44 This file is used to add LOCAL exceptions for your site. Often in this file
55 we would see rules that short-circuit inspection and allow certain
66 transactions to skip through inspection.
7-
8- `Example: SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "phase:1,id:'981033',t:none,nolog,pass,ctl:ruleEngine=Off"`
9- REQUEST-901-INITIALIZATION.conf : TODO
7+ REQUEST-901-INITIALIZATION.conf : >
8+ This file initializes the Core Rules and performs preparatory actions.
9+ It also fixes errors and omissions of variable definitions in the
10+ crs-setup.conf file. The crs-setup.conf can and should be edited by
11+ the user, but this file is part of the CRS installation and should
12+ not be altered.
1013 REQUEST-913-SCANNER-DETECTION.conf : >
1114 These rules are concentrated around detecting security tools and
1215 scanners.
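Review bot: lines `7-`/`8-` drop the only concrete illustration of a local exclusion (`SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" ... ctl:ruleEngine=Off`) without replacing it, so the entry still says such rules "short-circuit inspection" but no longer shows what one looks like; either keep the example under the description or state the intentional removal in the commit message. The new REQUEST-901 text reads well and correctly flags that the file is part of the installation and should not be edited, which is a useful contrast to the locally editable crs-setup.conf it mentions.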
@@ -27,10 +30,30 @@ common:
2730 remote resource into the web application that will be executed.
2831 Exploiting this type of attack can lead to the web application or
2932 server being compromised.
30- REQUEST-932-APPLICATION-ATTACK-RCE.conf : TODO
31- REQUEST-933-APPLICATION-ATTACK-PHP.conf : TODO
32- REQUEST-934-APPLICATION-ATTACK-GENERIC.conf : TODO
33- REQUEST-941-APPLICATION-ATTACK-XSS.conf : TODO
33+ REQUEST-932-APPLICATION-ATTACK-RCE.conf : >
34+ These rules detect Unix and Windows command injection attacks. Command
35+ injections occur when an application executes shell commands without
36+ proper input escaping or validation. Attackers can exploit this by
37+ inserting command separators and additional commands into user input.
38+ This file also protects against Oracle WebLogic Remote Command
39+ Execution exploits.
40+ REQUEST-933-APPLICATION-ATTACK-PHP.conf : >
41+ These rules provide protection against PHP injection attacks. The
42+ rules detect PHP open tags (such as "<?php" and "<?"), PHP functions
43+ commonly used in exploits, and various PHP-based attack patterns that
44+ could lead to remote code execution or application compromise.
45+ REQUEST-934-APPLICATION-ATTACK-GENERIC.conf : >
46+ These rules detect generic application attacks including NodeJS
47+ insecure deserialization vulnerabilities and generic Remote Code
48+ Execution (RCE) signatures. This includes patterns like eval(),
49+ function constructors, String.fromCharCode(), and insecure
50+ deserialization markers used by node-serialize and funcster libraries.
51+ REQUEST-941-APPLICATION-ATTACK-XSS.conf : >
52+ These rules provide protection against Cross-Site Scripting (XSS)
53+ attacks by detecting malicious scripts, HTML tags, and JavaScript
54+ code in user input. The rules also detect path-based XSS exploits and
55+ include performance optimizations to minimize false positives while
56+ maintaining strong protection.
3457 REQUEST-942-APPLICATION-ATTACK-SQLI.conf : >
3558 Within this configuration file we provide rules that protect against
3659 SQL injection attacks. SQLi attackers occur when an attacker passes
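Review bot: in the REQUEST-941 entry (lines `55+`/`56+`) "performance optimizations to minimize false positives" conflates two different properties; optimizations lower evaluation cost, they do not reduce false positives, so consider "and are tuned to keep false positives low" or drop the clause. While touching this region, the unchanged context line `3659` reads "SQLi attackers occur when an attacker passes"; "SQLi attacks occur" is the intended wording and could be fixed in the same commit.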
@@ -41,7 +64,12 @@ common:
4164 REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf : >
4265 These rules focus around providing protection against Session Fixation
4366 attacks.
44- REQUEST-944-APPLICATION-ATTACK-JAVA.conf : TODO
67+ REQUEST-944-APPLICATION-ATTACK-JAVA.conf : >
68+ These rules detect Java-based attacks including Remote Command
69+ Execution exploits targeting Java classes. The rules provide
70+ protection against Apache Struts vulnerabilities (CVE-2017-5638,
71+ CVE-2017-9791, CVE-2017-9805) and Oracle WebLogic Remote Command
72+ Execution exploits (CVE-2017-10271).
4573 REQUEST-949-BLOCKING-EVALUATION.conf : >
4674 These rules provide the anomaly based blocking for a given request. If
4775 you are in anomaly detection mode this file must not be deleted.
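Review bot: the REQUEST-944 entry (lines `70+`-`72+`) hard-codes four CVE identifiers into what is otherwise a one-paragraph purpose statement; those will drift as rules are added or retired, so consider keeping the prose at the level of "Java-based attacks, including known Struts and WebLogic RCE exploits" and leaving the exact CVE list to the rule file. It also attributes Oracle WebLogic Remote Command Execution (CVE-2017-10271) to 944, while the REQUEST-932 entry earlier in this patch claims WebLogic RCE coverage as well; check which file actually carries those rules so the two descriptions stay consistent.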
@@ -74,17 +102,83 @@ common:
74102
75103versioned :
76104 " 3 " :
77- REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf : TODO
78- REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf : TODO
79- REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf : TODO
80- REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf : TODO
81- REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf : TODO
82- REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf : TODO
105+ REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf : >
106+ These exclusion rules remedy false positives in a default Drupal
107+ installation. They disable CRS checks on well-known parameter fields
108+ that often trigger false alarms, including session cookies, password
109+ fields, and article/node bodies. The exclusions are only active if
110+ crs_exclusions_drupal=1 is set in crs-setup.conf.
111+ REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf : >
112+ These exclusion rules remedy false positives in a default WordPress
113+ installation. They provide exceptions for WordPress login forms,
114+ admin panels, and other WordPress-specific functionality. The
115+ exclusions are only active if crs_exclusions_wordpress=1 is set in
116+ crs-setup.conf. Note that WordPress comment fields are NOT excluded
117+ from checking due to security concerns.
118+ REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf : >
119+ These exclusion rules remedy false positives in a default NextCloud
120+ installation. They likely work with OwnCloud as well. The rules
121+ provide exceptions for file uploads, WebDAV operations, and other
122+ NextCloud-specific functionality. The exclusions are only active if
123+ crs_exclusions_nextcloud=1 is set in crs-setup.conf.
124+ REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf : >
125+ These exclusion rules remedy false positives in a default DokuWiki
126+ installation. They provide exceptions for wiki page editing, autosave
127+ functionality, and file uploads. The exclusions are only active if
128+ crs_exclusions_dokuwiki=1 is set in crs-setup.conf.
129+ REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf : >
130+ These exclusion rules remedy false positives in a default cPanel
131+ environment. They provide exceptions for cPanel WHM server status
132+ requests and other cPanel-specific functionality. The exclusions are
133+ only active if crs_exclusions_cpanel=1 is set in crs-setup.conf.
134+ REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf : >
135+ These exclusion rules remedy false positives in a default XenForo
136+ forum installation. They provide exceptions for forum posts, image
137+ proxies, and other XenForo-specific functionality. The exclusions are
138+ only active if crs_exclusions_xenforo=1 is set in crs-setup.conf.
83139 REQUEST-910-IP-REPUTATION.conf : >
84- These rules deal with detecting traffic from IPs that have
85- previously been involved with malicious activity, either on our local site or globally.
140+ These rules detect and block traffic from IP addresses that have
141+ previously been involved with malicious activity based on traffic
142+ violations detected in previous requests. When a client IP is
143+ flagged, subsequent requests from that IP are blocked during a
144+ timeout period.
86145 REQUEST-912-DOS-PROTECTION.conf : >
87- The rules in this file will attempt to detect some level 7 DoS (Denial of Service) attacks against your server.
146+ These anti-automation rules detect application layer (Layer 7) Denial
147+ of Service attacks. The rules track request rates per IP address and
148+ identify burst patterns. When an IP exceeds the configured thresholds,
149+ it is temporarily blocked. The DoS counter tracks requests to
150+ non-static resources and raises blocking flags when limits are
151+ exceeded.
88152 " 4 " :
89- REQUEST-905-COMMON-EXCEPTIONS.conf : TODO
90- RESPONSE-955-WEB-SHELLS.conf : TODO
153+ REQUEST-905-COMMON-EXCEPTIONS.conf : >
154+ This file is used as an exception mechanism to remove common false
155+ positives that may be encountered. It includes exceptions for Apache
156+ SSL pinger, Apache internal dummy connections, and other legitimate
157+ traffic that should bypass CRS inspection.
158+ REQUEST-911-METHOD-ENFORCEMENT.conf : >
159+ These rules enforce the configured allowed HTTP methods policy. Requests using HTTP
160+ methods not explicitly permitted in the configuration (defined in
161+ tx.allowed_methods) will be blocked to prevent potential attacks
162+ using uncommon or dangerous HTTP methods.
163+ REQUEST-922-MULTIPART-ATTACK.conf : >
164+ These rules protect against multipart-related attacks and address the
165+ 3UWMWA6W vulnerability. They enforce strict policies on multipart
166+ content, including charset definitions and content-type headers.
167+ Requires ModSecurity version 2.9.6 or newer, or 3.0.8 or newer.
168+ REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf : >
169+ This file contains common exception rules that remove false positives
170+ for well-known applications and services, such as Google Analytics
171+ cookies, Google Ads cookies, and other legitimate third-party
172+ services. This file must be loaded after all the request rules have
173+ been created.
174+ RESPONSE-955-WEB-SHELLS.conf : >
175+ These rules provide detection and blocking of web shells in response
176+ bodies. Web shells are malicious scripts uploaded to web servers that
177+ provide attackers with remote command execution capabilities. The
178+ rules detect PHP, JSP, ASP, and other types of web shells that may
179+ indicate a successful server compromise.
180+ RESPONSE-956-DATA-LEAKAGES-RUBY.conf : >
181+ These rules provide protection against data leakages that may occur
182+ from Ruby applications. The rules detect Ruby error messages and stack
183+ traces in response bodies that could reveal sensitive information
184+ about the application's internal structure.
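Review bot: the rewritten REQUEST-910 text (lines `140+`-`144+`) narrows the description to blocking IPs flagged by "traffic violations detected in previous requests"; the removed lines `84-`/`85-` also covered IPs known to be malicious "globally", and that external-reputation aspect disappears in the new wording, so restore it unless the rule file no longer does it. Two smaller points: REQUEST-911-METHOD-ENFORCEMENT.conf and REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf are added under `" 4 "` only, and if either file also ships in the 3.x rule set it belongs in `common`, so please confirm before merging; and `3UWMWA6W` (line `165+`) is an opaque identifier to anyone reading the description, so add the advisory or CVE reference it stands for if one exists. Line `159+` also runs well past the wrap width used everywhere else in the file.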