# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# When tx.detection_paranoia_level is below 1, jump forward to the
# END-REQUEST-932-APPLICATION-ATTACK-RCE marker (expected at the end of
# this file), so that none of the RCE rules in between are evaluated.
# skipAfter only takes effect within the phase of the rule that performs
# it, which is why there is one skip rule for phase 1 and one for phase 2.
# Both rules 'pass' and are 'nolog', so the skip itself produces no alert
# or audit-log entry.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# [ Unix command injection ]
#
# This rule detects Unix command injections.
# A command injection takes a form such as:
#
#   foo.jpg;uname -a
#   foo.jpg||uname -a
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in shell syntax, such as: ; | & $( ` <( >(
# Anatomy of the regexp with examples of patterns caught:
#
# 1. Starting tokens
#
#   ;           ;ifconfig
#   \{          {ifconfig}
#   \|          |ifconfig
#   \|\|        ||ifconfig
#   &           &ifconfig
#   &&          &&ifconfig
#   \n          ;\nifconfig
#   \r          ;\rifconfig
#   \$\(        $(ifconfig)
#   \$\(\(      $((ifconfig))
#   `           `ifconfig`
#   \${         ${ifconfig}
#   <\(         <( ifconfig )
#   >\(         >( ifconfig )
#   \(\s*\)     a() ( ifconfig; ); a
#
# 2. 
Command prefixes # # { { ifconfig } # \s*\(\s* ( ifconfig ) # \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig # !\s* ! ifconfig # \$ $ifconfig # # 3. Quoting # # ' 'ifconfig' # \" "ifconfig" # # 4. Paths # # [\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc. # # An effort was made to combat evasions by shell quoting (e.g. 'ls', # 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine # transformation built-in to deal with this, but unfortunately, it # replaces ';' characters and lowercases the payload, which is less # useful for this case. However, emulating the transformation makes # the regexp more complex. # # This is the base Rule to prevent Unix Command Injection # for prefix + two and three characters. # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932230.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932230 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bt]|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&,<>\|].*|[jp])|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&,<>\|].*|h))|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[
\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&,<>\|].*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|(?:[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|[cp])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|i|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[-\x5c]*(?:(?:(?:\
|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|]).*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[hr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|p|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?|(?:[npz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)[\s\v&,<>\|].*|s)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?
(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|f|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&,<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*)|s|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|v))|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|u)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#
\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&,<>\|].*|[g-h]|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*)|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))\b" \ "id:932230,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ 
tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # # This is the base Rule to prevent Unix Command Injection # for prefix + more than 4 characters. # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932235.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932235 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook|pt-get|r(?:ch[\s\v<>]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:a(?:ncel|psh)[\s\v<>]|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v<>]|ontab)|s(?:plit|vtool)|u(?:psfilter|rl))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r)))|f(?:acter|(?:etch|lock)[\s\v<>]|grep|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|o(?:ld[\s\v<>]|reach)|ping|tp(?:stats|who)|unction)|g(?:awk|core|e(?:ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci|i(?:mp[\s\v<>]|nsh)|rep[\s\v<>]|tester|unzip|z(?:cat|exe|ip))|h(?:e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v<>]
|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:ill(?:[\s\v<>]|all)|nife[\s\v<>]|sshell)|l(?:a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|dconfig|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:a(?:il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v<>]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp))|ice[\s\v<>]|map|o(?:de[\s\v<>]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:s(?:swd|te[\s\v<>])|tch[\s\v<>])|df(?:la)?tex|er(?:f|l(?:5|sh)?|ms)|(?:ft|gre)p|i(?:(?:co|ng)[\s\v<>]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v<>])|s(?:ftp|ql)|tar(?:diff|grep)?|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:ak(?:e[\s\v<>]|u)|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v<>]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v<>]|user)|nano|oute[\s\v<>]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap|plit)[\s\v<>]|c(?:hed|r(?:een|ipt)[\s\v<>])|diff|e(?:ndmail|rvice[\s\v<>]|t(?:arch|env|facl[\s\v<>]|sid))|ftp|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v<>f]|sk(?:set)?)|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v<>]|datectl)|mux|ouch[\s\v<>]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v<>]|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)
