mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 09:45:34 +00:00
19 lines
3.2 KiB
Plaintext
19 lines
3.2 KiB
Plaintext
# Apache ModSecurity rules for JAVA
|
|
SecRuleEngine On
|
|
|
|
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1100,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1098,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1105,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1107,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1099,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1110,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1111,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "xacxedx00x05" "id:1106,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1102,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1103,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1101,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1108,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1104,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1109,phase:1,deny,status:403,log,msg:'java attack detected'"
|
|
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1112,phase:1,deny,status:403,log,msg:'java attack detected'"
|