patterns/waf_patterns/apache/evaluation.conf

# Apache ModSecurity rules for EVALUATION
SecRuleEngine On

SecRule REQUEST_URI "@ge 1" "id:1052,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1053,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1054,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1055,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1056,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1057,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1058,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1059,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1060,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1061,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1062,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1063,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1064,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1065,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1066,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1067,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1068,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1069,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1070,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1071,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1072,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1073,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1074,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1075,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1076,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1077,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1078,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1582,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1583,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1584,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1585,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1586,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1587,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1588,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1589,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1590,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1591,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1592,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1593,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1594,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1595,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1596,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1597,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1598,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1599,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1600,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1601,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1602,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1603,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1604,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1605,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1606,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1607,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1608,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for EVALUATION`
			`SecRuleEngine On`

Update: [Sat Jan 4 00:25:48 UTC 2025] 2025-01-04 00:25:48 +00:00			`SecRule REQUEST_URI "@ge 1" "id:1052,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1053,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1054,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1055,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1056,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1057,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1058,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1059,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1060,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1061,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1062,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1063,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1064,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1065,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1066,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1067,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1068,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq 1" "id:1069,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1070,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1071,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1072,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1073,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1074,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1075,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1076,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1077,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1078,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1582,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1583,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1584,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1585,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1586,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1587,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1588,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1589,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1590,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 1" "id:1591,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1592,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 2" "id:1593,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1594,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 3" "id:1595,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1596,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge 4" "id:1597,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1598,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq 1" "id:1599,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1600,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1601,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1602,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1603,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1604,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1605,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1606,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1607,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1608,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`