|v(?:algrind|i(?:ew[\s\v<>]|gr|mdiff|pw|rsh)|olatility)|w(?:a(?:ll|tch)[\s\v<>]|get|h(?:iptail|o(?:ami|is))|i(?:reshark|sh[\s\v<>]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|y(?:arn|elp[\s\v<>])|z(?:athura|c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|s(?:oelim|td)|ypper))" \ "id:932235,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Apache 2.2 requires configuration file lines to be under 8kB. # Therefore, some remaining commands have been split off to a separate rule. # For explanation of this rule, see rule 932370. # # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # # Regular expression generated from regex-assembly/932115.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932115 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*i[\"\^]*n[\"\^]*g)|e[\"\^]*r[\"\^]*(?:f[\"\^]*m[\"\^]*o[\"\^]*n|l(?:[\"\^]*(?:5|s[\"\^]*h))?)|h[\"\^]*p(?:[\"\^]*[57])?|i[\"\^]*n[\"\^]*g|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|o[\"\^]*(?:p[\"\^]*d|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|w[\"\^]*e[\"\^]*r[\"\^]*(?:c[\"\^]*f[\"\^]*g|s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?))|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|s[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*(?:i[\"\^]*s[\"\^]*t|o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t))|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|s[\"\^]*(?:e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d))|u[\"\^]*s[\"\^]*h[\"\^]*d|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:2|3(?:[\"\^]*m)?))?)|q[\"\^]*(?:g[\"\^]*r[\"\^]*e[\"\^]*p|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*[\s\v,\.-/;-<>].*|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:a[\"\^]*(?:r[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*
(?:d[\"\^]*i[\"\^]*a[\"\^]*l|p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e))|d[\"\^]*[\s\v,\.-/;-<>].*|e[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|g[\"\^]*(?:[\s\v,\.-/;-<>].*|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z|(?:n[\"\^]*(?:a[\"\^]*m[\"\^]*e[\"\^]*)?|(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|s[\"\^]*e[\"\^]*t)[\"\^]*)[\s\v,\.-/;-<>].*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?[\s\v,\.-/;-<>].*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|u[\"\^]*t[\"\^]*e[\"\^]*[\s\v,\.-/;-<>].*)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|u[\"\^]*(?:b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[8-9])?|2[\"\^]*[0-2])|n[\"\^]*(?:a[\"\^]*s|d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)))|s[\"\^]*(?:c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|e[\"\^]*(?:c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*(?:(?:x[\"\^]*)?[\s\v,\.-/;-<>].*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l))|f[\"\^]*c|h[\"\^]*(?:a[\"\^]*r[\"\^]*e|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|i[\"\^]*f[\"\^]*t|o[\"\^]*(?:r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t|w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s)|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n)|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|(?:o|t[\"\^]*a)[\"\^]*r[\"\^]*t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|v[\"\^]*n|y[\"\^]*s[\"\^]*(?:d[\"\^]*m|k[\"\^]*e[\"\^]*y|t[\"\^]*e[\"\^]*m[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d|d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:h[\"\^]*a[
\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r|p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c)[\"\^]*e))))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|m[\"\^]*g[\"\^]*r|s[\"\^]*c[\"\^]*h[\"\^]*d))|(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|l[\"\^]*i[\"\^]*s|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i)[\"\^]*t|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e)|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*e[\"\^]*r[\"\^]*f))|u[\"\^]*(?:n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p)|s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t))|v[\"\^]*(?:e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y|o[\"\^]*l[\"\^]*[\s\v,\.-/;-<>].*)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g[\"\^]*e[\"\^]*t|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|r[\"\^]*[ms]|v[\"\^]*a[\"\^]*r)|m[\"\^]*i[\"\^]*(?:c|m[\"\^]*g[\"\^]*m[\"\^]*t)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|u[\"\^]*(?:a[\"\^]*(?:p[\"\^]*p|u[\"\^]*c[\"\^]*l[\"\^]*t)|s[\"\^]*a))|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*[\s\v,\.-/;-<>].*)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ "id:932115,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ 
severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows PowerShell, cmdlets and options ] # # Detect some common PowerShell commands, cmdlets and options. # These commands should be relatively uncommon in normal text, but # potentially useful for code injection. # # If you are not running Windows, it is safe to disable this rule. # # https://technet.microsoft.com/en-us/magazine/ff714569.aspx # https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \ "id:932120,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,\ msg:'Remote Command Execution: Windows PowerShell Command Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'language-powershell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows Powershell cmdlet aliases ] # # Attempts to detect aliases of the common PowerShell cmdlets in windows-powershell-commands.data # If you are not running Windows, it is safe to disable this rule. # # There are other aliases which are similar to Unix, but they are properly handled by rule 932105 # # Regular expression generated from regex-assembly/932125.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932125 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\v,\.-/;-<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\v,\.-/;-<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\v,\.-/;-<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\v,\.-/;-<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[u-v])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\v,\.-/;-<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\v,\.-/;-<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\v,\.-/;-<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\v,\.-/;-<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(
