes by referencing it in your service configuration:
 39 |    ```yaml
 40 |    http:
 41 |      routers:
 42 |        my-router:
 43 |          rule: "Host(`example.com`)"
 44 |          service: my-service
 45 |          middlewares:
 46 |            - waf-middleware
 47 |    ```
 48 | 
 49 | ### Option 2: Docker Labels
 50 | 
 51 | If you're using Docker, you can apply the middleware via labels:
 52 | 
 53 | ```yaml
 54 | services:
 55 |   my-service:
 56 |     image: my-app:latest
 57 |     labels:
 58 |       - "traefik.enable=true"
 59 |       - "traefik.http.routers.my-router.rule=Host(`example.com`)"
 60 |       - "traefik.http.routers.my-router.middlewares=waf-middleware@file"
 61 | ```
 62 | 
 63 | ### Option 3: Kubernetes IngressRoute
 64 | 
 65 | For Kubernetes deployments:
 66 | 
 67 | ```yaml
 68 | apiVersion: traefik.containo.us/v1alpha1
 69 | kind: Middleware
 70 | metadata:
 71 |   name: waf-middleware
 72 | spec:
 73 |   plugin:
 74 |     # Reference your WAF plugin configuration here
 75 | ```
 76 | 
 77 | ## Configuration Details
 78 | 
 79 | The middleware includes protection against:
 80 | - **SQL Injection (SQLi)** attacks
 81 | - **Cross-Site Scripting (XSS)** attempts
 82 | - **Remote Code Execution (RCE)** patterns
 83 | - **Local File Inclusion (LFI)** attempts
 84 | - **Malicious bots and crawlers**
 85 | 
 86 | ## Testing
 87 | 
 88 | Test the WAF is working by sending a malicious request:
 89 | 
 90 | ```bash
 91 | curl -H "User-Agent: AhrefsBot" http://yourserver.com
 92 | # Should be blocked if bot protection is working
 93 | 
 94 | curl "http://yourserver.com/?id=1' OR '1'='1"
 95 | # Should be blocked if SQLi protection is working
 96 | ```
 97 | 
 98 | ## Monitoring
 99 | 
100 | Monitor blocked requests in Traefik logs:
101 | 
102 | ```bash
103 | # Docker
104 | docker logs traefik 2>&1 | grep -i "blocked\|forbidden"
105 | 
106 | # Standard installation
107 | tail -f /var/log/traefik/access.log | grep -i "403"
108 | ```
109 | 
110 | ## Customization
111 | 
112 | You can customize the middleware behavior by:
113 | 1. Editing the generated `.toml` files
114 | 2. Adjusting regex patterns for your specific needs
115 | 3. Modifying response codes and error pages
116 | 4. Adding custom headers for blocked requests
117 | 
118 | ## Performance Considerations
119 | 
120 | - Regular expression matching can impact performance under high load
121 | - Consider using caching middleware in combination with WAF
122 | - Monitor CPU usage and adjust rules if needed
123 | - Use Traefik's built-in rate limiting for additional protection
124 | 
125 | ## Notes
126 | 
127 | - Rules are updated daily via GitHub Actions
128 | - Blocked requests typically return `403 Forbidden` or `400 Bad Request`
129 | - Middleware is applied at the router level
130 | - Compatible with other Traefik middlewares (chain them as needed)
131 | 
132 | ## Resources
133 | 
134 | - [Traefik Documentation](https://doc.traefik.io/traefik/)
135 | - [Traefik Middleware](https://doc.traefik.io/traefik/middlewares/overview/)
136 | - [OWASP CRS](https://coreruleset.org/)
137 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/sqli.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for SQLI
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_sqli {
 6 |     default 0;
 7 |     "~*[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]" 1;
 8 |     "~*(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" 1;
 9 |     "~*(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" 1;
10 |     "~*(?:^s*[\"'`;]+|[\"'`]+s*$)" 1;
11 |     "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){8})" 1;
12 |     "~*(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)" 1;
13 |     "~*(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" 1;
14 |     "~*!@streq %{TX.2}" 1;
15 |     "~*^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" 1;
16 |     "~*(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+" 1;
17 |     "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){3})" 1;
18 |     "~*@streq %{TX.2}" 1;
19 |     "~*@detectSQLi" 1;
20 |     "~*';" 1;
21 |     "~*(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" 1;
22 |     "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){6})" 1;
23 |     "~*(?i:b0x[a-fd]{3,})" 1;
24 |     "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){12})" 1;
25 |     "~*(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" 1;
26 |     "~*(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" 1;
27 |     "~*((?:[~!@#$%^&*()-+={}[]|:;\"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;\"'´’‘`<>]*?){2})" 1;
28 |     "~*(?i:^[Wd]+s*?(?:alter|union)b)" 1;
29 |     "~*^(?:and|or)$" 1;
30 |     "~*(?i)union.*?select.*?from" 1;
31 |     "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
32 |     "~*(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" 1;
33 |     "~*^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b" 1;
34 |     "~*W{4}" 1;
35 |     "~*(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b" 1;
36 |     "~*^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;" 1;
37 |     "~*(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" 1;
38 |     "~*(?i)1.e[(-),]" 1;
39 |     "~*!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" 1;
40 |     "~*(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" 1;
41 |     "~*(?i)W+d*?s*?bhavingbs*?[^s-]" 1;
42 | }
43 | 
44 | if ($waf_block_sqli) {
45 |     return 403;
46 |     # Log the blocked request (optional)
47 |     # access_log /var/log/nginx/waf_blocked.log;
48 | }
49 | 
50 | 


--------------------------------------------------------------------------------
/docs/traefik.md:
--------------------------------------------------------------------------------
  1 | # Traefik Integration
  2 | 
  3 | This guide explains how to integrate the WAF patterns with Traefik using middleware plugins.
  4 | 
  5 | ## Quick Start
  6 | 
  7 | 1. Download `traefik_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
  8 | 2. Extract the files
  9 | 3. Configure the middleware in your Traefik configuration
 10 | 
 11 | ## Configuration Files
 12 | 
 13 | The Traefik WAF package includes:
 14 | 
 15 | | File | Purpose |
 16 | |------|---------|
 17 | | `middleware.toml` | WAF middleware configuration |
 18 | | `bots.toml` | Bad bot detection rules |
 19 | 
 20 | ## Integration with File Provider
 21 | 
 22 | ### Step 1: Enable File Provider
 23 | 
 24 | In your `traefik.toml` or `traefik.yml`:
 25 | 
 26 | ::: code-group
 27 | 
 28 | ```toml [traefik.toml]
 29 | [providers]
 30 |   [providers.file]
 31 |     directory = "/etc/traefik/dynamic"
 32 |     watch = true
 33 | ```
 34 | 
 35 | ```yaml [traefik.yml]
 36 | providers:
 37 |   file:
 38 |     directory: /etc/traefik/dynamic
 39 |     watch: true
 40 | ```
 41 | 
 42 | :::
 43 | 
 44 | ### Step 2: Copy Middleware Files
 45 | 
 46 | Copy the WAF configuration files to your dynamic configuration directory:
 47 | 
 48 | ```bash
 49 | cp waf_patterns/traefik/*.toml /etc/traefik/dynamic/
 50 | ```
 51 | 
 52 | ### Step 3: Apply Middleware to Routes
 53 | 
 54 | Reference the middleware in your router configuration:
 55 | 
 56 | ::: code-group
 57 | 
 58 | ```toml [dynamic/routes.toml]
 59 | [http.routers.my-router]
 60 |   rule = "Host(`example.com`)"
 61 |   service = "my-service"
 62 |   middlewares = ["waf-protection", "bot-blocker"]
 63 | 
 64 | [http.middlewares.waf-protection.plugin.waf]
 65 |   # WAF configuration loaded from middleware.toml
 66 | 
 67 | [http.middlewares.bot-blocker.plugin.botblocker]
 68 |   # Bot blocking loaded from bots.toml
 69 | ```
 70 | 
 71 | ```yaml [dynamic/routes.yml]
 72 | http:
 73 |   routers:
 74 |     my-router:
 75 |       rule: "Host(`example.com`)"
 76 |       service: my-service
 77 |       middlewares:
 78 |         - waf-protection
 79 |         - bot-blocker
 80 | ```
 81 | 
 82 | :::
 83 | 
 84 | ## Integration with Docker Labels
 85 | 
 86 | For Docker-based deployments:
 87 | 
 88 | ```yaml
 89 | services:
 90 |   my-app:
 91 |     image: my-app:latest
 92 |     labels:
 93 |       - "traefik.enable=true"
 94 |       - "traefik.http.routers.my-app.rule=Host(`example.com`)"
 95 |       - "traefik.http.routers.my-app.middlewares=waf@file"
 96 | ```
 97 | 
 98 | ## Middleware Configuration
 99 | 
100 | The `middleware.toml` contains regex-based blocking rules:
101 | 
102 | ```toml
103 | [http.middlewares.waf.plugin.rewriteHeaders]
104 |   # SQL Injection patterns
105 |   [[http.middlewares.waf.plugin.rewriteHeaders.replacements]]
106 |     regex = "(?i)union.*select"
107 |     replacement = "BLOCKED"
108 | ```
109 | 
110 | ## Using with Traefik Plugins
111 | 
112 | For enhanced WAF capabilities, consider using community plugins:
113 | 
114 | ```yaml
115 | experimental:
116 |   plugins:
117 |     waf:
118 |       moduleName: "github.com/example/traefik-waf-plugin"
119 |       version: "v1.0.0"
120 | ```
121 | 
122 | ## Customization
123 | 
124 | ### Add Custom Patterns
125 | 
126 | Edit `middleware.toml` to add your own patterns:
127 | 
128 | ```toml
129 | [[http.middlewares.waf.plugin.rewriteHeaders.replacements]]
130 |   regex = "your-custom-pattern"
131 |   replacement = "BLOCKED"
132 | ```
133 | 
134 | ### Logging
135 | 
136 | Enable access logs to monitor blocked requests:
137 | 
138 | ```toml
139 | [accessLog]
140 |   filePath = "/var/log/traefik/access.log"
141 |   format = "json"
142 |   
143 |   [accessLog.fields]
144 |     [accessLog.fields.headers]
145 |       defaultMode = "keep"
146 | ```
147 | 
148 | ## Testing
149 | 
150 | ```bash
151 | # Test WAF detection
152 | curl -H "Host: example.com" \
153 |   "http://localhost/?id=1' OR '1'='1"
154 | 
155 | # Check Traefik logs
156 | docker logs traefik 2>&1 | grep -i blocked
157 | ```
158 | 
159 | ## Troubleshooting
160 | 
161 | ### Middleware not loading
162 | Check that the file provider is correctly configured and watching the right directory.
163 | 
164 | ### Routes not applying middleware
165 | Ensure the middleware name matches exactly between router and middleware definition.
166 | 
167 | ### Performance considerations
168 | Traefik's regex-based middleware can impact performance at high traffic. Monitor latency after enabling WAF rules.
169 | 


--------------------------------------------------------------------------------
/docs/badbots.md:
--------------------------------------------------------------------------------
  1 | # Bad Bot Detection
  2 | 
  3 | This guide explains how to use the bad bot detection feature to block malicious crawlers and scrapers.
  4 | 
  5 | ## Overview
  6 | 
  7 | The `badbots.py` script generates configuration files to block known malicious bots based on their User-Agent strings. It fetches bot lists from multiple public sources and generates blocking rules for each supported web server.
  8 | 
  9 | ## How It Works
 10 | 
 11 | 1. Fetches bot lists from public sources:
 12 |    - [ai.robots.txt](https://github.com/ai-robots-txt/ai.robots.txt)
 13 |    - Various community-maintained bot lists
 14 | 2. Generates blocking configurations for each platform
 15 | 3. Updates configurations daily via GitHub Actions
 16 | 
 17 | ## Generated Files
 18 | 
 19 | | Platform | File | Format |
 20 | |----------|------|--------|
 21 | | Nginx | `bots.conf` | Map directive |
 22 | | Apache | `bots.conf` | ModSecurity rules |
 23 | | Traefik | `bots.toml` | Middleware config |
 24 | | HAProxy | `bots.acl` | ACL patterns |
 25 | 
 26 | ## Nginx Bot Blocker
 27 | 
 28 | The Nginx configuration uses a map directive:
 29 | 
 30 | ```nginx
 31 | # In http block
 32 | map $http_user_agent $bad_bot {
 33 |     default 0;
 34 |     "~*AhrefsBot" 1;
 35 |     "~*SemrushBot" 1;
 36 |     "~*MJ12bot" 1;
 37 |     "~*DotBot" 1;
 38 |     # ... more bots
 39 | }
 40 | 
 41 | # In server block
 42 | if ($bad_bot) {
 43 |     return 403;
 44 | }
 45 | ```
 46 | 
 47 | ### Integration
 48 | 
 49 | ```nginx
 50 | http {
 51 |     include /path/to/waf_patterns/nginx/bots.conf;
 52 |     
 53 |     server {
 54 |         if ($bad_bot) {
 55 |             return 403;
 56 |         }
 57 |     }
 58 | }
 59 | ```
 60 | 
 61 | ## Apache Bot Blocker
 62 | 
 63 | Uses ModSecurity rules:
 64 | 
 65 | ```apache
 66 | SecRule REQUEST_HEADERS:User-Agent "@rx AhrefsBot" \
 67 |     "id:200001,phase:1,deny,status:403,msg:'Bad Bot Blocked'"
 68 | ```
 69 | 
 70 | ## HAProxy Bot Blocker
 71 | 
 72 | Uses ACL rules:
 73 | 
 74 | ```haproxy
 75 | acl bad_bot hdr_reg(User-Agent) -i -f /etc/haproxy/bots.acl
 76 | http-request deny if bad_bot
 77 | ```
 78 | 
 79 | ## Blocked Bot Categories
 80 | 
 81 | The following categories of bots are blocked by default:
 82 | 
 83 | ### SEO/Marketing Crawlers
 84 | - AhrefsBot
 85 | - SemrushBot
 86 | - MJ12bot
 87 | - DotBot
 88 | - BLEXBot
 89 | 
 90 | ### AI/ML Crawlers
 91 | - GPTBot
 92 | - ChatGPT-User
 93 | - CCBot
 94 | - Google-Extended
 95 | - Anthropic-AI
 96 | 
 97 | ### Scrapers
 98 | - DataForSeoBot
 99 | - PetalBot
100 | - Bytespider
101 | - ClaudeBot
102 | 
103 | ### Malicious Bots
104 | - Known vulnerability scanners
105 | - Spam bots
106 | - Content scrapers
107 | 
108 | ## Customization
109 | 
110 | ### Add Custom Bots
111 | 
112 | Edit the generated file or add your own patterns:
113 | 
114 | ```nginx
115 | # Nginx: Add to bots.conf
116 | "~*MyCustomBot" 1;
117 | ```
118 | 
119 | ```apache
120 | # Apache: Add rule
121 | SecRule REQUEST_HEADERS:User-Agent "@rx MyCustomBot" \
122 |     "id:200999,deny"
123 | ```
124 | 
125 | ### Whitelist Bots
126 | 
127 | For Nginx, allow specific bots:
128 | 
129 | ```nginx
130 | map $http_user_agent $bad_bot {
131 |     default 0;
132 |     "~*Googlebot" 0;     # Allow Google
133 |     "~*AhrefsBot" 1;     # Block Ahrefs
134 | }
135 | ```
136 | 
137 | ### Allow All Bots for Specific Paths
138 | 
139 | ```nginx
140 | location /public-api {
141 |     # Override bot blocking
142 |     if ($bad_bot) {
143 |         # Don't block here
144 |     }
145 | }
146 | ```
147 | 
148 | ## Generate Manually
149 | 
150 | Run the script to regenerate bot lists:
151 | 
152 | ```bash
153 | python badbots.py
154 | ```
155 | 
156 | The script supports fallback lists if primary sources are unavailable.
157 | 
158 | ## Monitoring
159 | 
160 | ### Log Blocked Bots
161 | 
162 | Enable logging to track blocked requests:
163 | 
164 | ```nginx
165 | if ($bad_bot) {
166 |     access_log /var/log/nginx/blocked_bots.log;
167 |     return 403;
168 | }
169 | ```
170 | 
171 | ### Analyze Bot Traffic
172 | 
173 | ```bash
174 | # Count blocked bot requests
175 | grep "403" /var/log/nginx/access.log | \
176 |   awk '{print $12}' | sort | uniq -c | sort -rn | head -20
177 | ```
178 | 
179 | ## Best Practices
180 | 
181 | 1. **Regular Updates**: The bot lists are updated daily. Pull the latest changes or download from releases.
182 | 
183 | 2. **Monitor False Positives**: Some legitimate services may use blocked User-Agents. Monitor your logs.
184 | 
185 | 3. **Combine with Rate Limiting**: Use bot blocking with rate limiting for comprehensive protection.
186 | 
187 | 4. **Test Before Deploying**: Verify that legitimate traffic (search engines, monitoring) is not blocked.
188 | 
189 | ::: warning
190 | Blocking search engine bots (Googlebot, Bingbot) can negatively impact SEO. The default lists do **not** block major search engines.
191 | :::
192 | 


