patterns/waf_patterns/apache/attack.conf

# Apache ModSecurity rules for ATTACK
SecRuleEngine On

SecRule REQUEST_URI "!@eq 0" "id:1115,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1116,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1117,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1118,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1119,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1442,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1443,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1444,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1445,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1446,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1447,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1448,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1449,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1450,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1451,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1452,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1453,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1454,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1455,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1456,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1457,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1458,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1459,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1460,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ." "id:1461,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1462,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1463,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1464,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1465,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1466,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [" "id:1467,phase:1,deny,status:403,log,msg:'attack attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for ATTACK`
			`SecRuleEngine On`

Update: [Sat Jan 4 00:25:48 UTC 2025] 2025-01-04 00:25:48 +00:00			`SecRule REQUEST_URI "!@eq 0" "id:1115,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "!@within \|%{tx.allowed_request_content_type_charset}\|" "id:1116,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx ^content-types:s(.*)$" "id:1117,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			SecRule REQUEST_URI "!@rx ^(?:(?:\|[^!-"(-),/:-?[-]{}]+)/(?:\|[^!-"(-),/:-?[-]{}]+)\|)(?:[sv];[sv](?:charset[sv]=[sv]"?(?:iso-8859-15?\|utf-8\|windows-1252)b"?\|(?:[^sv -"(-),/:-?[-]c{}]\|c(?:[^!-"(-),/:-?[-]h{}]\|h(?:[^!-"(-),/:-?[-]a{}]\|a(?:[^!-"(-),/:-?[-]r{}]\|r(?:[^!-"(-),/:-?[-]s{}]\|s(?:[^!-"(-),/:-?[-]e{}]\|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}][sv]=[sv][^!(-),/:-?[-]{}]+);?)(?:[sv],[sv](?:(?:\|[^!-"(-),/:-?[-]{}]+)/(?:\|[^!-"(-),/:-?[-]{}]+)\|)(?:[sv];[sv](?:charset[sv]=[sv]"?(?:iso-8859-15?\|utf-8\|windows-1252)b"?\|(?:[^sv -"(-),/:-?[-]c{}]\|c(?:[^!-"(-),/:-?[-]h{}]\|h(?:[^!-"(-),/:-?[-]a{}]\|a(?:[^!-"(-),/:-?[-]r{}]\|r(?:[^!-"(-),/:-?[-]s{}]\|s(?:[^!-"(-),/:-?[-]e{}]\|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}][sv]=[sv][^!(-),/:-?[-]{}]+);?))*$" "id:1118,phase:1,deny,status:403,log,msg:'attack attack detected'"
			`SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1119,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1442,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1443,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx (?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock)s+[^s]+s+http/d" "id:1444,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [rn]W?(?:content-(?:type\|length)\|set-cookie\|location):sw" "id:1445,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx (?:bhttp/d\|<(?:html\|meta)b)" "id:1446,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [nr]" "id:1447,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [nr]" "id:1448,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [nr]+(?:s\|location\|refresh\|(?:set-)?cookie\|(?:x-)?(?:forwarded-(?:for\|host\|server)\|host\|via\|remote-ip\|remote-addr\|originating-IP))s*:" "id:1449,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [nr]" "id:1450,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx ^[^:()&\|!<>~])s(?:((?:[^,()=&\|!<>~]+[><~]?=\|s[&!\|]s(?:)\|()?s)\|)s(s[&\|!]s\|[&!\|]s([^()=&\|!<>~]+[><~]?=[^:()&\|!<>~])" "id:1451,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json\|(?:application/(?:soap+)?\|text/)xml)" "id:1452,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx unix:[^\|]*\|" "id:1453,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1454,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1455,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [nr]" "id:1456,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex\|multipar)t\|application)\|((?:audi\|vide)o\|image\|cs[sv]\|(?:vn\|relate)d\|p(?:df\|lain)\|json\|(?:soa\|cs)p\|x(?:ml\|-www-form-urlencoded)\|form-data\|x-amf\|(?:octe\|repor)t\|stream)\|([+/]))b" "id:1457,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1458,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1459,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@gt 0" "id:1460,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx ." "id:1461,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@gt 1" "id:1462,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1463,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx (][^]]+$\|][^]]+[)" "id:1464,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1465,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1466,phase:1,deny,status:403,log,msg:'attack attack detected'"`
			`SecRule REQUEST_URI "@rx [" "id:1467,phase:1,deny,status:403,log,msg:'attack attack detected'"`