Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024]

waf_patterns/apache/iis.conf

@@ -0,0 +1,17 @@
+# Apache ModSecurity rules for IIS
+SecRuleEngine On
+
+SecRule REQUEST_URI "@pm gzip compress deflate br zstd" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@rx [a-z]:x5cinetpubb" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@pmFromFile iis-errors.data" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "!@rx ^404$" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@rx bServer Error in.{0,50}?bApplicationb" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'iis attack detected'"