--------------------------------------------------------------------------------
/import_apache_waf.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import subprocess
  3 | import logging
  4 | from pathlib import Path
  5 | import shutil
  6 | import filecmp  # Import for file comparison
  7 | 
  8 | # --- Configuration ---
  9 | LOG_LEVEL = logging.INFO  # DEBUG, INFO, WARNING, ERROR
 10 | WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/apache")).resolve()
 11 | APACHE_WAF_DIR = Path(os.getenv("APACHE_WAF_DIR", "/etc/modsecurity.d/")).resolve()
 12 | APACHE_CONF = Path(os.getenv("APACHE_CONF", "/etc/apache2/apache2.conf")).resolve()
 13 | INCLUDE_STATEMENT = "IncludeOptional /etc/modsecurity.d/*.conf"
 14 | BACKUP_DIR = Path(os.getenv("BACKUP_DIR", "/etc/modsecurity.d/backup")).resolve()
 15 | 
 16 | 
 17 | # --- Logging Setup ---
 18 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 19 | logger = logging.getLogger(__name__)
 20 | 
 21 | 
 22 | def copy_waf_files():
 23 |     """Copies WAF files, handling existing files and creating backups."""
 24 |     logger.info("Copying Apache WAF patterns...")
 25 | 
 26 |     # Ensure target directory exists
 27 |     APACHE_WAF_DIR.mkdir(parents=True, exist_ok=True)
 28 |     logger.info(f"Target directory: {APACHE_WAF_DIR}")
 29 | 
 30 |     # Ensure backup directory exists
 31 |     BACKUP_DIR.mkdir(parents=True, exist_ok=True)
 32 |     logger.info(f"Backup directory: {BACKUP_DIR}")
 33 | 
 34 |     for conf_file in WAF_DIR.glob("*.conf"):
 35 |         dst_path = APACHE_WAF_DIR / conf_file.name
 36 | 
 37 |         try:
 38 |             if dst_path.exists():
 39 |                 # Compare files.  If identical, skip.  If different, backup and replace.
 40 |                 if filecmp.cmp(conf_file, dst_path, shallow=False):
 41 |                     logger.info(f"Skipping {conf_file.name} (identical file exists).")
 42 |                     continue  # Identical file, skip
 43 | 
 44 |                 # Different file exists: create backup
 45 |                 backup_path = BACKUP_DIR / f"{dst_path.name}.{int(time.time())}"  # Timestamped backup
 46 |                 logger.warning(f"Existing file {dst_path.name} differs. Backing up to {backup_path}")
 47 |                 shutil.copy2(dst_path, backup_path)  # Backup existing file
 48 | 
 49 |             # Copy the new file (or overwrite if it was different)
 50 |             shutil.copy2(conf_file, dst_path)  # Copy with metadata
 51 |             logger.info(f"Copied {conf_file.name} to {dst_path}")
 52 | 
 53 |         except OSError as e:
 54 |             logger.error(f"Error copying {conf_file.name}: {e}")
 55 |             raise  # Re-raise for critical error handling
 56 | 
 57 | 
 58 | def update_apache_conf():
 59 |     """Ensures the include statement is present, avoiding duplicates."""
 60 |     logger.info("Checking Apache configuration for WAF include...")
 61 | 
 62 |     try:
 63 |         with open(APACHE_CONF, "r") as f:
 64 |             config_lines = f.readlines()
 65 | 
 66 |         # Check if the include statement *already* exists.
 67 |         include_present = any(INCLUDE_STATEMENT in line for line in config_lines)
 68 | 
 69 |         if not include_present:
 70 |             # Append the include statement to the *end* of the file.
 71 |             with open(APACHE_CONF, "a") as f:
 72 |                 f.write(f"\n{INCLUDE_STATEMENT}\n")  # Add a newline for safety
 73 |             logger.info(f"Added include statement to {APACHE_CONF}")
 74 |         else:
 75 |             logger.info("Include statement already present.")
 76 | 
 77 |     except FileNotFoundError:
 78 |         logger.error(f"Apache configuration file not found: {APACHE_CONF}")
 79 |         raise  # Critical error
 80 |     except OSError as e:
 81 |         logger.error(f"Error updating Apache configuration: {e}")
 82 |         raise
 83 | 
 84 | 
 85 | def reload_apache():
 86 |     """Tests the Apache configuration and reloads if valid."""
 87 |     logger.info("Reloading Apache...")
 88 | 
 89 |     try:
 90 |         # Test configuration
 91 |         subprocess.run(["apachectl", "configtest"], check=True, capture_output=True, text=True)
 92 |         logger.info("Apache configuration test successful.")
 93 | 
 94 |         # Reload Apache
 95 |         subprocess.run(["systemctl", "reload", "apache2"], check=True, capture_output=True, text=True)
 96 |         logger.info("Apache reloaded.")
 97 | 
 98 |     except subprocess.CalledProcessError as e:
 99 |         logger.error(f"Apache command failed: {e.cmd} - Return code: {e.returncode}")
100 |         logger.error(f"Stdout: {e.stdout}")
101 |         logger.error(f"Stderr: {e.stderr}")
102 |         raise  # Re-raise to signal failure
103 |     except FileNotFoundError:
104 |         logger.error("apachectl or systemctl command not found.  Is Apache/systemd installed?")
105 |         raise
106 | 
107 | 
108 | def main():
109 |     """Main function."""
110 |     try:
111 |         copy_waf_files()
112 |         update_apache_conf()
113 |         reload_apache()
114 |         logger.info("Apache WAF configuration updated successfully.")
115 |     except Exception as e:
116 |         logger.critical(f"Script failed: {e}")
117 |         exit(1)
118 | 
119 | 
120 | if __name__ == "__main__":
121 |     main()
122 | 


--------------------------------------------------------------------------------
/docs/haproxy.md:
--------------------------------------------------------------------------------
  1 | # HAProxy Integration
  2 | 
  3 | This guide explains how to integrate the WAF patterns with HAProxy using ACL rules.
  4 | 
  5 | ## Quick Start
  6 | 
  7 | 1. Download `haproxy_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
  8 | 2. Extract the files
  9 | 3. Include the ACL files in your HAProxy configuration
 10 | 
 11 | ## Configuration Files
 12 | 
 13 | The HAProxy WAF package includes:
 14 | 
 15 | | File | Purpose |
 16 | |------|---------|
 17 | | `waf.acl` | Main WAF ACL rules |
 18 | | `bots.acl` | Bad bot detection ACLs |
 19 | 
 20 | ## Integration
 21 | 
 22 | ### Step 1: Include ACL Files
 23 | 
 24 | In your `haproxy.cfg`, include the WAF ACL files:
 25 | 
 26 | ```haproxy
 27 | frontend http-in
 28 |     bind *:80
 29 |     
 30 |     # Include WAF ACL rules
 31 |     acl waf_block_sqli path_reg -i union.*select
 32 |     acl waf_block_sqli path_reg -i insert.*into
 33 |     acl waf_block_xss path_reg -i <script>
 34 |     
 35 |     # Or include from external file
 36 |     # acl waf_patterns path_reg -i -f /etc/haproxy/waf.acl
 37 |     
 38 |     # Block matching requests
 39 |     http-request deny if waf_block_sqli
 40 |     http-request deny if waf_block_xss
 41 |     
 42 |     default_backend servers
 43 | ```
 44 | 
 45 | ### Step 2: Include Bot Blockers
 46 | 
 47 | ```haproxy
 48 | frontend http-in
 49 |     bind *:80
 50 |     
 51 |     # Bad bot detection
 52 |     acl bad_bot hdr_reg(User-Agent) -i -f /etc/haproxy/bots.acl
 53 |     http-request deny if bad_bot
 54 |     
 55 |     default_backend servers
 56 | ```
 57 | 
 58 | ### Step 3: Reload HAProxy
 59 | 
 60 | ```bash
 61 | haproxy -c -f /etc/haproxy/haproxy.cfg && sudo systemctl reload haproxy
 62 | ```
 63 | 
 64 | ## ACL Rule Format
 65 | 
 66 | HAProxy ACLs use pattern matching on various request attributes:
 67 | 
 68 | ```haproxy
 69 | # Match path
 70 | acl sqli_path path_reg -i union.*select
 71 | 
 72 | # Match query string
 73 | acl sqli_query url_param(id) -m reg -i union.*select
 74 | 
 75 | # Match headers
 76 | acl bad_referer hdr_reg(Referer) -i malicious-site\.com
 77 | 
 78 | # Combined conditions
 79 | http-request deny if sqli_path OR sqli_query
 80 | ```
 81 | 
 82 | ## Complete Example
 83 | 
 84 | ```haproxy
 85 | global
 86 |     log /dev/log local0
 87 |     maxconn 4096
 88 | 
 89 | defaults
 90 |     mode http
 91 |     log global
 92 |     option httplog
 93 |     timeout connect 5s
 94 |     timeout client 50s
 95 |     timeout server 50s
 96 | 
 97 | frontend http-in
 98 |     bind *:80
 99 |     
100 |     # WAF Rules
101 |     acl waf_sqli path_reg -i (union.*select|insert.*into|delete.*from)
102 |     acl waf_xss path_reg -i (<script|javascript:|on\w+\s*=)
103 |     acl waf_lfi path_reg -i (\.\.\/|\.\.\\)
104 |     acl waf_rce path_reg -i (;|\||`|\$\()
105 |     
106 |     # Bot blocking
107 |     acl bad_bot hdr_reg(User-Agent) -i (AhrefsBot|SemrushBot|MJ12bot)
108 |     
109 |     # Deny malicious requests
110 |     http-request deny deny_status 403 if waf_sqli
111 |     http-request deny deny_status 403 if waf_xss
112 |     http-request deny deny_status 403 if waf_lfi
113 |     http-request deny deny_status 403 if waf_rce
114 |     http-request deny deny_status 403 if bad_bot
115 |     
116 |     default_backend servers
117 | 
118 | backend servers
119 |     balance roundrobin
120 |     server server1 127.0.0.1:8080 check
121 | ```
122 | 
123 | ## Customization
124 | 
125 | ### Custom Error Pages
126 | 
127 | Return a custom error page for blocked requests:
128 | 
129 | ```haproxy
130 | http-request deny deny_status 403 content-type text/html \
131 |     string "Access Denied" if waf_sqli
132 | ```
133 | 
134 | ### Logging Blocked Requests
135 | 
136 | Create a dedicated log for WAF blocks:
137 | 
138 | ```haproxy
139 | frontend http-in
140 |     # Log blocked requests
141 |     http-request set-var(txn.blocked) str(1) if waf_sqli
142 |     http-request capture var(txn.blocked) len 1
143 |     
144 |     # Custom log format
145 |     log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq blocked=%[var(txn.blocked)]"
146 | ```
147 | 
148 | ### Whitelist Paths
149 | 
150 | Skip WAF for specific paths:
151 | 
152 | ```haproxy
153 | acl is_api path_beg /api/webhook
154 | http-request deny if waf_sqli !is_api
155 | ```
156 | 
157 | ## Rate Limiting
158 | 
159 | Combine WAF with rate limiting:
160 | 
161 | ```haproxy
162 | # Stick table for rate limiting
163 | stick-table type ip size 100k expire 30s store http_req_rate(10s)
164 | http-request track-sc0 src
165 | acl too_many_requests sc_http_req_rate(0) gt 100
166 | 
167 | http-request deny if too_many_requests
168 | ```
169 | 
170 | ## Testing
171 | 
172 | ```bash
173 | # Test SQL injection detection
174 | curl -I "http://example.com/?id=1' UNION SELECT * FROM users--"
175 | 
176 | # Test bot blocking
177 | curl -A "AhrefsBot" -I "http://example.com/"
178 | 
179 | # Check HAProxy stats
180 | echo "show stat" | socat stdio /var/run/haproxy.sock
181 | ```
182 | 
183 | ## Troubleshooting
184 | 
185 | ### ACLs not matching
186 | Use `haproxy -c -f haproxy.cfg` to validate syntax. Enable debug logging to see ACL evaluation.
187 | 
188 | ### Performance impact
189 | ACL evaluation is fast, but complex regex patterns can add latency. Test with realistic traffic.
190 | 
191 | ### Configuration too large
192 | HAProxy has limits on configuration size. Consider splitting large ACL lists into multiple files.
193 | 