?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\v,\.-/;-<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ "id:932125,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell expressions ] # # Detects the following patterns which are common in Unix shell scripts # and one-liners: # # $(foo) Command substitution # ${foo} Parameter expansion # <(foo) Process substitution # >(foo) Process substitution # $((foo)) Arithmetic expansion # /e[t]c Shell glob expression to bypass wordlists # # Regular expression generated from regex-assembly/932130.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932130 # # This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer # # This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \ "id:932130,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,\ msg:'Remote Command Execution: Unix Shell Expression Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows FOR, IF commands ] # # This rule detects Windows command shell FOR and IF commands. # If you are not running Windows, it is safe to disable this rule. # # Examples: # # FOR %a IN (set) DO # FOR /D %a IN (dirs) DO # FOR /F "options" %a IN (text|"text") DO # FOR /L %a IN (start,step,end) DO # FOR /R C:\dir %A IN (set) DO # # IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n # IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2 # IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2) # # http://ss64.com/nt/if.html # http://ss64.com/nt/for.html # # Regular expression generated from regex-assembly/932140.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932140 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \ "id:932140,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,\ msg:'Remote Command Execution: Windows FOR/IF Command Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix direct remote command execution ] # # Detects Unix commands at the start of a parameter (direct RCE). # Example: foo=wget%20www.example.com # # In this rule we use a different check from command injection (rule 932230), where a # command string is appended (injected) to a regular parameter, and then # passed to a shell unescaped. # # Additionally, we require a trailing space (denoting command parameters) or command # separator character after the command. # # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # # An effort was made to combat evasions by shell quoting (e.g. 'ls', # 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine # transformation built-in to deal with this, but unfortunately, it # replaces ';' characters and lowercases the payload, which is less # useful for this case. 
However, emulating the transformation makes # the regexp more complex. # # This is the base Rule to prevent Direct Unix Command Injection # without prefix match. # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932250.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932250 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|(?:(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])).*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s
\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[kz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)" \ "id:932250,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Direct Unix Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # # This rule complements rule 932250 for commands of 4 characters and up. # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932260.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932260 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:b(?:as(?:e(?:32|64|nc)|h)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:o(?:mmand[\s\v<>]|proc)|url)|d(?:(?:ash|iff)[\s\v<>]|mesg|oas)|e(?:(?:cho|xec)[\s\v<>]|grep|val)|f(?:etch[\s\v<>]|grep|iletest|tp(?:stats|who))|g(?:rep[\s\v<>]|unzip|z(?:cat|exe|ip))|(?:head|java)[\s\v<>]|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|ynx[\s\v<>]|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:ailq|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp)|ohup|ping|stat)|onintr|p(?:erl5?|(?:ft|gre)p|igz|k(?:exec|ill)|opd|rint(?:env|f[\s\v<>])|tar(?:diff|grep)?|ython[^\s\v])|r(?:e(?:alpath|(?:name|p(?:eat|lace))[\s\v<>])|m(?:dir[\s\v<>]|user)|nano|sync|uby[^\s\v])|s(?:ched|diff|e(?:ndmail|t(?:env|sid))|ftp|h(?:\.distrib|ell)|o(?:cat|urce[\s\v<>])|trings|udo|ysctl)|t(?:ail[\s\v<>f]|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v<>]|raceroute6?)|u(?:n(?:ame|compress|lz(?:4|ma)|(?:pig|x)z|rar|set[\s\v<>]|z(?:ip|std))|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|std))" \ "id:932260,\ phase:2,\ block,\ capture,\ 
t:none,\ msg:'Remote Command Execution: Direct Unix Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ "t:none,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell history invocation ] # # Detects Unix shell history invocations in any context. # # Example: # GET /?rce=example.com # GET /?rce=curl%20 # GET /?rce=!-1!-2 # # Will execute `curl example.com`. We should be able to detect the '!-' sequence with a very low risk of false-positives since the sequence is very specific # and does not allow for whitespaces in between. # # This rule has stricter siblings: # * 932331 (PL3) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \ "id:932330,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix shell history invocation',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell snippets ] # # Detect some common sequences found in shell commands and scripts. # # Some commands which were restricted in earlier rules due to FP, # have been added here with their full path, in order to catch some # cases where the full path is sent. 
