Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024]

waf_patterns/nginx/iis.conf

@@ -0,0 +1,64 @@
+# Nginx WAF rules for IIS
+location / {
+    set $attack_detected 0;
+
+    if ($request_uri ~* "@pm gzip compress deflate br zstd") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 1") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 1") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@rx [a-z]:x5cinetpubb") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@pmFromFile iis-errors.data") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "!@rx ^404$") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@rx bServer Error in.{0,50}?bApplicationb") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 2") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 2") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 3") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 3") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 4") {
+        set $attack_detected 1;
+    }
+
+    if ($request_uri ~* "@lt 4") {
+        set $attack_detected 1;
+    }
+
+    if ($attack_detected = 1) {
+        return 403;
+    }
+}