--------------------------------------------------------------------------------
/docs/api.md:
--------------------------------------------------------------------------------
  1 | # API Reference
  2 | 
  3 | This page documents the Python scripts that power the Patterns project.
  4 | 
  5 | ## Core Scripts
  6 | 
  7 | ### owasp2json.py
  8 | 
  9 | Fetches and parses OWASP Core Rule Set patterns from GitHub.
 10 | 
 11 | ```bash
 12 | python owasp2json.py
 13 | ```
 14 | 
 15 | **Output**: `owasp_rules.json`
 16 | 
 17 | **Configuration**:
 18 | - Uses environment variable `OWASP_REPO` to specify source repository
 19 | - Default: `coreruleset/coreruleset`
 20 | 
 21 | **Features**:
 22 | - Fetches latest CRS rules from GitHub
 23 | - Parses `.conf` files for regex patterns
 24 | - Extracts rule metadata (ID, severity, category)
 25 | - Outputs structured JSON for conversion scripts
 26 | 
 27 | ---
 28 | 
 29 | ### json2nginx.py
 30 | 
 31 | Converts OWASP JSON rules to Nginx WAF configuration.
 32 | 
 33 | ```bash
 34 | python json2nginx.py
 35 | ```
 36 | 
 37 | **Input**: `owasp_rules.json`  
 38 | **Output**: `waf_patterns/nginx/`
 39 | 
 40 | **Generated Files**:
 41 | | File | Purpose |
 42 | |------|---------|
 43 | | `waf_maps.conf` | Map directives (http block) |
 44 | | `waf_rules.conf` | If statements (server block) |
 45 | | `README.md` | Integration instructions |
 46 | 
 47 | **Environment Variables**:
 48 | - `INPUT_FILE` - Path to OWASP JSON (default: `owasp_rules.json`)
 49 | - `OUTPUT_DIR` - Output directory (default: `waf_patterns/nginx`)
 50 | 
 51 | ---
 52 | 
 53 | ### json2apache.py
 54 | 
 55 | Converts OWASP JSON rules to Apache ModSecurity format.
 56 | 
 57 | ```bash
 58 | python json2apache.py
 59 | ```
 60 | 
 61 | **Input**: `owasp_rules.json`  
 62 | **Output**: `waf_patterns/apache/`
 63 | 
 64 | **Generated Files**:
 65 | - Category-specific `.conf` files (sqli.conf, xss.conf, etc.)
 66 | - Each file contains ModSecurity `SecRule` directives
 67 | 
 68 | ---
 69 | 
 70 | ### json2traefik.py
 71 | 
 72 | Converts OWASP JSON rules to Traefik middleware configuration.
 73 | 
 74 | ```bash
 75 | python json2traefik.py
 76 | ```
 77 | 
 78 | **Input**: `owasp_rules.json`  
 79 | **Output**: `waf_patterns/traefik/`
 80 | 
 81 | **Generated Files**:
 82 | - `middleware.toml` - Traefik middleware configuration
 83 | - `README.md` - Integration instructions
 84 | 
 85 | ---
 86 | 
 87 | ### json2haproxy.py
 88 | 
 89 | Converts OWASP JSON rules to HAProxy ACL format.
 90 | 
 91 | ```bash
 92 | python json2haproxy.py
 93 | ```
 94 | 
 95 | **Input**: `owasp_rules.json`  
 96 | **Output**: `waf_patterns/haproxy/`
 97 | 
 98 | **Generated Files**:
 99 | - `waf.acl` - Main WAF ACL rules
100 | - `README.md` - Integration instructions
101 | 
102 | ---
103 | 
104 | ### badbots.py
105 | 
106 | Generates bad bot blocking configurations from public bot lists.
107 | 
108 | ```bash
109 | python badbots.py
110 | ```
111 | 
112 | **Output**: Bot configurations in each `waf_patterns/*/` directory
113 | 
114 | **Features**:
115 | - Fetches from multiple public bot lists
116 | - Includes fallback sources for reliability
117 | - Generates platform-specific configs
118 | 
119 | ---
120 | 
121 | ## Import Scripts
122 | 
123 | These scripts help import existing WAF configurations.
124 | 
125 | ### import_nginx_waf.py
126 | 
127 | Import Nginx WAF patterns from external sources.
128 | 
129 | ```bash
130 | python import_nginx_waf.py --source /path/to/external/rules
131 | ```
132 | 
133 | ### import_apache_waf.py
134 | 
135 | Import Apache ModSecurity rules.
136 | 
137 | ```bash
138 | python import_apache_waf.py --source /path/to/modsec/rules
139 | ```
140 | 
141 | ### import_traefik_waf.py
142 | 
143 | Import Traefik middleware configurations.
144 | 
145 | ```bash
146 | python import_traefik_waf.py --source /path/to/traefik/config
147 | ```
148 | 
149 | ### import_haproxy_waf.py
150 | 
151 | Import HAProxy ACL rules.
152 | 
153 | ```bash
154 | python import_haproxy_waf.py --source /path/to/haproxy/acl
155 | ```
156 | 
157 | ---
158 | 
159 | ## Data Structures
160 | 
161 | ### owasp_rules.json Format
162 | 
163 | ```json
164 | [
165 |   {
166 |     "id": "942100",
167 |     "pattern": "(?i:union.*select)",
168 |     "category": "sqli",
169 |     "severity": "critical",
170 |     "location": "request-uri",
171 |     "description": "SQL Injection Attack Detected"
172 |   }
173 | ]
174 | ```
175 | 
176 | **Fields**:
177 | | Field | Type | Description |
178 | |-------|------|-------------|
179 | | `id` | string | OWASP CRS rule ID |
180 | | `pattern` | string | Regex pattern |
181 | | `category` | string | Attack category (sqli, xss, rce, etc.) |
182 | | `severity` | string | critical, high, medium, low |
183 | | `location` | string | Where to match (request-uri, headers, etc.) |
184 | | `description` | string | Human-readable description |
185 | 
186 | ---
187 | 
188 | ## Extending the Project
189 | 
190 | ### Adding a New Platform
191 | 
192 | 1. Create `json2<platform>.py` based on existing converters
193 | 2. Add output directory in `waf_patterns/<platform>/`
194 | 3. Update GitHub Actions workflow
195 | 4. Add documentation in `docs/`
196 | 
197 | ### Custom Pattern Sources
198 | 
199 | Modify `owasp2json.py` to add new pattern sources:
200 | 
201 | ```python
202 | SOURCES = [
203 |     "coreruleset/coreruleset",
204 |     "your-org/your-rules",
205 | ]
206 | ```
207 | 
208 | ---
209 | 
210 | ## Dependencies
211 | 
212 | Listed in `requirements.txt`:
213 | 
214 | ```
215 | requests>=2.28.0
216 | beautifulsoup4>=4.11.0
217 | ```
218 | 
219 | Install with:
220 | 
221 | ```bash
222 | pip install -r requirements.txt
223 | ```
224 | 


--------------------------------------------------------------------------------
/waf_patterns/haproxy/README.md:
--------------------------------------------------------------------------------
  1 | # HAProxy WAF Configuration
  2 | 
  3 | This directory contains HAProxy WAF configuration files generated from OWASP CRS rules.
  4 | You can include these ACL (Access Control List) files in your HAProxy configuration to enhance security.
  5 | 
  6 | ## Prerequisites
  7 | 
  8 | - HAProxy 2.0 or higher
  9 | - Basic understanding of HAProxy ACLs and rules
 10 | 
 11 | ## Configuration Files
 12 | 
 13 | The generated files include:
 14 | - ACL files with pattern matching rules
 15 | - Request filtering configurations
 16 | - Bad bot/User-Agent blocking lists
 17 | 
 18 | ## Usage
 19 | 
 20 | 1. Copy the generated ACL files to your HAProxy configuration directory:
 21 |    ```bash
 22 |    sudo cp waf_patterns/haproxy/*.acl /etc/haproxy/
 23 |    ```
 24 | 
 25 | 2. Include the ACL files in your HAProxy configuration.
 26 |    
 27 |    Edit `/etc/haproxy/haproxy.cfg`:
 28 |    ```haproxy
 29 |    frontend http-in
 30 |        bind *:80
 31 |        
 32 |        # Load WAF ACL files
 33 |        acl is_sql_injection path_reg -i -f /etc/haproxy/sqli_patterns.acl
 34 |        acl is_xss_attack path_reg -i -f /etc/haproxy/xss_patterns.acl
 35 |        acl is_bad_bot hdr_reg(User-Agent) -i -f /etc/haproxy/bad_bots.acl
 36 |        
 37 |        # Block malicious requests
 38 |        http-request deny if is_sql_injection
 39 |        http-request deny if is_xss_attack
 40 |        http-request deny if is_bad_bot
 41 |        
 42 |        # Default backend
 43 |        default_backend web_servers
 44 |    
 45 |    backend web_servers
 46 |        balance roundrobin
 47 |        server web1 10.0.0.1:80 check
 48 |        server web2 10.0.0.2:80 check
 49 |    ```
 50 | 
 51 | 3. Test the configuration:
 52 |    ```bash
 53 |    sudo haproxy -c -f /etc/haproxy/haproxy.cfg
 54 |    ```
 55 | 
 56 | 4. Reload HAProxy to apply the changes:
 57 |    ```bash
 58 |    sudo systemctl reload haproxy
 59 |    # or
 60 |    sudo service haproxy reload
 61 |    ```
 62 | 
 63 | ## Advanced Configuration
 64 | 
 65 | ### Logging Blocked Requests
 66 | 
 67 | Add logging for better visibility:
 68 | 
 69 | ```haproxy
 70 | frontend http-in
 71 |     bind *:80
 72 |     
 73 |     # ... ACL definitions ...
 74 |     
 75 |     # Log blocked requests
 76 |     http-request capture req.hdr(User-Agent) len 200
 77 |     http-request deny deny_status 403 if is_sql_injection
 78 |     log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
 79 | ```
 80 | 
 81 | ### Custom Error Pages
 82 | 
 83 | Return custom error pages for blocked requests:
 84 | 
 85 | ```haproxy
 86 | frontend http-in
 87 |     bind *:80
 88 |     
 89 |     # ... ACL definitions ...
 90 |     
 91 |     # Return custom error page
 92 |     http-request deny deny_status 403 if is_sql_injection
 93 |     errorfile 403 /etc/haproxy/errors/403.http
 94 | ```
 95 | 
 96 | ### Rate Limiting
 97 | 
 98 | Combine with rate limiting for additional protection:
 99 | 
100 | ```haproxy
101 | frontend http-in
102 |     bind *:80
103 |     
104 |     # Track request rate
105 |     stick-table type ip size 100k expire 30s store http_req_rate(10s)
106 |     http-request track-sc0 src
107 |     
108 |     # Deny if rate limit exceeded
109 |     http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
110 |     
111 |     # ... WAF ACLs ...
112 | ```
113 | 
114 | ## Testing
115 | 
116 | ### Test SQL Injection Protection
117 | ```bash
118 | curl "http://yourserver.com/?id=1' OR '1'='1"
119 | # Should return 403 Forbidden
120 | ```
121 | 
122 | ### Test XSS Protection
123 | ```bash
124 | curl "http://yourserver.com/?q=<script>alert('xss')</script>"
125 | # Should return 403 Forbidden
126 | ```
127 | 
128 | ### Test Bad Bot Blocking
129 | ```bash
130 | curl -H "User-Agent: AhrefsBot" http://yourserver.com
131 | # Should return 403 Forbidden
132 | ```
133 | 
134 | ## Monitoring
135 | 
136 | ### Check HAProxy Stats
137 | ```bash
138 | # Enable stats in haproxy.cfg
139 | listen stats
140 |     bind *:8404
141 |     stats enable
142 |     stats uri /stats
143 |     stats refresh 10s
144 | ```
145 | 
146 | Visit `http://yourserver:8404/stats` to view statistics.
147 | 
148 | ### View Logs
149 | ```bash
150 | sudo tail -f /var/log/haproxy.log
151 | ```
152 | 
153 | ## Performance Considerations
154 | 
155 | - ACL pattern matching is highly efficient in HAProxy
156 | - Use regular expressions sparingly for better performance
157 | - Consider using stick tables for rate limiting
158 | - Monitor CPU and memory usage under load
159 | - Test thoroughly before deploying to production
160 | 
161 | ## Configuration Details
162 | 
163 | The ACL files protect against:
164 | - **SQL Injection (SQLi)** - Common SQL injection patterns
165 | - **Cross-Site Scripting (XSS)** - JavaScript injection attempts
166 | - **Remote Code Execution (RCE)** - Command injection patterns
167 | - **Local File Inclusion (LFI)** - Path traversal attempts
168 | - **Bad Bots** - Known malicious crawlers and scrapers
169 | 
170 | ## Notes
171 | 
172 | - Rules are updated daily via GitHub Actions
173 | - Blocked requests return `403 Forbidden` by default
174 | - ACLs are case-insensitive (`-i` flag)
175 | - Regular expressions are used for pattern matching (`-f` for file-based ACLs)
176 | - Compatible with HAProxy 2.0 and higher
177 | 
178 | ## Resources
179 | 
180 | - [HAProxy Documentation](https://www.haproxy.org/#docs)
181 | - [HAProxy ACL Guide](https://www.haproxy.com/documentation/hapee/latest/onepage/#7)
182 | - [OWASP CRS](https://coreruleset.org/)
183 | - [HAProxy Configuration Manual](http://cbonte.github.io/haproxy-dconv/)
184 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
  1 | # Contributor Covenant Code of Conduct
  2 | 
  3 | ## Our Pledge
  4 | 
  5 | We as members, contributors, and leaders pledge to make participation in our
  6 | community a harassment-free experience for everyone, regardless of age, body
  7 | size, visible or invisible disability, ethnicity, sex characteristics, gender
  8 | identity and expression, level of experience, education, socio-economic status,
  9 | nationality, personal appearance, race, religion, or sexual identity
 10 | and orientation.
 11 | 
 12 | We pledge to act and interact in ways that contribute to an open, welcoming,
 13 | diverse, inclusive, and healthy community.
 14 | 
 15 | ## Our Standards
 16 | 
 17 | Examples of behavior that contributes to a positive environment for our
 18 | community include:
 19 | 
 20 | * Demonstrating empathy and kindness toward other people
 21 | * Being respectful of differing opinions, viewpoints, and experiences
 22 | * Giving and gracefully accepting constructive feedback
 23 | * Accepting responsibility and apologizing to those affected by our mistakes,
 24 |   and learning from the experience
 25 | * Focusing on what is best not just for us as individuals, but for the
 26 |   overall community
 27 | 
 28 | Examples of unacceptable behavior include:
 29 | 
 30 | * The use of sexualized language or imagery, and sexual attention or
 31 |   advances of any kind
 32 | * Trolling, insulting or derogatory comments, and personal or political attacks
 33 | * Public or private harassment
 34 | * Publishing others' private information, such as a physical or email
 35 |   address, without their explicit permission
 36 | * Other conduct which could reasonably be considered inappropriate in a
 37 |   professional setting
 38 | 
 39 | ## Enforcement Responsibilities
 40 | 
 41 | Community leaders are responsible for clarifying and enforcing our standards of
 42 | acceptable behavior and will take appropriate and fair corrective action in
 43 | response to any behavior that they deem inappropriate, threatening, offensive,
 44 | or harmful.
 45 | 
 46 | Community leaders have the right and responsibility to remove, edit, or reject
 47 | comments, commits, code, wiki edits, issues, and other contributions that are
 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation
 49 | decisions when appropriate.
 50 | 
 51 | ## Scope
 52 | 
 53 | This Code of Conduct applies within all community spaces, and also applies when
 54 | an individual is officially representing the community in public spaces.
 55 | Examples of representing our community include using an official e-mail address,
 56 | posting via an official social media account, or acting as an appointed
 57 | representative at an online or offline event.
 58 | 
 59 | ## Enforcement
 60 | 
 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
 62 | reported to the community leaders responsible for enforcement at
 63 | fabrizio.salmi@gmail.com.
 64 | All complaints will be reviewed and investigated promptly and fairly.
 65 | 
 66 | All community leaders are obligated to respect the privacy and security of the
 67 | reporter of any incident.
 68 | 
 69 | ## Enforcement Guidelines
 70 | 
 71 | Community leaders will follow these Community Impact Guidelines in determining
 72 | the consequences for any action they deem in violation of this Code of Conduct:
 73 | 
 74 | ### 1. Correction
 75 | 
 76 | **Community Impact**: Use of inappropriate language or other behavior deemed
 77 | unprofessional or unwelcome in the community.
 78 | 
 79 | **Consequence**: A private, written warning from community leaders, providing
 80 | clarity around the nature of the violation and an explanation of why the
 81 | behavior was inappropriate. A public apology may be requested.
 82 | 
 83 | ### 2. Warning
 84 | 
 85 | **Community Impact**: A violation through a single incident or series
 86 | of actions.
 87 | 
 88 | **Consequence**: A warning with consequences for continued behavior. No
 89 | interaction with the people involved, including unsolicited interaction with
 90 | those enforcing the Code of Conduct, for a specified period of time. This
 91 | includes avoiding interactions in community spaces as well as external channels
 92 | like social media. Violating these terms may lead to a temporary or
 93 | permanent ban.
 94 | 
 95 | ### 3. Temporary Ban
 96 | 
 97 | **Community Impact**: A serious violation of community standards, including
 98 | sustained inappropriate behavior.
 99 | 
100 | **Consequence**: A temporary ban from any sort of interaction or public
101 | communication with the community for a specified period of time. No public or
102 | private interaction with the people involved, including unsolicited interaction
103 | with those enforcing the Code of Conduct, is allowed during this period.
104 | Violating these terms may lead to a permanent ban.
105 | 
106 | ### 4. Permanent Ban
107 | 
108 | **Community Impact**: Demonstrating a pattern of violation of community
109 | standards, including sustained inappropriate behavior,  harassment of an
110 | individual, or aggression toward or disparagement of classes of individuals.
111 | 
112 | **Consequence**: A permanent ban from any sort of public interaction within
113 | the community.
114 | 
115 | ## Attribution
116 | 
117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage],
118 | version 2.0, available at
119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
120 | 
121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct
122 | enforcement ladder](https://github.com/mozilla/diversity).
123 | 
124 | [homepage]: https://www.contributor-covenant.org
125 | 
126 | For answers to common questions about this code of conduct, see the FAQ at
127 | https://www.contributor-covenant.org/faq. Translations are available at
128 | https://www.contributor-covenant.org/translations.
129 | 