# # Rule relations: # # .932160 (base rule, PL1, unix shell commands with full path) # ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers) # # This rule is also triggered by an Apache Struts Remote Code Execution exploit: # [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] # # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \ "id:932160,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,t:normalizePath,\ msg:'Remote Command Execution: Unix Shell Code Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ] # # Detect exploitation of "Shellshock" GNU Bash RCE vulnerability. # # Based on ModSecurity rules created by Red Hat. 
# Permission for use was granted by Martin Prpic # # https://access.redhat.com/articles/1212303 # SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \ "id:932170,\ phase:1,\ block,\ capture,\ t:none,t:urlDecode,\ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ "id:932171,\ phase:2,\ block,\ capture,\ t:none,t:urlDecode,t:urlDecodeUni,\ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell alias detection ] # # Detects Unix shell alias invocations in any context. # # Example: # GET /?rce=alias%20a=b # # Shell aliasing can be performed to substitute anything in commands, escaping # # References: https://pubs.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_03_10 : # "In the shell command language, a word consisting solely of underscores, digits, and alphabetics # from the portable character set and any of the following characters: '!', '%', ',', '@'." # # Implementations may allow other characters within alias names as an extension. # # Regular expression generated from regex-assembly/932175.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932175 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s\b[\s\v]+[!-\"%',0-9@-Z_a-z]+=[^\s\v]" \ "id:932175,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix shell alias invocation',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ Restricted File Upload ]=- # # Detects attempts to upload a file with a forbidden filename. # # Many applications contain Unrestricted File Upload vulnerabilities. # https://www.owasp.org/index.php/Unrestricted_File_Upload # # These might be abused to upload configuration files or other files # that affect the behavior of the web server, possibly causing remote # code execution. 
# SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ "@pmFromFile restricted-upload.data" \ "id:932180,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Restricted File Upload Attempt',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows command injection ] # # This rule detects Windows shell command injections. # If you are not running Windows, it is safe to disable this rule. # # New in CRSv4: The rules 932110 and 932115 were reorganized and moved to new rules 932370 and 932380 based on their contents. # The new rules target specific Windows binaries to ease updating in the future. # # A command injection takes a form such as: # # foo.jpg&ver /r # foo.jpg|ver /r # # The vulnerability exists when an application executes a shell command # without proper input escaping/validation. # # To prevent false positives, we look for a 'starting sequence' that # precedes a command in CMD syntax, such as: ; | & ` # # Anatomy of the regexp: # # 1. Starting tokens # # ; ;cmd # \{ {cmd # \| |cmd # \|\| ||cmd # & &cmd # && &&cmd # \n \ncmd # \r \rcmd # ` `cmd # # 2. Command prefixes # # ( (cmd) # , ,cmd # @ @cmd # ' 'cmd' # " "cmd" # \s spacing+cmd # # 3. Paths # # [\w'\"\./]+/ /path/cmd # [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c C:\Program Files\cmd # [\^\.\w '\"/\x5c]*\x5c)?[\"\^]* \\net\share\dir\cmd # # 4. Quoting # # \" "cmd" # \^ ^cmd # # 5. Extension/switches # # \.[\"\^]*\w+ cmd.com, cmd.exe, etc. # /b cmd/h # # An effort is made to combat evasions by CMD syntax; for example, # the following strings are valid: c^md, @cmd, "c"md. 
