patterns/waf_patterns/caddy/rce.conf

@block_rce {
    path_regexp rce "(?i)(@lt 1|@lt 1|@rx (?i)(?:b[|@rx (?i)(?:b[|@pmFromFile windows-powershell-commands.data|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]|@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))|@rx ~(?:[+-](?:$|[sx0b0-9]+)|[0-9]+)|@rx (?i)(?:^|b[|@rx (?i)(?:^|b[|@rx !-d|@pmFromFile unix-shell.data|@rx ^(s*)s+{|@rx ^(s*)s+{|@rx ba[|@pmFromFile restricted-upload.data|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b|@lt 2|@lt 2|@rx (?:b[|@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]|@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]|@rx /|@rx s|@rx ^[^#]+|@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]))|@rx /|@rx s|@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])|@rx /|@rx s|@rx (?i).|(?:[sx0b]*|b[|@rx (?i)[-0-9_a-z]+(?:[sx0b]*[|!@rx [0-9]s*'s*[0-9]|@rx ;[sx0b]*.[sx0b]*[|@rx rn.*?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [-.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} (?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}=|[+/-9A-Z_a-zx17fx212a]{3}))?=|STARTTLSb|NOOPb(?: .{1,255})?)|@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[|@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))|@rx (?i)(?:^|b[|@rx (?i)(?:^|b[|@pmFromFile unix-shell.data|@lt 3|@lt 3|@rx (?:b[|@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sx0b&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[sx0b&)<>|]|pt(?:(?:itude)?[sx0b&)<>|]|-get)|r(?:[sx0b&)<>j|]|(?:p|ch)[sx0b&)<>|]|ia2c)|s(?:h?[sx0b&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sx0b&)<>|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[sx0b&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&)<>|]|c))|h[sx0b&)<>|])|tch[sx0b&)<>|])|lkid|pftrace|r(?:eaksw|idge[sx0b&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[sx0b&)<>|]|mp|p(?:[sx0b&)<>|]|io|ulimit)|s(?:h|cli[sx0b&)<>|]|plit|vtool)|u(?:t[sx0b&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sx0b&)<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&)-<>|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sx0b&)<>|]|++)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&)<>|]|w(?:say|think))|r(?:ash[sx0b&)<>|]|on(?:[sx0b&)<>|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sx0b&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sx0b&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sx0b&)<>|]|n(?:v(?:[sx0b&)<>|]|-update)|d(?:if|sw))|qn|s(?:[sx0b&)<>h|]|ac)|x(?:(?:ec)?