--------------------------------------------------------------------------------
/.github/workflows/update_patterns.yml:
--------------------------------------------------------------------------------
  1 | name: Update Patterns
  2 | 
  3 | permissions:
  4 |   contents: write  # Commit changes, push updates
  5 |   statuses: write  # Update commit statuses
  6 |   actions: read    # Required for checking out the repository
  7 |   packages: write  # For GitHub Packages (if used)
  8 | 
  9 | on:
 10 |   schedule:
 11 |     - cron: '0 0 * * *'  # Daily at midnight UTC
 12 |   workflow_dispatch:  # Manual trigger
 13 | 
 14 | jobs:
 15 |   update-owasp-waf:
 16 |     runs-on: ubuntu-latest
 17 | 
 18 |     steps:
 19 |     - name: 🚚 Checkout Repository
 20 |       uses: actions/checkout@v3
 21 |       with:
 22 |         fetch-depth: 0 # get full git history
 23 | 
 24 |     - name: ⚙️ Set Up Python 3.11
 25 |       uses: actions/setup-python@v4
 26 |       with:
 27 |         python-version: '3.11'
 28 | 
 29 |     - name: 📦 Cache pip dependencies
 30 |       uses: actions/cache@v3
 31 |       with:
 32 |         path: ~/.cache/pip
 33 |         key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
 34 |         restore-keys: |
 35 |           ${{ runner.os }}-pip-
 36 | 
 37 |     - name: 📥 Install Dependencies
 38 |       run: |
 39 |         python -m pip install --upgrade pip
 40 |         pip install -r requirements.txt
 41 | 
 42 |     - name: 🕷️ Run OWASP Scraper
 43 |       run: python owasp2json.py
 44 | 
 45 |     - name: 🔄 Convert OWASP to Nginx WAF
 46 |       run: python json2nginx.py
 47 | 
 48 |     - name: 🔄 Convert OWASP to Apache WAF
 49 |       run: python json2apache.py
 50 | 
 51 |     - name: 🔄 Convert OWASP to Traefik WAF
 52 |       run: python json2traefik.py
 53 | 
 54 |     - name: 🔄 Convert OWASP to HAProxy WAF
 55 |       run: python json2haproxy.py
 56 | 
 57 |     - name: 🔄 Generate Bad Bot Blockers
 58 |       run: python badbots.py
 59 | 
 60 |     - name: 🚀 Commit and Push Changes (if any)
 61 |       run: |
 62 |         git config user.name "github-actions[bot]"
 63 |         git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 64 |         git add .
 65 |         # Check if there are any changes *before* committing.
 66 |         if ! git diff --quiet --exit-code; then
 67 |           git commit -m "Update WAF rules [$(date +'%Y-%m-%d')]"
 68 |           git push
 69 |         else
 70 |           echo "No changes to commit."
 71 |         fi
 72 |       continue-on-error: true  # Continue even if no changes
 73 | 
 74 |     - name: 📦 Create Zip Archives
 75 |       run: |
 76 |         mkdir -p dist
 77 |         (cd waf_patterns/nginx && zip -r ../../dist/nginx_waf.zip .)
 78 |         (cd waf_patterns/apache && zip -r ../../dist/apache_waf.zip .)
 79 |         (cd waf_patterns/traefik && zip -r ../../dist/traefik_waf.zip .)
 80 |         (cd waf_patterns/haproxy && zip -r ../../dist/haproxy_waf.zip .)
 81 | 
 82 |     - name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist)
 83 |       run: |
 84 |         # Delete local tag
 85 |         git tag -d latest || true
 86 |         # Delete remote tag (force)
 87 |         git push --delete origin latest || true
 88 |         # Delete release, --yes for confirmation
 89 |         gh release delete latest --yes || true
 90 |       env:
 91 |         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 92 | 
 93 | 
 94 |     - name: 🚀 Create GitHub Release (if previous steps succeeded)
 95 |       id: create_release
 96 |       if: success()  # Only create release if previous steps were successful
 97 |       uses: actions/create-release@v1
 98 |       env:
 99 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
100 |       with:
101 |         tag_name: latest
102 |         release_name: Latest Release
103 |         draft: false
104 |         prerelease: false
105 | 
106 |     - name: 📤 Upload Nginx WAF Zip
107 |       if: success()
108 |       uses: actions/upload-release-asset@v1
109 |       env:
110 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
111 |       with:
112 |         upload_url: ${{ steps.create_release.outputs.upload_url }}
113 |         asset_path: dist/nginx_waf.zip
114 |         asset_name: nginx_waf.zip
115 |         asset_content_type: application/zip
116 | 
117 |     - name: 📤 Upload Apache WAF Zip
118 |       if: success()
119 |       uses: actions/upload-release-asset@v1
120 |       env:
121 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
122 |       with:
123 |         upload_url: ${{ steps.create_release.outputs.upload_url }}
124 |         asset_path: dist/apache_waf.zip
125 |         asset_name: apache_waf.zip
126 |         asset_content_type: application/zip
127 | 
128 |     - name: 📤 Upload Traefik WAF Zip
129 |       if: success()
130 |       uses: actions/upload-release-asset@v1
131 |       env:
132 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
133 |       with:
134 |         upload_url: ${{ steps.create_release.outputs.upload_url }}
135 |         asset_path: dist/traefik_waf.zip
136 |         asset_name: traefik_waf.zip
137 |         asset_content_type: application/zip
138 | 
139 |     - name: 📤 Upload HAProxy WAF Zip
140 |       if: success()
141 |       uses: actions/upload-release-asset@v1
142 |       env:
143 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
144 |       with:
145 |         upload_url: ${{ steps.create_release.outputs.upload_url }}
146 |         asset_path: dist/haproxy_waf.zip
147 |         asset_name: haproxy_waf.zip
148 |         asset_content_type: application/zip
149 | 
150 |     - name: 🧹 Clean Up (Optional)
151 |       if: always()  # Run cleanup even on failure
152 |       run: rm -rf ~/.cache/pip
153 | 
154 |     - name: 🚨 Notify on Failure (Optional)
155 |       if: failure()
156 |       run: |
157 |         echo "🚨 Workflow failed! Please investigate."
158 |         # Example: Send a Slack notification (requires a Slack webhook URL)
159 |         # curl -X POST -H 'Content-type: application/json' --data '{"text":"WAF update workflow failed!"}' ${{ secrets.SLACK_WEBHOOK }}
160 | 