ModSecurity # has a t:cmdLine transformation built-in to deal with some of these, # but unfortunately, that transformation replaces ';' characters (so # we cannot match on the start of a command) and '\' characters (so we # have trouble matching paths). This makes the regexp more complex. # # This rule is case-insensitive. # # Regular expression generated from regex-assembly/932370.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932370 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^
]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^
]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]
*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"
\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ "id:932370,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Windows Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-windows',\ tag:'attack-rce',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" 
"id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # # [ Unix command injection ] # # This rule targets prefix + the source command (dot character) at PL2. # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932231.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932231 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ "id:932231,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This is a stricter sibling of rule 932130. # # It applies the same regular expression to the # User-Agent and Referer HTTP headers. # # Unlike the sibling rule, this rule runs in phase 1. 
# SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*})|[<>]\(.*\)|\[!?.+\])" \ "id:932131,\ phase:1,\ block,\ capture,\ t:none,t:cmdLine,\ msg:'Remote Command Execution: Unix Shell Expression Found',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ Rule 932200 ]=- # # Block RCE Bypass using different techniques: # - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/) # - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) # - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) # # Examples: # - foo;cat$u+/etc$u/passwd # - bar;cd+/etc;/bin$u/ca*+passwd # - foo;ca\t+/et\c/pa\s\swd # - foo;c'at'+/etc/pa's'swd # - foo;c$@at+/et$@c/pas$@swd # - foo;c$!at+/et$!c/pas$!swd # - foo;c$*at+/et$*c/pas$*swd # - foo;c$?at+/et$?c/pas$?swd # - foo;c$-at+/et$-c/pas$-swd # - foo;c$_at+/et$_c/pas$_swd # - foo;c$$at+/et$$c/pas$$swd # # Regex notes: https://regex101.com/r/V6wrCO/1 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?:[*?`\x5c'][^/\n]+/|\$[({\[#@!?*\-_$a-zA-Z0-9]|/[^/]+?[*?`\x5c'])" \ "id:932200,\ phase:2,\ block,\ capture,\ t:none,t:lowercase,t:urlDecodeUni,\ msg:'RCE Bypass Technique',\ logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ 
tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.932200_matched_var_name=%{matched_var_name}',\ chain" SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain" SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/932220.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932220 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\
{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[ci]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\|
|&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[npsz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[fs]|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{
]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \ "id:932220,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection with pipe',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ 
tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # -=[ Rule 932240 ]=- # # Generic RCE Bypass blocking using different techniques: see https://github.com/coreruleset/coreruleset/issues/2632 # # This rule complements rule 932230 with generic evasion detection. # Anything that uses a well-known evasion technique should be blocked at this level. # The chained rule excludes false positives caused by German thousands separators (e.g., 10'000). # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932240.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932240 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\"'\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*[\-0-9_a-z]+" \ "id:932240,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ "t:none,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # [ Sqlite System Command Execution ] # # This rule prevents execution of SQLite CLI commands like .system and .shell # # You can find a vulnerable script and a sample payload here: # https://github.com/qxxxb/ctf/tree/master/2021/zer0pts_ctf/baby_sqli # # List of sqlite3 CLI commands: # https://sqlite.org/cli.html # # Regular expression generated from regex-assembly/932210.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932210 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\v]*\.[\s\v]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \ "id:932210,\ phase:2,\ block,\ t:none,t:escapeSeqDecode,t:compressWhitespace,\ msg:'Remote Command Execution: SQLite System Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # -=[ SMTP/IMAP/POP3 Command Execution ]=- # # Rationale # ========= # # The rules for email command execution are based on the RFCs for each protocol. # Some of the commands have optional and/or additional parameters, so we tried to be # precise to avoid as many FP in PL2 rules. # For those commands that resemble common English words, and may pose a higher risk of false positives, # they have been split off to a sibling rule in PL3. # =[ SMTP Command Execution ]= # # This rule prevents execution of SMTP related system commands. 