[sx0b&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sx0b&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sx0b&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sx0b&)<>|]|le(?:[sx0b&)<>|]|test))|mt|tp(?:[sx0b&)<>|]|stats|who)|acter|o(?:ld[sx0b&)<>|]|reach)|ping)|g(?:c(?:c[^sx0b]|ore)|db|e(?:(?:m|tfacl)[sx0b&)<>|]|ni(?:e[sx0b&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sx0b&)<>|]|nsh)|(?:o|awk)[sx0b&)<>|]|pg|r(?:c|ep[sx0b&)<>|]|oup(?:[sx0b&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&)<>|]|e(?:ad[sx0b&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sx0b&)<>|]|onice|spell)|j(?:js|q|ava[sx0b&)<>|]|exec|o(?:(?:bs|in)[sx0b&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sx0b&)<>|]|all)|nife[sx0b&)<>|])|l(?:d(?:d?[sx0b&)<>|]|config)|(?:[np]|ynx)[sx0b&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sx0b&)<>|]|(?:la)?tex)|z(?:[sx0b&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sx0b&)<>|]|co
}
respond @block_rce 403
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00			`@block_rce {`
			path_regexp rce "(?i)(@lt 1\|@lt 1\|@rx (?i)(?:b[\|@rx (?i)(?:b[\|@pmFromFile windows-powershell-commands.data\|@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b][sx0b\|@rx $(?:((?:.\|(.)))\|{.}\|[.])\|[<>](.)\|/[0-9A-Z_a-z][!?.+]\|@rx b(?:for(?:/[dflr].)? %+[^ ]+ in(.)[sx0b]?do\|if(?:/i)?(?: not)?(?: (?:e(?:xist\|rrorlevel)\|defined\|cmdextversion)b\|[ (].(?:b(?:g(?:eq\|tr)\|equ\|neq\|l(?:eq\|ss))b\|==)))\|@rx ~(?:[+-](?:$\|[sx0b0-9]+)\|[0-9]+)\|@rx (?i)(?:^\|b[\|@rx (?i)(?:^\|b[\|@rx !-d\|@pmFromFile unix-shell.data\|@rx ^(s)s+{\|@rx ^(s)s+{\|@rx ba[\|@pmFromFile restricted-upload.data\|@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b][sx0b\|@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b][sx0b\|@lt 2\|@lt 2\|@rx (?:b[\|@rx $(?:((?:.\|(.)))\|{.}\|[.])\|[<>](.)\|/[0-9A-Z_a-z][!?.+]\|@rx ['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(-0-9?-[_a-{]\|@rx /\|@rx s\|@rx ^[^#]+\|@rx ^[^.]+.[^;?]+[;?](.(['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(-0-9?-[_a-{]))\|@rx /\|@rx s\|@rx ^[^.]?(?:['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(-0-9?-[_a-{])\|@rx /\|@rx s\|@rx (?i).\|(?:[sx0b]\|b[\|@rx (?i)[-0-9_a-z]+(?:[sx0b][\|!@rx [0-9]s's[0-9]\|@rx ;[sx0b].[sx0b][\|@rx rn.?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}\|XPN .{1,64})\|HELO [-.A-Za-zx17fx212a]{1,255}\|MAIL FROM:<.{1,64}@.{1,255}>\|R(?:CPT TO:(?:<.{1,64}@.{1,255}>\| )?<.{1,64}>\|SETb)\|VRFY .{1,64}(?: <.{1,64}@.{1,255}>\|@.{1,255})\|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} (?:(?:[+/-9A-Z_a-zx17fx212a]{4})(?:[+/-9A-Z_a-zx17fx212a]{2}=\|[+/-9A-Z_a-zx17fx212a]{3}))?=\|STARTTLSb\|NOOPb(?: .{1,255})?)\|@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\|@rx (?is)rn.?b(?:(?:LIST\|TOP [0-9]+)(?: [0-9]+)?\|U(?:SER .+?\|IDL(?: [0-9]+)?)\|PASS .+?\|(?:RETR\|DELE) [0-9]+?\|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}\|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=\|[+/-9A-Z_a-z]{3}))?