External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Fri Feb 28 10:03:59 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot] 2025-02-28 10:03:59 +00:00
parent b0a1204ea7
commit c2306aca23
5 changed files with 2001 additions and 2005 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2348
owasp_rules.json
View File

File diff suppressed because it is too large Load Diff

30
waf_patterns/haproxy/waf.acl
View File

@ -1,29 +1,25 @@
# HAProxy WAF ACL rules
# Rules for User-Agent
acl block_php_no_id hdr_reg(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml\$|\$)|<?php|[(/|x5c)?php])
acl block_exceptions_no_id hdr_sub(User-Agent) -i str -m str GET /
acl block_initialization_no_id hdr_reg(User-Agent) -i ^\.*\$
acl block_lfi_no_id hdr_reg(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|\$))
acl block_rfi_no_id hdr_reg(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
acl block_leakages_no_id hdr_reg(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
acl block_generic_no_id hdr_reg(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
acl block_attack_no_id hdr_sub(User-Agent) -i str -m !str 0
acl block_sql_no_id hdr_reg(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
acl block_xss_no_id hdr_sub(User-Agent) -i @detectXSS
acl block_enforcement_no_id hdr_sub(User-Agent) -i str -m !reg %{tx.allowed_methods}
acl block_sqli_no_id hdr_reg(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?))
acl block_fixation_no_id hdr_reg(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb)
acl block_java_no_id hdr_reg(User-Agent) -i java.lang\.(runtime|processbuilder)
acl block_attack_no_id hdr_sub(User-Agent) -i str -m !str 0
acl block_rfi_no_id hdr_reg(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
acl block_exceptions_no_id hdr_sub(User-Agent) -i str -m str GET /
acl block_lfi_no_id hdr_reg(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|\$))
acl block_generic_no_id hdr_reg(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
acl block_xss_no_id hdr_reg(User-Agent) -i <script[^>]*>[sS]*?
acl block_php_no_id hdr_reg(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml\$|\$)|<?php|[(/|x5c)?php])
acl block_rce_no_id hdr_reg(User-Agent) -i \$(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+]
acl block_sqli_no_id hdr_reg(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?))
acl block_java_no_id hdr_reg(User-Agent) -i java.lang\.(runtime|processbuilder)
acl block_sql_no_id hdr_reg(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
acl block_leakages_no_id hdr_reg(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
acl block_shells_no_id hdr_reg(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
acl block_iis_no_id hdr_reg(User-Agent) -i [a-z]:x5cinetpubb
# High Severity Rules (Deny)
# Medium Severity Rules (Log)
http-request log if block_php_no_id or block_exceptions_no_id or block_initialization_no_id or block_lfi_no_id or block_rfi_no_id or block_leakages_no_id or block_generic_no_id or block_attack_no_id or block_sql_no_id or block_xss_no_id or block_enforcement_no_id or block_sqli_no_id or block_fixation_no_id or block_java_no_id or block_rce_no_id or block_shells_no_id or block_iis_no_id
# Low Severity Rules (Tarpit)
# Deny Actions
http-request log if block_initialization_no_id or block_enforcement_no_id or block_fixation_no_id or block_attack_no_id or block_rfi_no_id or block_exceptions_no_id or block_lfi_no_id or block_generic_no_id or block_xss_no_id or block_php_no_id or block_rce_no_id or block_sqli_no_id or block_java_no_id or block_sql_no_id or block_leakages_no_id or block_shells_no_id or block_iis_no_id

548
waf_patterns/nginx/waf_maps.conf
View File

File diff suppressed because one or more lines are too long

134
waf_patterns/nginx/waf_rules.conf
View File

@ -3,97 +3,97 @@
# Include this file inside server block
# WAF rules
if ($waf_block_php) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_exceptions) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_initialization) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_lfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_evaluation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_leakages) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_generic) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_sql) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_xss) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_sqli) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_fixation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_exceptions) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_lfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_enforcement) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_generic) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_xss) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_php) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_evaluation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rce) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_sqli) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_java) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rce) {
if ($waf_block_sql) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_leakages) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;

946
waf_patterns/traefik/middleware.toml
View File

File diff suppressed because one or more lines are too long