# # List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321) # # Regular expression generated from regex-assembly/932300.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932300 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?i:E)(?:HLO [\--\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\--\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20}(?i: )(?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}(?i:=)|[\+/-9A-Z_a-z\x17f\x212a]{3}))?(?i:=)|STARTTLS\b|NOOP\b(?:(?i: ).{1,255})?)" \ "id:932300,\ phase:2,\ block,\ t:none,t:escapeSeqDecode,\ msg:'Remote Command Execution: SMTP Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # =[ IMAP Command Execution ]= # # This rule prevents execution of IMAP4 related system commands. # # List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9) # # Note: Mailbox International Naming Convention uses UTF-7, so it was left out explicitly. # # Regular expression generated from regex-assembly/932310.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932310 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"-#%-&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"-#\*\.-9A-Z_a-z~]+)? (?:[\"%-&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)" \ "id:932310,\ phase:2,\ block,\ t:none,t:escapeSeqDecode,\ msg:'Remote Command Execution: IMAP Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # =[ POP3 Command Execution ]= # # This rule prevents execution of POP3 related system commands. # # List of POP3 commands: # - from rfc 1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B) # - extensions from rfc 2449 (https://www.rfc-editor.org/rfc/rfc2449) # # These commands all have some kind of parameter that makes them a good PL2 target. # # Regular expression generated from regex-assembly/932320.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932320 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \ "id:932320,\ phase:2,\ block,\ t:none,t:escapeSeqDecode,\ msg:'Remote Command Execution: POP3 Command Execution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # # This is a stricter sibling of rule 932235. # This stricter sibling detects Unix RCE in request headers referer and user-agent. # It uses the same regex. 
# # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932236.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932236 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[ar]?|a(?:(?:b|w[ks])[\s\v&<>\|]|pt(?:-get)?|r(?:[\s\v&<>jp\|]|ch[\s\v<>]|ia2c)|s(?:[\s\v&<>h\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&<>\|]|obm)|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z[\s\v&<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t[\s\v&<>\|]|(?:ncel|psh)[\s\v<>])|c[\s\v&<>\|]|mp|p(?:[\s\v&<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&<>\|]|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du][\s\v&<>\|]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|
setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd][\s\v&<>\|]|n(?:v(?:[\s\v&<>\|]|-update)|d(?:if|sw))|qn|x(?:[\s\v&<>\|]|ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c[\s\v&<>\|]|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:[\s\v&<>\|]|stats|who)|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c[^\s\v]|ore)|db|e(?:m[\s\v&<>\|]|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t[\s\v&<>\|]|mp[\s\v<>]|nsh)|o[\s\v&<>\|]|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up)[\s\v&<>\|]|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d[\s\v&<>\|]|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d?[\s\v&<>\|]|config)|[np][\s\v&<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&<>\|]|(?:la)?tex)|z(?:[\s\v&<>\|]|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n[\s\v&<>\|]|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v[\s\v&<>\|]|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&<>\|]|(?:c|st)at|kit-ftp)|ofetch)|l[\s\v&<>\|]|m(?:[\s\v&<>\|]|ap)|p(?:m[\s\v&<>\|]|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d[\s\v&<>\|]|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x[\s\v&<>\|]|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:[\s\v&<>\|]|tp)|g(?:rep)?|hp[\s\v&<>\|]|i(?:c(?:o[\s\v<>])?|p[^\s\v]|dstat|gz|ng[\s\v<>])|k(?:g(?:_?in
fo)?|exec|ill)|r(?:y?[\s\v&<>\|]|int(?:env|f[\s\v<>]))|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r[\s\v&<>\|]|k(?:e[\s\v<>]|u))|cp[\s\v&<>\|]|e(?:d(?:[\s\v&<>\|]|carpet[\s\v<>])|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:[\s\v&<>\|]|dir[\s\v<>]|user)|pm(?:[\s\v&<>\|]|db|(?:quer|verif)y)|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d[\s\v&<>\|]|t(?:[\s\v&<>\|]|arch|env|facl[\s\v<>]|sid)|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:[\s\v&<>\|]|h(?:[\s\v&<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&<>\|]|do)|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&<>\|]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:e|x[\s\v&<>\|]|lnet)|i(?:c[\s\v&<>\|]|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:[\s\v&<>\|]|imit[\s\v<>])|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\v&<>\|]|m(?:[\s\v&<>\|]|diff)|ew[\s\v<>]|gr|pw|rsh)|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:[\s\v&<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))" \ "id:932236,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ 
tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # [ Unix shell snippets ] # # Detect some common sequences found in shell commands and scripts. # # Some commands that were restricted in earlier rules due to false positives # have been added here with their full path, in order to catch # cases where the full path is sent. # # Rule relations: # # .932160 (base rule, PL1, unix shell commands with full path) # ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers) # SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \ "id:932161,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,t:normalizePath,\ msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # # [ Unix command injection ] # # This rule targets prefix + commands that are prone to false positive detection at PL3. 
# # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # # Regular expression generated from regex-assembly/932232.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932232 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i|(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\
?-@_a-\{]*)?\x5c?(?:s|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&,<>\|].*)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&,<>\|].*))\b" \ "id:932232,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # # Rule relations: # # .932230 (base rule, PL1, targets prefix + two and three character commands) # ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) # ..932232 (stricter sibling, PL3, targets prefix + additional command words) # .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) # # .932250 (base rule, PL1, targets two and three character commands) # .932260 (base rule, PL1, targets known command word of length > 3 without evasion) # # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix # - words of any length # - no excluded words) # .932237 (stricter sibling of 932230, 
932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length # - no excluded words) # # Regular expression generated from regex-assembly/932237.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932237 # SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?|a(?:b|pt(?:-get)?|r(?:[jp]|ch[\s\v<>]|ia2c)?|s(?:h|cii(?:-xfr|85)|pell)?|t(?:obm)?|w[ks]|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t|(?:ncel|psh)[\s\v<>])|c|mp|p(?:an|io|ulimit)?|s(?:h|plit|vtool)|u(?:t|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd]|n(?:v(?:-update)?|d(?:if|sw))|qn|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))?|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:stats|who)?|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c|ore)|db|e(?:m|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t|mp[\s\v<>]|nsh)|o|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:d|up|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)
|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d|config)?|[np]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:(?:la)?tex)?|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))?|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:\.(?:openbsd|traditional)|at)?|e(?:t(?:(?:c|st)at|kit-ftp)?|ofetch)|l|m(?:ap)?|p(?:m|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:tp)?|g(?:rep)?|hp|i(?:c(?:o[\s\v<>])?|p|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y|int(?:env|f[\s\v<>]))?|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r|k(?:e[\s\v<>]|u))|cp|e(?:d(?:carpet[\s\v<>])?|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:dir[\s\v<>]|user)?|pm(?:db|(?:quer|verif)y)?|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d|t(?:arch|env|facl[\s\v<>]|sid)?|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:h(?:-key(?:ge|sca)n|pass)?)?|u(?:do)?|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:[ex]|lnet)|i(?:c|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:imit[\s\v<>])?|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et
|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:diff)?|ew[\s\v<>]|gr|pw|rsh)?|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)?|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))\b" \ "id:932237,\ phase:2,\ block,\ capture,\ t:none,t:cmdLine,t:normalizePath,\ msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ tag:'attack-rce',\ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ ver:'OWASP_CRS/4.0.0-rc1',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # -=[ Bypass Rule 930120 (wildcard) ]=- # # When Paranoia Level is set to 1 and 2, a Remote Command Execution # could be exploited bypassing rule 930120 (OS File Access Attempt) # by using wildcard characters. # # In some other cases, it could be bypassed even if the Paranoia Level is set to 3. # Please, keep in mind that this rule could lead to many false positives. 
#
# The following two blog posts explain the evasions this rule is designed to detect:
# - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
# - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
#
# Pattern: a '/' followed either by one or more shell wildcard characters
# ('?' or '*') and then letters/slashes, or by letters/slashes and then
# wildcard characters. The character class is lowercase-only; t:cmdLine in
# the transformation chain lowercases the payload before the match, so
# upper-case path letters are still covered.
#
# NOTE(review): this rule inspects ARGS only, whereas the PL3 rules
# 932301/932311/932321/932331 below also cover REQUEST_COOKIES,
# REQUEST_COOKIES_NAMES, ARGS_NAMES and XML:/* -- confirm the narrower
# target list is intended.
SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
    "id:932190,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
    msg:'Remote Command Execution: Wildcard bypass technique attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# -=[ SMTP commands ]=-
