External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Fri Jan 31 00:25:27 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-31 00:25:27 +00:00
parent c0a6dd804a
commit 4f409f223d
24 changed files with 2747 additions and 2747 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
waf_patterns/apache/attack.conf
View File

@@ -1,20 +1,20 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1046,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1251,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1248,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1246,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1250,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1254,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1258,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1259,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1255,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1253,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1247,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1252,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1047,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1256,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1249,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1245,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1257,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1049,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1045,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1046,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1055,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1044,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1048,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1053,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1051,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1054,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1050,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1056,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1043,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1052,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1047,phase:1,deny,status:403,log,msg:'attack attack detected'"