├── templates
└── default
│ ├── ports.conf.erb
│ ├── headers.conf.erb
│ ├── index.html.erb
│ ├── scanners-headers.data.erb
│ ├── java-errors.data.erb
│ ├── php-variables.data.erb
│ ├── java-code-leakages.data.erb
│ ├── fastly_test_rules.conf.erb
│ ├── scanners-urls.data.erb
│ ├── iis-errors.data.erb
│ ├── php-function-names-933150.data.erb
│ ├── vhost.conf.erb
│ ├── crawlers-user-agents.data.erb
│ ├── scripting-user-agents.data.erb
│ ├── restricted-files.data.erb
│ ├── unix-shell.data.erb
│ ├── REQUEST-905-COMMON-EXCEPTIONS.conf.erb
│ ├── sql-errors.data.erb
│ ├── REQUEST-911-METHOD-ENFORCEMENT.conf.erb
│ ├── RESPONSE-959-BLOCKING-EVALUATION.conf.erb
│ ├── sql-function-names.data.erb
│ ├── RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example.erb
│ ├── REQUEST-949-BLOCKING-EVALUATION.conf.erb
│ ├── RESPONSE-952-DATA-LEAKAGES-JAVA.conf.erb
│ ├── RESPONSE-950-DATA-LEAKAGES.conf.erb
│ ├── RESPONSE-980-CORRELATION.conf.erb
│ ├── scanners-user-agents.data.erb
│ ├── windows-powershell-commands.data.erb
│ ├── RESPONSE-953-DATA-LEAKAGES-PHP.conf.erb
│ ├── REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf.erb
│ ├── REQUEST-931-APPLICATION-ATTACK-RFI.conf.erb
│ ├── RESPONSE-954-DATA-LEAKAGES-IIS.conf.erb
│ ├── php-config-directives.data.erb
│ ├── REQUEST-930-APPLICATION-ATTACK-LFI.conf.erb
│ ├── REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example.erb
│ ├── REQUEST-913-SCANNER-DETECTION.conf.erb
│ ├── modsecurity.conf.erb
│ ├── php-errors.data.erb
│ ├── REQUEST-912-DOS-PROTECTION.conf.erb
│ ├── REQUEST-910-IP-REPUTATION.conf.erb
│ ├── REQUEST-901-INITIALIZATION.conf.erb
│ ├── REQUEST-921-PROTOCOL-ATTACK.conf.erb
│ └── REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf.erb
├── CONTRIBUTORS.md
├── Berksfile
├── metadata.rb
├── .kitchen.yml
├── attributes
└── default.rb
├── Vagrantfile
├── README.md
├── test
└── integration
│ └── default
│ └── default_spec.rb
├── recipes
└── default.rb
└── LICENSE
/templates/default/ports.conf.erb:
--------------------------------------------------------------------------------
1 | Listen 0.0.0.0:443
2 |
--------------------------------------------------------------------------------
/CONTRIBUTORS.md:
--------------------------------------------------------------------------------
1 | ## Contributors
2 |
3 | The following people have contributed to the waf_testbed project
4 |
5 | - Christian Peron
6 | - Zack Allen
7 |
--------------------------------------------------------------------------------
/Berksfile:
--------------------------------------------------------------------------------
1 | source 'https://supermarket.chef.io' # Community cookbooks are fetched from the public Chef Supermarket over HTTPS
2 |
3 | metadata # Also take the dependency list (and any version constraints) declared in metadata.rb
4 | cookbook 'apt', '~> 3.0.0' # Pinned to a minor series; same constraint as metadata.rb
5 | cookbook 'git' # Unpinned: resolves to the newest matching Supermarket release at install time. No Berksfile.lock appears in this tree, so the resolved set is not recorded — TODO confirm
6 | cookbook 'poise-python', '~> 1.7.0' # metadata.rb lists poise-python without a constraint; this pin is what bounds the resolved version — confirm with `berks list`
7 |
--------------------------------------------------------------------------------
/templates/default/headers.conf.erb:
--------------------------------------------------------------------------------
1 |
2 | Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
3 | Header set Pragma "no-cache"
4 |
5 |
--------------------------------------------------------------------------------
/templates/default/index.html.erb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | WAF Test Page
5 | Testing Site
6 |
7 | Nothing to see here.
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/templates/default/scanners-headers.data.erb:
--------------------------------------------------------------------------------
1 | acunetix-product
2 | (acunetix web vulnerability scanner
3 | acunetix-scanning-agreement
4 | acunetix-user-agreement
5 | myvar=1234
6 | x-ratproxy-loop
7 | bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14
8 | x-scanner
9 |
--------------------------------------------------------------------------------
/templates/default/java-errors.data.erb:
--------------------------------------------------------------------------------
1 | [java.lang.
2 | class java.lang.
3 | java.lang.NullPointerException
4 | java.rmi.ServerException
5 | at java.lang.
6 | onclick="toggle('full exception chain stacktrace')"
7 | at org.apache.catalina
8 | at org.apache.coyote.
9 | at org.apache.tomcat.
10 | at org.apache.jasper.
11 |
--------------------------------------------------------------------------------
/templates/default/php-variables.data.erb:
--------------------------------------------------------------------------------
1 | $GLOBALS
2 | $HTTP_COOKIE_VARS
3 | $HTTP_ENV_VARS
4 | $HTTP_GET_VARS
5 | $HTTP_POST_FILES
6 | $HTTP_POST_VARS
7 | $HTTP_RAW_POST_DATA
8 | $HTTP_REQUEST_VARS
9 | $HTTP_SERVER_VARS
10 | $_COOKIE
11 | $_ENV
12 | $_FILES
13 | $_GET
14 | $_POST
15 | $_REQUEST
16 | $_SERVER
17 | $_SESSION
18 | $argc
19 | $argv
20 |
--------------------------------------------------------------------------------
/metadata.rb:
--------------------------------------------------------------------------------
1 | name 'waf_testbed'
2 | maintainer 'Team Security'
3 | maintainer_email 'team-security@fastly.com'
4 | license 'apache' # Consistent with the bundled CRS rule files under templates/, whose headers state ASL version 2
5 | description 'Installs/Configures waf_testbed'
6 | long_description 'Installs/Configures waf_testbed'
7 | version '0.2.0'
8 |
9 | depends 'apt', '~> 3.0.0' # Same pin as the Berksfile
10 | depends 'httpd' # Unpinned; not listed in the Berksfile itself, so it is resolved only through the Berksfile's `metadata` line
11 | depends 'git' # Unpinned here and in the Berksfile
12 | depends 'poise-python' # Unpinned here; the Berksfile constrains it to ~> 1.7.0
13 |
--------------------------------------------------------------------------------
/templates/default/java-code-leakages.data.erb:
--------------------------------------------------------------------------------
1 | hello.html
3 | /actSensepostnottherenonotive
4 | /acunetix-wvs-test-for-some-inexistent-file
5 | /antidisestablishmentarianism
6 | /appscan_fingerprint/mac_address
7 | /arachni-
8 | /cybercop
9 | /nessus_is_probing_you_
10 | /nessustest
11 | /netsparker-
12 | /rfiinc.txt
13 | /thereisnowaythat-you-canbethere
14 | /w3af/remotefileinclude.html
15 | appscan_fingerprint
16 | w00tw00t.at.ISC.SANS.DFind
17 | w00tw00t.at.blackhats.romanian.anti-sec
18 |
--------------------------------------------------------------------------------
/templates/default/iis-errors.data.erb:
--------------------------------------------------------------------------------
1 | HTTP 403.6 - Forbidden: IP address rejected
2 | 500 Internal Server Error
3 | Microsoft VBScript runtime (0x8
4 | error '800
5 | Application uses a value of the wrong type for the current operation
6 | Microsoft VBScript compilation (0x8
7 | Microsoft VBScript compilation error
8 | Microsoft .NET Framework Version:
9 | A trappable error occurred in an external object. The script cannot continue running
10 | Microsoft VBScript runtime Error
11 | >Syntax error in string in query expression
12 | ADODB.Command
13 | Object required: '
14 |
--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
1 | #
2 | # apache2+mod_security vagrant box
3 | #
4 | # A single VirtualBox guest ('modsec0') on a private network, converged
5 | # with chef-solo from the cookbook in this directory.
6 | #
7 | Vagrant.configure(2) do |config|
8 |   # The host's SSH agent socket is forwarded into the guest: while a
9 |   # session is open, processes inside the VM can request signatures from
10 |   # every key loaded in the host agent. Keep this off for untrusted guests.
11 |   config.ssh.forward_agent = true
12 |
13 |   config.vm.define 'modsec0' do |guest|
14 |     guest.vm.box = 'ubuntu/trusty64'
15 |
16 |     # Resolve cookbooks with Berkshelf, using the Berksfile next to this file.
17 |     guest.berkshelf.enabled = true
18 |     guest.berkshelf.berksfile_path = './Berksfile'
19 |
20 |     # Fixed address on a private (host-only) network; the test vhosts on
21 |     # 80/443 are reached from the host at this IP.
22 |     guest.vm.network 'private_network', ip: '192.168.50.75'
23 |
24 |     guest.vm.provider 'virtualbox' do |vbox|
25 |       vbox.memory = 512
26 |       vbox.cpus = 2
27 |     end
28 |
29 |     # Run the cookbook's default recipe with chef-solo.
30 |     guest.vm.provision :chef_solo do |chef|
31 |       chef.add_recipe('waf_testbed::default')
32 |     end
33 |   end
34 | end
35 |
--------------------------------------------------------------------------------
/templates/default/php-function-names-933150.data.erb:
--------------------------------------------------------------------------------
1 | __halt_compiler
2 | apache_child_terminate
3 | base64_decode
4 | bzdecompress
5 | call_user_func
6 | call_user_func_array
7 | call_user_method
8 | call_user_method_array
9 | convert_uudecode
10 | file_get_contents
11 | file_put_contents
12 | fsockopen
13 | gzdecode
14 | gzinflate
15 | gzuncompress
16 | include_once
17 | invokeargs
18 | pcntl_exec
19 | pcntl_fork
20 | pfsockopen
21 | posix_getcwd
22 | posix_getpwuid
23 | posix_getuid
24 | posix_uname
25 | ReflectionFunction
26 | require_once
27 | shell_exec
28 | str_rot13
29 | sys_get_temp_dir
30 | wp_remote_fopen
31 | wp_remote_get
32 | wp_remote_head
33 | wp_remote_post
34 | wp_remote_request
35 | wp_safe_remote_get
36 | wp_safe_remote_head
37 | wp_safe_remote_post
38 | wp_safe_remote_request
39 | zlib_decode
40 |
--------------------------------------------------------------------------------
/templates/default/vhost.conf.erb:
--------------------------------------------------------------------------------
1 |
2 | DocumentRoot /usr/local/waftest
3 |
4 | Order allow,deny
5 | Allow from all
6 | Require all granted
7 |
8 |
9 |
10 | DocumentRoot /usr/local/waftest
11 | SecRuleEngine <%= node['waf_testbed']['engine_mode'] %>
12 | SSLEngine on
13 | SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
14 | SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
15 | BrowserMatch "MSIE [2-6]" \
16 | nokeepalive ssl-unclean-shutdown \
17 | downgrade-1.0 force-response-1.0
18 | BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
19 |
20 | Order allow,deny
21 | Allow from all
22 | Require all granted
23 |
24 |
25 |
--------------------------------------------------------------------------------
/templates/default/crawlers-user-agents.data.erb:
--------------------------------------------------------------------------------
1 | # Search engine crawlers and other bots
2 |
3 | # site ripper
4 | # http://www.softbytelabs.com/en/BlackWidow/
5 | black widow
6 | blackwidow
7 | # crawler
8 | # 2006
9 | prowebwalker
10 | # generic crawler
11 | pymills-spider/
12 | # SEO
13 | # https://ahrefs.com/robot
14 | AhrefsBot
15 | # people database
16 | # https://pipl.com/bot/
17 | PiplBot
18 | # advertising targeting
19 | # https://www.grapeshot.com/crawler/
20 | GrapeshotCrawler/2.0
21 | grapeFX
22 | # SEO
23 | # http://www.searchmetrics.com/searchmetricsbot/
24 | SearchmetricsBot
25 | # SEO
26 | # https://moz.com/help/guides/moz-procedures/what-is-rogerbot
27 | rogerbot
28 | # SEO
29 | # http://www.majestic12.co.uk/projects/dsearch/mj12bot.php
30 | MJ12bot
31 | # news service
32 | Owlin bot
33 | # misbehaving spider
34 | Lingewoud-550-Spyder
35 |
--------------------------------------------------------------------------------
/templates/default/scripting-user-agents.data.erb:
--------------------------------------------------------------------------------
1 | # Generic HTTP clients (popular libraries)
2 |
3 | # http library
4 | # http://search.cpan.org/~opera/HTTP-DAV/DAV.pm
5 | dav.pm/v
6 | # http library
7 | # http://search.cpan.org/dist/libwww-perl/lib/LWP.pm
8 | libwww-perl
9 | # generic
10 | mozilla/4.0 (compatible)
11 | mozilla/4.0 (compatible; msie 6.0; win32)
12 | mozilla/5.0 sf/
13 | mozilla/5.0 sf//
14 | # http library
15 | # https://pypi.python.org/pypi/httplib2
16 | python-httplib2
17 | # http library
18 | # http://docs.python-requests.org/en/master/
19 | python-requests
20 | # http library
21 | # https://docs.python.org/2/library/urllib.html
22 | Python-urllib
23 | # http library
24 | # https://github.com/typhoeus/typhoeus
25 | typhoeus
26 | # http library
27 | # https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
28 | winhttp.winhttprequest
29 |
--------------------------------------------------------------------------------
/templates/default/restricted-files.data.erb:
--------------------------------------------------------------------------------
1 | # Apache
2 | # (no slash; also guards against old.htaccess, old.htpasswd, etc.)
3 | .htaccess
4 | .htdigest
5 | .htpasswd
6 | # Version control
7 | /.git/
8 | /.gitignore
9 | /.hg/
10 | /.hgignore
11 | /.svn/
12 | # Wordpress
13 | wp-config.php
14 | wp-config.bak
15 | wp-config.old
16 | wp-config.temp
17 | wp-config.tmp
18 | wp-config.txt
19 | # Symfony
20 | /config/config.yml
21 | /config/config_dev.yml
22 | /config/config_prod.yml
23 | /config/config_test.yml
24 | /config/parameters.yml
25 | /config/routing.yml
26 | /config/security.yml
27 | /config/services.yml
28 | # Drupal
29 | /sites/default/default.settings.php
30 | /sites/default/settings.php
31 | # Magento
32 | /app/etc/local.xml
33 | # Sublime Text
34 | /sftp-config.json
35 | # ASP.NET
36 | /Web.config
37 | # Node
38 | /gruntfile.js
39 | /npm-debug.log
40 | # Composer
41 | /composer.json
42 | /composer.lock
43 | /packages.json
44 | # dotenv
45 | /.env
46 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # waf_testbed
2 |
3 | ## Purpose
4 |
5 | Cookbook to create a WAF rule testing environment. This cookbook will provision apache2,
6 | modsecurity and version 3.0.2 of the OWASP core ruleset. In addition, this cookbook will
7 | provision services for both HTTP/HTTPS. This cookbook installs the Framework for Testing WAFs
8 | (FTW) package in addition to the OWASP core ruleset regression tests (projects linked below).
9 |
10 | [FTW](https://github.com/fastly/ftw)
11 |
12 | [OWASP regression tests](https://github.com/SpiderLabs/OWASP-CRS-regressions)
13 |
14 | ## Dependencies
15 |
16 | To use the Vagrantfile, you will need the Berksfile plugin installed:
17 |
18 | % vagrant plugin install vagrant-berkshelf
19 |
20 | Change the following attribute to control the mode (block/log):
21 |
22 | ```
23 | default['waf_testbed']['engine_mode'] = 'On'
24 | ```
25 |
26 |
27 | To view the audit trail written by ModSecurity:
28 |
29 | ```
30 | /var/log/apache2/modsec_audit.log
31 | ```
32 |
33 | To view the error log where ModSecurity messages appear:
34 |
35 | ```
36 | /var/log/apache2-default/error_log
37 | ```
38 |
--------------------------------------------------------------------------------
/templates/default/unix-shell.data.erb:
--------------------------------------------------------------------------------
1 | bin/bash
2 | bin/csh
3 | bin/dash
4 | bin/du
5 | bin/echo
6 | bin/less
7 | bin/ls
8 | bin/more
9 | bin/nc
10 | bin/ps
11 | bin/rbash
12 | bin/sh
13 | bin/sleep
14 | bin/su
15 | bin/tcsh
16 | bin/uname
17 | dev/fd/
18 | dev/null
19 | dev/stderr
20 | dev/stdin
21 | dev/stdout
22 | dev/tcp/
23 | dev/udp/
24 | dev/zero
25 | etc/group
26 | etc/master.passwd
27 | etc/passwd
28 | etc/pwd.db
29 | etc/shadow
30 | etc/shells
31 | etc/spwd.db
32 | proc/self/
33 | usr/bin/cc
34 | usr/bin/clang
35 | usr/bin/clang++
36 | usr/bin/curl
37 | usr/bin/env
38 | usr/bin/fetch
39 | usr/bin/file
40 | usr/bin/find
41 | usr/bin/ftp
42 | usr/bin/gcc
43 | usr/bin/head
44 | usr/bin/id
45 | usr/bin/less
46 | usr/bin/more
47 | usr/bin/nc
48 | usr/bin/nice
49 | usr/bin/nmap
50 | usr/bin/perl
51 | usr/bin/php
52 | usr/bin/php5
53 | usr/bin/php7
54 | usr/bin/python
55 | usr/bin/python2
56 | usr/bin/python3
57 | usr/bin/ruby
58 | usr/bin/tail
59 | usr/bin/top
60 | usr/bin/uname
61 | usr/bin/wget
62 | usr/bin/who
63 | usr/bin/whoami
64 | usr/bin/xargs
65 | usr/local/bin/bash
66 | usr/local/bin/curl
67 | usr/local/bin/nmap
68 | usr/local/bin/perl
69 | usr/local/bin/php
70 | usr/local/bin/python
71 | usr/local/bin/python2
72 | usr/local/bin/python3
73 | usr/local/bin/rbash
74 | usr/local/bin/ruby
75 | usr/local/bin/wget
76 |
--------------------------------------------------------------------------------
/test/integration/default/default_spec.rb:
--------------------------------------------------------------------------------
1 | describe service('apache2-default') do # Service name of the httpd cookbook's default instance — TODO confirm against recipes/default.rb
2 |   it { should be_enabled }
3 |   it { should be_running }
4 | end
5 |
6 | describe port(80) do # Plain-HTTP vhost; ports.conf.erb only adds Listen 0.0.0.0:443, so port 80 presumably comes from the httpd cookbook's own config — confirm
7 |   it { should be_listening }
8 | end
9 |
10 | describe port(443) do # TLS vhost (see vhost.conf.erb)
11 |   it { should be_listening }
12 | end
13 |
14 | describe package('libapache2-mod-security2') do # Ubuntu package that provides mod_security2 for apache2
15 |   it { should be_installed }
16 | end
17 |
18 | #
19 | # NB: It's possible that the engine is running in detection
20 | # mode. The following command should result in a log being
21 | # generated at the very least.
22 | #
23 | describe command('curl -X__FOOBAZ localhost') do # Non-standard request method; expected to trip the local test rule whose logdata is asserted below — presumably fastly_test_rules.conf.erb, verify
24 | # its(:stdout) { should match '403 Forbidden' } # Only holds when SecRuleEngine is On; kept disabled because DetectionOnly is a valid engine_mode too (see NB above)
25 |   its(:exit_status) { should eq 0 } # curl without -f exits 0 for any HTTP status, so this only proves the server answered
26 | end
27 |
28 | describe command('curl -XGET localhost') do # Baseline: the test page (templates/default/index.html.erb) must be served
29 |   its(:stdout) { should match ' Testing Site
' }
30 |   its(:exit_status) { should eq 0 }
31 | end
32 |
33 | describe command('curl -X_BOGUS_HEADER_TLS -k https://localhost') do # -k: the 443 vhost uses the self-signed snakeoil certificate (vhost.conf.erb), so verification has to be skipped
34 |   its(:exit_status) { should eq 0 }
35 | end
36 |
37 | describe file('/var/log/apache2/modsec_audit.log') do # Audit log path documented in README.md
38 |   it { should be_file }
39 |   its (:content) { should match 'data "WAF testing: Got unauthorized method: __FOOBAZ"\]' } # The string is presumably used as a regexp pattern by the matcher, hence the escaped ]
40 | end
41 |
42 | describe file('/var/log/apache2/modsec_audit.log') do # Same file as above; checks the TLS request was audited as well
43 |   it { should be_file }
44 |   its (:content) { should match 'data "WAF testing: Got unauthorized method: _BOGUS_HEADER_TLS"\]' }
45 | end
46 |
46 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-905-COMMON-EXCEPTIONS.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 |
11 | # This file is used as an exception mechanism to remove common false positives
12 | # that may be encountered.
13 | #
14 | # Exception for Apache SSL pinger
15 | #
16 | SecRule REQUEST_LINE "@streq GET /" \
17 | "phase:1,\
18 | id:905100,\
19 | t:none,\
20 | pass,\
21 | nolog,\
22 | tag:'application-multi',\
23 | tag:'language-multi',\
24 | tag:'platform-apache',\
25 | tag:'attack-generic',\
26 | chain"
27 | SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
28 | "t:none,\
29 | ctl:ruleEngine=Off,\
30 | ctl:auditEngine=Off"
31 |
32 | #
33 | # Exception for Apache internal dummy connection
34 | #
35 | SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
36 | "phase:1,\
37 | id:905110,\
38 | t:none,\
39 | pass,\
40 | nolog,\
41 | tag:'application-multi',\
42 | tag:'language-multi',\
43 | tag:'platform-apache',\
44 | tag:'attack-generic',\
45 | chain"
46 | SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
47 | "t:none,\
48 | chain"
49 | SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" \
50 | "t:none,\
51 | ctl:ruleEngine=Off,\
52 | ctl:auditEngine=Off"
53 |
54 |
55 |
--------------------------------------------------------------------------------
/templates/default/sql-errors.data.erb:
--------------------------------------------------------------------------------
1 | MySqlClient.
2 | Server message
3 | SQL error
4 | Oracle error
5 | JET Database Engine
6 | Procedure or function
7 | SQLite.Exception
8 | [IBM][CLI Driver][DB2/6000]
9 | the used select statements have different number of columns
10 | org.postgresql.util.PSQLException
11 | Access Database Engine
12 | Incorrect syntax near
13 | Syntax error in string in query expression
14 | SQLiteException
15 | ' doesn't exist
16 | CLI Driver
17 | on MySQL result index
18 | sybase
19 | com.informix.jdbc
20 | [MySQL][ODBC
21 | Error
22 | has occurred in the vicinity of:
23 | Sintaxis incorrecta cerca de
24 | MySQL server version for the right syntax to use
25 | com.mysql.jdbc.exceptions
26 | You have an error in your SQL syntax near
27 | You have an error in your SQL syntax;
28 | An illegal character has been found in the statement
29 | pg_query() [:
30 | supplied argument is not a valid MySQL
31 | mssql_query()
32 | mysql_fetch_array()
33 | Exception
34 | java.sql.SQLException
35 | Column count doesn't match value count at row
36 | Sybase message
37 | SQL Server
38 | PostgreSQL query failed:
39 | Dynamic SQL Error
40 | System.Data.SQLite.SQLiteException
41 | SQLite/JDBCDriver
42 | Unclosed quotation mark before the character string
43 | System.Data.SqlClient.
44 | Unclosed quotation mark after the character string
45 | System.Data.OleDb.OleDbException
46 | [DM_QUERY_E_SYNTAX]
47 | [SqlException
48 | Unexpected end of command in statement
49 | valid PostgreSQL result
50 | pg_exec() [:
51 | SQL Server
52 | [SQLITE_ERROR]
53 | Microsoft OLE DB Provider for ODBC Drivers
54 | PostgreSQL
55 | org.hsqldb.jdbc
56 | ADODB.Field (0x800A0BCD)
57 | SQL syntax
58 | Exception
59 | System.Data.SqlClient.SqlException
60 | Data type mismatch in criteria expression.
61 | Driver
62 | DB2 SQL error
63 | Sybase message:
64 | ORA-
65 | [Microsoft][ODBC SQL Server Driver]
66 | '80040e14'
67 | Microsoft OLE DB Provider for SQL Server
68 | in query expression
69 | Npgsql.
70 | valid MySQL result
71 | supplied argument is not a valid PostgreSQL result
72 | db2_
73 | Ingres SQLSTATE
74 | Column count doesn't match
75 | Warning
76 | [Microsoft][ODBC Microsoft Access Driver]
77 | [Macromedia][SQLServer JDBC Driver]
78 | Warning: ibase_
79 | Roadhouse.Cms.
80 | DB2 SQL error:
81 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-911-METHOD-ENFORCEMENT.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 |
15 |
16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:911011,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:911012,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
18 | #
19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
20 | #
21 |
22 | #
23 | # -=[ Allowed Request Methods ]=-
24 | #
25 | # tx.allowed_methods is defined in the crs-setup.conf file
26 | #
27 | SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
28 | "msg:'Method is not allowed by policy',\
29 | severity:'CRITICAL',\
30 | id:911100,\
31 | phase:request,\
32 | block,\
33 | rev:'2',\
34 | ver:'OWASP_CRS/3.0.0',\
35 | maturity:'9',\
36 | accuracy:'9',\
37 | tag:'application-multi',\
38 | tag:'language-multi',\
39 | tag:'platform-multi',\
40 | tag:'attack-generic',\
41 | tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
42 | tag:'WASCTC/WASC-15',\
43 | tag:'OWASP_TOP_10/A6',\
44 | tag:'OWASP_AppSensor/RE1',\
45 | tag:'PCI/12.1',\
46 | logdata:'%{matched_var}',\
47 | setvar:'tx.msg=%{rule.msg}',\
48 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
49 | setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
50 |
51 |
52 |
53 |
54 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:911013,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
55 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:911014,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
56 | #
57 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
58 | #
59 |
60 |
61 |
62 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:911015,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
63 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:911016,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
64 | #
65 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
66 | #
67 |
68 |
69 |
70 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:911017,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
71 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:911018,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
72 | #
73 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
74 | #
75 |
76 |
77 |
78 | #
79 | # -= Paranoia Levels Finished =-
80 | #
81 | SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"
82 |
83 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-959-BLOCKING-EVALUATION.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | # You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
11 | # it will work similarly to previous Mod CRS rules and will create an event in the error_log
12 | # file if there are any rules that match. If you would like to lessen the number of events
13 | # generated in the error_log file, you should increase the anomaly score threshold to
14 | # something like "@gt 20". This would only generate an event in the error_log file if
15 | # there are multiple lower severity rule matches or if any 1 higher severity item matches.
16 | #
17 | # You should also set the desired disruptive action (deny, redirect, etc...).
18 | #
19 |
20 | #
21 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
22 | #
23 |
24 | # Alert and Block on High Anomaly Scores - this would block outbound data leakages
25 | #
26 | SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
27 | "phase:4,\
28 | id:959100,\
29 | tag:'anomaly-evaluation',\
30 | t:none,\
31 | deny,\
32 | msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
33 |
34 |
35 |
36 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:959011,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
37 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:959012,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
38 | #
39 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
40 | #
41 |
42 |
43 |
44 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:959013,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
45 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:959014,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
46 | #
47 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
48 | #
49 |
50 |
51 |
52 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:959015,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
53 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:959016,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
54 | #
55 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
56 | #
57 |
58 |
59 |
60 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:959017,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
61 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:959018,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
62 | #
63 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
64 | #
65 |
66 |
67 |
68 | #
69 | # -= Paranoia Levels Finished =-
70 | #
71 | SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
72 |
73 |
--------------------------------------------------------------------------------
/templates/default/sql-function-names.data.erb:
--------------------------------------------------------------------------------
1 | abs
2 | acos
3 | adddate
4 | addtime
5 | aes_decrypt
6 | aes_encrypt
7 | ascii
8 | asciistr
9 | asin
10 | atan
11 | atan2
12 | avg
13 | benchmark
14 | bin
15 | bin_to_num
16 | bit_and
17 | bit_count
18 | bit_length
19 | bit_or
20 | bit_xor
21 | cast
22 | ciel
23 | cieling
24 | char_length
25 | char
26 | character_length
27 | charset
28 | chr
29 | coalesce
30 | coercibility
31 | collation
32 | compress
33 | concat_ws
34 | concat
35 | connection_id
36 | conv
37 | convert_tz
38 | convert
39 | cos
40 | cot
41 | count
42 | dcount
43 | cr32
44 | curdate
45 | current_date
46 | current_time
47 | current_timestamp
48 | current_user
49 | curtime
50 | database
51 | date
52 | date_add
53 | date_format
54 | date_sub
55 | datediff
56 | day
57 | dayname
58 | dayofmonth
59 | dayofweek
60 | dayofyear
61 | decode
62 | default
63 | degrees
64 | des_decrypt
65 | des_encrypt
66 | dump
67 | elt
68 | encode
69 | encrypt
70 | exp
71 | export_set
72 | extract
73 | extractvalue
74 | field
75 | field_in_set
76 | find_in_set
77 | floor
78 | format
79 | found_rows
80 | from_base64
81 | from_days
82 | from_unixtime
83 | get_format
84 | get_lock
85 | greatest
86 | group_concat
87 | hex
88 | hextoraw
89 | rawtohex
90 | hour
91 | if
92 | ifnull
93 | in
94 | inet6_aton
95 | inet6_ntoa
96 | inet_aton
97 | inet_ntoa
98 | insert
99 | instr
100 | interval
101 | isnull
102 | is_free_lock
103 | is_ipv4_compat
104 | is_ipv4_mapped
105 | is_ipv4
106 | is_ipv6
107 | is_not_null
108 | is_not
109 | is_null
110 | is_used_lock
111 | last
112 | last_day
113 | last_inser_id
114 | lcase
115 | least
116 | left
117 | length
118 | ln
119 | load_file
120 | local
121 | localtimestamp
122 | locate
123 | log
124 | log2
125 | log10
126 | lower
127 | lpad
128 | ltrim
129 | make_set
130 | makedate
131 | master_pos_wait
132 | max
133 | md5
134 | microsecond
135 | mid
136 | min
137 | minute
138 | mod
139 | month
140 | monthname
141 | name_const
142 | not_in
143 | now
144 | nullif
145 | oct
146 | octet_length
147 | old_password
148 | ord
149 | password
150 | period_add
151 | period_diff
152 | pi
153 | position
154 | pow
155 | power
156 | procedure_analyse
157 | quarter
158 | quote
159 | radians
160 | rand
161 | release_lock
162 | repeat
163 | replace
164 | reverse
165 | right
166 | round
167 | row_count
168 | rpad
169 | rtrim
170 | schema
171 | sec_to_time
172 | second
173 | session_user
174 | sha
175 | sha1
176 | sha2
177 | sign
178 | sin
179 | pg_sleep
180 | sleep
181 | soundex
182 | space
183 | sqrt
184 | std
185 | stddev_pop
186 | stddev_samp
187 | str_to_date
188 | strcmp
189 | subdate
190 | substring
191 | substring_index
192 | substr
193 | subtime
194 | sum
195 | sysdate
196 | system_user
197 | tan
198 | time
199 | timestamp
200 | timestampadd
201 | timestampdiff
202 | timediff
203 | time_format
204 | time_to_sec
205 | to_base64
206 | todays
207 | toseconds
208 | tochar
209 | tonchar
210 | trim
211 | truncate
212 | ucase
213 | uncompress
214 | uncompressed_length
215 | unhex
216 | unix_timestamp
217 | updatexml
218 | upper
219 | user
220 | utc_date
221 | utc_time
222 | utc_timestamp
223 | uuid
224 | uuid_short
225 | values
226 | var_pop
227 | var_samp
228 | variance
229 | version
230 | week
231 | weekday
232 | weekofyear
233 | weight_string
234 | year
235 | yearweek
236 | xmltype
237 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # The purpose of this file is to hold LOCAL exceptions for your site.
12 | # The types of rules that would go into this file are one where you want
13 | # to unconditionally disable rules or modify their actions during startup.
14 | #
15 | # Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
16 | # for a description of the rule exclusions mechanism and the correct
17 | # use of this file.
18 | #
19 |
20 | #
21 | # Example Exclusion Rule: To unconditionally disable a rule ID
22 | #
23 | # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
24 | # SecRuleRemoveById 942100
25 |
26 | # Example Exclusion Rule: Remove a group of rules
27 | #
28 | # ModSecurity Rule Exclusion: Disable PHP injection rules
29 | # SecRuleRemoveByTag "attack-injection-php"
30 |
31 | #
32 | # Example Exclusion Rule: To unconditionally remove parameter "foo" from
33 | # inspection for SQLi rules
34 | #
35 | # ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
36 | # SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
37 |
38 |
39 | # -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
40 | #
41 | # In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
42 | # and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
43 | # against your policy. To apply a disruptive action, they overwrite the default
44 | # actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
45 | # This 'deny' is by default paired with a 'status:403' action.
46 | #
47 | # In order to change the disruptive action from 'deny' to something else,
48 | # you must use SecRuleUpdateActionByID directives AFTER the CRS rules
49 | # are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
50 | #
51 | # These actions only apply when using Anomaly Mode.
52 | #
53 | # Default action: block with error 403
54 | # (No configuration needed in this file if you want the default behavior.)
55 | #
56 |
57 | # Example: redirect back to the homepage on blocking
58 | # Note: the target is built from the client-supplied Host header, so only use this form behind a vhost that restricts which Host values it accepts; otherwise a forged Host turns the block response into a redirect to a site of the sender's choosing.
59 | # SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
60 | # SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
61 |
62 | # Example: redirect to another URL on blocking
63 | #
64 | # SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
65 | # SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
66 |
67 | # Example: send an error 404
68 | #
69 | # SecRuleUpdateActionById 949110 "t:none,deny,status:404"
70 | # SecRuleUpdateActionById 959100 "t:none,deny,status:404"
71 |
72 | # Example: drop the connection (best for DoS attacks)
73 | #
74 | # SecRuleUpdateActionById 949110 "t:none,drop"
75 | # SecRuleUpdateActionById 959100 "t:none,drop"
76 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-949-BLOCKING-EVALUATION.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 | SecMarker BEGIN_REQUEST_BLOCKING_EVAL
15 |
16 | # These rules use the anomaly score settings specified in the 10 config file.
17 | # You should also set the desired disruptive action (deny, redirect, etc...).
18 | #
19 | # -=[ IP Reputation Checks ]=-
20 | #
21 | # Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
22 | #
# 949100: IP reputation enforcement. This is a two-link chain, so the head
# rule's 'deny' only fires when BOTH conditions hold: the client address is
# flagged in the IP collection (IP:REPUT_BLOCK_FLAG = 1, presumably set by an
# earlier blocked transaction from the same address; the collection itself
# is initialised elsewhere in the ruleset) AND reputation blocking is enabled
# for this transaction (TX:DO_REPUT_BLOCK = 1). 'deny' carries no explicit
# status, so the response code comes from SecDefaultAction (403 by default;
# see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example for overriding it).
# logdata surfaces the reason stored with the earlier block.
# The chain link also snapshots the current message and anomaly score into
# tx.inbound_tx_msg / tx.inbound_anomaly_score, which RESPONSE-980-CORRELATION
# reads back in the logging phase.
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"msg:'Request Denied by IP Reputation Enforcement.',\
severity:CRITICAL,\
phase:request,\
id:949100,\
deny,\
log,\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"setvar:tx.inbound_tx_msg=%{tx.msg},\
setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
39 |
40 |
41 | #
42 | # -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
43 | #
# 949110: the anomaly-mode blocking decision for the request phase. It fires
# once the accumulated TX:ANOMALY_SCORE reaches the inbound threshold
# (tx.inbound_anomaly_score_threshold, configured in the CRS setup file) and
# denies with the status from SecDefaultAction (403 unless changed with
# SecRuleUpdateActionById 949110, as shown in the RESPONSE-999 example file).
# t:none keeps any default transformations from touching the numeric score.
# The final message and score are copied into tx.inbound_tx_msg /
# tx.inbound_anomaly_score so the RESPONSE-980-CORRELATION rules can report
# them after the response has been sent.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
severity:CRITICAL,\
phase:request,\
id:949110,\
t:none,\
deny,\
log,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
setvar:tx.inbound_tx_msg=%{tx.msg},\
setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
58 |
59 |
60 |
61 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:949011,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
62 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:949012,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
63 | #
64 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
65 | #
66 |
67 |
68 |
69 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:949013,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
70 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:949014,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
71 | #
72 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
73 | #
74 |
75 |
76 |
77 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:949015,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
78 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:949016,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
79 | #
80 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
81 | #
82 |
83 |
84 |
85 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:949017,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
86 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:949018,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
87 | #
88 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
89 | #
90 |
91 |
92 |
93 | #
94 | # -= Paranoia Levels Finished =-
95 | #
96 | SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"
97 |
98 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-952-DATA-LEAKAGES-JAVA.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 |
15 |
16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:952011,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:952012,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
18 | #
19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
20 | #
21 |
22 | #
23 | # -=[ Java Source Code Leakages ]=-
24 | #
# 952100: detect Java source code fragments in the response body. Phrase
# matching (@pmFromFile) against java-code-leakages.data, which the cookbook
# recipe installs alongside this file under /etc/modsecurity. The rule runs in
# phase 4 (response body), so it only sees data when response body access is
# enabled in modsecurity.conf (SecResponseBodyAccess On) — confirm the
# templated modsecurity.conf sets this, otherwise the rule is inert.
# On a hit it captures the matched phrase (%{TX.0}), adds the response body
# to the audit log (auditLogParts +E), applies SecDefaultAction's disruptive
# action ('block'), and raises both the outbound and the overall anomaly
# score by tx.error_anomaly_score.
# The last setvar creates a tx variable named
# <id>-OWASP_CRS/LEAKAGE/SOURCE_CODE-<var>. Note that rule 980100 in
# RESPONSE-980-CORRELATION only counts variables containing LEAKAGE/ERRORS,
# so this SOURCE_CODE variable does not feed the "successful attack"
# correlation — presumably intentional, worth confirming.
SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
"phase:4,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
capture,\
ctl:auditLogParts=+E,\
block,\
msg:'Java Source Code Leakage',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
id:952100,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
51 |
52 | #
53 | # -=[ Java Errors ]=-
54 | #
55 | # Ref: https://github.com/andresriancho/w3af/blob/master/plugins/grep/error_pages.py
56 | #
# 952110: detect Java error/stack-trace text in the response body, using the
# phrase list in java-errors.data (installed next to this file by the
# recipe). Same mechanics as 952100: phase 4, so it needs response body
# access enabled in modsecurity.conf (SecResponseBodyAccess On — confirm);
# capture the phrase, add the body to the audit log (+E), 'block' per
# SecDefaultAction, and add tx.error_anomaly_score to the outbound and
# overall scores.
# The tx variable set on the last line is named
# <id>-OWASP_CRS/LEAKAGE/ERRORS-<var>; that LEAKAGE/ERRORS fragment is what
# rule 980100 in RESPONSE-980-CORRELATION counts when it decides whether an
# inbound attack was followed by an error leak.
SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
"phase:4,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
capture,\
ctl:auditLogParts=+E,\
block,\
msg:'Java Errors',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
id:952110,\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
83 |
84 |
85 |
86 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:952013,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
87 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:952014,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
88 | #
89 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
90 | #
91 |
92 |
93 |
94 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:952015,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
95 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:952016,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
96 | #
97 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
98 | #
99 |
100 |
101 |
102 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:952017,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
103 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:952018,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
104 | #
105 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
106 | #
107 |
108 |
109 |
110 | #
111 | # -= Paranoia Levels Finished =-
112 | #
113 | SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"
114 |
115 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-950-DATA-LEAKAGES.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | # The paranoia level skip rules 950020, 950021 and 950022 have odd
11 | # numbers not in sync with other paranoia level skip rules in other
12 | # files. This is done to avoid rule id collisions with CRSv2.
13 | # This is also true for rule 950130.
14 |
15 | #
16 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
17 | #
18 |
19 |
20 |
21 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:950020,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
22 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:950021,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
23 | #
24 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
25 | #
26 |
27 | #
28 | # -=[ Directory Listing ]=-
29 | #
30 | #SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]<\/[Aa]>)" \
31 | # "phase:response,\
32 | # rev:'2',\
33 | # ver:'OWASP_CRS/3.0.0',\
34 | # maturity:'9',\
35 | # accuracy:'9',\
36 | # t:none,\
37 | # capture,\
38 | # ctl:auditLogParts=+E,\
39 | # block,\
40 | # msg:'Directory Listing',\
41 | # logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
42 | # id:950130,\
43 | # tag:'application-multi',\
44 | # tag:'language-multi',\
45 | # tag:'platform-multi',\
46 | # tag:'attack-disclosure',\
47 | # tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
48 | # tag:'WASCTC/WASC-13',\
49 | # tag:'OWASP_TOP_10/A6',\
50 | # tag:'PCI/6.5.6',\
51 | # severity:'ERROR',\
52 | # setvar:'tx.msg=%{rule.msg}',\
53 | # setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
54 | # setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
55 | # setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
56 |
57 |
58 |
59 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:950013,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
60 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:950014,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
61 | #
62 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
63 | #
64 |
65 | #
66 | # -=[ The application is not available - 5xx level status code ]=-
67 | #
# 950100 (paranoia level 2 and above): treat any 5xx response status as an
# application-error leak. RESPONSE_STATUS is matched with the implicit @rx
# operator against ^5\d{2}$. As with the other leakage rules it captures the
# match, adds the response body to the audit log (+E), applies
# SecDefaultAction's disruptive action via 'block', and adds
# tx.error_anomaly_score to the outbound and overall anomaly scores.
# The tx variable set on the last line (<id>-AVAILABILITY/APP_NOT_AVAIL-<var>)
# is what rule 980110 in RESPONSE-980-CORRELATION counts to report a
# "Correlated Attack Attempt".
# Operational note: if SecDefaultAction for the response phases is 'deny',
# the application's own 5xx page is replaced by the WAF deny response, so
# clients and monitoring see the WAF status instead of the original 5xx.
SecRule RESPONSE_STATUS "^5\d{2}$" \
"phase:response,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
capture,\
ctl:auditLogParts=+E,\
block,\
msg:'The Application Returned a 500-Level Status Code',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
id:950100,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'WASCTC/WASC-13',\
tag:'OWASP_TOP_10/A6',\
tag:'PCI/6.5.6',\
tag:'paranoia-level/2',\
severity:'ERROR',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
94 |
95 |
96 |
97 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:950015,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
98 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:950016,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
99 | #
100 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
101 | #
102 |
103 |
104 |
105 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:950017,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
106 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:950022,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
107 | #
108 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
109 | #
110 |
111 |
112 |
113 | #
114 | # -= Paranoia Levels Finished =-
115 | #
116 | SecMarker "END-RESPONSE-950-DATA-LEAKAGES"
117 |
118 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-980-CORRELATION.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # This file is used in post processing after the response has been sent to
12 | # the client (in the logging phase). Its purpose is to provide inbound+outbound
13 | # correlation of events to provide a more intelligent designation as to the outcome
14 | # or result of the transaction - meaning, was this a successful attack?
15 | #
16 |
17 | #
18 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
19 | #
20 |
21 | #
22 | # -=[ Correlated Successful Attack ]=-
23 | #
# 980100: "successful attack" correlation, evaluated in the logging phase
# after the response has gone out. The '&' count operator on a regex-named
# TX target counts tx variables whose name contains LEAKAGE/ERRORS — the
# variables the RESPONSE-95x error-leakage rules create (e.g. 952110 sets
# <id>-OWASP_CRS/LEAKAGE/ERRORS-<var>). Variables named LEAKAGE/SOURCE_CODE
# (952100) or LEAKAGE/INFO (the commented-out 950130) are not counted here;
# presumably intentional, worth confirming.
# The chain link additionally requires at least one tx variable containing
# WEB_ATTACK, which the inbound attack rules are presumed to set. The rule
# is non-disruptive (log, pass): it records the EMERGENCY-level summary built
# from the inbound snapshot (tx.inbound_tx_msg / TX.INBOUND_ANOMALY_SCORE)
# and the outbound score, then skips the remaining correlation rules.
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
"chain,\
phase:logging,\
id:980100,\
t:none,\
log,\
pass,\
tag:'event-correlation',\
skipAfter:END_CORRELATION,\
severity:'EMERGENCY',\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
36 |
37 |
38 | #
39 | # -=[ Correlated Attack Attempt ]=-
40 | #
# 980110: "attack attempt" correlation. Counts tx variables whose name
# contains AVAILABILITY/APP_NOT_AVAIL — set by rule 950100 in
# RESPONSE-950-DATA-LEAKAGES when the application answered with a 5xx — and,
# via the chain link, requires at least one WEB_ATTACK tx variable from the
# inbound rules. Like 980100 it only logs (severity ALERT) and passes, then
# skips to END_CORRELATION so the plain score-summary rules below do not
# also fire for the same transaction.
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
"chain,\
phase:logging,\
id:980110,\
t:none,\
log,\
pass,\
tag:'event-correlation',\
skipAfter:END_CORRELATION,\
severity:'ALERT',\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
53 |
# 980120: summary line for requests that scored but were NOT blocked —
# inbound score above zero (head) and below the inbound threshold (chain
# link, which carries no action list of its own). Written to the error log
# only: noauditlog keeps these sub-threshold hits out of the audit log.
# Reached only when neither 980100 nor 980110 matched, since both skip to
# END_CORRELATION.
SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
"chain,\
phase:logging,\
id:980120,\
t:none,\
log,noauditlog,\
pass,\
tag:'event-correlation',\
skipAfter:END_CORRELATION,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}): %{tx.inbound_tx_msg}'"
SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}"
65 |
# 980130: summary line for requests whose inbound score reached the
# threshold (i.e. the ones 949110 denied). The message breaks the total down
# by attack class using the per-category tx.*_score counters, which the
# inbound rule files are presumed to maintain. Error-log only (noauditlog);
# the audit-log entry for a blocked request comes from the blocking rule.
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"phase:logging,\
id:980130,\
t:none,\
log,noauditlog,\
pass,\
tag:'event-correlation',\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}'"
74 |
# 980140: summary line for responses whose outbound (leakage) score reached
# tx.outbound_anomaly_score_threshold; reports the last leakage message in
# tx.msg. Error-log only (noauditlog), non-disruptive.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"phase:logging,\
id:980140,\
t:none,\
log,noauditlog,\
pass,\
tag:'event-correlation',\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
83 |
84 | SecMarker END_CORRELATION
85 |
86 |
87 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:980011,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
88 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:980012,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
89 | #
90 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
91 | #
92 |
93 |
94 |
95 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:980013,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
96 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:980014,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
97 | #
98 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
99 | #
100 |
101 |
102 |
103 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:980015,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
104 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:980016,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
105 | #
106 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
107 | #
108 |
109 |
110 |
111 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:980017,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
112 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:980018,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION"
113 | #
114 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
115 | #
116 |
117 |
118 |
119 | #
120 | # -= Paranoia Levels Finished =-
121 | #
122 | SecMarker "END-RESPONSE-980-CORRELATION"
123 |
124 |
--------------------------------------------------------------------------------
/templates/default/scanners-user-agents.data.erb:
--------------------------------------------------------------------------------
1 | # Vulnerability scanners, bruteforce password crackers and exploitation tools
2 |
3 | # password cracker
4 | # http://sectools.org/tool/hydra/
5 | (hydra)
6 | # vuln scanner
7 | # http://virtualblueness.net/nasl.html
8 | .nasl
9 | # sql injection
10 | # https://sourceforge.net/projects/absinthe/
11 | absinthe
12 | # email harvesting
13 | # dead? 2004
14 | advanced email extractor
15 | # vuln scanner
16 | # http://www.arachni-scanner.com/
17 | arachni/
18 | #
19 | autogetcontent
20 | # nessus frontend
21 | # http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html
22 | # dead? 2003
23 | bilbo
24 | # Backup File Artifacts Checker
25 | # https://github.com/mazen160/bfac
26 | BFAC
27 | # password cracker
28 | # http://sectools.org/tool/brutus/
29 | brutus
30 | brutus/aet
31 | # sql injection
32 | # https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/
33 | bsqlbf
34 | # vuln scanner
35 | # http://freecode.com/projects/cgichk dead? 2001
36 | cgichk
37 | # vuln scanner
38 | # https://sourceforge.net/projects/cisco-torch/
39 | cisco-torch
40 | # vuln scanner
41 | # https://github.com/stasinopoulos/commix
42 | commix
43 | # MS FrontPage vuln scanner?
44 | core-project/1.0
45 | # vuln scanner?
46 | crimscanner/
47 | # vuln scanner
48 | datacha0s
49 | # hidden page scanner
50 | # https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
51 | dirbuster
52 | # vuln scanner
53 | # https://sourceforge.net/projects/dominohunter/
54 | domino hunter
55 | # vuln scanner - directory traversal fuzzer
56 | # https://github.com/wireghoul/dotdotpwn
57 | dotdotpwn
58 | #
59 | #
60 | email extractor
61 | # vuln scanner
62 | fhscan core 1.
63 | #
64 | floodgate
65 | #
66 | get-minimal
67 | # vuln scanner
68 | gootkit auto-rooter scanner
69 | #
70 | grabber
71 | # vuln scanner
72 | # https://sourceforge.net/projects/grendel/
73 | grendel-scan
74 | # sql injection
75 | havij
76 | # vuln scanner - path disclosure finder
77 | # http://seclists.org/fulldisclosure/2010/Sep/375
78 | inspath
79 | #
80 | internet ninja
81 | # vuln scanner
82 | jaascois
83 | # vuln scanner
84 | zmeu
85 | # port scanner
86 | # https://github.com/robertdavidgraham/masscan
87 | masscan
88 | # vuln scanner
89 | # http://www.severus.org/sacha/metis/
90 | metis
91 | # vuln scanner
92 | morfeus fucking scanner
93 | # sql injection
94 | # https://github.com/dtrip/mysqloit
95 | mysqloit
96 | # vuln scanner
97 | # http://www.nstalker.com/
98 | n-stealth
99 | # vuln scanner
100 | # http://www.tenable.com/products/nessus-vulnerability-scanner
101 | nessus
102 | # vuln scanner
103 | # https://www.netsparker.com/web-vulnerability-scanner/
104 | netsparker
105 | # vuln scanner
106 | # https://cirt.net/Nikto2
107 | nikto
108 | # vuln scanner
109 | nmap nse
110 | nmap scripting engine
111 | nmap-nse
112 | # vuln scanner
113 | # http://www.nsauditor.com/
114 | nsauditor
115 | # vuln scanner
116 | # http://www.openvas.org/
117 | openvas
118 | # sql injection
119 | # http://www.vealtel.com/software/nosec/pangolin/
120 | pangolin
121 | # web proxy & vuln scanner
122 | # https://sourceforge.net/projects/paros/
123 | paros
124 | # phpmyadmin vuln scanner
125 | # dead 2005?
126 | pmafind
127 | #
128 | prog.customcrawler
129 | # vuln scanner
130 | # https://www.qualys.com/suite/web-application-scanning/
131 | qualys was
132 | #
133 | s.t.a.l.k.e.r.
134 | #
135 | security scan
136 | # vuln scanner
137 | # https://sourceforge.net/projects/springenwerk/
138 | springenwerk
139 | # sql injection
140 | # http://www.sqlpowerinjector.com/
141 | sql power injector
142 | # sql injection
143 | # http://sqlmap.org/
144 | sqlmap
145 | # sql injection
146 | # http://sqlninja.sourceforge.net/
147 | sqlninja
148 | # password cracker
149 | # http://foofus.net/goons/jmk/medusa/medusa.html
150 | teh forest lobster
151 | #
152 | this is an exploit
153 | # vuln scanner?
154 | toata dragostea
155 | toata dragostea mea pentru diavola
156 | # SQL bot
157 | # http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0
158 | uil2pn
159 | # badly scripted UAs (e.g. User-Agent: User-Agent: foo)
160 | user-agent:
161 | # vuln scanner
162 | # https://subgraph.com/vega/
163 | vega/
164 | # vuln scanner
165 | # dead?
166 | voideye
167 | # vuln scanner
168 | # http://w3af.org/
169 | w3af.sf.net
170 | w3af.sourceforge.net
171 | w3af.org
172 | # site scanner (legacy)
173 | # http://www.robotstxt.org/db/webbandit.html
174 | webbandit
175 | # vuln scanner
176 | # http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
177 | webinspect
178 | # site scanner
179 | # http://www.scrt.ch/en/attack/downloads/webshag
180 | webshag
181 | # vuln scanner
182 | # dead?
183 | webtrends security analyzer
184 | # vuln scanner
185 | # https://github.com/hhucn/webvulnscan
186 | webvulnscan
187 | # web technology scanner
188 | # https://www.morningstarsecurity.com/research/whatweb
189 | whatweb
190 | # vuln scanner
191 | whcc/
192 | # exploit poc
193 | wordpress hash grabber
194 | # exploit
195 | xmlrpc exploit
196 | # wordpress vuln scanner
197 | # https://wpscan.org/
198 | WPScan
199 |
--------------------------------------------------------------------------------
/recipes/default.rb:
--------------------------------------------------------------------------------
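#
# Cookbook Name:: waf_testbed
# Recipe:: default
#
# Copyright (c) 2016 Fastly, Inc. All Rights Reserved.
#
# Builds a single-host ModSecurity/CRS test bed: installs the FTW test
# framework, checks out the CRS regression tests, and configures Apache httpd
# with mod_security2 plus the templated CRS rule and data files.
# Resource declaration order is the converge order; keep it when editing.

include_recipe 'apt'
include_recipe 'git'
include_recipe 'poise-python'

#
# install framework for testings WAFS (FTW) via python
# NOTE(review): the Python 2 runtime is end-of-life; confirm the pinned ftw
# version still requires it before changing this.
python_runtime '2'

# use an experimental FTW branch
# if enabled, use a specified ftw branch instead of installing from pip
if node['waf_testbed']['ftw']['use_git']
  git '/opt/ftw' do
    repository 'https://github.com/fastly/ftw.git'
    branch node['waf_testbed']['ftw']['branch']
    action :sync
    # the editable install below is action :nothing and only runs when this
    # checkout reports a change
    notifies :run, 'python_execute[install ftw]', :immediately
  end
  python_execute 'install ftw' do
    action :nothing
    command '-m pip install -e .'
    cwd '/opt/ftw'
  end
else
  python_package 'ftw' do
    version node['waf_testbed']['ftw']['pip_version']
  end
end

#
# Checkout the latest CRS regression tests
# NOTE(review): 'master' is an unpinned moving target; pin a commit or tag
# when reproducible test runs matter more than tracking upstream.
git '/opt/owasp-crs-regressions' do
  repository 'https://github.com/SpiderLabs/OWASP-CRS-regressions.git'
  revision 'master'
  action :sync
end

# NB: for debugging purposes
package 'curl' do
  action :install
end

httpd_service 'default' do
  action [:create, :start]
end

# httpd modules the test bed needs, enabled in this order
%w(security2 unique_id headers ssl socache_shmcb).each do |mod|
  httpd_module mod do
    action :create
  end
end

directory '/usr/local/waftest' do
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

# Document root content for the test vhost. A static page only has to be
# readable by the httpd worker, so it is installed 0644 rather than 0755:
# no execute bit on served content.
template '/usr/local/waftest/index.html' do
  source 'index.html.erb'
  owner 'root'
  group 'root'
  mode '0644'
  action :create
  notifies :restart, 'httpd_service[default]'
end

# httpd-level config fragments; each restarts httpd when its content changes
%w(crs-setup modsecurity headers vhost fastly_test_rules ports).each do |conf|
  httpd_config conf do
    source "#{conf}.conf.erb"
    notifies :restart, 'httpd_service[default]'
  end
end

template '/etc/modsecurity/unicode.mapping' do
  source 'unicode.mapping.erb'
  notifies :restart, 'httpd_service[default]'
end

# CRS rule files and the .data phrase lists they load with @pmFromFile.
# Each entry is rendered from the template named "<entry>.erb" into
# /etc/modsecurity/<entry>.
msc_rules_collection = [
  "REQUEST-901-INITIALIZATION.conf",
  "REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf",
  "REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf",
  "REQUEST-905-COMMON-EXCEPTIONS.conf",
  "REQUEST-910-IP-REPUTATION.conf",
  "REQUEST-911-METHOD-ENFORCEMENT.conf",
  "REQUEST-912-DOS-PROTECTION.conf",
  "REQUEST-913-SCANNER-DETECTION.conf",
  "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
  "REQUEST-921-PROTOCOL-ATTACK.conf",
  "REQUEST-930-APPLICATION-ATTACK-LFI.conf",
  "REQUEST-931-APPLICATION-ATTACK-RFI.conf",
  "REQUEST-932-APPLICATION-ATTACK-RCE.conf",
  "REQUEST-933-APPLICATION-ATTACK-PHP.conf",
  "REQUEST-941-APPLICATION-ATTACK-XSS.conf",
  "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
  "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf",
  "REQUEST-949-BLOCKING-EVALUATION.conf",
  "RESPONSE-950-DATA-LEAKAGES.conf",
  "RESPONSE-951-DATA-LEAKAGES-SQL.conf",
  "RESPONSE-952-DATA-LEAKAGES-JAVA.conf",
  "RESPONSE-953-DATA-LEAKAGES-PHP.conf",
  "RESPONSE-954-DATA-LEAKAGES-IIS.conf",
  "RESPONSE-959-BLOCKING-EVALUATION.conf",
  "RESPONSE-980-CORRELATION.conf",
  "crawlers-user-agents.data",
  "iis-errors.data",
  "java-code-leakages.data",
  "java-errors.data",
  "lfi-os-files.data",
  "php-config-directives.data",
  "php-errors.data",
  "php-function-names-933150.data",
  "php-function-names-933151.data",
  "php-variables.data",
  "restricted-files.data",
  "scanners-headers.data",
  "scanners-urls.data",
  "scanners-user-agents.data",
  "scripting-user-agents.data",
  "sql-errors.data",
  "sql-function-names.data",
  "unix-shell.data",
  "windows-powershell-commands.data"
]

msc_rules_collection.each do |t|
  template "/etc/modsecurity/#{t}" do
    source "#{t}.erb"
    owner 'root'
    group 'root'
    notifies :restart, 'httpd_service[default]'
  end
end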
179 |
--------------------------------------------------------------------------------
/templates/default/windows-powershell-commands.data.erb:
--------------------------------------------------------------------------------
1 | powershell.exe
2 | Add-BitsFile
3 | Add-Computer
4 | Add-Content
5 | Add-History
6 | Add-Member
7 | Add-PSSnapin
8 | Add-Type
9 | Checkpoint-Computer
10 | Clear-Content
11 | Clear-EventLog
12 | Clear-History
13 | Clear-Item
14 | Clear-ItemProperty
15 | Clear-Variable
16 | Compare-Object
17 | Complete-BitsTransfer
18 | Complete-Transaction
19 | Connect-WSMan
20 | ConvertFrom-CSV
21 | ConvertFrom-SecureString
22 | ConvertFrom-StringData
23 | Convert-Path
24 | ConvertTo-CSV
25 | ConvertTo-Html
26 | ConvertTo-SecureString
27 | ConvertTo-XML
28 | Copy-Item
29 | Copy-ItemProperty
30 | Debug-Process
31 | Disable-ComputerRestore
32 | Disable-PSBreakpoint
33 | Disable-PSSessionConfiguration
34 | Disable-WSManCredSSP
35 | Disconnect-WSMan
36 | Enable-ComputerRestore
37 | Enable-PSBreakpoint
38 | Enable-PSRemoting
39 | Enable-PSSessionConfiguration
40 | Enable-WSManCredSSP
41 | Enter-PSSession
42 | Exit-PSSession
43 | Export-Alias
44 | Export-Clixml
45 | Export-Console
46 | Export-Counter
47 | Export-CSV
48 | Export-FormatData
49 | Export-ModuleMember
50 | Export-PSSession
51 | ForEach-Object
52 | Format-Custom
53 | Format-List
54 | Format-Table
55 | Format-Wide
56 | Get-Acl
57 | Get-Alias
58 | Get-AppLockerFileInformation
59 | Get-AppLockerPolicy
60 | Get-AuthenticodeSignature
61 | Get-BitsTransfer
62 | Get-ChildItem
63 | Get-Command
64 | Get-ComputerRestorePoint
65 | Get-Content
66 | Get-Counter
67 | Get-Credential
68 | Get-Culture
69 | Get-Event
70 | Get-EventLog
71 | Get-EventSubscriber
72 | Get-ExecutionPolicy
73 | Get-FormatData
74 | Get-History
75 | Get-Host
76 | Get-HotFix
77 | Get-Item
78 | Get-ItemProperty
79 | Get-Job
80 | Get-Location
81 | Get-Member
82 | Get-Module
83 | Get-PfxCertificate
84 | Get-Process
85 | Get-PSBreakpoint
86 | Get-PSCallStack
87 | Get-PSDrive
88 | Get-PSProvider
89 | Get-PSSession
90 | Get-PSSessionConfiguration
91 | Get-PSSnapin
92 | Get-Random
93 | Get-Service
94 | Get-TraceSource
95 | Get-Transaction
96 | Get-TroubleshootingPack
97 | Get-UICulture
98 | Get-Unique
99 | Get-Variable
100 | Get-WinEvent
101 | Get-WmiObject
102 | Get-WSManCredSSP
103 | Get-WSManInstance
104 | Group-Object
105 | Import-Alias
106 | Import-Clixml
107 | Import-Counter
108 | Import-CSV
109 | Import-LocalizedData
110 | Import-Module
111 | Import-PSSession
112 | Invoke-Command
113 | Invoke-Expression
114 | Invoke-History
115 | Invoke-Item
116 | Invoke-TroubleshootingPack
117 | Invoke-WmiMethod
118 | Invoke-WSManAction
119 | Join-Path
120 | Limit-EventLog
121 | Measure-Command
122 | Measure-Object
123 | Move-Item
124 | Move-ItemProperty
125 | New-Alias
126 | New-AppLockerPolicy
127 | New-Event
128 | New-EventLog
129 | New-Item
130 | New-ItemProperty
131 | New-Module
132 | New-ModuleManifest
133 | New-Object
134 | New-PSDrive
135 | New-PSSession
136 | New-PSSessionOption
137 | New-Service
138 | New-TimeSpan
139 | New-Variable
140 | New-WebServiceProxy
141 | New-WSManInstance
142 | New-WSManSessionOption
143 | Out-Default
144 | Out-File
145 | Out-GridView
146 | Out-Host
147 | Out-Null
148 | Out-Printer
149 | Out-String
150 | Pop-Location
151 | Push-Location
152 | Read-Host
153 | Receive-Job
154 | Register-EngineEvent
155 | Register-ObjectEvent
156 | Register-PSSessionConfiguration
157 | Register-WmiEvent
158 | Remove-BitsTransfer
159 | Remove-Computer
160 | Remove-Event
161 | Remove-EventLog
162 | Remove-Item
163 | Remove-ItemProperty
164 | Remove-Job
165 | Remove-Module
166 | Remove-PSBreakpoint
167 | Remove-PSDrive
168 | Remove-PSSession
169 | Remove-PSSnapin
170 | Remove-Variable
171 | Remove-WmiObject
172 | Remove-WSManInstance
173 | Rename-Item
174 | Rename-ItemProperty
175 | Reset-ComputerMachinePassword
176 | Resolve-Path
177 | Restart-Computer
178 | Restart-Service
179 | Restore-Computer
180 | Resume-BitsTransfer
181 | Resume-Service
182 | Select-Object
183 | Select-String
184 | Select-XML
185 | Send-MailMessage
186 | Set-Acl
187 | Set-Alias
188 | Set-AppLockerPolicy
189 | Set-AuthenticodeSignature
190 | Set-BitsTransfer
191 | Set-Content
192 | Set-Date
193 | Set-ExecutionPolicy
194 | Set-Item
195 | Set-ItemProperty
196 | Set-Location
197 | Set-PSBreakpoint
198 | Set-PSDebug
199 | Set-PSSessionConfiguration
200 | Set-Service
201 | Set-StrictMode
202 | Set-TraceSource
203 | Set-Variable
204 | Set-WmiInstance
205 | Set-WSManInstance
206 | Set-WSManQuickConfig
207 | Show-EventLog
208 | Sort-Object
209 | Split-Path
210 | Start-BitsTransfer
211 | Start-Job
212 | Start-Process
213 | Start-Service
214 | Start-Sleep
215 | Start-Transaction
216 | Start-Transcript
217 | Stop-Computer
218 | Stop-Job
219 | Stop-Process
220 | Stop-Service
221 | Stop-Transcript
222 | Suspend-BitsTransfer
223 | Suspend-Service
224 | Tee-Object
225 | Test-AppLockerPolicy
226 | Test-ComputerSecureChannel
227 | Test-Connection
228 | Test-ModuleManifest
229 | Test-Path
230 | Test-WSMan
231 | Trace-Command
232 | Undo-Transaction
233 | Unregister-Event
234 | Unregister-PSSessionConfiguration
235 | Update-FormatData
236 | Update-List
237 | Update-TypeData
238 | Use-Transaction
239 | Wait-Event
240 | Wait-Job
241 | Wait-Process
242 | Where-Object
243 | Write-Debug
244 | Write-Error
245 | Write-EventLog
246 | Write-Host
247 | Write-Output
248 | Write-Progress
249 | Write-Verbose
250 | Write-Warning
251 | -EncodedCommand
252 | -ExecutionPolicy
253 | -PSConsoleFile
254 |
--------------------------------------------------------------------------------
/templates/default/RESPONSE-953-DATA-LEAKAGES-PHP.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 |
15 |
16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:953011,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:953012,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
18 | #
19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
20 | #
21 |
22 | #
23 | # -=[ PHP Error Message Leakage ]=-
24 | #
25 | SecRule RESPONSE_BODY "@pmf php-errors.data" \
26 | "msg:'PHP Information Leakage',\
27 | id:953100,\
28 | phase:response,\
29 | ver:'OWASP_CRS/3.0.0',\
30 | rev:'3',\
31 | maturity:'9',\
32 | accuracy:'9',\
33 | t:none,\
34 | capture,\
35 | ctl:auditLogParts=+E,\
36 | block,\
37 | severity:'ERROR',\
38 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
39 | tag:'application-multi',\
40 | tag:'language-php',\
41 | tag:'platform-multi',\
42 | tag:'attack-disclosure',\
43 | tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
44 | tag:'WASCTC/WASC-13',\
45 | tag:'OWASP_TOP_10/A6',\
46 | tag:'PCI/6.5.6',\
47 | setvar:'tx.msg=%{rule.msg}',\
48 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
49 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
50 |
51 | #
52 | # -=[ PHP source code leakage ]=-
53 | #
54 | # Detect some common PHP function and superglobal names in output.
55 | #
56 | SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
57 | "phase:response,\
58 | rev:'2',\
59 | ver:'OWASP_CRS/3.0.0',\
60 | maturity:'9',\
61 | accuracy:'9',\
62 | t:none,\
63 | capture,\
64 | ctl:auditLogParts=+E,\
65 | block,\
66 | msg:'PHP source code leakage',\
67 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
68 | id:953110,\
69 | tag:'application-multi',\
70 | tag:'language-php',\
71 | tag:'platform-multi',\
72 | tag:'attack-disclosure',\
73 | tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
74 | tag:'WASCTC/WASC-13',\
75 | tag:'OWASP_TOP_10/A6',\
76 | tag:'PCI/6.5.6',\
77 | severity:'ERROR',\
78 | setvar:'tx.msg=%{rule.msg}',\
79 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
80 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
81 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
82 |
83 | # Detect the presence of the PHP open tag "" or ".{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|internal server error<\/h1>.*?part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
52 | "phase:4,\
53 | rev:'3',\
54 | ver:'OWASP_CRS/3.0.0',\
55 | maturity:'9',\
56 | accuracy:'9',\
57 | t:none,\
58 | capture,\
59 | ctl:auditLogParts=+E,\
60 | block,\
61 | msg:'Application Availability Error',\
62 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
63 | id:954110,\
64 | tag:'application-multi',\
65 | tag:'language-multi',\
66 | tag:'platform-iis',\
67 | tag:'platform-windows',\
68 | tag:'attack-disclosure',\
69 | tag:'WASCTC/WASC-13',\
70 | tag:'OWASP_TOP_10/A6',\
71 | tag:'PCI/6.5.6',\
72 | severity:'ERROR',\
73 | setvar:'tx.msg=%{rule.msg}',\
74 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
75 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
76 | setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
77 |
78 | #
79 | # IIS Errors leakage
80 | #
81 | SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
82 | "phase:4,\
83 | rev:'2',\
84 | ver:'OWASP_CRS/3.0.0',\
85 | maturity:'9',\
86 | accuracy:'9',\
87 | t:none,\
88 | capture,\
89 | ctl:auditLogParts=+E,\
90 | block,\
91 | msg:'IIS Information Leakage',\
92 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
93 | id:954120,\
94 | tag:'application-multi',\
95 | tag:'language-multi',\
96 | tag:'platform-iis',\
97 | tag:'platform-windows',\
98 | tag:'attack-disclosure',\
99 | tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
100 | tag:'WASCTC/WASC-13',\
101 | tag:'OWASP_TOP_10/A6',\
102 | tag:'PCI/6.5.6',\
103 | severity:'ERROR',\
104 | setvar:'tx.msg=%{rule.msg}',\
105 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
106 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
107 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
108 |
109 |
110 | SecRule RESPONSE_STATUS "!^404$" \
111 | "phase:4,\
112 | rev:'2',\
113 | ver:'OWASP_CRS/3.0.0',\
114 | maturity:'9',\
115 | accuracy:'9',\
116 | t:none,\
117 | capture,\
118 | ctl:auditLogParts=+E,\
119 | block,\
120 | msg:'IIS Information Leakage',\
121 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
122 | id:954130,\
123 | tag:'application-multi',\
124 | tag:'language-multi',\
125 | tag:'platform-iis',\
126 | tag:'platform-windows',\
127 | tag:'attack-disclosure',\
128 | tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
129 | tag:'WASCTC/WASC-13',\
130 | tag:'OWASP_TOP_10/A6',\
131 | tag:'PCI/6.5.6',\
132 | severity:'ERROR',\
133 | chain"
134 | SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
135 | "t:none,\
136 | capture,\
137 | setvar:'tx.msg=%{rule.msg}',\
138 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
139 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
140 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
141 |
142 |
143 |
144 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:954013,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
145 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:954014,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
146 | #
147 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
148 | #
149 |
150 |
151 |
152 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:954015,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
153 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:954016,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
154 | #
155 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
156 | #
157 |
158 |
159 |
160 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:954017,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
161 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:954018,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
162 | #
163 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
164 | #
165 |
166 |
167 |
168 | #
169 | # -= Paranoia Levels Finished =-
170 | #
171 | SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"
172 |
173 |
--------------------------------------------------------------------------------
/templates/default/php-config-directives.data.erb:
--------------------------------------------------------------------------------
1 | allow_call_time_pass_reference
2 | allow_url_fopen
3 | allow_url_include
4 | always_populate_raw_post_data
5 | arg_separator.input
6 | arg_separator.output
7 | asp_tags
8 | assert.active
9 | assert.bail
10 | assert.callback
11 | assert.quiet_eval
12 | assert.warning
13 | auto_append_file
14 | auto_detect_line_endings
15 | auto_globals_jit
16 | auto_prepend_file
17 | bcmath.scale
18 | birdstep.max_links
19 | browscap
20 | cgi.fix_pathinfo
21 | cgi.force_redirect
22 | cgi.nph
23 | cgi.redirect_status_env
24 | cgi.rfc2616_headers
25 | com.allow_dcom
26 | com.autoregister_casesensitive
27 | com.autoregister_typelib
28 | com.autoregister_verbose
29 | com.code_page
30 | com.typelib_file
31 | date.default_latitude
32 | date.default_longitude
33 | date.sunrise_zenith
34 | date.sunset_zenith
35 | date.timezone
36 | dba.default_handler
37 | default_charset
38 | default_mimetype
39 | default_socket_timeout
40 | define_syslog_variables
41 | disable_classes
42 | disable_functions
43 | display_errors
44 | display_startup_errors
45 | doc_root
46 | docref_ext
47 | docref_root
48 | enable_dl
49 | error_append_string
50 | error_log
51 | error_prepend_string
52 | error_reporting
53 | exif.decode_jis_intel
54 | exif.decode_jis_motorola
55 | exif.decode_unicode_intel
56 | exif.decode_unicode_motorola
57 | exif.encode_jis
58 | exif.encode_unicode
59 | expose_php
60 | extension_dir
61 | fastcgi.impersonate
62 | fastcgi.logging
63 | file_uploads
64 | filter.default
65 | filter.default_flags
66 | gd.jpeg_ignore_warning
67 | highlight.bg
68 | highlight.comment
69 | highlight.default
70 | highlight.html
71 | highlight.keyword
72 | highlight.string
73 | html_errors
74 | ibase.allow_persistent
75 | ibase.dateformat
76 | ibase.default_charset
77 | ibase.default_db
78 | ibase.default_password
79 | ibase.default_user
80 | ibase.max_links
81 | ibase.max_persistent
82 | ibase.timeformat
83 | ibase.timestampformat
84 | iconv.input_encoding
85 | iconv.internal_encoding
86 | iconv.output_encoding
87 | ignore_repeated_errors
88 | ignore_repeated_source
89 | ignore_user_abort
90 | implicit_flush
91 | include_path
92 | intl.default_locale
93 | intl.error_level
94 | ldap.max_links
95 | log_errors
96 | log_errors_max_len
97 | magic_quotes_gpc
98 | magic_quotes_runtime
99 | magic_quotes_sybase
100 | mail.add_x_header
101 | mail.force_extra_parameters
102 | mail.log
103 | max_execution_time
104 | max_file_uploads
105 | max_input_nesting_level
106 | max_input_time
107 | mbstring.detect_order
108 | mbstring.encoding_translation
109 | mbstring.func_overload
110 | mbstring.http_input
111 | mbstring.http_output
112 | mbstring.http_output_conv_mimetype
113 | mbstring.internal_encoding
114 | mbstring.language
115 | mbstring.script_encoding
116 | mbstring.strict_detection
117 | mbstring.substitute_character
118 | mcrypt.algorithms_dir
119 | mcrypt.modes_dir
120 | memory_limit
121 | mssql.allow_persistent
122 | mssql.batchsize
123 | mssql.charset
124 | mssql.compatability_mode
125 | mssql.connect_timeout
126 | mssql.datetimeconvert
127 | mssql.max_links
128 | mssql.max_persistent
129 | mssql.max_procs
130 | mssql.min_error_severity
131 | mssql.min_message_severity
132 | mssql.secure_connection
133 | mssql.textlimit
134 | mssql.textsize
135 | mssql.timeout
136 | mysql.allow_local_infile
137 | mysql.allow_persistent
138 | mysql.cache_size
139 | mysql.connect_timeout
140 | mysql.default_host
141 | mysql.default_password
142 | mysql.default_port
143 | mysql.default_socket
144 | mysql.default_user
145 | mysql.max_links
146 | mysql.max_persistent
147 | mysql.trace_mode
148 | mysqli.allow_local_infile
149 | mysqli.allow_persistent
150 | mysqli.cache_size
151 | mysqli.default_host
152 | mysqli.default_port
153 | mysqli.default_pw
154 | mysqli.default_socket
155 | mysqli.default_user
156 | mysqli.max_links
157 | mysqli.max_persistent
158 | mysqli.reconnect
159 | mysqlnd.collect_memory_statistics
160 | mysqlnd.collect_statistics
161 | mysqlnd.net_cmd_buffer_size
162 | mysqlnd.net_read_buffer_size
163 | oci8.connection_class
164 | oci8.default_prefetch
165 | oci8.events
166 | oci8.max_persistent
167 | oci8.old_oci_close_semantics
168 | oci8.persistent_timeout
169 | oci8.ping_interval
170 | oci8.privileged_connect
171 | oci8.statement_cache_size
172 | odbc.allow_persistent
173 | odbc.check_persistent
174 | odbc.default_db
175 | odbc.default_pw
176 | odbc.default_user
177 | odbc.defaultbinmode
178 | odbc.defaultlrl
179 | odbc.max_links
180 | odbc.max_persistent
181 | open_basedir
182 | output_buffering
183 | output_handler
184 | pcre.backtrack_limit
185 | pcre.recursion_limit
186 | pdo_mysql.cache_size
187 | pdo_mysql.default_socket
188 | pdo_odbc.connection_pooling
189 | pgsql.allow_persistent
190 | pgsql.auto_reset_persistent
191 | pgsql.ignore_notice
192 | pgsql.log_notice
193 | pgsql.max_links
194 | pgsql.max_persistent
195 | phar.cache_list
196 | phar.readonly
197 | phar.require_hash
198 | post_max_size
199 | realpath_cache_size
200 | realpath_cache_ttl
201 | register_argc_argv
202 | register_globals
203 | register_long_arrays
204 | report_memleaks
205 | report_zend_debug
206 | request_order
207 | safe_mode
208 | safe_mode_allowed_env_vars
209 | safe_mode_exec_dir
210 | safe_mode_gid
211 | safe_mode_include_dir
212 | safe_mode_protected_env_vars
213 | sendmail_from
214 | sendmail_path
215 | serialize_precision
216 | session.auto_start
217 | session.bug_compat_42
218 | session.bug_compat_warn
219 | session.cache_expire
220 | session.cache_limiter
221 | session.cookie_domain
222 | session.cookie_httponly
223 | session.cookie_lifetime
224 | session.cookie_path
225 | session.cookie_secure
226 | session.entropy_file
227 | session.entropy_length
228 | session.gc_divisor
229 | session.gc_maxlifetime
230 | session.gc_probability
231 | session.hash_bits_per_character
232 | session.hash_function
233 | session.name
234 | session.referer_check
235 | session.save_handler
236 | session.save_path
237 | session.serialize_handler
238 | session.use_cookies
239 | session.use_only_cookies
240 | session.use_trans_sid
241 | short_open_tag
242 | soap.wsdl_cache_dir
243 | soap.wsdl_cache_enabled
244 | soap.wsdl_cache_limit
245 | soap.wsdl_cache_ttl
246 | sql.safe_mode
247 | sqlite.assoc_case
248 | sqlite3.extension_dir
249 | sybct.allow_persistent
250 | sybct.deadlock_retry_count
251 | sybct.hostname
252 | sybct.login_timeout
253 | sybct.max_links
254 | sybct.max_persistent
255 | sybct.min_client_severity
256 | sybct.min_server_severity
257 | sybct.timeout
258 | sysvshm.init_mem
259 | tidy.clean_output
260 | tidy.default_config
261 | track_errors
262 | unserialize_callback_func
263 | upload_max_filesize
264 | upload_tmp_dir
265 | url_rewriter.tags
266 | user_agent
267 | user_dir
268 | user_ini.cache_ttl
269 | user_ini.filename
270 | variables_order
271 | xmlrpc_error_number
272 | xmlrpc_errors
273 | y2k_compliance
274 | zlib.output_compression
275 | zlib.output_compression_level
276 | zlib.output_handler
277 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-930-APPLICATION-ATTACK-LFI.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 |
15 |
16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
18 | #
19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
20 | #
21 |
22 | #
23 | # -=[ Directory Traversal Attacks ]=-
24 | #
25 | # Ref: https://github.com/wireghoul/dotdotpwn
26 | #
27 | # [ Encoded /../ Payloads ]
28 | #
29 | SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
30 | "phase:request,\
31 | msg:'Path Traversal Attack (/../)',\
32 | id:930100,\
33 | ver:'OWASP_CRS/3.0.0',\
34 | rev:'3',\
35 | maturity:'9',\
36 | accuracy:'7',\
37 | t:none,\
38 | block,\
39 | severity:CRITICAL,\
40 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
41 | capture,\
42 | tag:'application-multi',\
43 | tag:'language-multi',\
44 | tag:'platform-multi',\
45 | tag:'attack-lfi',\
46 | tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
47 | setvar:'tx.msg=%{rule.msg}',\
48 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
49 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
50 | setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
51 |
52 | #
53 | # [ Decoded /../ Payloads ]
54 | #
55 | SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
56 | "phase:request,\
57 | msg:'Path Traversal Attack (/../)',\
58 | id:930110,\
59 | ver:'OWASP_CRS/3.0.0',\
60 | rev:'1',\
61 | maturity:'9',\
62 | accuracy:'7',\
63 | multiMatch,\
64 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
65 | block,\
66 | severity:CRITICAL,\
67 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
68 | capture,\
69 | tag:'application-multi',\
70 | tag:'language-multi',\
71 | tag:'platform-multi',\
72 | tag:'attack-lfi',\
73 | tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
74 | setvar:'tx.msg=%{rule.msg}',\
75 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
76 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
77 | setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
78 |
79 | #
80 | # -=[ OS File Access ]=-
81 | #
82 | # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
83 | #
84 | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
85 | "phase:request,\
86 | msg:'OS File Access Attempt',\
87 | rev:'4',\
88 | ver:'OWASP_CRS/3.0.0',\
89 | maturity:'9',\
90 | accuracy:'9',\
91 | capture,\
92 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
93 | block,\
94 | id:930120,\
95 | tag:'application-multi',\
96 | tag:'language-multi',\
97 | tag:'platform-multi',\
98 | tag:'attack-lfi',\
99 | tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
100 | tag:'WASCTC/WASC-33',\
101 | tag:'OWASP_TOP_10/A4',\
102 | tag:'PCI/6.5.4',\
103 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
104 | severity:'CRITICAL',\
105 | setvar:'tx.msg=%{rule.msg}',\
106 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
107 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
108 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
109 |
110 | #
111 | # -=[ Restricted File Access ]=-
112 | #
113 | # Detects attempts to retrieve application source code, metadata,
114 | # credentials and version control history possibly reachable in a web root.
115 | #
116 | SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
117 | "phase:request,\
118 | msg:'Restricted File Access Attempt',\
119 | rev:'1',\
120 | ver:'OWASP_CRS/3.0.0',\
121 | maturity:'7',\
122 | accuracy:'8',\
123 | capture,\
124 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
125 | block,\
126 | id:930130,\
127 | tag:'application-multi',\
128 | tag:'language-multi',\
129 | tag:'platform-multi',\
130 | tag:'attack-lfi',\
131 | tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
132 | tag:'WASCTC/WASC-33',\
133 | tag:'OWASP_TOP_10/A4',\
134 | tag:'PCI/6.5.4',\
135 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
136 | severity:'CRITICAL',\
137 | setvar:'tx.msg=%{rule.msg}',\
138 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
139 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
140 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
141 |
142 |
143 |
144 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
145 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
146 | #
147 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
148 | #
149 |
150 |
151 |
152 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
153 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
154 | #
155 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
156 | #
157 |
158 |
159 |
160 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
161 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
162 | #
163 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
164 | #
165 |
166 |
167 |
168 | #
169 | # -= Paranoia Levels Finished =-
170 | #
171 | SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
172 |
173 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # The purpose of this file is to hold LOCAL exceptions for your site. The
12 | # types of rules that would go into this file are ones where you want to
13 | # short-circuit inspection and allow certain transactions to pass through
14 | # inspection, or where you want to alter the rules that are applied.
15 | #
16 | # This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
17 | # very specific reason. Files affixed with the .example extension are designed
18 | # to contain user-created/modified data. The '.example' extension should be
19 | # renamed to end in .conf. The advantage of this is that when OWASP CRS is
20 | # updated, the updates will not overwrite a user generated configuration file.
21 | #
22 | # As a result of this design paradigm users are encouraged NOT to directly
23 | # modify rules. Instead they should use this
24 | # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
25 | # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
26 | # methods similar to the examples specified below.
27 | #
28 | # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
29 | # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
30 | # effectively maintains two different contexts: startup, and per transaction.
31 | # As a rule, directives are processed within the startup context. While they
32 | # can affect the per transaction context they generally remain fixed during the
33 | # execution of ModSecurity.
34 | #
35 | # As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
36 | # directive or one of its siblings would have to be placed AFTER the rule is
37 | # listed, otherwise it will not have knowledge of the rule's existence (since
38 | # these rules are read in at the same time). This means that when using
39 | # directives that affect SecRules, these exceptions should be placed AFTER all
40 | # the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
41 | # designed such that it loads LAST.
42 | #
43 | # Conversely, ModSecurity supports several actions that can change the state of
44 | # the underlying configuration during the per transaction context, this is when
45 | # rules are being processed. Generally, these are accomplished by using the
46 | # 'ctl' action. As these are part of a rule, they will be evaluated in the
47 | # order rules are applied (by physical location, considering phases). As a
48 | # result of this ordering a 'ctl' action should be placed with consideration to
49 | # when it will be executed. This is particularly relevant for the 'ctl' options
50 | # that involve modifying IDs (such as ruleRemoveById). In these cases it is
51 | # important that such rules are placed BEFORE the rule ID they will affect.
52 | # Unlike the setup context, by the time we process rules in the per-transaction
53 | # context, we are already aware of all the rule IDs. It is by this logic that
54 | # we include rules such as this BEFORE all the remaining rules. As a result
55 | # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
56 | #
57 | # As a general rule:
58 | # ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
59 | # ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
60 | # ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
61 | # ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
62 | # ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
63 | # ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
64 | # ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
65 | #
66 | # SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
67 | # SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
68 | # SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
69 | # SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
70 | # SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
71 | # SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
72 | # SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
73 | #
74 | #
75 | # What follows are a group of examples that show you how to perform rule
76 | # exclusions.
77 | #
78 | #
79 | # Example Exclusion Rule: Disable inspection for an authorized client
80 | #
81 | # This ruleset allows you to control how ModSecurity will handle traffic
82 | # originating from Authorized Vulnerability Scanning (AVS) sources. See
83 | # related blog post -
84 | # http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
85 | #
# Allow-list the AVS network block (no blocking or logging of AVS traffic).
# Update the IP network block as appropriate for your AVS traffic.
#
# Two caveats before copying this: REMOTE_ADDR is the TCP peer address, so
# behind a reverse proxy or load balancer it holds the proxy's address and
# this exclusion would switch the rule engine off for every request arriving
# through that proxy. And ctl:ruleEngine=Off disables all inspection for the
# matched transaction, including the response-phase data-leakage rules.
#
# ModSec Rule Exclusion: Disable Rule Engine for known AVS IP
90 | # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
91 | # "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
92 | #
93 | #
94 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
95 | # for an individual rule
96 | #
97 | # This rule shows how to conditionally exclude the "password"
98 | # parameter for rule 942100 when the REQUEST_URI is /index.php
99 | # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
100 | #
101 | # SecRule REQUEST_URI "@beginsWith /index.php" \
102 | # "id:1001,phase:1,pass,nolog, \
103 | # ctl:ruleRemoveTargetById=942100;ARGS:password"
104 | #
105 | #
106 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
107 | # for only certain attacks
108 | #
109 | # Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
110 | # 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
111 | #
112 | # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
113 | # for all rules tagged attack-sqli
114 | # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
115 | # "id:1002,phase:request,pass,nolog,\
116 | # ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
117 | #
118 |
119 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
120 | # for all CRS rules
121 | #
# This rule illustrates that we can use tagging very effectively to exclude a
# common false positive across an entire ModSecurity instance. It works
# because the tag argument of ruleRemoveTargetByTag is matched as a pattern
# against each rule's tags, and every CRS rule carries a tag of the form
# 'OWASP_CRS/...'; the pattern 'CRS' therefore matches all of them. This will
# NOT affect custom rules unless their tags also contain 'CRS'.
126 | #
127 | # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
128 | # for all CRS rules
129 | # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
130 | # "id:1003,phase:request,pass,nolog,\
131 | # ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
132 |
133 | #
134 | # Example Exclusion Rule: Removing a range of rules
135 | #
# This rule illustrates that we can remove a rule range via a ctl action.
# It relies on the fact that rules are grouped by topic in rule files, each
# covering a fixed id range (here 941xxx for XSS and 942xxx for SQLi).
# Be aware that "@beginsWith /admin" is a plain prefix match, so it also
# covers paths such as /administrator or /admin-login, and that every
# endpoint under that prefix — authenticated or not — loses SQLi/XSS coverage.
139 | #
140 | # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
141 | # SecRule REQUEST_FILENAME "@beginsWith /admin" \
142 | # "id:1004,phase:request,pass,nolog,\
143 | # ctl:ruleRemoveById=941000-942999"
144 | #
145 | #
# The application specific rule exclusion files
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
# (where shipped with your CRS copy) bring additional examples which can be
# useful when tuning a service.
150 |
--------------------------------------------------------------------------------
/templates/default/REQUEST-913-SCANNER-DETECTION.conf.erb:
--------------------------------------------------------------------------------
1 | # ------------------------------------------------------------------------
2 | # OWASP ModSecurity Core Rule Set ver.3.0.2
3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
4 | #
5 | # The OWASP ModSecurity Core Rule Set is distributed under
6 | # Apache Software License (ASL) version 2
7 | # Please see the enclosed LICENSE file for full details.
8 | # ------------------------------------------------------------------------
9 |
10 | #
11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally)
12 | #
13 |
14 |
15 |
#
# Skip the whole file when the paranoia level is below 1. One skip rule per
# phase is needed because the rules of each phase form their own chain and
# skipAfter only jumps within the phase it runs in; both land on the
# END-REQUEST-913-SCANNER-DETECTION marker at the end of this file.
#
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:913011,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:913012,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
18 | #
19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
20 | #
21 |
22 | #
23 | # -=[ Vulnerability Scanner Checks ]=-
24 | #
25 | # These rules inspect the default User-Agent and Header values sent by
26 | # various commercial and open source vuln scanners.
27 | #
28 | # The following rules contain User-Agent lists:
29 | # 913100 - security scanners (data file scanners-user-agents.data)
30 | # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
31 | # 913102 - web crawlers/bots (data file crawlers-user-agents.data)
32 | #
#
# 913100: User-Agent matches a known security-scanner signature.
# 'capture' stores the matched phrase in TX.0 so that logdata can report it.
# 'block' defers the disruptive action to SecDefaultAction, so in the usual
# anomaly-scoring setup this rule only raises tx.anomaly_score and the
# decision is made in REQUEST-949-BLOCKING-EVALUATION.
# The ip.reput_block_flag / ip.reput_block_reason variables flag the client
# address for the duration of tx.reput_block_duration; the ip collection and
# that duration are presumably initialised in REQUEST-901 and acted on in
# REQUEST-910 — confirm before relying on the IP block.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"msg:'Found User-Agent associated with security scanner',\
severity:'CRITICAL',\
id:913100,\
rev:'2',\
phase:request,\
block,\
t:none,\
t:lowercase,\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
61 |
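#
# 913110: request header name or value matches a known scanner signature
# (phrases from scanners-headers.data, checked against both
# REQUEST_HEADERS_NAMES and REQUEST_HEADERS).
#
# 'capture' has been added: the logdata below reports %{TX.0}, which with
# the @pmf/@pmFromFile operator is only populated by 'capture'. Without it
# the "Matched Data" field is empty or shows a stale value left over from an
# earlier capture in the same transaction. This also brings the rule in line
# with its sibling 913100.
# As in 913100, 'block' defers to SecDefaultAction (anomaly scoring), and the
# ip.reput_block_* variables presumably feed the REQUEST-910 IP block.
#
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
"msg:'Found request header associated with security scanner',\
severity:CRITICAL,\
id:913110,\
phase:request,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
t:lowercase,\
block,\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"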
89 |
90 |
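#
# 913120: request path or argument matches a known scanner probe
# (phrases from scanners-urls.data, checked against REQUEST_FILENAME and
# every ARGS value).
#
# 'capture' has been added: the logdata below reports %{TX.0}, which with
# the @pmf/@pmFromFile operator is only populated by 'capture'. Without it
# the "Matched Data" field is empty or shows a stale value left over from an
# earlier capture in the same transaction. This also brings the rule in line
# with its sibling 913100.
# As in 913100, 'block' defers to SecDefaultAction (anomaly scoring), and the
# ip.reput_block_* variables presumably feed the REQUEST-910 IP block.
#
SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
"msg:'Found request filename/argument associated with security scanner',\
severity:CRITICAL,\
id:913120,\
phase:request,\
rev:'3',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
t:lowercase,\
block,\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"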
118 |
119 |
#
# Skip the remaining (paranoia level 2 and above) rules of this file when the
# paranoia level is below 2; one skip rule per phase, as at the top of the
# file.
#
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:913013,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:913014,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
122 | #
123 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
124 | #
125 |
126 |
127 | #
128 | # -=[ Scripting/Generic User-Agents ]=-
129 | #
130 | # This rule detects user-agents associated with various HTTP client libraries
131 | # and scripting languages. Detection suggests attempted access by some
132 | # automated tool.
133 | #
134 | # This rule is a sibling of rule 913100.
135 | #
#
# 913101 (paranoia level 2): User-Agent matches a generic HTTP client or
# scripting-language library (scripting-user-agents.data).
# NOTE(review): this is a high false-positive rule by design (accuracy 7):
# monitoring probes, API clients and internal tooling commonly send such
# agents, and a hit also sets ip.reput_block_flag, so the whole client IP is
# presumably blocked for tx.reput_block_duration once REQUEST-910 sees it.
# Exclude known-good clients in REQUEST-900 before enabling PL2 in blocking
# mode.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
"msg:'Found User-Agent associated with scripting/generic HTTP client',\
severity:'CRITICAL',\
id:913101,\
rev:'1',\
phase:request,\
block,\
t:none,\
t:lowercase,\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'7',\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scripting',\
tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
165 |
166 |
167 |
168 | #
169 | # -=[ Crawler User-Agents ]=-
170 | #
171 | # This rule detects user-agents associated with various crawlers, SEO tools,
172 | # and bots, which have been reported to potentially misbehave.
173 | # These crawlers can have legitimate uses when used with authorization.
174 | #
175 | # This rule is a sibling of rule 913100.
176 | #
#
# 913102 (paranoia level 2): User-Agent matches a crawler, SEO tool or bot
# listed in crawlers-user-agents.data.
# NOTE(review): a match raises the anomaly score by the critical weight AND
# sets ip.reput_block_flag, so an authorised crawler (site-search indexer,
# uptime monitor) hitting this rule can lock out its source IP for
# tx.reput_block_duration, presumably via REQUEST-910. Allow-list such
# sources in REQUEST-900 rather than editing the data file.
#
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
"msg:'Found User-Agent associated with web crawler/bot',\
severity:'CRITICAL',\
id:913102,\
rev:'1',\
phase:request,\
block,\
t:none,\
t:lowercase,\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
capture,\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-crawler',\
tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
206 |
207 |
208 |
#
# Paranoia level 3 and 4 gates. Both sections are empty in this CRS release,
# so the skip rules below have no visible effect today; they are kept so
# that rules added to these sections later are gated correctly.
#
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:913015,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:913016,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:913017,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:913018,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
# Target of every skipAfter in this file; must stay the last directive here.
SecMarker "END-REQUEST-913-SCANNER-DETECTION"
229 |
230 |
--------------------------------------------------------------------------------
/templates/default/modsecurity.conf.erb:
--------------------------------------------------------------------------------
1 | # -- Rule engine initialization ----------------------------------------------
2 |
3 | # Enable ModSecurity, attaching it to every transaction. Use detection
4 | # only to start with, because that minimises the chances of post-installation
5 | # disruption.
6 | #
7 | #SecRuleEngine DetectionOnly
8 | SecRuleEngine <%= node['waf_testbed']['engine_mode'] %>
9 |
10 |
11 | # -- Request body handling ---------------------------------------------------
12 |
13 | # Allow ModSecurity to access request bodies. If you don't, ModSecurity
14 | # won't be able to see any POST parameters, which opens a large security
15 | # hole for attackers to exploit.
16 | #
17 | SecRequestBodyAccess On
18 |
19 |
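# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type.
#
# The previous pattern "text/xml" did not match application/xml or SOAP
# (application/soap+xml) bodies, so those were never parsed as XML and rules
# that target XML:/* could not inspect them. The anchored pattern below is
# the one later adopted by the upstream recommended configuration.
# t:lowercase runs before the match, so the pattern can stay lowercase.
# NOTE(review): no JSON body processor is configured in this file; JSON
# bodies are therefore only available to rules as the raw REQUEST_BODY —
# confirm whether the testbed needs one.
#
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"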
25 |
26 |
27 | # Maximum request body size we will accept for buffering. If you support
28 | # file uploads then the value given on the first line has to be as large
29 | # as the largest file you are willing to accept. The second value refers
30 | # to the size of data, with files excluded. You want to keep that value as
31 | # low as practical.
32 | #
# 12.5 MB total (file uploads included), 128 KB for non-file data. The second
# value is what bounds the amount of attacker-controlled data the rules have
# to scan per request, so keep it close to what the application actually
# needs.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
# Spill-over files go to SecTmpDir (configured below), so that directory
# must be private to the web server user.
SecRequestBodyInMemoryLimit 131072

# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
# Reject is the safe choice: ProcessPartial inspects only the first part of
# an oversized body and lets the rest through uninspected.
SecRequestBodyLimitAction Reject
48 |
49 | # Verify that we've correctly processed the request body.
50 | # As a rule of thumb, when failing to process a request body
51 | # you should reject the request (when deployed in blocking mode)
52 | # or log a high-severity alert (when deployed in detection-only mode).
53 | #
# Unparseable bodies are rejected with 400 rather than passed through, because
# a body the WAF cannot parse is exactly the body the rules cannot inspect.
# The parser's own message is kept in logdata for triage.
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
56 |
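# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
# The template previously carried 'status:44', which is not a valid HTTP
# status code; Apache has no response for it and typically answers with a
# 500, making a WAF block indistinguishable from a server error in logs and
# dashboards. 403 is used instead, matching the other deny rules in this
# file (deny without an explicit status also defaults to 403).
# Each two-letter field in the message is one multipart parser flag; a
# non-zero value tells you which check failed.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:403, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"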
77 |
78 | # Did we see anything that might be a boundary?
79 | #
# An unmatched boundary is a classic multipart evasion (a part the parser
# does not see but the application does). No explicit status is given, so
# deny uses its default of 403.
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
82 |
83 | # PCRE Tuning
84 | # We want to avoid a potential RegEx DoS condition
85 | #
# NOTE(review): 1000/1000 is the historical ModSecurity default and is low
# for the CRS regex rules on long parameters. When a limit is hit the engine
# sets TX:MSC_PCRE_LIMITS_EXCEEDED and rule 200004 below then denies the
# request, so an undersized limit shows up as false-positive blocks rather
# than as missed detections. Watch for 200004 in the audit log and raise
# these values if it fires on legitimate traffic.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
# Failing closed here is deliberate: a request that exhausted the regex
# engine was not fully inspected.
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
96 |
97 |
98 | # -- Response body handling --------------------------------------------------
99 |
100 | # Allow ModSecurity to access response bodies.
101 | # You should have this directive enabled in order to identify errors
102 | # and data leakage issues.
103 | #
104 | # Do keep in mind that enabling this directive does increases both
105 | # memory consumption and response latency.
106 | #
# Needed for the RESPONSE-95x data-leakage rules (stack traces, SQL errors,
# source code in responses).
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
# NOTE(review): application/json and application/xml are not listed, so
# error bodies returned by JSON/XML APIs are not checked by the leakage
# rules — add them if the testbed targets such APIs.
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
# Consequence: a leak that sits past the first 512 KB of a response is not
# detected.
SecResponseBodyLimitAction ProcessPartial
123 |
124 |
125 | # -- Filesystem configuration ------------------------------------------------
126 |
127 | # The location where ModSecurity stores temporary files (for example, when
128 | # it needs to handle a file upload that is larger than the configured limit).
129 | #
130 | # This default setting is chosen due to all systems have /tmp available however,
131 | # this is less than ideal. It is recommended that you specify a location that's private.
132 | #
# NOTE(review): /tmp is shared with every local user. Spilled request bodies
# (including uploaded files) land here, so another local account can read
# them, and a world-writable directory invites symlink races. Point this at a
# directory owned by the web server user with mode 0700 before this
# configuration leaves the testbed.
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
# NOTE(review): the persistent collections live here — presumably including
# the ip.* collection that carries ip.reput_block_flag for the
# reputation-block rules — so a local user who can write to /tmp can clear
# or forge those blocks. Same fix as for SecTmpDir: private, 0700 directory.
SecDataDir /tmp/
140 |
141 |
142 | # -- File uploads handling configuration -------------------------------------
143 |
144 | # The location where ModSecurity stores intercepted uploaded files. This
145 | # location must be private to ModSecurity. You don't want other users on
146 | # the server to access the files, do you?
147 | #
148 | #SecUploadDir /opt/modsecurity/var/upload/
149 |
150 | # By default, only keep the files that were determined to be unusual
151 | # in some way (by an external inspection script). For this to work you
152 | # will also need at least one file inspection rule.
153 | #
154 | #SecUploadKeepFiles RelevantOnly
155 |
156 | # Uploaded files are by default created with permissions that do not allow
157 | # any other user to access them. You may need to relax that if you want to
158 | # interface ModSecurity to an external program (e.g., an anti-virus).
159 | #
160 | #SecUploadFileMode 0600
161 |
162 |
163 | # -- Debug log configuration -------------------------------------------------
164 |
165 | # The default debug log configuration is to duplicate the error, warning
166 | # and notice messages from the error log.
167 | #
168 | #SecDebugLog /opt/modsecurity/var/log/debug.log
169 | #SecDebugLogLevel 3
170 |
171 |
172 | # -- Audit log configuration -------------------------------------------------
173 |
174 | # Log the transactions that are marked by a rule, as well as those that
175 | # trigger a server error (determined by a 5xx or 4xx, excluding 404,
176 | # level response status codes).
177 | #
# RelevantOnly: log transactions a rule marked as relevant plus those whose
# response status matches the pattern below (5xx and 4xx except 404).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
#
# NOTE(review): parts I (request body without file contents) and E (response
# body) are included, so the audit log will contain submitted passwords,
# tokens and any PII echoed in responses. Treat the log file as sensitive
# (restrictive permissions, retention, no shipping to shared log stores
# without scrubbing). Part K (the list of matched rules) is not included.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
# Serial writes every entry into the one file below; under load this
# serialises on a lock, and the file needs the same protection as above.
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
189 |
190 | # Specify the path for concurrent audit logging.
191 | #SecAuditLogStorageDir /opt/modsecurity/var/audit/
192 |
193 |
194 | # -- Miscellaneous -----------------------------------------------------------
195 |
196 | # Use the most commonly used application/x-www-form-urlencoded parameter
197 | # separator. There's probably only one application somewhere that uses
198 | # something else so don't expect to change this value.
199 | #
# Must match what the application's framework uses to split the query
# string; a mismatch means the WAF and the application parse different
# parameters (a classic evasion).
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
207 |
208 | # Specify your Unicode Code Point.
209 | # This mapping is used by the t:urlDecodeUni transformation function
210 | # to properly map encoded data to your language. Properly setting
211 | # these directives helps to reduce false positives and negatives.
212 | #
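# 20127 is the US-ASCII code page; pick the page matching the application's
# character set so t:urlDecodeUni maps %uXXXX sequences the way the
# application does.
SecUnicodeMapFile /etc/modsecurity/unicode.mapping 20127

# Pull in any additional configuration (CRS setup, exclusions) from
# /etc/modsecurity.
# NOTE(review): if this template itself is rendered into /etc/modsecurity/
# as a *.conf file, this glob includes the file recursively and Apache
# typically refuses to start once its include nesting limit is reached —
# confirm the destination path in the recipe.
IncludeOptional "/etc/modsecurity/*.conf"

# Testbed policy for the CRS protocol/method enforcement rules, which read
# tx.allowed_methods and tx.allowed_http_versions. This SecAction runs
# unconditionally in phase 1, so its values take precedence over the CRS
# defaults (which, presumably, are only applied when the variable is still
# unset) regardless of include order.
# - The trailing comma after the last action has been dropped: ModSecurity
#   2.x tolerates the empty action it produced, but it is not valid action
#   syntax and other parsers may reject the whole directive.
# - HTTP/0.9 and OPTIONS are permitted here for the testbed; tighten for
#   production.
# - Rule ids 1-99,999 are the range reserved for local rules. This id is far
#   outside it and exceeds what integer-based id matching (ruleRemoveById
#   ranges) can address reliably; it is kept unchanged so any existing
#   reference keeps working — TODO: renumber into the local range.
SecAction "phase:1,t:none,nolog,pass,\
id:23423423423,\
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"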
219 |
--------------------------------------------------------------------------------
/templates/default/php-errors.data.erb:
--------------------------------------------------------------------------------
1 | Warning:
2 | No row with the given identifier
3 | open_basedir restriction in effect
4 | eval()'d code on line
5 | Cannot execute a blank command in
6 | Fatal error: preg_replace
7 | thrown in
8 | #0 {main}
9 | Stack trace:
10 | on line
11 | () cannot be called statically
12 | - not a Class::Method
13 | ::__toString() must not throw an exception
14 | Access to undeclared static property:
15 | An iterator cannot be used with foreach by reference
16 | Array callback has to contain indices 0 and 1
17 | Arrived at end of main loop which shouldn't happen
18 | Attempt to destruct pending exception
19 | Attempt to unset static property
20 | Balloc() allocation exceeds list boundary
21 | Balloc() failed to allocate memory
22 | Base lambda function for closure not found
23 | Call to a member function
24 | Call to private
25 | Call to protected
26 | Call to undefined function
27 | Call to undefined method
28 | Can only throw objects
29 | Cannot access empty property
30 | Cannot access parent:: when current class scope has no parent
31 | Cannot access parent:: when no class scope is active
32 | Cannot access property started with '\\0'
33 | Cannot access self:: when no class scope is active
34 | Cannot access static:: when no class scope is active
35 | Cannot access undefined property for object with overloaded property access
36 | Cannot assign by reference to overloaded object
37 | Cannot break/continue %d level%s
38 | Cannot call abstract method
39 | Cannot call constructor
40 | Cannot call forward_static_call() when no class scope is active
41 | Cannot call non static method
42 | Cannot call overloaded function for non-object
43 | Cannot call private
44 | Cannot create references to/from string offsets
45 | Cannot create references to/from string offsets nor overloaded objects
46 | Cannot declare self-referencing constant
47 | Cannot destroy active lambda function
48 | Cannot get arguments for
49 | Cannot increment/decrement overloaded objects nor string offsets
50 | Cannot instantiate abstract class
51 | Cannot instantiate interface
52 | Cannot instantiate trait
53 | Cannot override final
54 | Cannot pass parameter
55 | Cannot redeclare
56 | Cannot redeclare class
57 | Cannot register a reverse output handler conflict outside of MINIT
58 | Cannot register an output handler alias outside of MINIT
59 | Cannot register an output handler conflict outside of MINIT
60 | Cannot resume an already running generator
61 | Cannot return string offsets by reference
62 | Cannot set non exception as previous exception
63 | Cannot unset string offsets
64 | Cannot use [] for reading
65 | Cannot use assign-op operators with overloaded objects nor string offsets
66 | Cannot use object as array
67 | Cannot use object of type
68 | Cannot use string offset as an array
69 | Cannot use string offset as an object
70 | Cannot yield from finally in a force-closed generator
71 | Cannot yield string offsets by reference
72 | Class entry requested for an object without PHP class
73 | Class name must be a valid object or a string
74 | Corrupted fcall_info provided to zend_call_function()
75 | DCOM has been disabled by your administrator [com.allow_dcom=0]
76 | DateFormat class not defined
77 | DateTimeInterface can't be implemented by user classes
78 | EXTREMELY fatal error: jmpbuf unrecoverable; terminating
79 | EXTREMELY fatal error: jmpbuf unrecoverable; terminating.
80 | EXTREMELY fatal error: longjmp returned control; terminating
81 | Encoding: '*' may only be first arraySize value in list
82 | Encoding: Attribute
83 | Encoding: Can't decode apache map, missing key
84 | Encoding: Can't decode apache map, missing value
85 | Encoding: Can't decode apache map, only Strings or Longs are allowd as keys
86 | Encoding: Cannot find encoding
87 | Encoding: Element
88 | Encoding: Error calling from_xml callback
89 | Encoding: Error calling to_xml callback
90 | Encoding: External reference
91 | Encoding: Internal Error
92 | Encoding: Invalid timestamp
93 | Encoding: SoapVar has no 'enc_type' property
94 | Encoding: Unresolved reference
95 | Encoding: Violation of encoding rules
96 | Encoding: Violation of id and ref information items
97 | Encoding: object has no '
98 | Encoding: object has no 'any' property
99 | Encoding: string '
100 | Error installing signal handler for
101 | Exception thrown without a stack frame
102 | Exceptions must be valid objects derived from the Exception base class
103 | Failed to clone SpoofChecker object
104 | Failed to register IntlDateFormatter class
105 | Failed to register MessageFormatter class
106 | Failed to register NumberFormatter class
107 | Failed to register ResourceBundle class
108 | Field width %d is too long
109 | First array member is not a valid class name or object
110 | Function name must be a string
111 | Illegal length modifier specified
112 | Illegal offset type
113 | Input string is too long
114 | Invalid RelaxNG Validation Context
115 | Invalid Schema Validation Context
116 | Invalid opcode
117 | Invalid serialization data for DatePeriod object
118 | Invalid serialization data for DateTime object
119 | Invalid serialization data for DateTimeImmutable object
120 | Maximum execution time of
121 | Method name must be a string
122 | Need to supply an object when throwing an exception
123 | Nesting level too deep - recursive dependency?
124 | NumberFormatter class not defined
125 | Object does not support method calls
126 | Only variables can be passed by reference
127 | PDO: driver
128 | Parsing Schema: or expected in complexContent
129 | Parsing Schema: attribute
130 | Parsing Schema: attribute has both 'ref' and 'type' attributes
131 | Parsing Schema: attribute has both 'ref' attribute and subtype
132 | Parsing Schema: attribute has both 'type' attribute and subtype
133 | Parsing Schema: attribute has no 'name' nor 'ref' attributes
134 | Parsing Schema: attributeGroup
135 | Parsing Schema: attributeGroup has both 'ref' attribute and subattribute
136 | Parsing Schema: attributeGroup has no 'name' nor 'ref' attributes
137 | Parsing Schema: can't import schema from
138 | Parsing Schema: complexType has no 'name' attribute
139 | Parsing Schema: element has both 'default' and 'fixed' attributes
140 | Parsing Schema: element has both 'itemType' attribute and subtype
141 | Parsing Schema: element has both 'ref' and 'fixed' attributes
142 | Parsing Schema: element has both 'ref' and 'nillable' attributes
143 | Parsing Schema: element has both 'ref' and 'type' attributes
144 | Parsing Schema: element has both 'ref' attribute and subtype
145 | Parsing Schema: element has both 'type' attribute and subtype
146 | Parsing Schema: element has no 'name' nor 'ref' attributes
147 | Parsing Schema: expected or in simpleContent
148 | Parsing Schema: expected , or in simpleType
149 | Parsing Schema: extension has no 'base' attribute
150 | Parsing Schema: group has both 'ref' attribute and subcontent
151 | Parsing Schema: group has no 'name' nor 'ref' attributes
152 | Parsing Schema: include has no 'schemaLocation' attribute
153 | Parsing Schema: missing restriction value
154 | Parsing Schema: redefine has no 'schemaLocation' attribute
155 | Parsing Schema: restriction has no 'base' attribute
156 | Parsing Schema: simpleType has no 'name' attribute
157 | Parsing Schema: unexpected
158 | Parsing Schema: unresolved element 'ref' attribute
159 | Parsing Schema: unresolved group 'ref' attribute
160 | Parsing WSDL:
161 | Parsing WSDL: has no name attribute
162 | Parsing WSDL: with name
163 | Parsing WSDL: has no name attribute
164 | Parsing WSDL:
165 | Parsing WSDL: has no name attribute
166 | Parsing WSDL:
167 | Parsing WSDL: has no name attribute
168 | Parsing WSDL: Could not find any usable binding services in WSDL.
169 | Parsing WSDL: Couldn't bind to service
170 | Parsing WSDL: Couldn't find in
171 | Parsing WSDL: Couldn't load from
172 | Parsing WSDL: Missing 'name' attribute for
173 | Parsing WSDL: Missing 'name' attribute for
174 | Parsing WSDL: Missing 'type' attribute for
175 | Parsing WSDL: Missing with name
176 | Parsing WSDL: Missing with name
177 | Parsing WSDL: Missing / with name
178 | Parsing WSDL: Missing message attribute for
179 | Parsing WSDL: Missing name for of
180 | Parsing WSDL: Missing name for of
181 | Parsing WSDL: Missing name for