#
# This rule prevents execution of SMTP related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932300.
#
# Rule 932301 is a stricter sibling of rule 932300.
#
# Regular expression generated from regex-assembly/932301.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932301
#
# Pattern: a CRLF, then (lazily) any characters including newlines, then a
# word boundary and one of the SMTP commands DATA, QUIT or HELP (HELP may be
# followed by a space and up to 255 further characters). The command names
# are matched case-sensitively. t:escapeSeqDecode decodes C-style escape
# sequences in the payload first, so an escaped "\r\n" also reaches the
# literal CRLF check.
#
# NOTE(review): logdata reports %{TX.0}, but the action list carries no
# 'capture' (compare 932190 above, which sets it); without 'capture' this
# rule's own match does not populate TX.0 -- confirm this is intended.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \
    "id:932301,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: SMTP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ IMAP4 Command Execution ]=
#
# This rule prevents execution of IMAP4 related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932310.
#
# Rule 932311 is a stricter sibling of rule 932310.
#
# Regular expression generated from regex-assembly/932311.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932311
#
# Pattern (case-insensitive, dot matches newline): a CRLF, an IMAP tag of
# 1-50 word characters, a word boundary and a space, then one of the IMAP
# commands CREATE, COPY, CAPABILITY, CHECK, CLOSE, DELETE, EXAMINE, EXPUNGE,
# FETCH, LIST, LOGIN, LOGOUT, RENAME, SELECT, SEARCH (with its search keys),
# STORE, STARTTLS, SUBSCRIBE, UNSUBSCRIBE, UNAUTHENTICATE or NOOP, each with
# the argument shape the protocol gives it. As with 932301, t:escapeSeqDecode
# runs first so escaped line breaks are seen as a literal CRLF.
#
# NOTE(review): as with 932301, logdata uses %{TX.0} but no 'capture' action
# is set -- confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"-#%-&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"-#\*\--9A-Z\x5c_a-z~]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\--\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&\*\--9A-Z\x5c_a-z]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"-#%-&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\--\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \
    "id:932311,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: IMAP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ POP3 Command Execution ]=
#
# This rule prevents execution of POP3 related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932320.
#
# Rule 932321 is a stricter sibling of rule 932320.
#
# Regular expression generated from regex-assembly/932321.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932321
#
# Pattern: a CRLF, then (lazily) any characters including newlines, then a
# word boundary and one of the POP3 commands QUIT, STAT, RSET, NOOP or CAPA.
# t:escapeSeqDecode runs first so an escaped "\r\n" is seen as a literal
# CRLF.
#
# NOTE(review): only the trailing 'T' of QUIT/STAT/RSET is matched
# case-insensitively ((?i:T)); the leading letters and NOOP/CAPA must be
# upper-case. This asymmetry presumably comes from the regex-assembly
# source -- confirm it is intended.
# NOTE(review): logdata uses %{TX.0} but no 'capture' action is set (compare
# 932190 above) -- confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" \
    "id:932321,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: POP3 Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ Unix shell history invocation ]=
#
# This rule is a stricter sibling of 932330.
# Shell history can also be invoked by providing an absolute position: '!1' or by repeating the last command '!!'.
# The latter might seem harmless, since it appears to require a prior successful exploitation, but it is a threat in disguise.
#
# Imagine the following requests:
#   GET /?rce=c
#   GET /?rce=!!!!
# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932150.
#
# Neither !1 nor !! is likely to be valid natural-language input, but blocking either of them is much more likely to cause false positives than 932330.
# Pattern: a '!' immediately followed by a digit or another '!' -- the two
# history-expansion forms described above. No transformation is applied
# (t:none), so the match is on the raw variable value.
#
# NOTE(review): logdata uses %{TX.0} but no 'capture' action is set (compare
# 932190 above) -- confirm.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \
    "id:932331,\
    phase:2,\
    block,\
    t:none,\
    msg:'Remote Command Execution: Unix shell history invocation',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.0.0-rc1',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# Skip the Paranoia Level 4 section (one skip rule per phase, 1 and 2) when
# the configured detection paranoia level is below 4.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#


#
# -= Paranoia Levels Finished =-
#
# Target of the skipAfter actions in the paranoia-level skip rules above.
SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"