--------------------------------------------------------------------------------
/import_nginx_waf.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import subprocess
  3 | import logging
  4 | from pathlib import Path
  5 | import shutil
  6 | import filecmp
  7 | import time
  8 | 
  9 | # --- Configuration ---
 10 | LOG_LEVEL = logging.INFO  # DEBUG, INFO, WARNING, ERROR
 11 | WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/nginx")).resolve()
 12 | NGINX_WAF_DIR = Path(os.getenv("NGINX_WAF_DIR", "/etc/nginx/waf/")).resolve()
 13 | NGINX_CONF = Path(os.getenv("NGINX_CONF", "/etc/nginx/nginx.conf")).resolve()
 14 | BACKUP_DIR = Path(os.getenv("BACKUP_DIR", "/etc/nginx/waf_backup/")).resolve()
 15 | INCLUDE_STATEMENT = "include /etc/nginx/waf/*.conf;"
 16 | 
 17 | # --- Logging Setup ---
 18 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 19 | logger = logging.getLogger(__name__)
 20 | 
 21 | 
 22 | 
 23 | def copy_waf_files():
 24 |     """Copies WAF files, handling existing files, and creating backups."""
 25 |     logger.info("Copying Nginx WAF patterns...")
 26 | 
 27 |     NGINX_WAF_DIR.mkdir(parents=True, exist_ok=True)
 28 |     BACKUP_DIR.mkdir(parents=True, exist_ok=True)
 29 | 
 30 |     for conf_file in WAF_DIR.glob("*.conf"):
 31 |         dst_path = NGINX_WAF_DIR / conf_file.name
 32 | 
 33 |         try:
 34 |             if dst_path.exists():
 35 |                 # Compare and backup if different
 36 |                 if filecmp.cmp(conf_file, dst_path, shallow=False):
 37 |                     logger.info(f"Skipping {conf_file.name} (identical file exists).")
 38 |                     continue
 39 |                 # Backup different file
 40 |                 backup_path = BACKUP_DIR / f"{dst_path.name}.{int(time.time())}"
 41 |                 logger.warning(f"Existing {dst_path.name} differs. Backing up to {backup_path}")
 42 |                 shutil.copy2(dst_path, backup_path)
 43 | 
 44 |             # Copy the (new/updated) file
 45 |             shutil.copy2(conf_file, dst_path)
 46 |             logger.info(f"Copied {conf_file.name} to {dst_path}")
 47 | 
 48 |         except OSError as e:
 49 |             logger.error(f"Error copying {conf_file.name}: {e}")
 50 |             raise
 51 | 
 52 | 
 53 | def update_nginx_conf():
 54 |     """Ensures the include directive is present in nginx.conf (http context)."""
 55 |     logger.info("Checking Nginx configuration for WAF include...")
 56 | 
 57 |     try:
 58 |         with open(NGINX_CONF, "r") as f:
 59 |             config_lines = f.readlines()
 60 | 
 61 |         # Check if the include statement is already present.
 62 |         include_present = any(INCLUDE_STATEMENT in line for line in config_lines)
 63 | 
 64 |         if not include_present:
 65 |             # Find the 'http' block.  This is where the include belongs.
 66 |             http_start = -1
 67 |             for i, line in enumerate(config_lines):
 68 |                 if line.strip().startswith("http {"):
 69 |                     http_start = i
 70 |                     break
 71 | 
 72 |             if http_start == -1:
 73 |                 # No http block found.  Add the include *and* the http block.
 74 |                 logger.warning("No 'http' block found. Adding to end of file.")
 75 |                 with open(NGINX_CONF, "a") as f:
 76 |                     f.write(f"\nhttp {{\n    {INCLUDE_STATEMENT}\n}}\n")
 77 |                 logger.info(f"Added 'http' block and WAF include to {NGINX_CONF}")
 78 |                 return
 79 | 
 80 |             # Find the end of the 'http' block
 81 |             http_end = -1
 82 |             for i in range(http_start + 1, len(config_lines)):
 83 |                 if line.strip() == "}":
 84 |                      http_end = i
 85 |                      break
 86 | 
 87 |             if http_end == -1:
 88 |                 # Malformed config?  Shouldn't happen, but handle it.
 89 |                 http_end = len(config_lines)
 90 |                 logger.warning("Malformed Nginx config (no closing brace for 'http' block).")
 91 | 
 92 |             # Insert the include statement *within* the http block.
 93 |             config_lines.insert(http_end, f"    {INCLUDE_STATEMENT}\n")
 94 | 
 95 |             # Write the modified configuration back.
 96 |             with open(NGINX_CONF, "w") as f:
 97 |                 f.writelines(config_lines)
 98 |             logger.info(f"Added WAF include to 'http' block in {NGINX_CONF}")
 99 | 
100 |         else:
101 |             logger.info("WAF include statement already present.")
102 | 
103 |     except FileNotFoundError:
104 |         logger.error(f"Nginx configuration file not found: {NGINX_CONF}")
105 |         raise
106 |     except OSError as e:
107 |         logger.error(f"Error updating Nginx configuration: {e}")
108 |         raise
109 | 
110 | 
111 | def reload_nginx():
112 |     """Tests the Nginx configuration and reloads if valid."""
113 |     logger.info("Reloading Nginx...")
114 | 
115 |     try:
116 |         # Test configuration
117 |         result = subprocess.run(["nginx", "-t"],
118 |                                 capture_output=True, text=True, check=True)
119 |         logger.info(f"Nginx configuration test successful:\n{result.stdout}")
120 | 
121 |         # Reload Nginx
122 |         result = subprocess.run(["systemctl", "reload", "nginx"],
123 |                                 capture_output=True, text=True, check=True)
124 |         logger.info("Nginx reloaded.")
125 | 
126 |     except subprocess.CalledProcessError as e:
127 |         logger.error(f"Nginx command failed: {e.cmd} - Return code: {e.returncode}")
128 |         logger.error(f"Stdout: {e.stdout}")
129 |         logger.error(f"Stderr: {e.stderr}")
130 |         raise  # Re-raise to signal failure
131 |     except FileNotFoundError:
132 |         logger.error("'nginx' or 'systemctl' command not found. Is Nginx/systemd installed?")
133 |         raise
134 |     except Exception as e: # added extra exception
135 |         logger.error(f"[!] Error reloading Nginx: {e}")
136 |         raise
137 | 
138 | 
139 | def main():
140 |     """Main function."""
141 |     try:
142 |         copy_waf_files()
143 |         update_nginx_conf()
144 |         reload_nginx()
145 |         logger.info("Nginx WAF configuration updated successfully.")
146 |     except Exception as e:
147 |         logger.critical(f"Script failed: {e}")
148 |         exit(1)
149 | 
150 | if __name__ == "__main__":
151 |     main()
152 | 


--------------------------------------------------------------------------------
/json2traefik.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import json
  3 | import re
  4 | import logging
  5 | from pathlib import Path
  6 | from typing import List, Dict, Set, Tuple, Optional
  7 | from functools import lru_cache
  8 | 
  9 | # --- Configuration ---
 10 | LOG_LEVEL = logging.INFO  # DEBUG, INFO, WARNING, ERROR
 11 | INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
 12 | OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/traefik"))
 13 | MIDDLEWARE_FILE = OUTPUT_DIR / "middleware.toml"
 14 | 
 15 | # Unsupported patterns (for Traefik's badbot plugin, which uses regex)
 16 | UNSUPPORTED_PATTERNS = [
 17 |     "@pmFromFile",  # No file lookups
 18 |     # Add other unsupported operators/patterns here.
 19 | ]
 20 | 
 21 | # --- Logging Setup ---
 22 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 23 | logger = logging.getLogger(__name__)
 24 | 
 25 | @lru_cache(maxsize=256)
 26 | def validate_regex(pattern: str) -> bool:
 27 |     """Validates a regex pattern."""
 28 |     try:
 29 |         re.compile(pattern)
 30 |         return True
 31 |     except re.error as e:
 32 |         logger.warning(f"Invalid regex: {pattern} - {e}")
 33 |         return False
 34 | 
 35 | def _sanitize_pattern(pattern: str) -> str:
 36 |     """Internal helper for pattern sanitization."""
 37 |     pattern = pattern.replace("@rx ", "").strip()
 38 |     pattern = re.sub(r"\(\?i\)", "", pattern)  # Remove case-insensitive flag
 39 | 
 40 |     # Convert $ to \$
 41 |     pattern = pattern.replace("$", r"\$")
 42 | 
 43 |     # Convert { or { to {
 44 |     pattern = re.sub(r"&l(?:brace|cub);?", r"{", pattern)
 45 |     pattern = re.sub(r"&r(?:brace|cub);?", r"}", pattern)
 46 | 
 47 |     # Remove unnecessary \.*
 48 |     pattern = re.sub(r"\\\.\*", r"\.*", pattern)
 49 |     pattern = re.sub(r"(?<!\\)\.(?![\w])", r"\.", pattern)  # Escape dots
 50 | 
 51 |     # Replace non-capturing groups (?:...) with capturing groups (...)
 52 |     pattern = re.sub(r"\(\?:", "(", pattern)
 53 | 
 54 |     return pattern
 55 | 
 56 | 
 57 | def sanitize_pattern(pattern: str) -> Optional[str]:
 58 |     """Sanitizes a pattern for use with Traefik's badbot plugin."""
 59 |     for unsupported in UNSUPPORTED_PATTERNS:
 60 |         if unsupported in pattern:
 61 |             logger.warning(f"Skipping unsupported pattern: {pattern}")
 62 |             return None
 63 | 
 64 |     # if it is not a string comparison we use regex
 65 |     if not any(op in pattern for op in ["@streq", "@contains", "!@eq", "!@within", "@lt", "@ge", "@gt", "@eq", "@ipMatch", "@endsWith"]):
 66 |       return _sanitize_pattern(pattern) # return the regex
 67 |     else: # if it is not a regex
 68 |        return None
 69 | 
 70 | 
 71 | def generate_traefik_conf(rules: List[Dict]) -> None:
 72 |     """Generates the Traefik middleware configuration (middleware.toml)."""
 73 |     OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
 74 | 
 75 |     try:
 76 |         with open(MIDDLEWARE_FILE, "w", encoding="utf-8") as f:
 77 |             f.write("[http.middlewares]\n\n")
 78 | 
 79 |             # Group rules by category AND location.  This is important!
 80 |             categorized_rules: Dict[str, Dict[str, Set[str]]] = {}
 81 | 
 82 |             for rule in rules:
 83 |                 rule_id = rule.get("id", "no_id")
 84 |                 category = rule.get("category", "generic").lower()
 85 |                 location = rule.get("location", "user-agent").lower() # default value!
 86 |                 pattern = rule["pattern"]
 87 |                 severity = rule.get("severity", "medium").lower() # default
 88 | 
 89 |                 # Sanitize, but *only* if the location is User-Agent.
 90 |                 # We *don't* want to apply regexes to other locations here.
 91 |                 if location == "user-agent":
 92 |                     sanitized_pattern = sanitize_pattern(pattern)
 93 |                     if not sanitized_pattern or not validate_regex(sanitized_pattern):
 94 |                         continue # skip
 95 |                 else:
 96 |                     logger.warning(f"Skipping rule with unsupported location '{location}' for Traefik: {rule_id}")
 97 |                     continue
 98 | 
 99 |                 # Initialize category/location if needed
100 |                 if category not in categorized_rules:
101 |                     categorized_rules[category] = {}
102 |                 if location not in categorized_rules[category]:
103 |                     categorized_rules[category][location] = set()  # Use a set
104 | 
105 |                 # Add the *escaped* pattern to the set.
106 |                 categorized_rules[category][location].add(sanitized_pattern)
107 | 
108 |             # Write the configuration
109 |             for category, location_rules in categorized_rules.items():
110 |               for location, patterns in location_rules.items():
111 |                 # Create a unique middleware name
112 |                 middleware_name = f"waf_{category}_{location}".replace("-", "_")
113 |                 f.write(f"[http.middlewares.{middleware_name}]\n")
114 |                 f.write(f"  [http.middlewares.{middleware_name}.plugin.badbot]\n")
115 |                 f.write("    userAgent = [\n")
116 |                 # Properly escape for TOML (and for regex within the string)
117 |                 for pattern in patterns:
118 |                     # No extra escape for TOML, because we write the full regex
119 |                     f.write(f'      "{pattern}",\n')
120 |                 f.write("    ]\n\n")
121 | 
122 |         logger.info(f"Generated Traefik middleware file: {MIDDLEWARE_FILE}")
123 | 
124 |     except OSError as e:
125 |         logger.error(f"Error writing to {MIDDLEWARE_FILE}: {e}")
126 |         raise
127 | 
128 | 
129 | def load_owasp_rules(file_path: Path) -> List[Dict]:
130 |     """Loads OWASP rules from a JSON file."""
131 |     try:
132 |         with open(file_path, "r", encoding="utf-8") as f:
133 |             return json.load(f)
134 |     except (FileNotFoundError, json.JSONDecodeError, OSError) as e:
135 |         logger.error(f"Error loading rules from {file_path}: {e}")
136 |         raise
137 | 
138 | def main():
139 |     """Main function."""
140 |     try:
141 |         logger.info("Loading OWASP rules...")
142 |         owasp_rules = load_owasp_rules(INPUT_FILE)
143 |         logger.info(f"Loaded {len(owasp_rules)} rules.")
144 | 
145 |         logger.info("Generating Traefik WAF configuration...")
146 |         generate_traefik_conf(owasp_rules)
147 |         logger.info("Traefik WAF generation complete.")
148 | 
149 |     except Exception as e:
150 |         logger.critical(f"Script failed: {e}")
151 |         exit(1)
152 | 
153 | if __name__ == "__main__":
154 |     main()
155 | 


