External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Tue Jan 7 18:00:52 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-07 18:00:52 +00:00
parent 565b0c59a6
commit 4c0631f8ff
41 changed files with 3230 additions and 6327 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
waf_patterns/apache/java.conf
View File

@@ -1,37 +1,18 @@
# Apache ModSecurity rules for JAVA
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1001,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx java.lang.(?:runtime|processbuilder)" "id:1002,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1003,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:unmarshaller|base64data|java.)" "id:1004,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1005,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1006,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-classes.data" "id:1007,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx .*.(?:jsp|jspx).*$" "id:1008,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1009,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1010,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1011,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1012,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx xacxedx00x05" "id:1013,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" "id:1014,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1015,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx javab.+(?:runtime|processbuilder)" "id:1016,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" "id:1017,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1018,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1019,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" "id:1020,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1021,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1022,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)" "id:1023,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1185,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1186,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-code-leakages.data" "id:1187,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-errors.data" "id:1188,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1189,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1190,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "xacxedx00x05" "id:1199,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1201,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1205,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1200,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1197,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1198,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1203,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1204,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1202,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1195,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1196,phase:1,deny,status:403,log,msg:'java attack detected'"