External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Sun Dec 22 00:28:28 UTC 2024]

Browse Source
This commit is contained in:
github-actions[bot]
2024-12-22 00:28:28 +00:00
parent b05a7d87c2
commit 1e4bb70b5d
50 changed files with 428 additions and 577 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
waf_patterns/apache/attack.conf
View File

@@ -11,17 +11,18 @@ SecRule REQUEST_URI "@rx [nr]" "id:1000,phase:1,deny,status:403,log,msg:'attack
SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ." "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
@@ -29,6 +30,5 @@ SecRule REQUEST_URI "@rx [" "id:1000,phase:1,deny,status:403,log,msg:'attack att
SecRule REQUEST_URI "!@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [^x21-x7E][x21-x39x3B-x7E]*:" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"