2024-12-21 00:35:03 +00:00
|
|
|
# Apache ModSecurity rules for RCE
|
|
|
|
|
SecRuleEngine On
|
|
|
|
|
|
|
|
|
|
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@pmFromFile windows-powershell-commands.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx !-d" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx ba[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@pmFromFile restricted-upload.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i).|(?:[sv]*|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)[-0-9_a-z]+(?:[sv]*[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx ;[sv]*.[sv]*[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sv&)<>|]|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:[sv&)<>|]|-update)|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:(?:f|ms)[sv&)<>|]|l(?:[sv&)5<>|]|sh))|opd|u(?:ppet[sv&)<>|]|shd)|y(?:thon[2-3]|3?versions))|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:(?:facl)?[sv&)<>|]|arch|env|sid)|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-22 00:28:28 +00:00
|
|
|
SecRule REQUEST_URI "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
2024-12-21 00:35:03 +00:00
|
|
|
SecRule REQUEST_URI "@rx !(?:d|!)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
|
|
|
|
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
