Update: [Fri Feb 7 00:25:52 UTC 2025]

2025-12-29 16:15:12 +00:00 · 2025-02-07 00:25:52 +00:00
parent 1cebb95fc3
commit cf21042b9c
28 changed files with 2897 additions and 2885 deletions
--- a/waf_patterns/apache/enforcement.conf
+++ b/waf_patterns/apache/enforcement.conf
@@ -1,82 +1,82 @@
 # Apache ModSecurity rules for ENFORCEMENT
 SecRuleEngine On

-SecRule REQUEST_URI "\^\$" "id:1044,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\['";=\]" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\.\*\$" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@streq\ JSON" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1051,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1052,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "x25" "id:1033,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\$" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1035,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1027,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1050,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@streq\ POST" "id:1026,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1042,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1041,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 50" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUtf8Encoding" "id:1036,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 1" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1022,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\$" "id:1048,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "charset\.\*\?charset" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\.\*\$" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1037,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1043,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 0" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1038,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1024,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1023,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1049,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1029,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1030,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1047,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "x25" "id:1031,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@contains\ \#" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1040,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1028,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUrlEncoding" "id:1032,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1046,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1039,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUrlEncoding" "id:1034,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1025,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1045,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1202,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@streq\ POST" "id:1190,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1229,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUtf8Encoding" "id:1200,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1235,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1260,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1186,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1208,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@contains\ \#" "id:1239,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\.\*\$" "id:1251,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUrlEncoding" "id:1196,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1201,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1228,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@streq\ JSON" "id:1237,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1199,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1250,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1226,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUrlEncoding" "id:1198,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1261,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1206,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1188,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1233,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1224,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1264,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1205,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1215,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1222,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\$" "id:1249,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1262,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1214,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1217,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1243,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1213,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\.\*\$" "id:1234,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 0" "id:1258,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 50" "id:1236,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1219,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1218,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1211,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1221,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1254,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1231,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1255,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\$" "id:1212,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1204,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1263,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1247,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1253,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1192,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1244,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1223,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1207,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1246,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1210,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1256,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1245,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1259,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1227,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 1" "id:1240,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "charset\.\*\?charset" "id:1230,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1225,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1203,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1241,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1232,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\['";=\]" "id:1248,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1187,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1216,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "x25" "id:1195,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1238,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1252,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1220,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1193,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1257,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1189,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1194,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1209,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "x25" "id:1197,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1242,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1191,phase:1,deny,status:403,log,msg:'enforcement attack detected'"