jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-04-22 04:27:26 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e674c780c6563fb2489dc20928279a0927e15b02
higress/plugins/wasm-go/extensions/waf/wasmplugin/rules/crs/RESPONSE-955-WEB-SHELLS.conf
rinfx c32e1ab69b Go WAF Plugin (#400)
2023-06-28 19:25:36 +08:00

549 lines
17 KiB
Plaintext
Raw Blame History

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# For performance reasons, most of the shells are matched using this rule.
# This rule is intended for PHP web shells.
SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
"id:955100,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Web shell detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# r57 web shell
SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" \
"id:955110,\
phase:4,\
block,\
capture,\
t:none,\
msg:'r57 web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# WSO web shell
SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
"id:955120,\
phase:4,\
block,\
capture,\
t:none,\
msg:'WSO web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" \
"id:955130,\
phase:4,\
block,\
capture,\
t:none,\
msg:'b4tm4n web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Mini Shell web shell
SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
"id:955140,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Mini Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Ashiyane web shell
SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
"id:955150,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Ashiyane web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Symlink_Sa web shell
SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
"id:955160,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Symlink_Sa web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# CasuS web shell
SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
"id:955170,\
phase:4,\
block,\
capture,\
t:none,\
msg:'CasuS web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# GRP WebShell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
"id:955180,\
phase:4,\
block,\
capture,\
t:none,\
msg:'GRP WebShell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# NGHshell web shell
SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
"id:955190,\
phase:4,\
block,\
capture,\
t:none,\
msg:'NGHshell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# SimAttacker web shell
SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
"id:955200,\
phase:4,\
block,\
capture,\
t:none,\
msg:'SimAttacker web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell</title>" \
"id:955210,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# lama's'hell web shell
SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
"id:955220,\
phase:4,\
block,\
capture,\
t:none,\
msg:'lama\'s\'hell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# lostDC web shell
SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
"id:955230,\
phase:4,\
block,\
capture,\
t:none,\
msg:'lostDC web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n <!-- Replaces command with Base64-encoded Data -->" \
"id:955240,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
"id:955250,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Unknown web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Ru24PostWebShell web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
"id:955260,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Ru24PostWebShell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# s72 Shell web shell
SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
"id:955270,\
phase:4,\
block,\
capture,\
t:none,\
msg:'s72 Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# PhpSpy web shell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
"id:955280,\
phase:4,\
block,\
capture,\
t:none,\
msg:'PhpSpy web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# g00nshell web shell
SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
"id:955290,\
phase:4,\
block,\
capture,\
t:none,\
msg:'g00nshell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# PuNkHoLic shell web shell
# Various versions has this text written little differently so we need to do
# t:removeWhitespace and t:lowercase.
SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
"id:955300,\
phase:4,\
block,\
capture,\
t:none,t:removeWhitespace,t:lowercase,\
msg:'PuNkHoLic shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# azrail web shell
SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-9.]+ by C-W-M</title>" \
"id:955310,\
phase:4,\
block,\
capture,\
t:none,\
msg:'azrail web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# SmEvK_PaThAn Shell web shell
SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
"id:955320,\
phase:4,\
block,\
capture,\
t:none,\
msg:'SmEvK_PaThAn Shell web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Shell I web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style>" \
"id:955330,\
phase:4,\
block,\
capture,\
t:none,\
msg:'Shell I web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# b374k m1n1 web shell
SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
"id:955340,\
phase:4,\
block,\
capture,\
t:none,\
msg:'b374k m1n1 web shell',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# webadmin.php file manager
# This is placed in PL2 because of too generic pattern.
SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>" \
"id:955350,\
phase:4,\
block,\
capture,\
t:none,\
msg:'webadmin.php file manager',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-RESPONSE-955-WEB-SHELLS"
Reference in New Issue View Git Blame Copy Permalink