patterns/waf_patterns/apache/iis.conf

# Apache ModSecurity rules for IIS
SecRuleEngine On

SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for IIS`
			`SecRuleEngine On`

Update: [Fri Feb 7 00:25:52 UTC 2025] 2025-02-07 00:25:52 +00:00			`SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'"`
			`SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'"`
			`SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"`
			`SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\\|40e31\)'\.\{1,40\}\?Timeout\ expired\\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'"`