patterns/waf_patterns/apache/evaluation.conf

# Apache ModSecurity rules for EVALUATION
SecRuleEngine On

SecRule REQUEST_URI "@ge\ 1" "id:1148,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1150,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1343,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1345,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1152,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1151,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1149,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for EVALUATION`
			`SecRuleEngine On`

Update: [Thu Jan 16 13:07:47 UTC 2025] 2025-01-16 13:07:47 +00:00			`SecRule REQUEST_URI "@ge\ 1" "id:1148,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1150,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1343,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1345,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1152,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1151,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1149,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`