=))\|@rx (?i)(?:^\|b[\|@rx (?i)(?:^\|b[\|@pmFromFile unix-shell.data\|@lt 3\|@lt 3\|@rx (?:b[\|@rx (?i)b(?:7z[arx]?\|(?:(?:GE\|POS)T\|HEAD)[sx0b&)<>\|]\|a(?:(?:b\|w[ks]\|l(?:ias\|pine)\|xel)[sx0b&)<>\|]\|pt(?:(?:itude)?[sx0b&)<>\|]\|-get)\|r(?:[sx0b&)<>j\|]\|(?:p\|ch)[sx0b&)<>\|]\|ia2c)\|s(?:h?[sx0b&)<>\|]\|cii(?:-xfr\|85)\|pell)\|t(?:[sx0b&)<>\|]\|obm)\|dd(?:group\|user)\|getty\|nsible)\|b(?:z(?:z[sx0b&)<>\|]\|c(?:at\|mp)\|diff\|e(?:grep\|xe)\|f?grep\|ip2(?:recover)?\|less\|more)\|a(?:s(?:e(?:32\|64\|n(?:ame[sx0b&)<>\|]\|c))\|h[sx0b&)<>\|])\|tch[sx0b&)<>\|])\|lkid\|pftrace\|r(?:eaksw\|idge[sx0b&)<>\|])\|sd(?:cat\|iff\|tar)\|u(?:iltin\|n(?:dler[sx0b&)<>\|]\|zip2)\|s(?:ctl\|ybox))\|y(?:ebug\|obu))\|c(?:[89]9\|(?:a(?:t\|ncel\|psh)\|c)[sx0b&)<>\|]\|mp\|p(?:[sx0b&)<>\|]\|io\|ulimit)\|s(?:h\|cli[sx0b&)<>\|]\|plit\|vtool)\|u(?:t[sx0b&)<>\|]\|psfilter)\|ertbot\|h(?:attr\|(?:dir\|root)[sx0b&)<>\|]\|e(?:ck_(?:by_ssh\|cups\|log\|memory\|raid\|s(?:sl_cert\|tatusfile))\|f[sx0b&)-<>\|])\|(?:flag\|pas)s\|g(?:passwd\|rp)\|mod\|o(?:om\|wn)\|sh)\|lang(?:[sx0b&)<>\|]\|++)\|o(?:(?:b\|pro)c\|(?:lumn\|m(?:m(?:and)?\|p(?:oser\|ress)))[sx0b&)<>\|]\|w(?:say\|think))\|r(?:ash[sx0b&)<>\|]\|on(?:[sx0b&)<>\|]\|tab)))\|d(?:(?:[du]\|i(?:(?:alo)?g\|r\|ff)\|a(?:sh\|te))[sx0b&)<>\|]\|n?f\|hclient\|m(?:esg\|idecode\|setup)\|o(?:as\|(?:cker\|ne)[sx0b&)<>\|]\|sbox)\|pkg\|vips)\|e(?:(?:[bd]\|cho)[sx0b&)<>\|]\|n(?:v(?:[sx0b&)<>\|]\|-update)\|d(?:if\|sw))\|qn\|s(?:[sx0b&)<>h\|]\|ac)\|x(?:(?:ec)?[sx0b&)<>\|]\|iftool\|p(?:(?:and\|(?:ec\|or)t)[sx0b&)<>\|]\|r))\|2fsck\|(?:asy_instal\|va)l\|fax\|grep\|macs)\|f(?:(?:c\|etch\|lock\|unction)[sx0b&)<>\|]\|d\|g(?:rep)?\|i(?:(?:n(?:d\|ger)\|sh)?[sx0b&)<>\|]\|le(?:[sx0b&)<>\|]\|test))\|mt\|tp(?:[sx0b&)<>\|]\|stats\|who)\|acter\|o(?:ld[sx0b&)<>\|]\|reach)\|ping)\|g(?:c(?:c[^sx0b]\|ore)\|db\|e(?:(?:m\|tfacl)[sx0b&)<>\|]\|ni(?:e[sx0b&)<>\|]\|soimage))\|hci?\|i(?:(?:t\|mp)[sx0b&)<>\|]\|nsh)\|(?:o\|awk)[sx0b&)<>\|]\|pg\|r(?:c\|ep[sx0b&)<>\|]\|oup(?:[sx0b&)<>\|]\|mod))\|tester\|unzip\|z(?:cat\|exe\|ip))\|h(?:(?:d\|up\|ash\|i(?:ghlight\|story))[sx0b&)<>\|]\|e(?:ad[sx0b&)<>\|]\|xdump)\|ost(?:id\|name)\|ping3\|t(?:digest\|op\|passwd))\|i(?:d\|p(?:6?tables\|config)?\|rb\|conv\|f(?:config\|top)\|nstall[sx0b&)<>\|]\|onice\|spell)\|j(?:js\|q\|ava[sx0b&)<>\|]\|exec\|o(?:(?:bs\|in)[sx0b&)<>\|]\|urnalctl)\|runscript)\|k(?:s(?:h\|shell)\|ill(?:[sx0b&)<>\|]\|all)\|nife[sx0b&)<>\|])\|l(?:d(?:d?[sx0b&)<>\|]\|config)\|(?:[np]\|ynx)[sx0b&)<>\|]\|s(?:-F\|b_release\|cpu\|hw\|mod\|of\|pci\|usb)?\|ua(?:[sx0b&)<>\|]\|(?:la)?tex)\|z(?:[sx0b&)4<>\|]\|4c(?:at)?\|c(?:at\|mp)\|diff\|[ef]?grep\|less\|m(?:a(?:dec\|info)?\|ore))\|a(?:st(?:[sx0b&)<>\|]\|co
			`}`
			`respond @block_rce 403`