From 5488b147a59ec919e46608d9a0e1ba7f61a56801 Mon Sep 17 00:00:00 2001 From: "andre.bolinhas" Date: Tue, 17 Mar 2026 00:18:07 +0000 Subject: [PATCH] Update OWASP CRS rules to v4.24.1 Automated update via update-feed.sh CRS version: v4.24.1 Rules extracted: 277 --- rulesets.json | 2521 +++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 2355 insertions(+), 166 deletions(-) diff --git a/rulesets.json b/rulesets.json index 9452298..e92faf0 100644 --- a/rulesets.json +++ b/rulesets.json @@ -1,5 +1,5 @@ { - "build_datetime": "2026-03-10T11:55:25Z", + "build_datetime": "2026-03-17T00:18:06Z", "owasp_top_10": { "version": "2025", "url": "https://owasp.org/Top10/2025/", @@ -109,7 +109,7 @@ "name": "CRS Protocol Enforcement", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Protocol Enforcement (12 rules)", + "description": "OWASP CRS v4.24.1 — CRS Protocol Enforcement (17 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -132,7 +132,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920120", @@ -152,7 +153,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920160", @@ -172,7 +174,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920210", @@ -192,7 +195,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920260", @@ -213,7 +217,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/255/153/267/72" - ] + ], + "paranoia_level": 1 }, { "id": "920290", @@ -233,7 +238,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920330", @@ -253,7 +259,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920350", 
@@ -273,7 +280,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920470", @@ -293,7 +301,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/255/153" - ] + ], + "paranoia_level": 1 }, { "id": "920530", @@ -313,7 +322,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/255/153" - ] + ], + "paranoia_level": 1 }, { "id": "920500", @@ -333,7 +343,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT", "capec/1000/210/272" - ] + ], + "paranoia_level": 1 }, { "id": "920600", 
@@ -352,7 +363,113 @@ "paranoia-level/1", "OWASP_CRS", "OWASP_CRS/PROTOCOL-ENFORCEMENT" - ] + ], + "paranoia_level": 1 + }, + { + "id": "920230", + "name": "Multiple URL Encoding Detected", + "pattern": "%[0-9a-fA-F]{2}", + "targets": [ + "query" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153/267/120" + ], + "paranoia_level": 2 + }, + { + "id": "920121", + "name": "Attempted multipart/form-data bypass", + "pattern": "['\";=\\x5c]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ], + "paranoia_level": 2 + }, + { + "id": "920521", + "name": "Illegal Accept-Encoding header", + "pattern": "br|compress|deflate|(?:pack200-)?gzip|identity|\\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/255/153" + ], + "paranoia_level": 3 + }, + { + "id": "920275", + "name": "Invalid character in request headers (outside of very strict set)", + "pattern": "^(?:\\?[01])?$", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/210/272" + ], + "paranoia_level": 4 + }, + { + "id": "920460", + "name": "Abnormal character escapes in request", + "pattern": "(?:^|[^\\x5c])\\x5c[cdeghijklmpqwxyz123456789]", + "targets": [ + "all" + ], + 
"action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ENFORCEMENT", + "capec/1000/153/267" + ], + "paranoia_level": 4 } ] }, @@ -361,7 +478,7 @@ "name": "CRS Protocol Attack (HTTP Smuggling)", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Protocol Attack (HTTP Smuggling) (10 rules)", + "description": "OWASP CRS v4.24.1 — CRS Protocol Attack (HTTP Smuggling) (14 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -385,7 +502,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/33" - ] + ], + "paranoia_level": 1 }, { "id": "921120", @@ -405,7 +523,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/34" - ] + ], + "paranoia_level": 1 }, { "id": "921130", @@ -425,7 +544,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/34" - ] + ], + "paranoia_level": 1 }, { "id": "921140", @@ -445,7 +565,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/273" - ] + ], + "paranoia_level": 1 }, { "id": "921150", @@ -465,7 +586,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/33" - ] + ], + "paranoia_level": 1 }, { "id": "921160", @@ -485,7 +607,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/33" - ] + ], + "paranoia_level": 1 }, { "id": "921190", @@ -505,7 +628,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/34" - ] + ], + "paranoia_level": 1 }, { "id": "921200", @@ -524,7 +648,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/152/248/136" - ] + ], + "paranoia_level": 1 }, { "id": "921421", @@ -544,7 +669,8 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/255/153" - ] + ], + "paranoia_level": 1 }, { "id": "921240", 
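Review bot: Rules 920521 and 920275 added in this hunk carry allow-list patterns, so scoring a positive match as 10/critical is inverted: 920521's `br|compress|deflate|(?:pack200-)?gzip|identity|\\*|^$|…` matches every legitimate Accept-Encoding value including the empty header, and 920275's `^(?:\\?[01])?$` matches only the empty value or the structured-field booleans `?0`/`?1`. To my knowledge both checks are negated (`!@rx`) operators upstream in CRS, so the extractor appears to drop the negation; as written they fire on every well-formed request once PL3/PL4 rules are active, and 920230's `%[0-9a-fA-F]{2}` on the raw query has a related problem, flagging single URL encoding as "multiple" unless the engine decodes once before matching, which the entry does not express. The extractor should skip negated-operator rules or record the negation in the entry (a new boolean key, absent from the current schema) rather than emit them as positive matches. Separately, every added rule pairs `"enabled": true` with `"paranoia_level": 2`–`4`; if the consumer does not gate on the new `paranoia_level` key, the PL3/PL4 entries here and in the later hunks (e.g. 921220's `\\[` on the query) will score ordinary traffic as critical.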
@@ -564,7 +690,92 @@ "OWASP_CRS", "OWASP_CRS/PROTOCOL-ATTACK", "capec/1000/210/272/220/33" - ] + ], + "paranoia_level": 1 + }, + { + "id": "921151", + "name": "HTTP Header Injection Attack via payload (CR/LF detected)", + "pattern": "[\\n\\r]", + "targets": [ + "query" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/210/272/220/33" + ], + "paranoia_level": 2 + }, + { + "id": "921422", + "name": "Content-Type header: Dangerous content type outside the mime type declaration", + "pattern": "^[^\\s\\x0b,;]+[\\s\\x0b,;].*?\\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\\+/]))\\b", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/255/153" + ], + "paranoia_level": 2 + }, + { + "id": "921210", + "name": "HTTP Parameter Pollution after detecting bogus char after parameter array", + "pattern": "(][^\\]]+$|][^\\]]+\\[)", + "targets": [ + "query" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + "capec/1000/152/137/15/460" + ], + "paranoia_level": 3 + }, + { + "id": "921220", + "name": "HTTP Parameter Pollution possible via array notation", + "pattern": "\\[", + "targets": [ + "query" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "protocol", + "enabled": true, + "tags": [ + "attack-protocol", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL-ATTACK", + 
"capec/1000/152/137/15/460" + ], + "paranoia_level": 4 } ] }, @@ -596,7 +807,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-LFI", "capec/1000/255/153/126" - ] + ], + "paranoia_level": 1 }, { "id": "930110", @@ -616,7 +828,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-LFI", "capec/1000/255/153/126" - ] + ], + "paranoia_level": 1 } ] }, @@ -625,7 +838,7 @@ "name": "CRS Remote File Inclusion (RFI)", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Remote File Inclusion (RFI) (3 rules)", + "description": "OWASP CRS v4.24.1 — CRS Remote File Inclusion (RFI) (4 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -649,7 +862,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RFI", "capec/1000/152/175/253" - ] + ], + "paranoia_level": 1 }, { "id": "931110", @@ -670,7 +884,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RFI", "capec/1000/152/175/253" - ] + ], + "paranoia_level": 1 }, { "id": "931120", 
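Review bot: 921422's pattern is the only one in this hunk with capturing groups (`((?:tex|multipar)t|application)`, the second group, and `([\\+/])`), which suggests the upstream rule is a chain that inspects its captures; flattened to a single positive regex scored 10/critical, the entry may match Content-Type headers the full chain would have cleared, so confirm what the extractor does with chained rules. The same question applies to 931131 in the next hunk, whose `([^/]*)` capture of the host after `://` reads like input to a follow-up comparison and whose alternation includes `h(?:323|ttps?)`, so as a standalone match any absolute URL in the request URI — a redirect or callback parameter pointing at the site's own host, for example — scores critical. If chains cannot be represented, either drop the chained rules or mark them in the entry so the consumer can treat them as lower-confidence. The ruleset object these entries belong to starts before the hunk.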
@@ -690,7 +905,29 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RFI", "capec/1000/152/175/253" - ] + ], + "paranoia_level": 1 + }, + { + "id": "931131", + "name": "Possible Remote File Inclusion (RFI) Attack", + "pattern": "(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)", + "targets": [ + "uri" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rfi", + "enabled": true, + "tags": [ + "attack-rfi", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RFI", + "capec/1000/152/175/253" + ], + "paranoia_level": 2 } ] }, @@ -699,7 +936,7 @@ "name": "CRS Remote Code Execution (RCE)", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Remote Code Execution (RCE) (16 rules)", + "description": "OWASP CRS v4.24.1 — CRS Remote Code Execution (RCE) (37 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, @@ -722,7 +959,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932235", @@ -742,7 +980,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932125", @@ -762,7 +1001,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932130", 
@@ -782,7 +1022,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932140", @@ -802,7 +1043,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932270", @@ -822,7 +1064,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932280", @@ -842,7 +1085,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932250", @@ -862,7 +1106,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932260", @@ -882,7 +1127,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932340", @@ -902,7 +1148,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932330", @@ -922,7 +1169,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932170", @@ -943,7 +1191,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932171", @@ -963,7 +1212,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932175", @@ -983,7 +1233,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932370", @@ -1003,7 +1254,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 }, { "id": "932380", 
@@ -1023,7 +1275,449 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-RCE", "capec/1000/152/248/88" - ] + ], + "paranoia_level": 1 + }, + { + "id": "932371", + "name": "Remote Command Execution: Windows Command Injection", + "pattern": "(?i)(?:[\\n\\r;`\\{]|\\|\\|?|&&?)[\\s\\x0b]*[\\s\\x0b\"'\\(,@]*(?:[\"'\\.-9A-Z_a-z]+/|(?:[\"'\\x5c\\^]*[0-9A-Z_a-z][\"'\\x5c\\^]*:[^\\x5c]*|[ \"'\\.-9A-Z\\x5c\\^_a-z]*)\\x5c)?[\"\\^]*a[\"\\^]*t[\"\\^]*[\\s\\x0b,\\./;<>].*(?:\\.[\"\\^]*[0-9A-Z_a-z]+)?\\b", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932231", + "name": "Remote Command Execution: Unix Command Injection", + "pattern": "(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]
*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{
]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*\\.[\\s\\x0b].*\\b", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932131", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "\\$(?:\\((?:[^\\)]+|\\([^\\)]+\\))\\)|\\{[^\\}]+\\}|\\[[^\\]]*\\])|[<>]\\([^\\)]+\\)|/[0-9A-Z_a-z]*\\[[^\\]]+\\]", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932220", + "name": "Remote Command Execution: Unix Command Injection with pipe", + "pattern": 
"(?i).\\|(?:[\\s\\x0b]*|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5
c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[arx][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:G[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?E[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-
\\{]*)?\\x5c?T|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[89][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?9|[au][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|c|(?:m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dfu]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[gr])|f[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cgi]|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[dp]|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b)|j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:j[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|q)|k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)
?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|v)|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[cl]|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?m)|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[cr]|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ex]|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p)|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:3[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|c)|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|z)|y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[
\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h))[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:[bdx]|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|q[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|l[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|(?:[nps]|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|z[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:4[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dv]|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|c[\"'\\)\\[\\x5c]*(?:(?:(?:\\
|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[dt]|[ghu]|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?))[\\s\\x0b&\\),<>\\|].*|a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?-[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:(?:b|(?:p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?t|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[ks])[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[jp][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?|s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[
\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*)|g[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10})|(?:d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m|[hr][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t|o|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?g)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*)|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:(?:(?:[at][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b|f|(?:k[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?g|h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|x[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?z)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?|r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\
\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?)?)[\\s\\x0b&\\),<>\\|].*|i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|[&\\),<>\\|]{1,10}|(?:[\\-\\.0-9A-Z_a-z][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?){1,10}[\\s\\x0b&\\),<>\\|\\}]{1,10}))))", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932281", + "name": "Remote Command Execution: Brace Expansion Found", + "pattern": "\\{[^\\s\\x0b,:\\}]*,[^\\s\\x0b]*\\}", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932210", + "name": "Remote Command Execution: SQLite System Command Execution", + "pattern": ";[\\s\\x0b]*\\.[\\s\\x0b]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + 
"category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932271", + "name": "Remote Command Execution: Unix Shell Expression Found", + "pattern": "~[0-9]+", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932300", + "name": "Remote Command Execution: SMTP Command Execution", + "pattern": "(?i)\\r\\n.*?\\b(?:E(?:HLO[\\s\\x0b][\\-\\.a-z]{1,255}|XPN[\\s\\x0b].{1,64})|HELO[\\s\\x0b][\\-\\.a-z]{1,255}|MAIL[\\s\\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\\s\\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\\b)|VRFY[\\s\\x0b].{1,64}(?:[\\s\\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\\s\\x0b][\\-0-9_a-z]{1,20}[\\s\\x0b](?:(?:[\\+/-9A-Z_a-z]{4})*(?:[\\+/-9A-Z_a-z]{2}=|[\\+/-9A-Z_a-z]{3}))?=|STARTTLS\\b|NOOP\\b(?:[\\s\\x0b].{1,255})?)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 2 + }, + { + "id": "932310", + "name": "Remote Command Execution: IMAP Command Execution", + "pattern": "(?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:A(?:PPEND (?:[\"#%&\\*\\--9A-Z\\x5c_a-z]+)?(?: \\([ \\x5ca-z]+\\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\\+\\-][0-9]{4}\"?)? \\{[0-9]{1,20}\\+?\\}|UTHENTICATE [\\-0-9_a-z]{1,20}\\r\\n)|L(?:SUB (?:[\"#\\*\\.-9A-Z_a-z~]+)? (?:[\"%&\\*\\.-9A-Z\\x5c_a-z]+)?|ISTRIGHTS (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)?)|S(?:TATUS (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)? \\((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\\)|ETACL (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)? 
[\\+\\-][ac-eiklpr-twx]+?)|UID (?:COPY|FETCH|STORE) (?:[\\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%&\\*\\--9A-Z\\x5c_a-z]+)?)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 2 + }, + { + "id": "932320", + "name": "Remote Command Execution: POP3 Command Execution", + "pattern": "(?is)\\r\\n.*?\\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\\-0-9_a-z]{1,20} (?:(?:[\\+/-9A-Z_a-z]{4})*(?:[\\+/-9A-Z_a-z]{2}=|[\\+/-9A-Z_a-z]{3}))?=))", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 2 + }, + { + "id": "932236", + "name": "Remote Command Execution: Unix Command Injection (command without evasion)", + "pattern": 
"(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\
\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-register|disp)|ia2c)|s(?:h[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:g
rep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:(?:t|rl)[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|]
)|r(?:(?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|inks|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd
))[\\s\\x0b&\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|y(?:3?versions|thon(?:[23]|[^\\s\\x0b]{1,10}\\b)))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|(?:ft|na)p|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:datectl|out[\\s\\x0b&\\),<>\\|]))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|
hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\x0b&\\),<>\\|]|diff)|(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:3m|c|a(?:ll|tch)|get)[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932239", + "name": "Remote Command Execution: Unix Command Injection found in user-agent or referer header", + "pattern": 
"(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\
\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-register|disp)|ia2c)|s(?:h[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:g
rep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:t[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(
?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:squitto|unt[\\s\\x0b&\\),<>\\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\\s\\x0b&
\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|s(?:(?:ed|ql)[\\s\\x0b&\\),<>\\|]|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:datectl|out[\\s\\x0b&\\),<>\\|]))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink
[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\\s\\x0b&\\),<>\\|]|diff)|(?:[ep]w|gr|rsh)[\\s\\x0b&\\),<>\\|]|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:c|a(?:ll|tch))[\\s\\x0b&\\),<>\\|]|h(?:iptail[\\s\\x0b&\\),<>\\|]|o(?:ami|is[\\s\\x0b&\\),<>\\|]))|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 2 + }, + { + "id": "932232", + "name": "Remote Command Execution: Unix Command Injection", + "pattern": 
"(?:b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*
(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]
*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?2[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s)|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?f|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o|[\\s\\x0b&\\),<>\\|].*))\\b", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 + }, + { + "id": "932237", + "name": "Remote Command Execution: Unix Shell Code 
Found in REQUEST_HEADERS", + "pattern": "(?i)\\b(?:(?:7z[arx]?|(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)[\\s\\x0b&\\),<>\\|]|a(?:a-[^\\s\\x0b]{1,10}\\b|(?:b|t(?:obm)?|w[ks]|l(?:ias|pine)|xel)[\\s\\x0b&\\),<>\\|]|p(?:t(?:(?:itude)?[\\s\\x0b&\\),<>\\|]|-get)|parmor_[^\\s\\x0b]{1,10}\\b)|r(?:(?:p|ch)?[\\s\\x0b&\\),<>\\|]|j(?:[\\s\\x0b&\\),<>\\|]|-register|disp)|ia2c)|s(?:h?[\\s\\x0b&\\),<>\\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))[\\s\\x0b&\\),<>\\|]|diff|e(?:grep|xe[\\s\\x0b&\\),<>\\|])|f?grep|ip2(?:[\\s\\x0b&\\),<>\\|]|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\\s\\x0b&\\),<>\\|]|c))|h[\\s\\x0b&\\),<>\\|])|tch[\\s\\x0b&\\),<>\\|])|lkid[\\s\\x0b&\\),<>\\|]|pftrace|r(?:eaksw|(?:idge|wap)[\\s\\x0b&\\),<>\\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\\s\\x0b&\\),<>\\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu[\\s\\x0b&\\),<>\\|]))|c(?:[89]9(?:[\\s\\x0b&\\),<>\\|]|-gcc)|(?:a(?:t|ncel|psh)|c|mp)[\\s\\x0b&\\),<>\\|]|p(?:(?:an|io)?[\\s\\x0b&\\),<>\\|]|ulimit)|s(?:(?:h|cli)[\\s\\x0b&\\),<>\\|]|plit|vtool)|u(?:t[\\s\\x0b&\\),<>\\|]|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)[\\s\\x0b&\\),<>\\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\\s\\x0b&\\),\\-<>\\|])|(?:flag|pas)s|g(?:passwd|rp[\\s\\x0b&\\),<>\\|]))|lang(?:\\+\\+|[\\s\\x0b&\\),<>\\|])|o(?:bc(?:[\\s\\x0b&\\),<>\\|]|run)|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\\s\\x0b&\\),<>\\|]|proc|w(?:say|think))|r(?:ash[\\s\\x0b&\\),<>\\|]|on(?:[\\s\\x0b&\\),<>\\|]|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)[\\s\\x0b&\\),<>\\|]|nf[\\s\\x0b&\\),<>\\|]?|hclient|m(?:esg[\\s\\x0b&\\),<>\\|]|idecode|setup)|o(?:(?:as|ne)[\\s\\x0b&\\),<>\\|]|cker[\\s\\x0b&\\),\\-<>\\|]|sbox)|pkg[\\s\\x0b&\\),\\-<>\\|])|e(?:(?:[bd]|qn|s(?:h|ac)?|cho|fax|grep|macs|val)[\\s\\x0b&\\),<>\\|]|n(?:v(?:[\\s\\x0b&\\),<>\\|]|-update)|d(?:if|sw)[\\s\\x0b&\\),<>\\|])|x(?:(?:ec|p(?:and|(?:ec|or)t|r))?[\\s\\x0b&\\),<>\\|]|iftool)|2fsck|asy_install)|f(?:(?:c|g(?:rep
)?|mt|etch|lock|unction)[\\s\\x0b&\\),<>\\|]|i(?:(?:n(?:d|ger)|sh)?[\\s\\x0b&\\),<>\\|]|le(?:[\\s\\x0b&\\),<>\\|]|test))|tp(?:[\\s\\x0b&\\),<>\\|]|stats|who)|acter|d(?:(?:find|isk)[\\s\\x0b&\\),<>\\|]|u?mount)|o(?:ld[\\s\\x0b&\\),<>\\|]|reach)|ping[\\s\\x0b&\\),6<>\\|])|g(?:c(?:c[^\\s\\x0b]{1,10}\\b|ore[\\s\\x0b&\\),<>\\|])|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))[\\s\\x0b&\\),<>\\|]|e(?:m[\\s\\x0b&\\),<>\\|]|ni(?:e[\\s\\x0b&\\),<>\\|]|soimage)|t(?:cap|facl[\\s\\x0b&\\),<>\\|]))|hc(?:-?[\\s\\x0b&\\),<>\\|]|i[\\s\\x0b&\\),\\-<>\\|])|r(?:(?:c(?:at)?|ep)[\\s\\x0b&\\),<>\\|]|oupmod)|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))[\\s\\x0b&\\),<>\\|]|e(?:ad[\\s\\x0b&\\),<>\\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op[\\s\\x0b&\\),<>\\|]|passwd))|i(?:(?:d|rb|conv|nstall)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top[\\s\\x0b&\\),<>\\|])|onice|spell)|j(?:(?:js|q|ava|exec)[\\s\\x0b&\\),<>\\|]|o(?:(?:bs|in)[\\s\\x0b&\\),<>\\|]|urnalctl)|runscript)|k(?:s(?:h[\\s\\x0b&\\),<>\\|]|shell)|ill(?:[\\s\\x0b&\\),<>\\|]|all)|nife[\\s\\x0b&\\),<>\\|])|l(?:d(?:d?[\\s\\x0b&\\),<>\\|]|config)|(?:[np]|ynx)[\\s\\x0b&\\),<>\\|]|s(?:(?:-F|cpu|hw|mod|of|pci|usb)?[\\s\\x0b&\\),<>\\|]|b_release)|ua(?:[\\s\\x0b&\\),<>\\|]|(?:la)?tex)|z(?:4(?:[\\s\\x0b&\\),<>\\|]|c(?:[\\s\\x0b&\\),<>\\|]|at))|(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|diff|[ef]?grep|less|m(?:a(?:[\\s\\x0b&\\),<>\\|]|dec|info)|ore))|a(?:st(?:(?:comm)?[\\s\\x0b&\\),<>\\|]|log(?:in)?)|tex[\\s\\x0b&\\),<>\\|])|ess(?:[\\s\\x0b&\\),<>\\|]|echo|(?:fil|pip)e)|ftp(?:[\\s\\x0b&\\),<>\\|]|get)|o(?:(?:ca(?:l|te)|ok)[\\s\\x0b&\\),<>\\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:(?:a(?:n|il[qx]?|ke|wk)|tr|v|utt)[\\s\\x0b&\\),<>\\|]|k(?:(?:dir|nod)[\\s\\x0b&\\),<>\\|]|fifo|temp)|locate|o(?:(?:re|unt)[\\s\\x0b&\\),<>\\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\\s\\x0b&\\),<>\\|]|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:(?:at)?[\
\s\\x0b&\\),<>\\|]|\\.(?:openbsd|traditional))|e(?:t(?:[\\s\\x0b&\\),<>\\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|m(?:ap)?|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)[\\s\\x0b&\\),<>\\|]|s(?:enter|lookup|tat[\\s\\x0b&\\),<>\\|]))|o(?:(?:d|ctave)[\\s\\x0b&\\),<>\\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg[\\s\\x0b&\\),<>\\|]))|p(?:a(?:(?:x|cman|rted|tch)[\\s\\x0b&\\),<>\\|]|s(?:swd|te[\\s\\x0b&\\),<>\\|]))|d(?:b(?:[\\s\\x0b&\\),<>\\|]|2mb|3[\\s\\x0b&\\),\\.<>\\|])|f(?:la)?tex|ksh[\\s\\x0b&\\),<>\\|])|(?:f(?:tp)?|g(?:rep)?|(?:w|op)d|xz|u(?:ppet|shd))[\\s\\x0b&\\),<>\\|]|hp(?:[57]?[\\s\\x0b&\\),<>\\|]|-cgi)|i(?:(?:co?|gz|ng6?)[\\s\\x0b&\\),<>\\|]|p(?:[\\s\\x0b&\\),<>\\|]|[^\\s\\x0b]{1,10}\\b)|dstat)|k(?:g(?:[\\s\\x0b&\\),<>\\|]|_?info)|exec|ill[\\s\\x0b&\\),<>\\|])|r(?:y?[\\s\\x0b&\\),<>\\|]|int(?:env|f[\\s\\x0b&\\),<>\\|]))|s(?:(?:ed|ql)?[\\s\\x0b&\\),<>\\|]|ftp)|t(?:x[\\s\\x0b&\\),<>\\|]|ar(?:[\\s\\x0b&\\),<>\\|]|diff|grep))|er(?:(?:f|ms)[\\s\\x0b&\\),<>\\|]|l(?:5?[\\s\\x0b&\\),<>\\|]|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|cp?|bash|nano|oute|vi(?:ew|m))[\\s\\x0b&\\),<>\\|]|e(?:(?:d(?:carpet)?|v|boot|name|p(?:eat|lace))[\\s\\x0b&\\),<>\\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\\s\\x0b&\\),<>\\|]|t(?:[\\s\\x0b&\\),<>\\|]|-(?:dump|tar))|user)|pm(?:(?:db)?[\\s\\x0b&\\),<>\\|]|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\\s\\x0b&\\),<>\\|])|u(?:by[^\\s\\x0b]{1,10}\\b|n(?:-(?:mailcap|parts)|c[\\s\\x0b&\\),<>\\|])))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh)|plit)[\\s\\x0b&\\),<>\\|]|e(?:(?:d|ndmail|rvice)[\\s\\x0b&\\),<>\\|]|t(?:(?:facl)?[\\s\\x0b&\\),<>\\|]|arch|cap|env|sid))|h(?:(?:u(?:f|tdown))?[\\s\\x0b&\\),<>\\|]|\\.distrib)|s(?:[\\s\\x0b&\\),<>\\|]|h(?:[\\s\\x0b&\\),<>\\|]|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\\s\\x0b&\\),<>\\|]|do(?:-rs|[\\s\\x0b&\\),<>_\\|]|edit|replay))|vn(?:[\\s\\x0b&\\),<>\\|]|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)[\\s\\x0b&\\),<>\\|]|elim)
|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings[\\s\\x0b&\\),<>\\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:(?:[cr]|ilf?)[\\s\\x0b&\\),<>\\|]|sk(?:[\\s\\x0b&\\),<>\\|]|set))|(?:bl|o(?:p|uch)|ftp|mux)[\\s\\x0b&\\),<>\\|]|e(?:[ex][\\s\\x0b&\\),<>\\|]|lnet)|i(?:c[\\s\\x0b&\\),<>\\|]|me(?:(?:out)?[\\s\\x0b&\\),<>\\|]|datectl))|c(?:l?sh[\\s\\x0b&\\),<>\\|]|p(?:dump|ing|traceroute))|r(?:a(?:ceroute6?|p[\\s\\x0b&\\),<>\\|])|off[\\s\\x0b&\\),<>\\|])|shark)|u(?:l(?:imit)?[\\s\\x0b&\\),<>\\|]|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)[\\s\\x0b&\\),<>\\|]|expand|l(?:ink[\\s\\x0b&\\),<>\\|]|z(?:4[\\s\\x0b&\\),<>\\|]|ma))|pigz|z(?:ip[\\s\\x0b&\\),<>\\|]|std))|p(?:2date[\\s\\x0b&\\),<>\\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:[ep]w|gr|rsh)?[\\s\\x0b&\\),<>\\|]|m(?:[\\s\\x0b&\\),<>\\|]|diff)|sudo(?:-rs)?)|algrind|olatility[\\s\\x0b&\\),<>\\|])|w(?:(?:c|a(?:ll|tch))?[\\s\\x0b&\\),<>\\|]|h(?:o(?:(?:is)?[\\s\\x0b&\\),<>\\|]|ami)?|iptail[\\s\\x0b&\\),<>\\|])|i(?:reshark|sh[\\s\\x0b&\\),<>\\|]))|x(?:(?:(?:x|pa)d|args|term)[\\s\\x0b&\\),<>\\|]|z(?:(?:c(?:at|mp))?[\\s\\x0b&\\),<>\\|]|d(?:ec[\\s\\x0b&\\),<>\\|]|iff)|[ef]?grep|less|more)|e(?:latex|tex[\\s\\x0b&\\),<>\\|])|mo(?:dmap|re[\\s\\x0b&\\),<>\\|]))|z(?:ip(?:[\\s\\x0b&\\),<>\\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h[\\s\\x0b&\\),<>\\|]|oelim|td(?:[\\s\\x0b&\\),<>\\|]|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)[\\s\\x0b&\\),<>\\|]|[ef]grep|mo(?:dload|re[\\s\\x0b&\\),<>\\|])|ypper))(?:\\b|[^0-9A-Z_a-z])", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 + }, + { + "id": "932238", + "name": "Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS", + "pattern": 
"(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\
\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[
\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?2[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|p[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n|s)|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|d[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?f|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o|[\\s\\x0b&\\),<>\\|].*))", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 + }, + { + "id": "932190", + "name": "Remote Command Execution: Wildcard bypass 
technique attempt", + "pattern": "(?i)/(?:[\\*\\?]+[/-9A-Z_a-z]|[/-9A-Z_a-z]+[\\*\\?])", + "targets": [ + "query" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 + }, + { + "id": "932350", + "name": "Remote Command Execution: Direct Unix Command Execution (No Arguments)", + "pattern": "(?i)(?:^|b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?y[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?b[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?x|(?:c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?d|e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?v|v[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?l)|w[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{
]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h)[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?[\\s\\x0b&\\),<>\\|].*|[ls][\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?r[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?a[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?c[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e|n[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?h[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?p|t[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?i[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?m[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?e[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?(?:[\\s\\x0b&\\),<>\\|].*|o[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?t)|[\\n\\r;=`\\{]|\\|\\|?|&&?|\\$(?:\\(\\(?|[\\[\\{])|<(?:\\(|<<)|>\\(|\\([\\s\\x0b]*\\))[\\s\\x0b]*(?:[\\$\\{]|(?:[\\s\\x0b]*\\(|!)[\\s\\x0b]*|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]*|\\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\\s\\x0b]+)*[\\s\\x0b]*[\"']*(?:[\"'-\\+\\--9\\
?A-\\]_a-z\\|]+/)?[\"'\\x5c]*(?:(?:aptitud|unam)e|d(?:f|ir|mesg)|env|h(?:istory|ostname|top)|i(?:d|ostat)|l(?:ast|s)|mysql(?:[^\\s\\x0b]{1,10}\\b)?|p(?:s(?:ql)?|wd)|(?:reboo|vmsta)t|s(?:(?:cree|hutdow)n|et|u)|top|w(?:ho(?:ami|is)?)?)$", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 + }, + { + "id": "932301", + "name": "Remote Command Execution: SMTP Command Execution", + "pattern": "\\r\\n.*?\\b(?:DATA|QUIT|HELP(?: .{1,255})?)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 3 + }, + { + "id": "932311", + "name": "Remote Command Execution: IMAP Command Execution", + "pattern": "(?is)\\r\\n[0-9A-Z_a-z]{1,50}\\b (?:C(?:(?:REATE|OPY [\\*,0-:]+) [\"#%&\\*\\--9A-Z\\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"#%&\\*\\-\\.0-9A-Z\\x5c_a-z]+|EX(?:AMINE [\"#%&\\*\\-\\.0-9A-Z\\x5c_a-z]+|PUNGE)|FETCH [\\*,0-:]+|L(?:IST [\"#\\*\\--9A-Z\\x5c_a-z~]+? [\"#%&\\*\\--9A-Z\\x5c_a-z]+|OG(?:IN [\\-\\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"#%&\\*\\--9A-Z\\x5c_a-z]+? [\"#%&\\*\\--9A-Z\\x5c_a-z]+|S(?:E(?:LECT [\"#%&\\*\\--9A-Z\\x5c_a-z]+|ARCH(?: CHARSET [\\-\\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \\x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\\*,0-:]+?|NKEYWORD \\x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\\*,0-:]+? 
[\\+\\-]?FLAGS(?:\\.SILENT)? (?:\\(\\x5c[a-z]{1,20}\\))?|ARTTLS)|UBSCRIBE [\"#%&\\*\\--9A-Z\\x5c_a-z]+)|UN(?:SUBSCRIBE [\"#%&\\*\\--9A-Z\\x5c_a-z]+|AUTHENTICATE)|NOOP)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 3 + }, + { + "id": "932321", + "name": "Remote Command Execution: POP3 Command Execution", + "pattern": "\\r\\n.*?\\b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/137/134" + ], + "paranoia_level": 3 + }, + { + "id": "932331", + "name": "Remote Command Execution: Unix shell history invocation", + "pattern": "!(?:\\d|!)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-RCE", + "capec/1000/152/248/88" + ], + "paranoia_level": 3 } ] }, @@ -1032,7 +1726,7 @@ "name": "CRS PHP Injection", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS PHP Injection (11 rules)", + "description": "OWASP CRS v4.24.1 — CRS PHP Injection (18 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -1055,7 +1749,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-PHP", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "933110", @@ -1075,7 +1770,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-PHP", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "933120", @@ -1095,7 +1791,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-PHP", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "933135", 
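Review bot: The `"paranoia_level": 1` added in the hunk at `@@ -1055,7 +1749,8 @@` (and likewise in every sibling hunk through `@@ -1235,7 +1938,8 @@`) is a second copy of a value the rule's `tags` array presumably already carries as a `paranoia-level/N` string, so the two representations can drift if the generator or a hand edit changes one and not the other. Nothing in the diff validates that they agree, and a consumer that starts filtering on the integer field needs a defined behaviour for any rule that lacks it. Since rulesets.json is regenerated by update-feed.sh, the cheapest guard is a post-generation check that every rule object has an integer `paranoia_level` equal to the number in its `paranoia-level/N` tag, failing the update when they differ; alternatively, document which of the two is authoritative in the ruleset's `description` or a top-level field. The same derived-value concern applies to the `(18 rules)` count rewritten in `@@ -1032,7 +1726,7 @@`.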
@@ -1115,7 +1812,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933140",
@@ -1135,7 +1833,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933200",
@@ -1155,7 +1854,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933160",
@@ -1175,7 +1875,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933170",
@@ -1195,7 +1896,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933180",
@@ -1215,7 +1917,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933210",
@@ -1235,7 +1938,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-PHP",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "933220",
@@ -1255,7 +1959,155 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-PHP", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 + }, + { + "id": "933151", + "name": "PHP Injection Attack: Medium-Risk PHP Function Name Found", + "pattern": "(?i)\\b(?:a(?:c(?:cel_chdir|osh?)|ddc?slashes|pache_(?:child_terminate|get(?:_(?:modules|version)|env)|lookup_uri|note |re(?:quest|sponse)_headers|setenv)|r(?:ray_(?:c(?:h(?:ange_key_case|unk)|o(?:lumn|mbine|unt_values))|diff(?:_(?:assoc|key|u(?:assoc|key)))?|f(?:ill(?:_keys)?|lip)|i(?:ntersect(?:_(?:assoc|key|u(?:assoc|key)))?|s_list)|key(?:_(?:fir|la)st|s)|m(?:ap|erge(?:_recursive)?|ultisort)|p(?:ad|op|roduct)|r(?:and|e(?:(?:duc|vers)e|place(?:_recursive)?))|s(?:earch|p?lice|um)|u(?:(?:diff|intersect)(?:_u?assoc)?|n(?:ique|shift))|walk(?:_recursive)?)|sort)|s(?:inh|ort|sert_options)|tan[2h]?)|b(?:ase(?:64_(?:de|en)code|_convert)|c(?:add|comp|div|m(?:od|ul)|pow(?:mod)?|s(?:cale|qrt|ub))|in(?:2hex|d(?:_textdomain_codeset|ec|textdomain))|oolval|z(?:(?:de)?compress|err(?:no|(?:o|st)r)|open|read))|c(?:al(?:_(?:days_in_month|(?:from|to)_jd|info)|l_user_func_array)|eil|h(?:(?:di)?r|grp|mod|own|unk_split)|l(?:ass_(?:alia|(?:implem|par)ent|use)s|earstatcache|ose(?:dir|log))|o(?:llator_(?:asort|c(?:ompar|reat)e|get_(?:(?:attribut|error_(?:cod|messag)|local)e|s(?:ort_key|trength))|s(?:et_(?:attribute|strength)|ort(?:_with_sort_keys)?))|m_(?:create_guid|event_sink|get_active_object|load_typelib|message_pump|print_typeinfo)|n(?:fig_get_hash|nection_(?:aborted|status)|vert_uu(?:de|en)code)|unt_chars)|rc32|type_(?:al(?:num|pha)|cntrl|(?:x?digi|p(?:rin|unc))t|graph|(?:low|upp)er|space)|url_(?:(?:c(?:los|opy_handl)|file_creat|paus)e|e(?:rr(?:no|or)|scape|xec)|getinfo|(?:ini|rese)t|multi_(?:(?:(?:add|remove)_handl|clos)e|e(?:rrno|xec)|getcontent|in(?:fo_read|it)|s(?:e(?:lec|top)t|trerror))|s(?:etopt(?:_array)?|hare_(?:close|errno|init|s(?:etopt|trerror))|trerror)|u(?:nescape|pkeep)|version))|d(?:ate(?:_(?:add|create(?:_(?:from_format|immutable(?:_from_format)?)
)?|d(?:(?:ate_s|efault_timezone_[gs])et|iff)|(?:forma|(?:offset_g|time(?:_s|(?:stamp|zone)_[gs]))e)t|get_last_errors|i(?:nterval_(?:create_from_date_string|format)|sodate_set)|modify|parse(?:_from_format)?|su(?:b|n(?:_info|rise|set)))|fmt_(?:(?:creat|localtim|pars)e|format(?:_object)?|get_(?:calendar(?:_object)?|(?:datetyp|error_(?:cod|messag)|local)e|pattern|time(?:type|zone(?:_id)?))|is_lenient|set_(?:calendar|lenient|pattern|timezone)))|ba_(?:(?:clos|delet|replac)e|(?:exist|handler)s|f(?:etch|irstkey)|(?:inser|key_spli|lis)t|nextkey|op(?:en|timize)|popen|sync)|(?:cn?)?gettext|e(?:bug_(?:(?:print_)?backtrace|zval_dump)|c(?:bin|hex)|flate_(?:add|init)|g2rad)|isk_(?:free|total)_space|l_test_test[12]|n(?:gettext|s_(?:check_record|get_(?:mx|record)))|om_import_simplexml)|e(?:aster_da(?:te|ys)|n(?:chant_(?:broker_(?:d(?:escribe|ict_exists)|free(?:_dict)?|get_(?:dict_path|error)|(?:ini|request_(?:pwl_)?dic)t|list_dicts|set_(?:dict_path|ordering))|dict_(?:add(?:_to_session)?|(?:quick_)?check|describe|get_error|is_added|s(?:tore_replacemen|ugges)t))|um_exists)|rror_(?:(?:clear|get)_last|(?:lo|reportin)g)|scapeshell(?:arg|cmd)|x(?:if_(?:imagetype|read_data|t(?:agname|humbnail))|pm1|tension_loaded))|f(?:astcgi_finish_request|d(?:atasync|iv)|eof|f(?:i_trampoline|lush)|get(?:c(?:sv)?|s)|i(?:l(?:e_put_contents|ter_(?:has_var|i(?:d|nput(?:_array)?)|list|var(?:_array)?))|nfo_(?:buffer|(?:clos|fil)e|open|set_flags))|loatval|(?:mo|re(?:a|nchtoj))d|nmatch|orward_static_call(?:_array)?|p(?:assthru|m_get_status|rintf|utcsv)|s(?:canf|eek|ockopen|tat|ync)|t(?:ell|ok|p_(?:a(?:lloc|ppend)|c(?:dup|h(?:dir|mod)|lose|onnect)|delete|exec|f(?:ge|pu)t|get(?:_option)?|login|m(?:dtm|kdir|lsd)|n(?:b_(?:continue|(?:f(?:ge|pu)|ge|pu)t)|list)|p(?:asv|ut|wd)|r(?:aw(?:list)?|ename|mdir)|s(?:et_option|(?:i[tz]|ystyp)e|sl_connect))|runcate)|unc_(?:get_args?|num_args)|write)|g(?:c_(?:(?:(?:collect_cycl|mem_cach)e|statu)s|disable|enabled?)|d_info|et(?:_(?:browser|c(?:(?:alled_clas|lass_(?:method|var))s|(?
:fg_va|urrent_use)r)|de(?:bug_type|(?:clared_(?:(?:class|interfac)e|trait)|fined_(?:constant|function|var))s)|(?:extension_func|loaded_extension|m(?:angled_object_var|eta_tag)|parent_clas)s|h(?:eaders|tml_translation_table)|include(?:_path|d_files)|o(?:bject_vars|pen_basedir)|resource(?:_(?:id|type)|s))|(?:cw|lastmo)d|(?:dat|rusag)e|env|host(?:by(?:addr|namel?)|name)|imagesize(?:fromstring)?|my(?:[gpu]id|inode)|opt|protobyn(?:ame|umber)|servby(?:name|port)|t(?:ext|imeofday|ype))|m(?:(?:dat|(?:mk|strf)tim)e|p_(?:a(?:bs|[dn]d)|binomial|c(?:lrbit|mp|om)|div(?:_(?:qr?|r)|exact)|(?:expor|fac|hamdis|testbi)t|gcd(?:ext)?|i(?:mport|n(?:(?:i|ver)t|tval))|jacobi|(?:kronecke|x?o)r|l(?:cm|egendre)|m(?:od|ul)|ne(?:g|xtprime)|p(?:erfect_(?:power|square)|o(?:pcount|wm?)|rob_prime)|r(?:andom_(?:bits|range|seed)|oot(?:rem)?)|s(?:can[01]|etbit|ign|qrt(?:rem)?|trval|ub)))|r(?:apheme_(?:extract|s(?:tr(?:i(?:pos|str)|len|(?:ri?)?pos|str)|ubstr))|egoriantojd)|z(?:(?:un)?compress|(?:de(?:cod|flat)|encod|fil|inflat)e|open))|h(?:ash_(?:(?:algo|equal)s|copy|fi(?:le|nal)|h(?:kdf|mac(?:_(?:algos|file))?)|init|pbkdf2|update(?:_(?:file|stream))?)|e(?:ader(?:_re(?:gister_callback|move)|s_(?:lis|sen)t)|brev|x(?:2bin|dec))|ighlight_(?:file|string)|rtime|t(?:ml(?:(?:_entity|specialchars)_decode|entities)|tp_(?:build_query|response_code))|ypot)|i(?:conv(?:_(?:get_encoding|mime_(?:decode(?:_headers)?|encode)|s(?:et_encoding|tr(?:len|r?pos)|ubstr)))?|dn_to_(?:ascii|utf8)|gnore_user_abort|ma(?:ge(?:_type_to_(?:extension|mime_type)|a(?:ffine(?:matrix(?:conca|ge)t)?|lphablending|ntialias|rc|vif)|(?:bm|w(?:bm|eb))p|c(?:har(?:up)?|o(?:lor(?:a(?:llocate(?:alpha)?|t)|closest(?:alpha|hwb)?|deallocate|(?:exact|resolve)(?:alpha)?|match|s(?:et|forindex|total)|transparent)|nvolution|py(?:merge(?:gray)?|res(?:ampl|iz)ed)?)|r(?:eate(?:from(?:avif|(?:bm|w(?:bm|eb))p|g(?:d(?:2(?:part)?)?|if)|(?:jpe|(?:p|stri)n)g|tga|x[bp]m)|truecolor)?|op(?:auto)?))|d(?:ashedline|estroy)|ellipse|f(?:il(?:l(?:ed(?:arc|(?:ellips|rectang
l)e|polygon)|toborder)?|ter)|lip|ont(?:height|width)|t(?:bbox|text))|g(?:ammacorrect|d2?|et(?:clip|interpolation)|if|rab(?:screen|window))|i(?:nterlace|struecolor)|jpeg|l(?:(?:ayereffec|oadfon)t|ine)|openpolygon|p(?:alette(?:copy|totruecolor)|ng|olygon)|r(?:e(?:ctangle|solution)|otate)|s(?:avealpha|cale|et(?:brush|clip|interpolation|pixel|style|t(?:hickness|ile))|tring(?:up)?|[xy])|t(?:ruecolortopalette|ypes)|xbm)|p_(?:(?:8bi|qprin)t|a(?:lerts|ppend)|b(?:ase64|inary|ody(?:struct)?)|c(?:heck|l(?:earflag_full|ose)|reatemailbox)|delete(?:mailbox)?|e(?:rrors|xpunge)|fetch(?:_overview|body|header|(?:mim|structur)e)|g(?:c|et(?:_quota(?:root)?|acl|mailboxes|subscribed))|header(?:info|s)|(?:is_)?open|l(?:ast_error|ist(?:scan)?|sub)|m(?:ail(?:_(?:co(?:mpose|py)|move)|boxmsginfo)?|ime_header_decode|sgno|utf7_to_utf8)|num_(?:msg|recent)|ping|r(?:e(?:namemailbox|open)|fc822_(?:parse_(?:adrlist|headers)|write_address))|s(?:avebody|e(?:arch|t(?:_quota|(?:ac|flag_ful)l))|ort|tatus|ubscribe)|t(?:hread|imeout)|u(?:id|n(?:delet|subscrib)e|tf(?:7_(?:de|en)code|8(?:_to_mutf7)?))))|n(?:_array|et_(?:ntop|pton)|flate_(?:add|get_(?:read_len|status)|init)|i_(?:get(?:_all)?|parse_quantity|restore|set)|t(?:div|erface_exists|l(?:_(?:error_nam|get_error_(?:cod|messag)|is_failur)e|cal_(?:a(?:dd|fter)|(?:befor|f(?:ield_differenc|rom_date_tim)|to_date_tim)e|c(?:lear|reate_instance)|equals|get(?:_(?:a(?:ctual_m(?:ax|in)imum|vailable_locales)|(?:day_of_week_typ|error_(?:cod|messag)|keyword_values_for_local)e|first_day_of_week|greatest_minimum|l(?:east_maximum|ocale)|m(?:aximum|inim(?:al_days_in_first_week|um))|now|(?:(?:repeat|skipp)ed_wall_time_op|weekend_transi)tion|t(?:ime(?:_zone)?|ype)))?|i(?:n_daylight_time|s_(?:equivalent_to|(?:lenien|se)t|weekend))|roll|set(?:_(?:(?:first_day_of|minimal_days_in_first)_week|lenient|(?:repeat|skipp)ed_wall_time_option|time(?:_zone)?))?)|gregcal_(?:(?:create_instanc|[gs]et_gregorian_chang)e|is_leap_year)|tz_(?:c(?:ount_equivalent_ids|reate_(?:default|enumeratio
n|time_zone(?:_id_enumeration)?))|(?:(?:from|to)_date_time_zon|use_daylight_tim)e|get_(?:(?:canonical|windows)_id|d(?:isplay_name|st_savings)|e(?:quivalent_id|rror_(?:cod|messag)e)|(?:gm|offse)t|id(?:_for_windows_id)?|r(?:aw_offset|egion)|(?:tz_data_versio|unknow)n)|has_same_rules))))|p(?:2long|tc(?:embed|parse))|s_(?:bool|(?:(?:(?:c(?:all|ount)|(?:execu|wri)t)ab|uploaded_fi)l|i(?:nfinit|terabl)|re(?:adabl|sourc))e|f(?:i(?:l|nit)e|loat)|link|nan|s(?:calar|oap_fault|tring|ubclass_of))|terator_(?:(?:appl|to_arra)y|count))|j(?:d(?:dayofweek|monthname|to(?:french|gregorian|j(?:ewish|ulian)|unix))|(?:ewish|ulian)tojd|son_(?:last_error(?:_msg)?|validate)))[\\s\\x0b]*\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "933152", + "name": "PHP Injection Attack: Medium-Risk PHP Function Name Found", + "pattern": 
"(?i)\\b(?:kr?sort|l(?:c(?:first|g_value|h(?:grp|own))|dap_(?:8859_to_t61|(?:ad|bin)d(?:_ext)?|co(?:mpare|nnect(?:_wallet)?|unt_(?:entri|referenc)es)|d(?:elete(?:_ext)?|n2ufn)|e(?:rr(?:(?:2st|o)r|no)|scape|x(?:op(?:_(?:passwd|refresh|sync|whoami))?|plode_dn))|f(?:irst_(?:(?:attribut|referenc)e|entry)|ree_result)|get_(?:(?:attribut|entri)es|(?:d|optio|values_le)n)|list|mod(?:_(?:add|del|replace)(?:_ext)?|ify_batch)|next_(?:(?:attribut|referenc)e|entry)|parse_(?:exop|re(?:ference|sult))|re(?:ad|name(?:_ext)?)|s(?:asl_bind|e(?:arch|t_(?:option|rebind_proc))|tart_tls)|t61_to_8859|unbind)|evenshtein|i(?:bxml_(?:(?:clear|use_internal)_errors|disable_entity_loader|get_(?:e(?:rrors|xternal_entity_loader)|last_error)|set_(?:external_entity_loader|streams_context))|nkinfo|tespeed_(?:finish_request|re(?:quest|sponse)_headers))|o(?:cal(?:e(?:_(?:(?:accept_from_htt|looku)p|(?:c(?:anonicaliz|ompos)|pars)e|filter_matches|get_(?:(?:all_variant|keyword)s|d(?:efault|isplay_(?:(?:languag|nam)e|region|(?:scrip|varian)t))|primary_language|region|script)|set_default)|conv)|time)|g1[0p]|ng2ip)|stat|trim)|m(?:b_(?:c(?:h(?:eck_encoding|r)|onvert_(?:case|encoding|kana|variables))|de(?:code_(?:mimeheader|numericentity)|tect_(?:encoding|order))|e(?:ncod(?:e_(?:mimeheader|numericentity)|ing_aliases)|reg(?:_(?:match|replace(?:_callback)?|search(?:_(?:(?:get(?:po|reg)|(?:set)?po|reg)s|init))?)|i(?:_replace)?)?)|get_info|http_(?:in|out)put|internal_encoding|l(?:anguage|ist_encodings)|o(?:rd|utput_handler)|p(?:arse_str|referred_mime_name)|regex_(?:encoding|set_options)|s(?:crub|end_mail|plit|tr(?:_(?:pad|split)|cut|i(?:mwidth|pos|str)|len|pos|r(?:chr|i(?:chr|pos)|pos)|(?:st|to(?:low|upp)e)r|width)|ubst(?:itute_character|r(?:_count)?)))|(?:(?:d5|ove_uploaded)_fil|e(?:mory_(?:get_(?:peak_)?|reset_peak_)usag|taphon)|i(?:crotim|me_content_typ))e|hash(?:_(?:count|get_(?:block_siz|hash_nam)e|keygen_s2k))?|k(?:dir|time)|sg(?:_(?:(?:get_queu|re(?:ceiv|move_queu))e|queue_exists|s(?:e(?:nd|t_queue)|tat_queue
))|fmt_(?:create|(?:format|parse)(?:_message)?|get_(?:(?:error_(?:cod|messag)|local)e|pattern)|set_pattern))|t_(?:getrandmax|s?rand)|ysqli_(?:a(?:ffected_rows|utocommit)|begin_transaction|c(?:ha(?:nge_user|racter_set_name)|lose|o(?:mmit|nnect(?:_err(?:no|or))?))|d(?:ata_seek|ebug|ump_debug_info)|e(?:rr(?:no|or(?:_list)?)|xecute_query)|f(?:etch_(?:a(?:ll|rray|ssoc)|column|field(?:_direct|s)?|lengths|object|row)|ield_(?:count|seek|tell)|ree_result)|get_(?:c(?:harset|lient_(?:info|stats|version)|onnection_stats)|(?:host|proto)_info|(?:links_stat|warning)s|server_(?:info|version))|in(?:fo|it|sert_id)|kill|m(?:ore_results|ulti_query)|n(?:ext_result|um_(?:field|row)s)|options|p(?:ing|oll|repare)|query|r(?:e(?:a(?:l_(?:connect|escape_string|query)|p_async_query)|fresh|(?:lease_savepoin|por)t)|ollback)|s(?:(?:avepoin|sl_se)t|e(?:lect_db|t_charset)|qlstate|t(?:(?:a|ore_resul)t|mt_(?:a(?:ffected_rows|ttr_[gs]et)|bind_(?:param|result)|close|data_seek|e(?:rr(?:no|or(?:_list)?)|xecute)|f(?:etch|(?:ield_coun|ree_resul)t)|get_(?:result|warnings)|in(?:it|sert_id)|more_results|n(?:ext_result|um_rows)|p(?:aram_count|repare)|res(?:et|ult_metadata)|s(?:end_long_data|qlstate|tore_result))))|thread_(?:id|safe)|(?:use_resul|warning_coun)t))|n(?:(?:at(?:case)?sor|gettex)t|et_get_interfaces|l(?:2br|_langinfo)|ormalizer_(?:get_raw_decomposition|is_normalized|normalize)|umfmt_(?:create|(?:format|parse)(?:_currency)?|get_(?:(?:(?:text_)?attribut|error_(?:cod|messag)|local)e|pattern|symbol)|set_(?:(?:text_)?attribute|pattern|symbol)))|o(?:b_(?:clean|end_(?:clean|flush)|(?:implicit_)?flush|g(?:et_(?:c(?:lean|ontents)|flush|le(?:ngth|vel)|status)|zhandler)|list_handlers)|c(?:i(?:_(?:(?:bind_(?:array_)?|define_)by_name|c(?:ancel|l(?:ient_version|ose)|o(?:llection_(?:a(?:ppend|ssign)|element_(?:assign|get)|max|size|trim)|(?:mmi|nnec)t))|e(?:rror|xecute)|f(?:etch(?:_(?:a(?:ll|rray|ssoc)|object|row))?|ield_(?:is_null|(?:nam|s(?:cal|iz))e|precision|type(?:_raw)?)|ree_(?:collection|descriptor|statement
))|get_implicit_resultset|lob_(?:(?:appen|loa|re(?:a|win))d|copy|e(?:of|rase|xport)|flush|i(?:mport|s_equal)|s(?:(?:av|iz)e|eek)|t(?:ell|runcate)|write)|n(?:ew_(?:c(?:o(?:llection|nnect)|ursor)|descriptor)|um_(?:field|row)s)|p(?:a(?:rs|ssword_chang)e|connect)|r(?:e(?:gister_taf_callback|sult)|ollback)|s(?:e(?:rver_version|t_(?:(?:ac|db_opera|edi)tion|c(?:all_timeout|lient_i(?:dentifier|nfo))|module_name|prefetch(?:_lob)?))|tatement_type)|unregister_taf_callback)|fetchinto|[gs]etbufferinglob)|tdec)|dbc_(?:autocommit|(?:binmod|data_sourc)e|c(?:lose(?:_all)?|o(?:lumn(?:privilege)?s|mmit|nnect(?:ion_string_(?:is_quoted|(?:should_)?quote))?)|ursor)|e(?:rror(?:msg)?|xec(?:ute)?)|f(?:etch_(?:array|into|object|row)|ield_(?:len|n(?:ame|um)|(?:scal|typ)e)|oreignkeys|ree_result)|gettypeinfo|longreadlen|n(?:ext_result|um_(?:field|row)s)|p(?:connect|r(?:epare|(?:imarykey|ocedure(?:column)?)s))|r(?:esult(?:_all)?|ollback)|s(?:etoption|(?:pecialcolumn|tatistic)s)|table(?:privilege)?s)|p(?:cache_(?:compile_file|get_(?:configuration|status)|i(?:nvalidate|s_script_cached)|reset)|en(?:dir|log|ssl_(?:c(?:ipher_(?:iv|key)_length|ms_(?:(?:de|en)crypt|read|sign|verify)|sr_(?:export(?:_to_file)?|get_(?:public_key|subject)|new|sign))|d(?:(?:ecryp|iges)t|h_compute_key)|e(?:ncrypt|rror_string)|(?:get_(?:c(?:ert_location|ipher_method|urve_name)|md_method)|random_pseudo_byte)s|open|p(?:bkdf2|k(?:cs(?:12_(?:export(?:_to_file)?|read)|7_(?:(?:de|en)crypt|read|sign|verify))|ey_(?:(?:deriv|fre)e|export(?:_to_file)?|get_(?:details|p(?:rivate|ublic))|new))|(?:rivate|ublic)_(?:de|en)crypt)|s(?:eal|ign|pki_(?:export(?:_challenge)?|new|verify))|verify|x509_(?:check(?:_private_key|purpose)|export(?:_to_file)?|f(?:ingerprint|ree)|parse|read|verify))))|utput_(?:add_rewrite_var|reset_rewrite_vars))|p(?:a(?:rse_(?:ini_(?:file|string)|str)|ss(?:thru|word_(?:algos|get_info|(?:needs_re)?hash|verify))|thinfo)|c(?:lose|ntl_(?:a(?:larm|sync_signals)|exec|forkx?|get(?:_last_error|priority)|rfork|s(?:etpriority|ig(?:
nal(?:_(?:dispatch|get_handler))?|procmask|timedwait|waitinfo)|trerror)|unshare|w(?:ait(?:pid)?|exitstatus|if(?:continu|exit|s(?:ignal|topp))ed|(?:stop|term)sig)))|do_drivers|fsockopen|g_(?:(?:affected_row|num_(?:field|row)|option)s|c(?:ancel_query|l(?:ient_encoding|ose)|o(?:n(?:nect(?:_poll|ion_(?:busy|reset|status))?|(?:sume_inpu|ver)t)|py_(?:from|to)))|d(?:bnam|elet)e|e(?:n(?:d_copy|ter_pipeline_mode)|scape_(?:bytea|identifier|literal|string)|x(?:ecut|it_pipeline_mod)e)|f(?:etch_(?:a(?:ll(?:_columns)?|rray|ssoc)|object|r(?:esult|ow))|ield(?:_(?:is_null|n(?:ame|um)|prtlen|size|t(?:able|ype(?:_oid)?))|isnull|prtlen)|lush|ree_result)|get_(?:notify|pid|result)|(?:hos|inser)t|l(?:ast_(?:error|notice|oid)|o_(?:(?:c(?:los|reat)|writ)e|(?:ex|im)port|open|read(?:_all)?|(?:see|unlin)k|t(?:ell|runcate)))|meta_data|p(?:arameter_status|(?:connec|or)t|i(?:ng|peline_s(?:tatus|ync))|(?:repar|ut_lin)e)|query(?:_params)?|result_(?:error(?:_field)?|s(?:eek|tatus))|s(?:e(?:lect|nd_(?:(?:execut|prepar)e|query(?:_params)?)|t_(?:client_encoding|error_(?:context_visibil|verbos)ity))|ocket)|t(?:ra(?:ce|nsaction_status)|ty)|u(?:n(?:escape_bytea|trace)|pdate)|version)|hp(?:_(?:ini_(?:loaded_file|scanned_files)|(?:s(?:api_nam|trip_whitespac)|unam)e)|credits|dbg_(?:break_(?:f(?:ile|unction)|method|next)|c(?:lea|olo)r|e(?:nd_oplog|xec)|get_executable|prompt|start_oplog)|info|version)|osix_(?:e?access|ctermid|f?pathconf|get(?:_last_error|(?:cw|(?:e[gu]|[su])i)d|g(?:id|r(?:gid|nam|oups))|login|p(?:g(?:id|rp)|p?id|w(?:nam|uid))|rlimit)|i(?:nitgroups|satty)|kill|mk(?:fifo|nod)|s(?:et(?:(?:e[gu]|p?g|[su])id|rlimit)|trerror|ysconf)|t(?:imes|tyname)|uname)|r(?:eg_(?:filter|grep|last_error(?:_msg)?|match_all|quote|replace_callback(?:_array)?|split)|o(?:c_(?:(?:clos|nic|terminat)e|get_status|open)|perty_exists))|spell_(?:add_to_(?:personal|session)|c(?:heck|lear_session|onfig_(?:(?:creat|ignor|mod)e|d(?:ata|ict)_dir|(?:persona|save_rep)l|r(?:epl|untogether)))|new(?:_(?:config|personal))?|s(?:(?:ave_wo
rdli|ugge)s|tore_replacemen)t)|utenv)|quote(?:d_printable_(?:de|en)code|meta))[\\s\\x0b]*\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "933153", + "name": "PHP Injection Attack: Medium-Risk PHP Function Name Found", + "pattern": "(?i)\\b(?:r(?:a(?:d2deg|ndom_(?:bytes|int)|wurl(?:de|en)code)|e(?:a(?:d(?:dir|(?:gz)?file|lin(?:e(?:_(?:(?:(?:add|list|write)_histor|re(?:ad_histor|displa))y|c(?:allback_(?:handler_(?:install|remove)|read_char)|lear_history|ompletion_function)|info|on_new_line))?|k))|lpath(?:_cache_(?:get|size))?)|gister_(?:shutdown|tick)_function|s(?:ourcebundle_(?:c(?:ount|reate)|get(?:_error_(?:cod|messag)e)?|locales)|tore_e(?:rror|xception)_handler)|wind(?:dir)?)|mdir|sort)|s(?:api_windows_(?:cp_(?:conv|[gs]et|is_utf8)|(?:generate_ctrl_even|vt100_suppor)t|set_ctrl_handler)|candir|e(?:m_(?:(?:acquir|re(?:leas|mov))e|get)|ssion_(?:(?:abor|unse)t|c(?:ache_(?:expire|limiter)|reate_id)|de(?:code|stroy)|(?:encod|(?:module_)?nam|write_clos)e|g(?:c|et_cookie_params)|id|re(?:g(?:enerate_id|ister_shutdown)|set)|s(?:ave_path|et_(?:cookie_params|save_handler)|ta(?:rt|tus)))|t(?:_(?:e(?:rror|xception)_handler|include_path|time_limit)|(?:(?:raw)?cooki|local)e))|h(?:a1(?:_file)?|ell_exec|m(?:_(?:(?:at|de)tach|(?:(?:ge|pu)t|has)_var|remove(?:_var)?)|op_(?:(?:clos|(?:dele|wri)t|siz)e|open|read)))|i(?:m(?:ilar_text|plexml_(?:import_dom|load_(?:file|string)))|nh)|nmp(?:[23]_(?:get(?:next)?|(?:real_)?walk|set)|_(?:get_(?:quick_print|valueretrieval)|read_mib|set_(?:(?:(?:enum|quick)_prin|oid_output_forma)t|valueretrieval))|get(?:next)?|(?:real)?walk|set)|o(?:cket_(?:a(?:ccept|ddrinfo_(?:bind|connect|explain|lookup)|tmark)|bind|c(?:l(?:ear_error|ose)|msg_space|onnect|reate(?:_(?:listen|pair))?)|(?:ex|im)port_stream|get(?:
_option|(?:peer|sock)name)|l(?:ast_error|isten)|re(?:ad|cv(?:from|msg)?)|s(?:e(?:lect|nd(?:msg|to)?|t_(?:(?:non)?block|option))|hutdown|trerror)|w(?:rite|saprotocol_info_(?:(?:ex|im)port|release)))|dium_(?:(?:ad|(?:un)?pa)d|b(?:ase642bin|in2(?:base64|hex))|c(?:ompare|rypto_(?:a(?:ead_(?:aes256gcm_(?:(?:de|en)crypt|is_available|keygen)|chacha20poly1305_(?:(?:de|en)crypt|ietf_(?:(?:de|en)crypt|keygen)|keygen)|xchacha20poly1305_ietf_(?:(?:de|en)crypt|keygen))|uth(?:_(?:keygen|verify))?)|box(?:_(?:keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:al(?:_open)?|cretkey|ed_keypair)))?|core_ristretto255_(?:add|from_hash|is_valid_point|random|s(?:calar_(?:add|(?:complemen|inver)t|mul|negate|r(?:andom|educe)|sub)|ub))|generichash(?:_(?:final|init|keygen|update))?|k(?:df_(?:derive_from_key|keygen)|x_(?:client_session_keys|keypair|publickey|se(?:cretkey|ed_keypair|rver_session_keys)))|pwhash(?:_s(?:cryptsalsa208sha256(?:_str(?:_verify)?)?|tr(?:_(?:needs_rehash|verify))?))?|s(?:calarmult(?:_ristretto255(?:_base)?)?|ecret(?:box(?:_(?:keyg|op)en)?|stream_xchacha20poly1305_(?:(?:init_)?pu(?:ll|sh)|keygen|rekey))|horthash(?:_keygen)?|ign(?:_(?:(?:verify_)?detached|ed25519_[ps]k_to_curve25519|keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:cretkey|ed_keypair)))?|tream(?:_(?:keygen|x(?:chacha20(?:_(?:keygen|xor(?:_ic)?))?|or)))?)))|hex2bin|increment|mem(?:cmp|zero))|undex)|p(?:l_(?:autoload(?:_(?:call|(?:extens|funct)ions|(?:un)?register))?|classes|object_(?:hash|id))|rintf)|qrt|scanf|tr(?:_(?:contains|(?:decreme|word_cou)nt|ends_with|getcsv|i(?:ncrement|replace)|pad|r(?:epeat|ot13)|s(?:huffle|plit|tarts_with))|c(?:(?:asec)?mp|oll|spn)|eam_(?:bucket_(?:(?:ap|pre)pend|make_writeable|new)|co(?:ntext_(?:create|get_(?:default|(?:option|param)s)|set_(?:default|options?|params))|py_to_stream)|filter_(?:(?:ap|pre)pend|re(?:gister|move))|get_(?:(?:(?:conten|transpor)t|(?:filt|wrapp)er)s|line|meta_data)|is(?:_local|atty)|resolve
_include_path|s(?:e(?:lect|t_(?:blocking|chunk_size|(?:read|write)_buffer|timeout))|ocket_(?:(?:accep|clien)t|enable_crypto|get_name|pair|recvfrom|s(?:e(?:ndto|rver)|hutdown))|upports_lock)|wrapper_(?:re(?:gister|store)|unregister))|ftime|i(?:p(?:c?slashe|o)s|str)|n(?:at)?c(?:asec)?mp|p(?:brk|time)|r(?:chr|ev|i?pos)|s(?:pn|tr)|t(?:ok|r)|val)|ubstr_(?:co(?:mpare|unt)|replace)|ys_get(?:_temp_dir|loadavg))|t(?:anh|e(?:mpnam|st[12]|xtdomain)|i(?:dy_(?:(?:access|error|warning)_count|c(?:lean_repair|onfig_count)|diagnose|get(?:_(?:body|config|error_buffer|h(?:ead|tml(?:_ver)?)|o(?:pt_doc|utput)|r(?:elease|oot)|status)|opt)|is_x(?:ht)?ml|(?:parse|repair)_(?:file|string))|me(?:_(?:nanosleep|sleep_until)|zone_(?:(?:(?:abbreviation|identifier)s_lis|(?:(?:locat|vers)ion|transitions)_ge)t|name_(?:from_abbr|get)|o(?:ffset_get|pen))))|mpfile|oken_(?:get_all|name)|r(?:a(?:it_exists|nsliterator_(?:create(?:_(?:from_rules|inverse))?|(?:get_error_(?:cod|messag)|transliterat)e|list_ids))|igger_error))|u(?:[ak]sort|cwords|mask|n(?:i(?:qi|xtoj)d|register_tick_function)|(?:rlde|tf8_(?:de|en))code|s(?:e_soap_error_handler|leep|ort))|v(?:ar(?:_(?:dump|export)|iant_(?:a(?:bs|[dn]d)|c(?:as?t|mp)|d(?:ate_(?:from|to)_timestamp|iv)|eqv|fix|get_type|i(?:div|mp|nt)|m(?:od|ul)|n(?:eg|ot)|x?or|pow|round|s(?:et(?:_type)?|ub)))|ersion_compare|[fs]?printf)|wordwrap|xml(?:_(?:error_string|get_(?:current_(?:byte_index|(?:column|line)_number)|error_code)|parse(?:_into_struct|r_(?:create(?:_ns)?|free|[gs]et_option))?|set_(?:(?:character_data|default|e(?:lement|nd_namespace_decl|xternal_entity_ref)|(?:notation|start_namespace|unparsed_entity)_decl|processing_instruction)_handler|object))|writer_(?:end_(?:attribute|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|element|pi)|f(?:lush|ull_end_element)|o(?:pen_(?:memory|uri)|utput_memory)|s(?:et_indent(?:_string)?|tart_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|pi))|text|write_(?:(?:
attribute|element)(?:_ns)?|c(?:data|omment)|dtd(?:_(?:attlist|e(?:lement|ntity)))?|pi|raw)))|z(?:end_(?:c(?:all_method|reate_unterminated_string)|get_(?:current_func_name|map_ptr_last|unit_enum)|iterable(?:_legacy)?|leak_(?:bytes|variable)|(?:number_or_string|string_or_(?:object|stdclass))(?:_or_null)?|t(?:e(?:rminate_string|st_(?:(?:(?:nullable_)?array|void)_return|c(?:ompile_string|r(?:ash|eate_throwing_resource))|deprecated|f(?:ill_packed_array|unc)|is_string_marked_as_valid_utf8|(?:override_libxml_global_sta|parameter_with_attribu)te|zend_(?:call_stack_(?:get|use_all)|ini_(?:parse_u?quantity|str))))|hread_id)|version|weakmap_(?:attach|dump|remove))|ip_(?:close|entry_(?:c(?:lose|ompress(?:edsize|ionmethod))|(?:filesiz|nam)e|open|read)|open|read)|lib_(?:(?:de|en)cod|get_coding_typ)e)|ZendTestNS2_(?:ZendSubNS_)?namespaced_(?:deprecated_)?func)[\\s\\x0b]*\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "933131", + "name": "PHP Injection Attack: Variables Found", + "pattern": "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 3 + }, + { + "id": "933161", + "name": "PHP Injection Attack: Low-Value PHP Function Call Found", + "pattern": 
"(?i)\\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\\s\\x0b]|/\\*.*\\*/|(?:#|//).*)*\\(.*\\)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 3 + }, + { + "id": "933111", + "name": "PHP Injection Attack: PHP Script File Upload Found", + "pattern": ".*\\.ph(?:p\\d*|tml|ar|ps|t|pt)\\..*$", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + "capec/1000/152/242" + ], + "paranoia_level": 3 + }, + { + "id": "933211", + "name": "PHP Injection Attack: Variable Function Call Found", + "pattern": "(?:\\((?:.+\\)(?:[\"'][\\-0-9A-Z_a-z]+[\"'])?\\(.+|[^\\)]*string[^\\)]*\\)[\\s\\x0b\"'\\-\\.0-9A-\\[\\]_a-\\{\\}]+\\([^\\)]*)|(?:\\[[0-9]+\\]|\\{[0-9]+\\}|\\$[^\\(\\),\\./;\\x5c]+|[\"'][\\-0-9A-Z\\x5c_a-z]+[\"'])\\(.+)\\)(?:;|$)?", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-injection-php", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-PHP", + 
"capec/1000/152/242" + ], + "paranoia_level": 3 } ] }, @@ -1264,7 +2116,7 @@ "name": "CRS Generic Application Attack", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Generic Application Attack (5 rules)", + "description": "OWASP CRS v4.24.1 — CRS Generic Application Attack (9 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -1288,7 +2140,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-GENERIC", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "934130", @@ -1309,7 +2162,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-GENERIC", "capec/1/180/77" - ] + ], + "paranoia_level": 1 }, { "id": "934150", @@ -1330,7 +2184,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-GENERIC", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "934160", @@ -1351,7 +2206,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-GENERIC", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "934170", 
@@ -1371,7 +2227,95 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-GENERIC", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 + }, + { + "id": "934101", + "name": "Node.js Injection Attack 2/2", + "pattern": "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\s\\x0b]*\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "attack-injection-generic", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-GENERIC", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "934120", + "name": "Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address", + "pattern": "(?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip):/?/?(?:[0-9]{7,10}|(?:0x[0-9a-f]{2}\\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\\.(?:[0-9]{1,3}\\.[0-9]{5}|[0-9]{8})|(?:\\x5c\\x5c[\\-0-9a-z]\\.?_?)+|\\[[0-:a-f]+(?:[\\.0-9]+|%[0-9A-Z_a-z]+)?\\]|[a-z][\\-\\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\\s\\x0b]*&?@(?:(?:[0-9]{1,3}\\.){3}[0-9]{1,3}|[a-z][\\-\\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\\.0-9]{0,11}(?:\\x{e2}(?:\\x91[\\xa0-\\x{bf}]|\\x92[\\x80-\\x{bf}]|\\x93[\\x80-\\x{a9}\\x{ab}-\\x{bf}])|\\x{e3}\\x80\\x82)+)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": 
"rce", + "enabled": true, + "tags": [ + "attack-ssrf", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-GENERIC", + "capec/1000/225/664" + ], + "paranoia_level": 2 + }, + { + "id": "934140", + "name": "Perl Injection Attack", + "pattern": "@+\\{[\\s\\x0b]*\\[", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-rce", + "attack-injection-generic", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-GENERIC", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "934180", + "name": "SSTI Attack", + "pattern": "(?:\\{%[^%}]*%}|<%=?[^%>]*%>)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "rce", + "enabled": true, + "tags": [ + "attack-ssti", + "attack-injection-generic", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-GENERIC", + "capec/1000/152/242" + ], + "paranoia_level": 2 } ] }, @@ -1380,7 +2324,7 @@ "name": "CRS Cross-Site Scripting (XSS)", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Cross-Site Scripting (XSS) (24 rules)", + "description": "OWASP CRS v4.24.1 — CRS Cross-Site Scripting (XSS) (30 rules)", "author": "OWASP CRS Project", "priority": 5, "enabled": true, @@ -1403,7 +2347,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "941110", @@ -1423,7 +2368,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "941120", @@ -1443,7 +2389,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "941130", @@ -1463,7 +2410,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "941140", @@ -1483,7 +2431,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "941160", 
@@ -1503,7 +2452,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941170",
@@ -1523,7 +2473,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941190",
@@ -1543,7 +2494,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941200",
@@ -1563,7 +2515,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941210",
@@ -1583,7 +2536,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941220",
@@ -1603,7 +2557,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941230",
@@ -1623,7 +2578,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941240",
@@ -1643,7 +2599,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941250",
@@ -1663,7 +2620,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941260",
@@ -1683,7 +2641,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941270",
@@ -1703,7 +2662,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941280",
@@ -1723,7 +2683,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941290",
@@ -1743,7 +2704,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941300",
@@ -1763,7 +2725,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941350",
@@ -1783,7 +2746,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941360",
@@ -1803,7 +2767,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242/63"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941370",
@@ -1823,7 +2788,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242/63"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941390",
@@ -1843,7 +2809,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-XSS",
 "capec/1000/152/242"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "941400",
@@ -1863,7 +2830,135 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-XSS", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 + }, + { + "id": "941101", + "name": "XSS Attack Detected via libinjection", + "pattern": "@detectXSS", + "targets": [ + "headers", + "uri" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "941150", + "name": "XSS Filter - Category 5: Disallowed HTML Attributes", + "pattern": "(?i)\\b(?:s(?:tyle|rc)|href)\\b[\\s\\S]*?=", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "941320", + "name": "Possible XSS Attack Detected - HTML Tag Handler", + "pattern": "<(?:a(?:bbr|cronym|ddress|pplet|rea|udioscope)?|b(?:ase(?:front)?|do|gsound|ig|l(?:(?:ackfac|ockquot)e|ink)|ody|[qr]|utton)?|c(?:aption|enter|ite|o(?:de|l(?:group)?|mment))|d(?:[dt]|e?l|fn|i[rv])|em(?:bed)?|f(?:ieldset|n|o(?:nt|rm)|rame(?:set)?)|h(?:[1r]|ead|tml)|i(?:frame|layer|mg|n(?:put|s)|sindex)?|k(?:db|eygen)|l(?:a(?:bel|yer)|egend|i(?:mittext|nk|sting)?)|m(?:a(?:p|rquee)|e(?:nu|ta)|ulticol)|no(?:br|embed|frames|s(?:cript|martquotes))|o(?:bject|l|pt(?:group|ion))|p(?:aram|laintext|re)?|q|r(?:t|uby)|s(?:amp|cript|e(?:lect|rver)|hadow|idebar|mall|pa(?:cer|n)|t(?:r(?:ike|ong)|yle)|u[bp])?|t(?:(?:ab|it)le|body|[dr]|extarea|(?:foo)?t|h(?:ead)?)|ul?|(?:va|wb)r|xm[lp])[^0-9A-Z_a-z]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ], + "paranoia_level": 2 + }, + { 
+ "id": "941330", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i)[\"'] *(?:[^ '0-:_a-z~]|in).*?(?:(?:l|\\x5cu006C)(?:o|\\x5cu006F)(?:c|\\x5cu0063)(?:a|\\x5cu0061)(?:t|\\x5cu0074)(?:i|\\x5cu0069)(?:o|\\x5cu006F)(?:n|\\x5cu006E)|(?:n|\\x5cu006E)(?:a|\\x5cu0061)(?:m|\\x5cu006D)(?:e|\\x5cu0065)|(?:o|\\x5cu006F)(?:n|\\x5cu006E)(?:e|\\x5cu0065)(?:r|\\x5cu0072)(?:r|\\x5cu0072)(?:o|\\x5cu006F)(?:r|\\x5cu0072)|(?:v|\\x5cu0076)(?:a|\\x5cu0061)(?:l|\\x5cu006C)(?:u|\\x5cu0075)(?:e|\\x5cu0065)(?:O|\\x5cu004F)(?:f|\\x5cu0066)).*?=", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "941340", + "name": "IE XSS Filters - Attack Detected", + "pattern": "(?i)[\"\\'][ ]*(?:[^a-z0-9~_:\\' ]|in).+?[.].+?=", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242" + ], + "paranoia_level": 2 + }, + { + "id": "941380", + "name": "AngularJS client side template injection detected", + "pattern": "\\{\\{.*?}}", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "xss", + "enabled": true, + "tags": [ + "attack-xss", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-XSS", + "capec/1000/152/242/63" + ], + "paranoia_level": 2 } ] }, @@ -1872,7 +2967,7 @@ "name": "CRS SQL Injection (SQLi)", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS SQL Injection (SQLi) (20 rules)", + "description": "OWASP CRS v4.24.1 — CRS SQL Injection (SQLi) (56 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, 
@@ -1895,7 +2990,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942140",
@@ -1915,7 +3011,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942151",
@@ -1935,7 +3032,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942160",
@@ -1955,7 +3053,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942170",
@@ -1975,7 +3074,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942190",
@@ -1995,7 +3095,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942220",
@@ -2015,7 +3116,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942230",
@@ -2035,7 +3137,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942240",
@@ -2055,7 +3158,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942250",
@@ -2075,7 +3179,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942270",
@@ -2095,7 +3200,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942280",
@@ -2115,7 +3221,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942290",
@@ -2135,7 +3242,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942320",
@@ -2155,7 +3263,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942350",
@@ -2175,7 +3284,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942360",
@@ -2195,7 +3305,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942500",
@@ -2215,7 +3326,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942540",
@@ -2235,7 +3347,8 @@
 "OWASP_CRS/ATTACK-SQLI",
 "paranoia-level/1",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942560",
@@ -2255,7 +3368,8 @@
 "OWASP_CRS",
 "OWASP_CRS/ATTACK-SQLI",
 "capec/1000/152/248/66"
- ]
+ ],
+ "paranoia_level": 1
 },
 {
 "id": "942550",
@@ -2275,7 +3389,768 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-SQLI", "capec/1000/152/248/66" - ] + ], + "paranoia_level": 1 + }, + { + "id": "942120", + "name": "SQL Injection Attack: SQL Operator Detected", + "pattern": "(?i)[!=]=|&&|\\|\\||->|>[=>]|<(?:[<=]|>(?:[\\s\\x0b]+binary)?)|\\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\\s\\x0b]*\\()|r(?:egexp|like)[\\s\\x0b]+binary|not[\\s\\x0b]+between[\\s\\x0b]+(?:0[\\s\\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\\s\\x0b]+and[\\s\\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\\s\\x0b]+null|like[\\s\\x0b]+(?:null|[0-9A-Z_a-z]+[\\s\\x0b]+escape\\b)|(?:^|[^0-9A-Z_a-z])in[\\s\\x0b\\+]*\\([\\s\\x0b\"0-9]+[^\\(\\)]*\\)|[!<->][\\s\\x0b]*all\\b", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942150", + "name": "SQL Injection Attack: SQL function name detected", + "pattern": "(?i)\\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\\(", + "targets": [ + "all" + 
], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942180", + "name": "Detects basic SQL authentication bypass attempts 1/3", + "pattern": "(?i)(?:/\\*)+[\"'`]+[\\s\\x0b]?(?:--|[#\\{]|/\\*)?|[\"'`](?:[\\s\\x0b]*(?:(?:x?or|and|div|like|between)[\\s\\x0b\\-0-9A-Z_a-z]+[\\(\\)\\+-\\-<->][\\s\\x0b]*[\"'0-9`]|[!=\\|](?:[\\s\\x0b!\\+\\-0-9=]+[^\\[]*[\"'\\(`].*|[\\s\\x0b!0-9=]+[^0-9]*[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'\\(0-9A-Z_-z]|;)|(?:[<>~]+|[\\s\\x0b]*[^\\s\\x0b0-9A-Z_a-z]?=[\\s\\x0b]*|[^0-9A-Z_a-z]*?[\\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\\s\\x0b]+[\"'`][\\s\\x0b]+[0-9]|^admin[\\s\\x0b]*?[\"'`]|[\\s\\x0b\"'\\(`][\\s\\x0b]*?glob[^0-9A-Z_a-z]+[\"'\\(0-9A-Z_-z]|[\\s\\x0b]is[\\s\\x0b]*?0[^0-9A-Z_a-z]|where[\\s\\x0b][\\s\\x0b,-\\.0-9A-Z_a-z]+[\\s\\x0b]=", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942200", + "name": "Detects MySQL comment-/space-obfuscated injections and backtick termination", + "pattern": "(?i)(?:,[^\\)]*?(?:[0-9a-f]+|\\([0-9a-f]+\\))|\\([^,]+(?:,[\\s\\x0b]*[0-9a-f]+)+\\))(?:$|[\"'`](?:$|[^\"'`]+[\"'`])|(?:\\r?\\n)?\\z)|,[^\\)]*?[\"'`][^\"'`]+[\"'`]|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\\s\\x0b]*?\\([\\s\\x0b]*?space[\\s\\x0b]*?\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + 
"paranoia_level": 2 + }, + { + "id": "942210", + "name": "Detects chained SQL injection attempts 1/2", + "pattern": "(?i)(?:&&|\\|\\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\\s\\x0b\\(]+[0-9A-Z_a-z]+[\\s\\x0b\\)]*?[!\\+=]+[\\s\\x0b0-9]*?[\"'-\\)=`]|[0-9](?:[\\s\\x0b]*?(?:and|between|div|like|x?or)[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?[\\+\\-]|[\\s\\x0b]+group[\\s\\x0b]+by.+\\()|/[0-9A-Z_a-z]+;?[\\s\\x0b]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\\s\\x0b]*?(?:alter|drop|(?:insert|update)[\\s\\x0b]*?[0-9A-Z_a-z]{2,})|@.+=[\\s\\x0b]*?\\([\\s\\x0b]*?select|[^0-9A-Z_a-z]SET[\\s\\x0b]*?@[0-9A-Z_a-z]+", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942260", + "name": "Detects basic SQL authentication bypass attempts 2/3", + "pattern": "(?i)[\"'`][\\s\\x0b]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)[\\s\\x0b]+[\\s\\x0b0-9A-Z_a-z]+=[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?having[\\s\\x0b]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\\s\\x0b]+like[\\s\\x0b]+[\"'`]|like[\\s\\x0b]*?[\"'`]%|select[\\s\\x0b]+?[\\s\\x0b\"'-\\),-\\.0-9A-\\[\\]_-z]+from[\\s\\x0b]+", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942300", + "name": "Detects MySQL comments, conditions and ch(a)r injections", + "pattern": 
"(?i)\\)[\\s\\x0b]*?when[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?then|[\"'`][\\s\\x0b]*?(?:[#\\{]|--)|/\\*![\\s\\x0b]?[0-9]+|\\b(?:(?:binary|cha?r)[\\s\\x0b]*?\\([\\s\\x0b]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\\s\\x0b]+[0-9A-Z_a-z]+\\()|(?:\\|\\||&&)[\\s\\x0b]*?[0-9A-Z_a-z]+\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942310", + "name": "Detects chained SQL injection attempts 2/2", + "pattern": "(?i)(?:\\([\\s\\x0b]*?select[\\s\\x0b]*?[0-9A-Z_a-z]+|coalesce|order[\\s\\x0b]+by[\\s\\x0b]+if[0-9A-Z_a-z]*?)[\\s\\x0b]*?\\(|\\*/from|\\+[\\s\\x0b]*?[0-9]+[\\s\\x0b]*?\\+[\\s\\x0b]*?@|[0-9A-Z_a-z][\"'`][\\s\\x0b]*?(?:(?:[\\+\\-=@\\|]+[\\s\\x0b]+?)+|[\\+\\-=@\\|]+)[\\(0-9]|@@[0-9A-Z_a-z]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\\s\\x0b]*?(?:if|while|begin)|[\\s\\x0b0-9]+=[\\s\\x0b]*?[0-9])|[\\s\\x0b\\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\\s\\x0b\\(]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942330", + "name": "Detects classic SQL injection probings 1/3", + "pattern": 
"(?i)[\"'`][\\s\\x0b]*?\\b(?:x?or|div|like|between|and)\\b[\\s\\x0b]*?[\"'`]?[0-9]|\\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\\s\\x0b]*?\\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\\|\\||&&)\\b[\\s\\x0b]*?[\"'0-9A-Z_-z][!&\\(\\)\\+-\\.@])|[^\\s\\x0b0-9A-Z_a-z][0-9A-Z_a-z]+[\\s\\x0b]*?[\\-\\|][\\s\\x0b]*?[\"'`][\\s\\x0b]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\\s\\x0b]+(?:and|x?or|div|like|between)\\b[\\s\\x0b]*?[\"'0-9`]+|[\\-0-9A-Z_a-z]+[\\s\\x0b](?:and|x?or|div|like|between)\\b[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z])|[^\\s\\x0b0-:A-Z_a-z][\\s\\x0b]*?[0-9][^0-9A-Z_a-z]+[^\\s\\x0b0-9A-Z_a-z][\\s\\x0b]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942340", + "name": "Detects basic SQL authentication bypass attempts 3/3", + "pattern": "(?i)in[\\s\\x0b]*?\\(+[\\s\\x0b]*?select|(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\\s\\x0b]+|(?:\\|\\||&&)[\\s\\x0b]*?)[\\s\\x0b\\+0-9A-Z_a-z]+(?:regexp[\\s\\x0b]*?\\(|sounds[\\s\\x0b]+like[\\s\\x0b]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\\s\\x0b]*?(?:(?:[0-9]+[\\s\\x0b]*?(?:--|#)|is[\\s\\x0b]*?(?:[0-9][^\"'`]+[\"'`]?[0-9A-Z_a-z]|[\\.0-9]+[\\s\\x0b]*?[^0-9A-Z_a-z][^\"'`]*[\"'`])|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)[\\s\\x0b]+|(?:\\|\\||&&)[\\s\\x0b]*?)(?:array[\\s\\x0b]*?\\[|(?:tru|fals)e\\b|[0-9A-Z_a-z]+(?:[\\s\\x0b]*?!?~|[\\s\\x0b]+(?:not[\\s\\x0b]+)?similar[\\s\\x0b]+to[\\s\\x0b]+))|[%&<->\\^]+[0-9]+[\\s\\x0b]*?(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between)=)|(?:[^0-9A-Z_a-z]+[\\+\\-0-9A-Z_a-z]+[\\s\\x0b]*?=[\\s\\x0b]*?[0-9][^0-9A-Z_a-z]+|\\|?[\\-0-9A-Z_a-z]{3,}[^\\s\\x0b,\\.0-9A-Z_a-z]+)[\"'`])|\\bexcept[\\s\\x0b]+(?:select\\b|values[\\s\\x0b]*?\\()", + "targets": [ + "all" + ], + 
"action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942361", + "name": "Detects basic SQL injection based on keyword alter or union", + "pattern": "(?i:^[\\W\\d]+\\s*?(?:alter|union)\\b)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942362", + "name": "Detects concatenated basic SQL injection and SQLLFI attempts", + "pattern": "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\s\\x0b]+(?:char|group_concat|load_file)[\\s\\x0b]?\\(?|end[\\s\\x0b]*?\\);|[\\s\\x0b\\(]load_file[\\s\\x0b]*?\\(|[\"'`][\\s\\x0b]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\\s\\x0b]+as\\b[\\s\\x0b]*[\"'0-9A-Z_-z]+[\\s\\x0b]*\\bfrom|^[^A-Z_a-z]+[\\s\\x0b]*?(?:create[\\s\\x0b]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\\s\\x0b]*(?:all|(?:sele|distin)ct))|alter[\\s\\x0b]*(?:a(?:(?:ggregat|pplication[\\s\\x0b]*rol)e|s(?:sembl|ymmetric[\\s\\x0b]*ke)y|u(?:dit|thorization)|vailability[\\s\\x0b]*group)|b(?:roker[\\s\\x0b]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\\s\\x0b]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\\s\\x0b]*group|in)))|m(?:a(?:s(?:k|ter[\\s\\x0b]*key)|terialized)|e(?:ssage[\\s\\x0b]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sou
rc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\\s\\x0b]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\\s\\x0b]*schema|srobject)))\\b)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942370", + "name": "Detects classic SQL injection probings 2/3", + "pattern": "(?i)[\"'`](?:[\\s\\x0b]*?(?:(?:\\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\\s\\x0b][^0-9]+[\\-0-9A-Z_a-z]+[^0-9]*)[0-9]|[^\\s\\x0b0-9\\?A-Z_a-z]+[\\s\\x0b]*?[^\\s\\x0b0-9A-Z_a-z]+[\\s\\x0b]*?[\"'`]|[^\\s\\x0b0-9A-Z_a-z]+[\\s\\x0b]*?[^A-Z_a-z](?:[^#]*#|.*?--))|[^\\*]*\\*[\\s\\x0b]*?[0-9])|\\^[\"'`]|[%\\(-\\+\\-<>][\\-0-9A-Z_a-z]+[^\\s\\x0b0-9A-Z_a-z]+[\"'`][^,]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942380", + "name": "SQL Injection Attack", + "pattern": "(?i)\\b(?:having\\b(?:[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[\\s\\x0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\\?\\[]+))|ex(?:ecute(?:\\(|[\\s\\x0b]{1,5}[\\$\\.0-9A-Z_a-z]{1,5}[\\s\\x0b]{0,3})|ists[\\s\\x0b]*?\\([\\s\\x0b]*?select\\b)|(?:create[\\s\\x0b]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\\()|select.*?case|from.*?limit|order[\\s\\x0b]by|exists[\\s\\x0b](?:[\\s\\x0b]select|s(?:elect[^\\s\\x0b](?:if(?:null)?[\\s\\x0b]\\(|top|concat)|ystem[\\s\\x0b]\\()|\\bhaving\\b[\\s\\x0b]+[0-9]{1,10}|'[^=]{1,10}')", + "targets": [ + "all" + ], + "action": "score", + 
"score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942390", + "name": "SQL Injection Attack", + "pattern": "(?i)\\b(?:or\\b(?:[\\s\\x0b]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\\s\\x0b]?[<->]+|[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\x0b]*?[<->])?)|xor\\b[\\s\\x0b]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\\s\\x0b]*?[<->])?)|'[\\s\\x0b]+x?or[\\s\\x0b]+.{1,20}[!\\+\\-<->]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942400", + "name": "SQL Injection Attack", + "pattern": "(?i)\\band\\b(?:[\\s\\x0b]+(?:[0-9]{1,10}[\\s\\x0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942410", + "name": "SQL Injection Attack", + "pattern": "(?i)\\b(?:a(?:(?:b|co)s|vg)|bin|c(?:(?:as|o(?:nver|un))t|h(?:ar(?:set)?|r))|d(?:a(?:te|y)|e(?:fault|grees))|elt|f(?:ield|loor|ormat)|(?:hou|quarte|yea)r|i[fns]|l(?:ast|e(?:ft|ngth)|n|ikelihood|o(?:cal|g|wer))|m(?:ax|in(?:ute)?|o(?:d|nth))|now|p(?:assword|i|o(?:sition|wer))|r(?:awtonhex(?:toraw)?|e(?:p(?:eat|lace)|verse)|ight|ound)|s(?:econd|ign|leep|pace|tddev|um)|t(?:an|ime|o_(?:n?char|(?:day|second)s))|u(?:nlikely|(?:pp|s)er)|v(?:alues|ersion)|week)[^0-9A-Z_a-z]*?\\(", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, 
+ "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942470", + "name": "SQL Injection Attack", + "pattern": "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942480", + "name": "SQL Injection Attack", + "pattern": "(?i)\\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\\.|elete\\b[^0-9A-Z_a-z]*?\\bfrom)|(?:group\\b.*?\\bby\\b.{1,100}?\\bhav|overlay\\b[^0-9A-Z_a-z]*?\\(.*?\\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\\b[^0-9A-Z_a-z]*?\\bjoin|sert\\b[^0-9A-Z_a-z]*?\\binto|to\\b[^0-9A-Z_a-z]*?\\b(?:dump|out)file)|load\\b[^0-9A-Z_a-z]*?\\bdata\\b.*?\\binfile|s(?:elect\\b.{1,100}?\\b(?:(?:.*?\\bdump\\b.*|(?:count|length)\\b.{1,100}?)\\bfrom|(?:data_typ|from\\b.{1,100}?\\bwher)e|instr|to(?:_(?:cha|numbe)r|p\\b.{1,100}?\\bfrom))|ys_context)|u(?:nion\\b.{1,100}?\\bselect|tl_inaddr))\\b|print\\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\\(a|@@version|;[^0-9A-Z_a-z]*?\\b(?:drop|shutdown))\\b|'(?:dbo|msdasql|s(?:a|qloledb))'", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + 
"OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942430", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){12})", + "targets": [ + "body", + "query" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942450", + "name": "SQL Bin or Hex Encoding Identified", + "pattern": "(?i)\\b0x[0-9a-f]{3,}|(?:x'[0-9a-f]{3,}|b'[01]{10,})'", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942510", + "name": "SQLi bypass attempt by ticks or backticks detected", + "pattern": "`(?:[\\s\\x0b\\(\\)\\+\\-0-9<=@-Z_a-\\{\\}]{2,29}|(?:[\\+/-9A-Za-z]{4})+(?:(?:[\\+/-9A-Za-z]{2}=|[\\+/-9A-Za-z]{3})=)?)`", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942520", + "name": "Detects basic SQL authentication bypass attempts 4.0/4", + "pattern": "(?i)[\"'`][\\s\\x0b]*?(?:(?:is[\\s\\x0b]+not|not[\\s\\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\\s\\x0b]+like)\\b|[%&\\*\\+\\-/<->\\^\\|]{1,3})", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + 
"attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942522", + "name": "Detects basic SQL authentication bypass attempts 4.1/4", + "pattern": "^.*?\\x5c['\"`](?:.*?['\"`])?\\s*(?:and|or)\\b", + "targets": [ + "body", + "query" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942101", + "name": "SQL Injection Attack Detected via libinjection", + "pattern": "@detectSQLi", + "targets": [ + "uri" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942152", + "name": "SQL Injection Attack: SQL function name detected", + "pattern": 
"(?i)\\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|eil(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|rc32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|insert_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compi
leoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\\(", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942321", + "name": "Detects MySQL and PostgreSQL stored procedure/function injections", + "pattern": "(?i)create[\\s\\x0b]+(?:function|procedure)[\\s\\x0b]*?[0-9A-Z_a-z]+[\\s\\x0b]*?\\([\\s\\x0b]*?\\)[\\s\\x0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\\s\\x0b]*?[0-9A-Z_a-z]+|iv[\\s\\x0b]*?\\([\\+\\-]*[\\s\\x0b\\.0-9]+,[\\+\\-]*[\\s\\x0b\\.0-9]+\\))|exec[\\s\\x0b]*?\\([\\s\\x0b]*?@|(?:lo_(?:impor|ge)t|procedure[\\s\\x0b]+analyse)[\\s\\x0b]*?\\(|;[\\s\\x0b]*?(?:declare|open)[\\s\\x0b]+[\\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\\s\\x0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)", + "targets": [ + "headers" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 2 + }, + { + "id": "942251", + "name": "Detects HAVING injections", + "pattern": "(?i)\\W+\\d*?\\s*?\\bhaving\\b\\s*?[^\\s\\-]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + 
"OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942490", + "name": "Detects classic SQL injection probings 3/3", + "pattern": "[\"'`][\\s\\d]*?[^\\w\\s]\\W*?\\d\\W*?.*?[\"'`\\d]", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942420", + "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){8})", + "targets": [ + "headers" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942431", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){6})", + "targets": [ + "body", + "query" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942460", + "name": "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters", + "pattern": "\\W{4}", + "targets": [ + "query" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + 
"paranoia_level": 3 + }, + { + "id": "942511", + "name": "SQLi bypass attempt by ticks detected", + "pattern": "'(?:[\\s\\x0b\\(\\)\\+\\-0-9<=@-Z_a-\\{\\}]{2,29}|(?:[\\+/-9A-Za-z]{4})+(?:(?:[\\+/-9A-Za-z]{2}=|[\\+/-9A-Za-z]{3})=)?)'", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942530", + "name": "SQLi query termination detected", + "pattern": "';", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/3", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 3 + }, + { + "id": "942421", + "name": "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){3})", + "targets": [ + "headers" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 4 + }, + { + "id": "942432", + "name": "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)", + "pattern": "((?:(?:[!-\\+\\-:->@\\[\\]\\^`\\{-~]|\\x{c2}\\x{b4}|\\x{e2}\\x80[\\x98\\x99])[^!-\\+\\-:->@\\[\\]\\^`\\{-~]*?){2})", + "targets": [ + "body", + "query" + ], + "action": "score", + "score": 5, + "severity": "medium", + "category": "sqli", + "enabled": true, + "tags": [ + "attack-sqli", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-SQLI", + "capec/1000/152/248/66" + ], + "paranoia_level": 4 } ] }, 
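Review bot: Rule 942101 stores the libinjection operator `@detectSQLi` in the same `pattern` field that every neighbouring rule uses for a regular expression; if the consumer compiles each `pattern` as a regex, this rule silently degrades to a literal match on the text "@detectSQLi" and the libinjection check is lost. The record has no field that distinguishes an operator from a regex, so either emit an explicit discriminator, e.g. `"operator": "detectSQLi"` with no `pattern`, or have the extractor skip the rule rather than ship it as a regex. Also worth checking in this hunk: 942420 and 942421 are named "(cookies)" but target `"headers"`, which widens a cookie-only anomaly score to every request header, and 942430/942431/942432 use the PCRE-only `\x{c2}\x{b4}` escape form that RE2, Go and JavaScript engines will reject. The enclosing rules array begins before this hunk.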
@@ -2307,7 +4182,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-SESSION-FIXATION", "capec/1000/225/21/593/61" - ] + ], + "paranoia_level": 1 } ] }, @@ -2316,7 +4192,7 @@ "name": "CRS Java / Deserialization Attack", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Java / Deserialization Attack (3 rules)", + "description": "OWASP CRS v4.24.1 — CRS Java / Deserialization Attack (11 rules)", "author": "OWASP CRS Project", "priority": 3, "enabled": true, @@ -2339,7 +4215,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-JAVA", "capec/1000/152/137/6" - ] + ], + "paranoia_level": 1 }, { "id": "944140", @@ -2359,7 +4236,8 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-JAVA", "capec/1000/152/242" - ] + ], + "paranoia_level": 1 }, { "id": "944150", 
@@ -2379,7 +4257,176 @@ "OWASP_CRS", "OWASP_CRS/ATTACK-JAVA", "capec/1000/152/137/6" - ] + ], + "paranoia_level": 1 + }, + { + "id": "944151", + "name": "Potential Remote Command Execution: Log4j / Log4shell", + "pattern": "(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)(?:[^\\}]*(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)|jndi|ctx)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ], + "paranoia_level": 2 + }, + { + "id": "944200", + "name": "Magic bytes Detected, probable java serialization in use", + "pattern": "\\xac\\xed\\x00\\x05", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ], + "paranoia_level": 2 + }, + { + "id": "944210", + "name": "Magic bytes Detected Base64 Encoded, probable java serialization in use", + "pattern": "(?:rO0ABQ|KztAAU|Cs7QAF)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ], + "paranoia_level": 2 + }, + { + "id": "944240", + "name": "Remote Command Execution: Java serialization (CVE-2015-4852)", + "pattern": "(?:clonetransform|xmldecod)er|f(?:orclosure|ilewriter)|in(?:stantiate(?:factory|transformer)|vokertransformer)|(?:prototype(?:clone|serialization)factor|getpropert)y|whileclosure", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + 
"capec/1000/152/248" + ], + "paranoia_level": 2 + }, + { + "id": "944250", + "name": "Remote Command Execution: Suspicious Java method detected", + "pattern": "java\\b.+(?:runtime|processbuilder)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ], + "paranoia_level": 2 + }, + { + "id": "944260", + "name": "Remote Command Execution: Malicious class-loading payload", + "pattern": "class\\.module\\.classLoader\\.resources\\.context\\.parent\\.pipeline|springframework\\.context\\.support\\.FileSystemXmlApplicationContext", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ], + "paranoia_level": 2 + }, + { + "id": "944300", + "name": "Base64 encoded string matched suspicious keyword", + "pattern": "c(?:nVudGltZQ|HJv(?:Y2Vzc2J1aWxkZXI|dG90eXBl(?:Y2xvbmVmYWN0b3J5|c2VyaWFsaXphdGlvbmZhY3Rvcnk)))|H(?:J1bnRpbWU|Byb(?:2Nlc3NidWlsZGVy|3RvdHlwZ(?:WNsb25lZmFjdG9yeQ|XNlcmlhbGl6YXRpb25mYWN0b3J5))|doaWxlY2xvc3VyZQ)|B(?:(?:ydW50aW1|mb3JjbG9zdXJ)l|wcm9(?:jZXNzYnVpbGRlcg|0b3R5cGV(?:jbG9uZWZhY3Rvcnk|zZXJpYWxpemF0aW9uZmFjdG9yeQ))|jbG9uZXRyYW5zZm9ybWVy|pbn(?:N0YW50aWF0Z(?:WZhY3Rvcnk|XRyYW5zZm9ybWVy)|Zva2VydHJhbnNmb3JtZXI)|3aGlsZWNsb3N1cmU)|Y2xvbmV0cmFuc2Zvcm1lcg|G(?:Nsb25ldHJhbnNmb3JtZXI|ZvcmNsb3N1cmU|lu(?:c3RhbnRpYXRl(?:ZmFjdG9yeQ|dHJhbnNmb3JtZXI)|dm9rZXJ0cmFuc2Zvcm1lcg))|Zm9yY2xvc3VyZQ|aW5(?:zdGFudGlhdGV(?:mYWN0b3J5|0cmFuc2Zvcm1lcg)|2b2tlcnRyYW5zZm9ybWVy)|d2hpbGVjbG9zdXJl", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/3", + 
"OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/248" + ], + "paranoia_level": 3 + }, + { + "id": "944152", + "name": "Potential Remote Command Execution: Log4j / Log4shell", + "pattern": "(?i)(?:\\$|$?)(?:\\{|&l(?:brace|cub);?)", + "targets": [ + "all" + ], + "action": "score", + "score": 10, + "severity": "critical", + "category": "deserialization", + "enabled": true, + "tags": [ + "attack-rce", + "paranoia-level/4", + "OWASP_CRS", + "OWASP_CRS/ATTACK-JAVA", + "capec/1000/152/137/6" + ], + "paranoia_level": 4 } ] }, @@ -2388,7 +4435,7 @@ "name": "CRS Data Leakage Detection", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS Data Leakage Detection (2 rules)", + "description": "OWASP CRS v4.24.1 — CRS Data Leakage Detection (3 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -2411,7 +4458,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES", "capec/1000/118/116/54/127" - ] + ], + "paranoia_level": 1 }, { "id": "950140", @@ -2431,7 +4479,29 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 + }, + { + "id": "950100", + "name": "The Application Returned a 500-Level Status Code", + "pattern": "^5\\d{2}$", + "targets": [ + "body" + ], + "action": "score", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES", + "capec/1000/152" + ], + "paranoia_level": 2 } ] }, @@ -2463,7 +4533,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951120", @@ -2483,7 +4554,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951130", @@ -2503,7 +4575,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951140", 
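Review bot: In 944151 and 944152 the alternation `(?:\\$|$?)` is broken: the second branch is an optional end-of-string anchor, so the group matches the empty string and each rule reduces to firing on any `{` (or `&lbrace;`/`&lcub;`), which at PL2 and PL4 will score practically every JSON request body. This looks like HTML-entity decoding in the extractor, since a literal `&dollar;` would decode to `$` while the non-literal `&l(?:brace|cub);?` survives untouched, which is exactly what the lines show; confirm against the upstream CRS source. The 944152 pattern should read `"(?i)(?:\\$|&dollar;?)(?:\\{|&l(?:brace|cub);?)"` and the same two substitutions apply inside the longer 944151 pattern. The enclosing rules array begins before this hunk.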
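Review bot: Rule 950100 ("The Application Returned a 500-Level Status Code") has the anchored pattern `^5\\d{2}$` but targets `"body"`; a three-character anchored status-code match is only meaningful against the response status, so as emitted the rule either never fires or fires on a body that is literally a three-digit number. The target vocabulary visible here has no response-status value, so the extractor should either map this rule to a dedicated target such as `"targets": ["response_status"]` if the consumer supports one, or skip it rather than emit a rule that silently does nothing. The same direction question applies to the other DATA-LEAKAGES rules in this file, which are response-phase checks but carry the same target names as request-inspection rules.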
@@ -2523,7 +4596,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951150", @@ -2543,7 +4617,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951160", @@ -2563,7 +4638,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951170", @@ -2583,7 +4659,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951180", @@ -2603,7 +4680,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951190", @@ -2623,7 +4701,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951200", @@ -2643,7 +4722,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951210", @@ -2663,7 +4743,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951220", @@ -2683,7 +4764,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951230", @@ -2703,7 +4785,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951240", @@ -2723,7 +4806,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951250", @@ -2743,7 +4827,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 }, { "id": "951260", @@ -2763,7 +4848,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-SQL", "capec/1000/118/116/54" - ] + ], + "paranoia_level": 1 } ] }, @@ -2795,7 +4881,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-JAVA", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 } ] }, 
@@ -2804,7 +4891,7 @@ "name": "CRS PHP Data Leakage", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS PHP Data Leakage (2 rules)", + "description": "OWASP CRS v4.24.1 — CRS PHP Data Leakage (3 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -2827,7 +4914,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-PHP", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 }, { "id": "953120", @@ -2847,7 +4935,29 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-PHP", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 + }, + { + "id": "953101", + "name": "PHP Information Leakage", + "pattern": "(?i)Empty string|F(?:ile size is|reeing memory)|Header (?:name )?\"|Invalid date|No active class|(?:Out of memor|cannot be empt)y|Pa(?:ir level|ssword is too long)|Re(?:ading file|starting!)|S(?:ession is not active|tatic function\\b)|T(?:elling\\.\\.\\.|he function\\b)|(?:Unknown reas|invalid opti)on|e(?:mpty password|rror reading)", + "targets": [ + "body" + ], + "action": "score", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-PHP", + "capec/1000/118/116" + ], + "paranoia_level": 2 } ] }, @@ -2856,7 +4966,7 @@ "name": "CRS IIS Data Leakage", "version": "4.24.1", "source": "owasp-crs", - "description": "OWASP CRS v4.24.1 — CRS IIS Data Leakage (2 rules)", + "description": "OWASP CRS v4.24.1 — CRS IIS Data Leakage (3 rules)", "author": "OWASP CRS Project", "priority": 15, "enabled": true, @@ -2879,7 +4989,8 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-IIS", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 }, { "id": "954110", 
@@ -2899,7 +5010,29 @@ "OWASP_CRS", "OWASP_CRS/DATA-LEAKAGES-IIS", "capec/1000/118/116" - ] + ], + "paranoia_level": 1 + }, + { + "id": "954101", + "name": "Disclosure of IIS install location", + "pattern": "(?i)[\\x5c/]inetpub\\b", + "targets": [ + "body" + ], + "action": "score", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-IIS", + "capec/1000/118/116" + ], + "paranoia_level": 2 } ] }, @@ -2931,7 +5064,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955120", @@ -2951,7 +5085,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955130", @@ -2971,7 +5106,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955140", @@ -2991,7 +5127,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955150", @@ -3011,7 +5148,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955160", @@ -3031,7 +5169,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955170", @@ -3051,7 +5190,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955180", @@ -3071,7 +5211,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955190", @@ -3091,7 +5232,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955200", @@ -3111,7 +5253,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955210", 
@@ -3131,7 +5274,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955220", @@ -3151,7 +5295,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955230", @@ -3171,7 +5316,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955240", @@ -3191,7 +5337,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955250", @@ -3211,7 +5358,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955260", @@ -3231,7 +5379,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955270", @@ -3251,7 +5400,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955280", @@ -3271,7 +5421,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955290", @@ -3291,7 +5442,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955310", @@ -3311,7 +5463,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955320", @@ -3331,7 +5484,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955330", @@ -3351,7 +5505,8 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 }, { "id": "955340", 
@@ -3371,7 +5526,41 @@ "OWASP_CRS", "OWASP_CRS/WEB-SHELLS", "capec/1000/225/122/17/650" - ] + ], + "paranoia_level": 1 + } + ] + }, + { + "id": "crs-data-leakage-ruby", + "name": "CRS Ruby Data Leakage", + "version": "4.24.1", + "source": "owasp-crs", + "description": "OWASP CRS v4.24.1 — CRS Ruby Data Leakage (1 rules)", + "author": "OWASP CRS Project", + "priority": 15, + "enabled": true, + "rules": [ + { + "id": "956110", + "name": "Ruby source code leakage", + "pattern": "(?i)(?:<%[=#\\s]|#\\{[^}]+\\})", + "targets": [ + "body" + ], + "action": "score", + "score": 8, + "severity": "high", + "category": "data_leakage", + "enabled": true, + "tags": [ + "attack-disclosure", + "paranoia-level/2", + "OWASP_CRS", + "OWASP_CRS/DATA-LEAKAGES-RUBY", + "capec/1000/118/116" + ], + "paranoia_level": 2 } ] }
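Review bot: The generated description reads `"OWASP CRS v4.24.1 — CRS Ruby Data Leakage (1 rules)"`, so the template in update-feed.sh does not pluralise; either emit `(1 rule)` for a single rule or use a form that needs no pluralisation, since the same template produces the other descriptions touched by this commit. The record for 956110 also gives no indication that its pattern `(?i)(?:<%[=#\\s]|#\\{[^}]+\\})` is a response-side check beyond `"category": "data_leakage"`; a note in the feed's README that `data_leakage` rules are evaluated on responses only, or an explicit field naming the inspected direction, would keep a consumer from applying it to request bodies.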