--------------------------------------------------------------------------------
/import_haproxy_waf.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import subprocess
  3 | import logging
  4 | from pathlib import Path
  5 | import shutil
  6 | import filecmp
  7 | import time
  8 | 
  9 | # --- Configuration ---
 10 | LOG_LEVEL = logging.INFO  # DEBUG, INFO, WARNING, ERROR
 11 | WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/haproxy")).resolve()
 12 | HAPROXY_WAF_DIR = Path(os.getenv("HAPROXY_WAF_DIR", "/etc/haproxy/waf/")).resolve()
 13 | HAPROXY_CONF = Path(os.getenv("HAPROXY_CONF", "/etc/haproxy/haproxy.cfg")).resolve()
 14 | BACKUP_DIR = Path(os.getenv("BACKUP_DIR", "/etc/haproxy/waf_backup/")).resolve()
 15 | 
 16 | # HAProxy WAF configuration snippet
 17 | WAF_CONFIG_SNIPPET = """
 18 | # WAF and Bot Protection (Generated by import_haproxy_waf.py)
 19 | frontend http-in
 20 |     bind *:80
 21 |     mode http
 22 |     option httplog
 23 |     # WAF and Bot Protection ACLs and Rules
 24 |     # Include generated ACL files
 25 |     include /etc/haproxy/waf/*.acl
 26 | """
 27 | # --- Logging Setup ---
 28 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 29 | logger = logging.getLogger(__name__)
 30 | 
 31 | 
 32 | 
 33 | def copy_waf_files():
 34 |     """Copies WAF files, handling existing files, creating backups."""
 35 |     logger.info("Copying HAProxy WAF patterns...")
 36 | 
 37 |     HAPROXY_WAF_DIR.mkdir(parents=True, exist_ok=True)
 38 |     BACKUP_DIR.mkdir(parents=True, exist_ok=True)  # Ensure backup dir exists
 39 | 
 40 |     for acl_file in WAF_DIR.glob("*.acl"):  # Find all .acl files
 41 |         dst_path = HAPROXY_WAF_DIR / acl_file.name
 42 | 
 43 |         try:
 44 |             if dst_path.exists():
 45 |                 # Compare and backup if different
 46 |                 if filecmp.cmp(acl_file, dst_path, shallow=False):
 47 |                     logger.info(f"Skipping {acl_file.name} (identical file exists).")
 48 |                     continue
 49 |                 # Different file exists: backup
 50 |                 backup_path = BACKUP_DIR / f"{dst_path.name}.{int(time.time())}"
 51 |                 logger.warning(f"Existing {dst_path.name} differs. Backing up to {backup_path}")
 52 |                 shutil.copy2(dst_path, backup_path)  # Backup old file
 53 | 
 54 |             # Copy the (new or updated) file
 55 |             shutil.copy2(acl_file, dst_path)
 56 |             logger.info(f"Copied {acl_file.name} to {dst_path}")
 57 | 
 58 |         except OSError as e:
 59 |             logger.error(f"Error copying {acl_file.name}: {e}")
 60 |             raise
 61 | 
 62 | 
 63 | def update_haproxy_conf():
 64 |     """Ensures the include statement is in haproxy.cfg, avoiding duplicates."""
 65 |     logger.info("Checking HAProxy configuration for WAF include...")
 66 | 
 67 |     try:
 68 |         with open(HAPROXY_CONF, "r") as f:
 69 |             config_lines = f.readlines()
 70 | 
 71 |         # Check if the *exact* snippet is already present.  We'll check for the
 72 |         # key parts of the snippet to be more robust.
 73 |         snippet_present = False
 74 |         for line in config_lines:
 75 |             if "include /etc/haproxy/waf/*.acl" in line:
 76 |                 snippet_present = True
 77 |                 break
 78 | 
 79 |         if not snippet_present:
 80 |              # Find the 'frontend http-in' section
 81 |             frontend_start = -1
 82 |             for i, line in enumerate(config_lines):
 83 |                 if line.strip().startswith("frontend http-in"):
 84 |                     frontend_start = i
 85 |                     break
 86 | 
 87 |             if frontend_start == -1:
 88 |                 logger.warning("No 'frontend http-in' section found. Appending to end of file.")
 89 |                 with open(HAPROXY_CONF, "a") as f:
 90 |                     f.write(f"\n{WAF_CONFIG_SNIPPET}\n")
 91 |                 logger.info(f"Added WAF configuration snippet to {HAPROXY_CONF}")
 92 |             else:
 93 |                 # Find the end of the 'frontend http-in' section
 94 |                 frontend_end = -1
 95 |                 for i in range(frontend_start + 1, len(config_lines)):
 96 |                     if line.strip() == "" or  not line.startswith("    "): # Check it is part of the config
 97 |                          frontend_end = i
 98 |                          break
 99 | 
100 | 
101 |                 if frontend_end == -1:
102 |                     frontend_end = len(config_lines)  # End of file
103 | 
104 |                 # Insert the include statement *within* the frontend section.
105 |                 config_lines.insert(frontend_end, "    include /etc/haproxy/waf/*.acl\n")
106 | 
107 |                 # Write the modified configuration back to the file
108 |                 with open(HAPROXY_CONF, "w") as f:
109 |                     f.writelines(config_lines)
110 |                 logger.info(f"Added WAF include to 'frontend http-in' section in {HAPROXY_CONF}")
111 |         else:
112 |             logger.info("WAF include statement already present.")
113 | 
114 |     except FileNotFoundError:
115 |         logger.error(f"HAProxy configuration file not found: {HAPROXY_CONF}")
116 |         raise
117 |     except OSError as e:
118 |         logger.error(f"Error updating HAProxy configuration: {e}")
119 |         raise
120 | 
121 | 
122 | def reload_haproxy():
123 |     """Tests the HAProxy configuration and reloads if valid."""
124 |     logger.info("Reloading HAProxy...")
125 | 
126 |     try:
127 |         # Test configuration
128 |         result = subprocess.run(["haproxy", "-c", "-f", str(HAPROXY_CONF)],
129 |                                 capture_output=True, text=True, check=True)
130 |         logger.info(f"HAProxy configuration test successful:\n{result.stdout}")
131 | 
132 | 
133 |         # Reload HAProxy
134 |         result = subprocess.run(["systemctl", "reload", "haproxy"],
135 |                                 capture_output=True, text=True, check=True)
136 |         logger.info("HAProxy reloaded.")
137 | 
138 | 
139 |     except subprocess.CalledProcessError as e:
140 |         logger.error(f"HAProxy command failed: {e.cmd} - Return code: {e.returncode}")
141 |         logger.error(f"Stdout: {e.stdout}")
142 |         logger.error(f"Stderr: {e.stderr}")
143 |         raise  # Re-raise to signal failure
144 |     except FileNotFoundError:
145 |         logger.error("'haproxy' or 'systemctl' command not found. Is HAProxy/systemd installed?")
146 |         raise
147 | 
148 | 
149 | def main():
150 |     """Main function."""
151 |     try:
152 |         copy_waf_files()
153 |         update_haproxy_conf()
154 |         reload_haproxy()
155 |         logger.info("HAProxy WAF configuration updated successfully.")
156 |     except Exception as e:
157 |         logger.critical(f"Script failed: {e}")
158 |         exit(1)
159 | 
160 | 
161 | if __name__ == "__main__":
162 |     main()
163 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/rce.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for RCE
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1073,phase:1,deny,status:403,log,msg:'rce attack detected'"
 5 | SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1098,phase:1,deny,status:403,log,msg:'rce attack detected'"
 6 | SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1084,phase:1,deny,status:403,log,msg:'rce attack detected'"
 7 | SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1075,phase:1,deny,status:403,log,msg:'rce attack detected'"
 8 | SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1080,phase:1,deny,status:403,log,msg:'rce attack detected'"
 9 | SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1087,phase:1,deny,status:403,log,msg:'rce attack detected'"
10 | SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1090,phase:1,deny,status:403,log,msg:'rce attack detected'"
11 | SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1097,phase:1,deny,status:403,log,msg:'rce attack detected'"
12 | SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1094,phase:1,deny,status:403,log,msg:'rce attack detected'"
13 | SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1074,phase:1,deny,status:403,log,msg:'rce attack detected'"
14 | SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1078,phase:1,deny,status:403,log,msg:'rce attack detected'"
15 | SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1092,phase:1,deny,status:403,log,msg:'rce attack detected'"
16 | SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1093,phase:1,deny,status:403,log,msg:'rce attack detected'"
17 | SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1091,phase:1,deny,status:403,log,msg:'rce attack detected'"
18 | SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1096,phase:1,deny,status:403,log,msg:'rce attack detected'"
19 | SecRule REQUEST_URI "/" "id:1082,phase:1,deny,status:403,log,msg:'rce attack detected'"
20 | SecRule REQUEST_URI "/" "id:1085,phase:1,deny,status:403,log,msg:'rce attack detected'"
21 | SecRule REQUEST_URI "!\-d" "id:1076,phase:1,deny,status:403,log,msg:'rce attack detected'"
22 | SecRule REQUEST_URI "/" "id:1088,phase:1,deny,status:403,log,msg:'rce attack detected'"
23 | SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1077,phase:1,deny,status:403,log,msg:'rce attack detected'"
24 | SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1079,phase:1,deny,status:403,log,msg:'rce attack detected'"
25 | SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1095,phase:1,deny,status:403,log,msg:'rce attack detected'"
26 | SecRule REQUEST_URI "s" "id:1083,phase:1,deny,status:403,log,msg:'rce attack detected'"
27 | SecRule REQUEST_URI "s" "id:1086,phase:1,deny,status:403,log,msg:'rce attack detected'"
28 | SecRule REQUEST_URI "s" "id:1089,phase:1,deny,status:403,log,msg:'rce attack detected'"
29 | SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1081,phase:1,deny,status:403,log,msg:'rce attack detected'"
30 | 


--------------------------------------------------------------------------------
/waf_patterns/nginx/xss.conf:
--------------------------------------------------------------------------------
 1 | # Nginx WAF rules for XSS
 2 | # Automatically generated from OWASP rules.
 3 | # Include this file in your server or location block.
 4 | 
 5 | map $request_uri $waf_block_xss {
 6 |     default 0;
 7 |     "~*(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" 1;
 8 |     "~*!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" 1;
 9 |     "~*((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`" 1;
10 |     "~*(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" 1;
11 |     "~*(?i)<script[^>]*>[sS]*?" 1;
12 |     "~*(?i:<META[s/+].*?charset[s/+]*=)" 1;
13 |     "~*@detectXSS" 1;
14 |     "~*<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" 1;
15 |     "~*(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=" 1;
16 |     "~*(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)" 1;
17 |     "~*(?i)<APPLET[s/+>]" 1;
18 |     "~*(?i)<BASE[s/+].*?href[s/+]*=" 1;
19 |     "~*xbc[^xbe>]*[xbe>]|<[^xbe]*xbe" 1;
20 |     "~*(?i)<EMBED[s/+].*?(?:src|type).*?=" 1;
21 |     "~*@contains -->" 1;
22 |     "~*<[?]?import[s/+S]*?implementation[s/+]*?=" 1;
23 |     "~*(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)" 1;
24 |     "~*(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))" 1;
25 |     "~*(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" 1;
26 |     "~*(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" 1;
27 |     "~*(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" 1;
28 |     "~*{{.*?}}" 1;
29 |     "~*(?i)<LINK[s/+].*?href[s/+]*=" 1;
30 |     "~*(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=" 1;
31 |     "~*(?i)[s\"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]" 1;
32 | }
33 | 
34 | if ($waf_block_xss) {
35 |     return 403;
36 |     # Log the blocked request (optional)
37 |     # access_log /var/log/nginx/waf_blocked.log;
38 | }
39 | 
40 | 


--------------------------------------------------------------------------------
/import_traefik_waf.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import subprocess
  3 | import logging
  4 | from pathlib import Path
  5 | import shutil
  6 | import filecmp
  7 | import time
  8 | import toml  # Add toml library
  9 | 
 10 | # --- Configuration ---
 11 | LOG_LEVEL = logging.INFO  # DEBUG, INFO, WARNING, ERROR
 12 | WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/traefik")).resolve()
 13 | TRAEFIK_WAF_DIR = Path(os.getenv("TRAEFIK_WAF_DIR", "/etc/traefik/waf/")).resolve()
 14 | TRAEFIK_DYNAMIC_CONF = Path(os.getenv("TRAEFIK_DYNAMIC_CONF", "/etc/traefik/dynamic.toml")).resolve()
 15 | BACKUP_DIR = Path(os.getenv("BACKUP_DIR", "/etc/traefik/waf_backup/")).resolve()
 16 | # No longer a simple string; will be constructed dynamically
 17 | # INCLUDE_STATEMENT = 'middlewares = ["bad_bot_block"]'
 18 | 
 19 | # --- Logging Setup ---
 20 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 21 | logger = logging.getLogger(__name__)
 22 | 
 23 | 
 24 | 
 25 | def copy_waf_files():
 26 |     """Copies WAF files, handling existing files and creating backups."""
 27 |     logger.info("Copying Traefik WAF patterns...")
 28 | 
 29 |     TRAEFIK_WAF_DIR.mkdir(parents=True, exist_ok=True)
 30 |     BACKUP_DIR.mkdir(parents=True, exist_ok=True)
 31 | 
 32 |     for toml_file in WAF_DIR.glob("*.toml"):  # Find all .toml files
 33 |         dst_path = TRAEFIK_WAF_DIR / toml_file.name
 34 | 
 35 |         try:
 36 |             if dst_path.exists():
 37 |                 # Compare and backup if different
 38 |                 if filecmp.cmp(toml_file, dst_path, shallow=False):
 39 |                     logger.info(f"Skipping {toml_file.name} (identical file exists).")
 40 |                     continue
 41 |                 # Backup different file
 42 |                 backup_path = BACKUP_DIR / f"{dst_path.name}.{int(time.time())}"
 43 |                 logger.warning(f"Existing {dst_path.name} differs. Backing up to {backup_path}")
 44 |                 shutil.copy2(dst_path, backup_path)
 45 | 
 46 |             # Copy the (new/updated) file
 47 |             shutil.copy2(toml_file, dst_path)
 48 |             logger.info(f"Copied {toml_file.name} to {dst_path}")
 49 | 
 50 |         except OSError as e:
 51 |             logger.error(f"Error copying {toml_file.name}: {e}")
 52 |             raise
 53 | 
 54 | def update_traefik_conf():
 55 |     """
 56 |     Ensures Traefik's dynamic config includes the generated middlewares.
 57 |     This function now *intelligently* adds the middlewares to a router,
 58 |     creating the necessary sections if they don't exist.  It also avoids
 59 |     duplicate middleware entries.
 60 |     """
 61 |     logger.info("Updating Traefik dynamic configuration...")
 62 | 
 63 |     try:
 64 |         # Create dynamic_conf.toml if it doesn't exist.
 65 |         if not TRAEFIK_DYNAMIC_CONF.exists():
 66 |             TRAEFIK_DYNAMIC_CONF.parent.mkdir(parents=True, exist_ok=True)
 67 |             # Initialize with empty http section
 68 |             with open(TRAEFIK_DYNAMIC_CONF, "w") as f:
 69 |                 f.write("[http]\n  [http.middlewares]\n  [http.routers]\n    [http.routers.default]\n      rule = \"PathPrefix(`/`)\"\n      service = \"default-service\"\n") # added default service to make it work
 70 |             logger.info(f"Created initial dynamic config file: {TRAEFIK_DYNAMIC_CONF}")
 71 | 
 72 | 
 73 |         # Load existing TOML configuration (if any).
 74 |         try:
 75 |             config = toml.load(TRAEFIK_DYNAMIC_CONF)
 76 |         except toml.TomlDecodeError as e:
 77 |             logger.error(f"Error decoding TOML file {TRAEFIK_DYNAMIC_CONF}: {e}")
 78 |             raise
 79 | 
 80 |         # 1. Collect *all* middleware names from the generated file.
 81 |         middleware_names = []
 82 |         middleware_file = TRAEFIK_WAF_DIR / "middleware.toml"
 83 |         if middleware_file.exists():
 84 |             try:
 85 |                 middleware_config = toml.load(middleware_file)
 86 |                 if "http" in middleware_config and "middlewares" in middleware_config["http"]:
 87 |                     middleware_names = list(middleware_config["http"]["middlewares"].keys())
 88 |             except toml.TomlDecodeError as e:
 89 |                 logger.error(f"Error reading generated middleware file: {e}")
 90 |                 # Don't raise here; we can still try to proceed
 91 | 
 92 |         if not middleware_names:
 93 |             logger.warning("No middlewares found in generated file. Skipping configuration update.")
 94 |             return # added return to avoid errors
 95 | 
 96 |         # 2.  Ensure the necessary sections exist in the dynamic config.
 97 |         if "http" not in config:
 98 |             config["http"] = {}
 99 |         if "routers" not in config["http"]:
100 |             config["http"]["routers"] = {}
101 |         if "my_router" not in config["http"]["routers"]:  # Use a specific router name
102 |             config["http"]["routers"]["my_router"] = {
103 |                 "rule": "PathPrefix(`/`)",  # Default rule - adjust as needed!
104 |                 "service": "my_service",    # Default service - MUST BE DEFINED!
105 |                 "middlewares": [],
106 |             }
107 |         # check default values exists
108 |         if "rule" not in config["http"]["routers"]["my_router"]:
109 |             config["http"]["routers"]["my_router"]["rule"] = "PathPrefix(`/`)"
110 |         if "service" not in config["http"]["routers"]["my_router"]:
111 |             config["http"]["routers"]["my_router"]["service"] = "my_service" # needs to have a service
112 | 
113 |         # 3. Add middlewares to the router's 'middlewares' list, avoiding duplicates
114 |         existing_middlewares = config["http"]["routers"]["my_router"].get("middlewares", [])
115 |         for middleware_name in middleware_names:
116 |             if middleware_name not in existing_middlewares:
117 |                 existing_middlewares.append(middleware_name)
118 |         config["http"]["routers"]["my_router"]["middlewares"] = existing_middlewares
119 | 
120 |         # 4. Write the updated configuration back to the file.
121 |         try:
122 |             with open(TRAEFIK_DYNAMIC_CONF, "w") as f:
123 |                 toml.dump(config, f)
124 |             logger.info(f"Updated Traefik dynamic configuration: {TRAEFIK_DYNAMIC_CONF}")
125 |         except OSError as e:
126 |             logger.error(f"Error writing to {TRAEFIK_DYNAMIC_CONF}: {e}")
127 |             raise
128 | 
129 |     except Exception as e:  # Catch broader exception during file ops
130 |         logger.error(f"Error updating Traefik dynamic configuration: {e}")
131 |         raise
132 | 
133 | def reload_traefik():
134 |     """Tests the Traefik configuration (if possible) and reloads."""
135 |     logger.info("Reloading Traefik...")
136 | 
137 |     try:
138 |         # Traefik doesn't have a built-in config test like nginx or apachectl.
139 |         # We'll rely on systemctl to do a basic check during reload.
140 | 
141 |         # Reload Traefik
142 |         result = subprocess.run(["systemctl", "reload", "traefik"],
143 |                                 capture_output=True, text=True, check=True)
144 |         logger.info("Traefik reloaded.")
145 | 
146 |     except subprocess.CalledProcessError as e:
147 |         logger.error(f"Traefik command failed: {e.cmd} - Return code: {e.returncode}")
148 |         logger.error(f"Stdout: {e.stdout}")
149 |         logger.error(f"Stderr: {e.stderr}")
150 |         raise
151 |     except FileNotFoundError:
152 |         logger.error("'systemctl' command not found. Is systemd installed?")
153 |         raise
154 | 
155 | 
156 | def main():
157 |     """Main function."""
158 |     try:
159 |         copy_waf_files()
160 |         update_traefik_conf()
161 |         reload_traefik()
162 |         logger.info("Traefik WAF configuration updated successfully.")
163 |     except Exception as e:
164 |         logger.critical(f"Script failed: {e}")
165 |         exit(1)
166 | 
167 | 
168 | if __name__ == "__main__":
169 |     main()
170 | 


