Update: [Tue Jan 7 18:00:52 UTC 2025]

github-actions[bot]
2025-01-07 18:00:52 +00:00
parent 565b0c59a6
commit 4c0631f8ff
41 changed files with 3230 additions and 6327 deletions


@@ -1,34 +1,20 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On
SecRule REQUEST_URI "!@eq 0" "id:1024,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1025,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1026,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1027,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1249,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1250,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1251,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1252,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1253,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1254,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1255,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1256,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1257,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1258,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1259,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1260,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1261,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1262,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1263,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1264,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1265,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1266,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1267,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ." "id:1268,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1269,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1270,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1271,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1272,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1273,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [" "id:1274,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1180,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1183,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1142,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1177,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1182,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1176,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1184,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1179,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1181,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1185,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1143,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1186,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1187,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1178,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1188,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1189,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1190,phase:1,deny,status:403,log,msg:'attack attack detected'"
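Review bot: Rule 1188 (`"\."`) denies with 403 any request whose URI contains a literal dot, which at phase 1 would reject almost every static asset and many ordinary paths. The added patterns (ids 1142, 1143 and 1176–1190) look as if they went through a regex-escaping step: with no operator they fall back to `@rx`, so `"\[nr\]"` matches only the literal text `[nr]`, and `"@gt\ 0"` in 1187 and 1189 is no longer a plain `@gt` comparison (which would not be meaningful against REQUEST_URI in any case). Several patterns name headers (content-type, content-transfer-encoding) yet are tested against REQUEST_URI, and every rule logs the same `msg`, so a block cannot be traced to its cause. I would drop 1187–1189, write the regexes unescaped with an explicit operator and a distinct message, e.g. `SecRule REQUEST_URI "@rx [\r\n]" "id:1180,phase:1,deny,status:403,log,msg:'CR or LF in request URI'"` if CR/LF was the intent, and run the set under `SecRuleEngine DetectionOnly` before enforcing it. The hunk header counts one more line than is visible here, so the file may continue past the last rule shown.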