patterns/waf_patterns/apache/evaluation.conf

# Apache ModSecurity rules for EVALUATION
SecRuleEngine On

SecRule REQUEST_URI "@ge\ 2" "id:1281,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1317,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1288,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1271,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1322,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1321,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1275,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1276,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1280,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1285,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1316,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1270,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1320,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1274,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1279,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1319,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1273,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1284,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1283,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1286,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1287,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1278,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1318,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1323,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1272,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1277,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1282,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for EVALUATION`
			`SecRuleEngine On`

Update: [Tue Jan 28 00:25:35 UTC 2025] 2025-01-28 00:25:35 +00:00			`SecRule REQUEST_URI "@ge\ 2" "id:1281,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1317,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1288,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1271,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1322,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1321,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1275,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1276,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1280,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1285,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1316,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1270,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1320,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1274,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1279,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1319,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1273,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1284,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1283,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1286,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@eq\ 1" "id:1287,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 1" "id:1278,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1318,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1323,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 2" "id:1272,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 4" "id:1277,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`
			`SecRule REQUEST_URI "@ge\ 3" "id:1282,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`