--------------------------------------------------------------------------------
/json2apache.py:
--------------------------------------------------------------------------------
  1 | import json
  2 | import os
  3 | import re
  4 | import logging
  5 | from pathlib import Path
  6 | from typing import List, Dict, Set, Tuple, Optional
  7 | from functools import lru_cache
  8 | from collections import defaultdict  # Import defaultdict
  9 | 
 10 | # --- Configuration ---
 11 | LOG_LEVEL = logging.INFO  # Adjust as needed (DEBUG, INFO, WARNING, ERROR)
 12 | INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
 13 | OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/apache"))
 14 | 
 15 | # ModSecurity Rule Templates (more flexible)
 16 | MODSEC_RULE_TEMPLATE = (
 17 |     'SecRule {variables} "{pattern}" '
 18 |     '"id:{rule_id},phase:{phase},t:none,{actions},msg:\'{category} attack detected\',severity:{severity}"\n'
 19 | )
 20 | # Default Actions
 21 | DEFAULT_ACTIONS = "deny,status:403,log"
 22 | 
 23 | # Unsupported ModSecurity directives (expand as needed)
 24 | UNSUPPORTED_PATTERNS = [
 25 |     "@pmFromFile",  # File lookups not directly supported
 26 |     # You might handle some of these with ctl:ruleRemoveTargetById later
 27 | ]
 28 | # Supported ModSecurity operators and their rough translations (for logging/info)
 29 | SUPPORTED_OPERATORS = {
 30 |     "@rx": "Regular Expression",
 31 |     "@streq": "String Equals",
 32 |     "@contains": "Contains String",
 33 |     "@beginsWith": "Begins With",
 34 |     "@endsWith": "Ends With",
 35 |     "@within": "Contained Within",
 36 |     "@ipMatch": "IP Address Match",
 37 |     # ... add more as needed
 38 | }
 39 | 
 40 | # --- Logging Setup ---
 41 | logging.basicConfig(level=LOG_LEVEL, format="%(asctime)s - %(levelname)s - %(message)s")
 42 | logger = logging.getLogger(__name__)
 43 | 
 44 | # --- Utility Functions ---
 45 | @lru_cache(maxsize=None)
 46 | def validate_regex(pattern: str) -> bool:
 47 |     """Validates a regex pattern (basic check)."""
 48 |     try:
 49 |         re.compile(pattern)
 50 |         return True
 51 |     except re.error as e:
 52 |         logger.warning(f"Invalid regex: {pattern} - {e}")
 53 |         return False
 54 | 
 55 | def _sanitize_pattern(pattern: str) -> str:
 56 |     """Internal helper to perform basic pattern sanitization."""
 57 |     # Remove @rx prefix, if present
 58 |     pattern = pattern.replace("@rx ", "").strip()
 59 |     # You *could* add basic escaping here if needed, but be *very* careful
 60 |     # not to break valid regexes.  It's generally better to handle this
 61 |     # in the `owasp2json.py` script.
 62 |     return pattern
 63 | 
 64 | def _determine_variables(location: str) -> str:
 65 |     """Maps the 'location' field to ModSecurity variables."""
 66 |     location = location.lower()  # Normalize to lowercase
 67 |     if location == "request-uri":
 68 |         return "REQUEST_URI"
 69 |     elif location == "query-string":
 70 |         return "ARGS"  # Or ARGS_GET, depending on your needs
 71 |     elif location == "user-agent":
 72 |         return "REQUEST_HEADERS:User-Agent"
 73 |     elif location == "host":
 74 |         return "REQUEST_HEADERS:Host"
 75 |     elif location == "referer":
 76 |         return "REQUEST_HEADERS:Referer"
 77 |     elif location == "content-type":
 78 |         return "REQUEST_HEADERS:Content-Type"
 79 |     # Add other location mappings as needed
 80 |     else:
 81 |         logger.warning(f"Unknown location '{location}', defaulting to REQUEST_URI")
 82 |         return "REQUEST_URI"  # Default variable
 83 | 
 84 | 
 85 | def generate_apache_waf(rules: List[Dict]) -> None:
 86 |     """Generates Apache ModSecurity configuration files."""
 87 | 
 88 |     OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
 89 | 
 90 |     # Use a dictionary to group rules by category.  Sets prevent duplicates.
 91 |     categorized_rules: Dict[str, Set[str]] = defaultdict(set)
 92 |     rule_id_counter = 9000000  # Start with a high ID range (OWASP CRS convention)
 93 | 
 94 | 
 95 |     for rule in rules:
 96 |         rule_id = rule.get("id", "no_id")  # Get rule ID
 97 |         if not isinstance(rule_id, int):  # check if is an int
 98 |             # Extract ID from rule and convert to an integer
 99 |             match = re.search(r'id:(\d+)', rule_id)
100 |             if match:
101 |                 try:
102 |                     rule_id = int(match.group(1))
103 |                 except ValueError:
104 |                     logger.warning(f"Invalid rule ID '{match.group(1)}' in rule: {rule}. Using generated ID.")
105 |                     rule_id = rule_id_counter
106 |                     rule_id_counter += 1
107 |             else:
108 |                 rule_id = rule_id_counter
109 |                 rule_id_counter += 1
110 | 
111 |         category = rule.get("category", "generic").lower()
112 |         pattern = rule["pattern"]
113 |         location = rule.get("location", "REQUEST_URI")  # Set a default variable
114 |         severity = rule.get("severity", "CRITICAL").upper()  # CRITICAL, ERROR, WARNING, NOTICE
115 |         # --- Operator Handling ---
116 |         operator_used = "Unknown"  # Default
117 |         for op in SUPPORTED_OPERATORS:
118 |             if pattern.startswith(op):
119 |                 operator_used = SUPPORTED_OPERATORS[op]
120 |                 break  # Stop after finding the *first* matching operator
121 | 
122 |         # Skip unsupported patterns.
123 |         if any(unsupported in pattern for unsupported in UNSUPPORTED_PATTERNS):
124 |             logger.info(f"[!] Skipping unsupported pattern: {pattern}")
125 |             continue
126 | 
127 |         sanitized_pattern = _sanitize_pattern(pattern)
128 |         if not sanitized_pattern or not validate_regex(sanitized_pattern):
129 |             continue  # Skip invalid regexes
130 | 
131 |         # Determine ModSecurity variables based on 'location'
132 |         variables = _determine_variables(location)
133 | 
134 |         # --- Rule Construction ---
135 |         # Build the ModSecurity rule string
136 |         rule_str = MODSEC_RULE_TEMPLATE.format(
137 |             variables=variables,
138 |             pattern=re.escape(sanitized_pattern),  # Escape for ModSecurity
139 |             rule_id=rule_id,
140 |             category=category.upper(),  # Use uppercase for category
141 |             severity=severity,
142 |             phase=2,  # Phase 2 (request body processing) is common, adjust if needed
143 |             actions=DEFAULT_ACTIONS,
144 |         )
145 |         categorized_rules[category].add(rule_str)  # added into a dict
146 | 
147 | 
148 |     # --- File Output ---
149 |     # Write rules to per-category files.  This is good for organization.
150 |     for category, rule_set in categorized_rules.items():
151 |         output_file = OUTPUT_DIR / f"{category}.conf"
152 |         try:
153 |             with open(output_file, "w") as f:
154 |                 f.write(f"# ModSecurity Rules for Category: {category.upper()}\n")
155 |                 f.write("SecRuleEngine On\n\n")  # Enable the rule engine
156 |                 for rule in rule_set:
157 |                     f.write(rule)
158 |             logger.info(f"Generated {output_file} ({len(rule_set)} rules)")
159 |         except IOError as e:
160 |             logger.error(f"Error writing to {output_file}: {e}")
161 |             #  Consider raising the exception here if you want the script to *stop*
162 |             #  on any file write error.
163 | 
164 | 
165 | def load_owasp_rules(file_path: Path) -> List[Dict]:
166 |     """Loads OWASP rules from the JSON file."""
167 |     try:
168 |         with open(file_path, "r", encoding="utf-8") as f:
169 |             return json.load(f)
170 |     except (FileNotFoundError, json.JSONDecodeError, Exception) as e:
171 |         logger.error(f"Error loading rules from {file_path}: {e}")
172 |         raise
173 | 
174 | def main():
175 |     """Main function."""
176 |     try:
177 |         rules = load_owasp_rules(INPUT_FILE)
178 |         generate_apache_waf(rules)
179 |         logger.info("Apache ModSecurity configuration generated successfully.")
180 |     except Exception as e:
181 |         logger.critical(f"Script failed: {e}")
182 |         exit(1)
183 | 
184 | if __name__ == "__main__":
185 |     main()
186 | 


