patterns/waf_patterns/apache/evaluation.conf

# Apache ModSecurity rules for EVALUATION
SecRuleEngine On

SecRule REQUEST_URI "@ge\ 1" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1281,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1287,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1291,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1286,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1171,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1290,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1167,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1280,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1284,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1289,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1285,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1296,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1294,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1295,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1279,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1283,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1288,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1282,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1292,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1170,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1169,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1168,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1293,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1297,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for EVALUATION`
			`SecRuleEngine On`

Update: [Tue Jan 21 00:25:04 UTC 2025] 2025-01-21 00:25:04 +00:00			`SecRule REQUEST_URI "@ge\ 1" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1281,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1287,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1291,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1286,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1171,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1290,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1167,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1280,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1284,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1289,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1285,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1296,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1294,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1295,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1279,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1283,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1288,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1282,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1292,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1170,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1169,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1168,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1293,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1297,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`