--------------------------------------------------------------------------------
/badbots.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import os
  3 | import logging
  4 | import json
  5 | import time
  6 | from pathlib import Path
  7 | from concurrent.futures import ThreadPoolExecutor, as_completed
  8 | import random
  9 | import re
 10 | from tqdm import tqdm  # Import tqdm for progress bar
 11 | 
 12 | # Logging setup
 13 | logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s")
 14 | 
 15 | # Constants and Configuration
 16 | OUTPUT_DIRS = {
 17 |     "nginx": "waf_patterns/nginx/",
 18 |     "apache": "waf_patterns/apache/",
 19 |     "traefik": "waf_patterns/traefik/",
 20 |     "haproxy": "waf_patterns/haproxy/"
 21 | }
 22 | 
 23 | # Updated list of bot list sources
 24 | BOT_LIST_SOURCES = [
 25 |     "https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list",
 26 |     "https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt",
 27 |     "https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt"]
 28 | 
 29 | RATE_LIMIT_DELAY = 600
 30 | RETRY_DELAY = 5
 31 | MAX_RETRIES = 3
 32 | EXPONENTIAL_BACKOFF = True
 33 | BACKOFF_MULTIPLIER = 2
 34 | MAX_WORKERS = 4
 35 | GITHUB_TOKEN = os.getenv("GITHUB_TOKEN")
 36 | 
 37 | # Regex to detect IP addresses and domains
 38 | IP_REGEX = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
 39 | DOMAIN_REGEX = re.compile(r"\b([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")
 40 | 
 41 | 
 42 | def fetch_with_retries(url: str) -> list:
 43 |     """
 44 |     Fetch bot patterns from a URL with retries and rate-limiting handling.
 45 |     """
 46 |     retries = 0
 47 |     headers = {}
 48 | 
 49 |     if GITHUB_TOKEN:
 50 |         headers['Authorization'] = f'token {GITHUB_TOKEN}'
 51 |         logging.info(f"Using GitHub token for {url}")
 52 | 
 53 |     while retries < MAX_RETRIES:
 54 |         try:
 55 |             response = requests.get(url, headers=headers, timeout=10)
 56 |             if response.status_code == 200:
 57 |                 logging.info(f"Fetched from {url}")
 58 |                 return parse_bot_list(url, response)
 59 |             
 60 |             if response.status_code == 403 and 'X-RateLimit-Remaining' in response.headers:
 61 |                 reset_time = int(response.headers['X-RateLimit-Reset'])
 62 |                 wait_time = max(reset_time - int(time.time()), RATE_LIMIT_DELAY)
 63 |                 logging.warning(f"Rate limit exceeded for {url}. Retrying in {wait_time} seconds...")
 64 |                 time.sleep(wait_time)
 65 |             else:
 66 |                 jitter = random.uniform(1, 3)
 67 |                 wait_time = (RETRY_DELAY * (BACKOFF_MULTIPLIER ** retries) if EXPONENTIAL_BACKOFF else RETRY_DELAY) + jitter
 68 |                 logging.warning(f"Retrying {url}... ({retries + 1}/{MAX_RETRIES}) in {wait_time:.2f} seconds.")
 69 |                 time.sleep(wait_time)
 70 |                 retries += 1
 71 |         except requests.RequestException as e:
 72 |             logging.error(f"Error fetching {url}: {e}")
 73 |             retries += 1
 74 | 
 75 |     logging.error(f"Failed to fetch {url} after {MAX_RETRIES} retries.")
 76 |     return []
 77 | 
 78 | 
 79 | def parse_bot_list(url: str, response: requests.Response) -> list:
 80 |     """
 81 |     Parse bot patterns from the fetched response (JSON or plain text).
 82 |     """
 83 |     bot_patterns = set()
 84 |     try:
 85 |         if url.endswith(".json"):
 86 |             json_data = response.json()
 87 |             if isinstance(json_data, list):
 88 |                 for entry in json_data:
 89 |                     user_agent = entry.get('pattern') or entry.get('ua', '')
 90 |                     if user_agent and not user_agent.startswith("#"):
 91 |                         bot_patterns.add(user_agent)
 92 |             elif isinstance(json_data, dict):
 93 |                 for entry in json_data.get('test_cases', []):
 94 |                     user_agent = entry.get('user_agent_string', '')
 95 |                     if user_agent and not user_agent.startswith("#"):
 96 |                         bot_patterns.add(user_agent)
 97 |         else:
 98 |             for line in response.text.splitlines():
 99 |                 # Exclude comments, empty lines, IPs, and domains
100 |                 if line and not line.startswith("#") and len(line) > 3:
101 |                     if not IP_REGEX.search(line) and not DOMAIN_REGEX.search(line):
102 |                         bot_patterns.add(line)
103 |     except (ValueError, json.JSONDecodeError) as e:
104 |         logging.warning(f"Error parsing {url}: {e}")
105 | 
106 |     return list(bot_patterns)
107 | 
108 | 
109 | def fetch_bot_list():
110 |     """
111 |     Fetch bot patterns from all sources using a thread pool.
112 |     """
113 |     bot_patterns = set()
114 | 
115 |     with ThreadPoolExecutor(max_workers=MAX_WORKERS) as executor:
116 |         # Create a dictionary of futures to URLs
117 |         future_to_url = {executor.submit(fetch_with_retries, url): url for url in BOT_LIST_SOURCES}
118 | 
119 |         # Use tqdm to show progress
120 |         for future in tqdm(as_completed(future_to_url), total=len(BOT_LIST_SOURCES), desc="Fetching bot lists"):
121 |             result = future.result()
122 |             bot_patterns.update(result)
123 | 
124 |     if not bot_patterns:
125 |         logging.error("❌ No bots were fetched from any source. Exiting...")
126 |         exit(1)
127 | 
128 |     logging.info(f"✅ Total unique bots collected: {len(bot_patterns)}")
129 |     return sorted(bot_patterns)
130 | 
131 | 
132 | def write_to_file(path: Path, content: str):
133 |     """
134 |     Write content to a file at the specified path.
135 |     """
136 |     try:
137 |         with path.open("w") as f:
138 |             f.write(content)
139 |         logging.info(f"Generated file: {path}")
140 |     except IOError as e:
141 |         logging.error(f"Failed to write to {path}: {e}")
142 | 
143 | 
144 | def generate_nginx_conf(bots):
145 |     """
146 |     Generate Nginx WAF configuration for blocking bots.
147 |     """
148 |     path = Path(OUTPUT_DIRS['nginx'], "bots.conf")
149 |     content = "map $http_user_agent $bad_bot {\n"
150 |     for bot in bots:
151 |         content += f'    "~*{bot}" 1;\n'
152 |     content += "    default 0;\n}\n"
153 |     write_to_file(path, content)
154 | 
155 | 
156 | def generate_apache_conf(bots):
157 |     """
158 |     Generate Apache WAF configuration for blocking bots.
159 |     """
160 |     path = Path(OUTPUT_DIRS['apache'], "bots.conf")
161 |     content = "SecRuleEngine On\n"
162 |     for bot in bots:
163 |         content += f'SecRule REQUEST_HEADERS:User-Agent "@contains {bot}" "id:3000,phase:1,deny,status:403"\n'
164 |     write_to_file(path, content)
165 | 
166 | 
167 | def generate_traefik_conf(bots):
168 |     """
169 |     Generate Traefik WAF configuration for blocking bots.
170 |     """
171 |     path = Path(OUTPUT_DIRS['traefik'], "bots.toml")
172 |     content = "[http.middlewares]\n[http.middlewares.bad_bot_block]\n  [http.middlewares.bad_bot_block.plugin.badbot]\n    userAgent = [\n"
173 |     for bot in bots:
174 |         content += f'      "{bot}",\n'
175 |     content += "    ]\n"
176 |     write_to_file(path, content)
177 | 
178 | 
179 | def generate_haproxy_conf(bots):
180 |     """
181 |     Generate HAProxy WAF configuration for blocking bots.
182 |     """
183 |     path = Path(OUTPUT_DIRS['haproxy'], "bots.acl")
184 |     content = "# HAProxy WAF - Bad Bot Blocker\n"
185 |     for bot in bots:
186 |         content += f'acl bad_bot hdr_sub(User-Agent) -i {bot}\n'
187 |     content += "http-request deny if bad_bot\n"
188 |     write_to_file(path, content)
189 | 
190 | 
191 | if __name__ == "__main__":
192 |     # Ensure output directories exist
193 |     for output_dir in OUTPUT_DIRS.values():
194 |         Path(output_dir).mkdir(parents=True, exist_ok=True)
195 | 
196 |     # Fetch bot patterns
197 |     bots = fetch_bot_list()
198 | 
199 |     # Generate WAF configurations
200 |     generate_nginx_conf(bots)
201 |     generate_apache_conf(bots)
202 |     generate_traefik_conf(bots)
203 |     generate_haproxy_conf(bots)
204 | 
205 |     logging.info("[✔] Bot blocking configurations generated for all platforms.")


--------------------------------------------------------------------------------
/waf_patterns/apache/sqli.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for SQLI
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1313,phase:1,deny,status:403,log,msg:'sqli attack detected'"
 5 | SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1294,phase:1,deny,status:403,log,msg:'sqli attack detected'"
 6 | SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1295,phase:1,deny,status:403,log,msg:'sqli attack detected'"
 7 | SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1300,phase:1,deny,status:403,log,msg:'sqli attack detected'"
 8 | SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1314,phase:1,deny,status:403,log,msg:'sqli attack detected'"
 9 | SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{3\}\)" "id:1322,phase:1,deny,status:403,log,msg:'sqli attack detected'"
10 | SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1307,phase:1,deny,status:403,log,msg:'sqli attack detected'"
11 | SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1297,phase:1,deny,status:403,log,msg:'sqli attack detected'"
12 | SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1312,phase:1,deny,status:403,log,msg:'sqli attack detected'"
13 | SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1290,phase:1,deny,status:403,log,msg:'sqli attack detected'"
14 | SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1302,phase:1,deny,status:403,log,msg:'sqli attack detected'"
15 | SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1293,phase:1,deny,status:403,log,msg:'sqli attack detected'"
16 | SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1316,phase:1,deny,status:403,log,msg:'sqli attack detected'"
17 | SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1289,phase:1,deny,status:403,log,msg:'sqli attack detected'"
18 | SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{12\}\)" "id:1308,phase:1,deny,status:403,log,msg:'sqli attack detected'"
19 | SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1317,phase:1,deny,status:403,log,msg:'sqli attack detected'"
20 | SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{6\}\)" "id:1319,phase:1,deny,status:403,log,msg:'sqli attack detected'"
21 | SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1303,phase:1,deny,status:403,log,msg:'sqli attack detected'"
22 | SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{2\}\)" "id:1323,phase:1,deny,status:403,log,msg:'sqli attack detected'"
23 | SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1309,phase:1,deny,status:403,log,msg:'sqli attack detected'"
24 | SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1292,phase:1,deny,status:403,log,msg:'sqli attack detected'"
25 | SecRule REQUEST_URI "@detectSQLi" "id:1288,phase:1,deny,status:403,log,msg:'sqli attack detected'"
26 | SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1311,phase:1,deny,status:403,log,msg:'sqli attack detected'"
27 | SecRule REQUEST_URI "W\{4\}" "id:1320,phase:1,deny,status:403,log,msg:'sqli attack detected'"
28 | SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1291,phase:1,deny,status:403,log,msg:'sqli attack detected'"
29 | SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1304,phase:1,deny,status:403,log,msg:'sqli attack detected'"
30 | SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{8\}\)" "id:1318,phase:1,deny,status:403,log,msg:'sqli attack detected'"
31 | SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1310,phase:1,deny,status:403,log,msg:'sqli attack detected'"
32 | SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1299,phase:1,deny,status:403,log,msg:'sqli attack detected'"
33 | SecRule REQUEST_URI "@detectSQLi" "id:1315,phase:1,deny,status:403,log,msg:'sqli attack detected'"
34 | SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1298,phase:1,deny,status:403,log,msg:'sqli attack detected'"
35 | SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1296,phase:1,deny,status:403,log,msg:'sqli attack detected'"
36 | SecRule REQUEST_URI "';" "id:1321,phase:1,deny,status:403,log,msg:'sqli attack detected'"
37 | SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1301,phase:1,deny,status:403,log,msg:'sqli attack detected'"
38 | SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1306,phase:1,deny,status:403,log,msg:'sqli attack detected'"
39 | SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1305,phase:1,deny,status:403,log,msg:'sqli attack detected'"
40 | 


--------------------------------------------------------------------------------
/waf_patterns/apache/enforcement.conf:
--------------------------------------------------------------------------------
 1 | # Apache ModSecurity rules for ENFORCEMENT
 2 | SecRuleEngine On
 3 | 
 4 | SecRule REQUEST_URI "@eq\ 0" "id:1205,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
 5 | SecRule REQUEST_URI "@gt\ 1" "id:1195,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
 6 | SecRule REQUEST_URI "\^\$" "id:1159,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
 7 | SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1201,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
 8 | SecRule REQUEST_URI "@eq\ 1" "id:1154,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
 9 | SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1164,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
10 | SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1171,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
11 | SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1179,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
12 | SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1215,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
13 | SecRule REQUEST_URI "@eq\ 1" "id:1172,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
14 | SecRule REQUEST_URI "!@streq\ JSON" "id:1192,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
15 | SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1162,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
16 | SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1193,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
17 | SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1216,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
18 | SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1208,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
19 | SecRule REQUEST_URI "@eq\ 1" "id:1174,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
20 | SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1182,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
21 | SecRule REQUEST_URI "@eq\ 0" "id:1209,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
22 | SecRule REQUEST_URI "!@rx\ \^0\$" "id:1167,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
23 | SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1199,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
24 | SecRule REQUEST_URI "\^\$" "id:1163,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
25 | SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1183,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
26 | SecRule REQUEST_URI "@gt\ 0" "id:1213,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
27 | SecRule REQUEST_URI "@eq\ 1" "id:1176,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
28 | SecRule REQUEST_URI "@streq\ POST" "id:1145,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
29 | SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1218,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
30 | SecRule REQUEST_URI "@eq\ 0" "id:1202,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
31 | SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
32 | SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1161,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
33 | SecRule REQUEST_URI "\['";=\]" "id:1203,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
34 | SecRule REQUEST_URI "@eq\ 0" "id:1168,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
35 | SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1148,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
36 | SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1219,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
37 | SecRule REQUEST_URI "@gt\ 50" "id:1191,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
38 | SecRule REQUEST_URI "@validateUtf8Encoding" "id:1155,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
39 | SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1198,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
40 | SecRule REQUEST_URI "\^\$" "id:1160,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
41 | SecRule REQUEST_URI "@validateUrlEncoding" "id:1151,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
42 | SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1175,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
43 | SecRule REQUEST_URI "@validateUrlEncoding" "id:1153,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
44 | SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1169,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
45 | SecRule REQUEST_URI "@eq\ 0" "id:1165,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
46 | SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1142,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
47 | SecRule REQUEST_URI "@contains\ \#" "id:1194,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
48 | SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1197,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
49 | SecRule REQUEST_URI "@eq\ 1" "id:1178,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
50 | SecRule REQUEST_URI "\^\.\*\$" "id:1206,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
51 | SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1187,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
52 | SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1143,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
53 | SecRule REQUEST_URI "@eq\ 0" "id:1158,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
54 | SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1184,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
55 | SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1144,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
56 | SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1177,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
57 | SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1181,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
58 | SecRule REQUEST_URI "@eq\ 1" "id:1180,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
59 | SecRule REQUEST_URI "x25" "id:1150,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
60 | SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1190,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
61 | SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1141,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
62 | SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1196,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
63 | SecRule REQUEST_URI "x25" "id:1152,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
64 | SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1210,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
65 | SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1173,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
66 | SecRule REQUEST_URI "@eq\ 0" "id:1146,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
67 | SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1157,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
68 | SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1214,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
69 | SecRule REQUEST_URI "charset\.\*\?charset" "id:1185,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
70 | SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1217,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
71 | SecRule REQUEST_URI "!@rx\ \^0\$" "id:1204,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
72 | SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1188,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
73 | SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1207,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
74 | SecRule REQUEST_URI "@ge\ 1" "id:1212,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
75 | SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1149,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
76 | SecRule REQUEST_URI "\^\$" "id:1166,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
77 | SecRule REQUEST_URI "\^\.\*\$" "id:1189,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
78 | SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1156,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
79 | SecRule REQUEST_URI "@eq\ 1" "id:1170,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
80 | SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1200,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
81 | SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1186,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
82 | SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1211,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
83 | 


--------------------------------------------------------------------------------