# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# Many rules in this file check request bodies; use "SecRequestBodyAccess On" in the
# main ModSecurity configuration file to enable body access, otherwise REQUEST_BODY
# targets below are empty.
#
# Paranoia-level gate: if tx.detection_paranoia_level is below 1, every rule in this
# file is skipped by jumping to the END-REQUEST-944-APPLICATION-ATTACK-JAVA marker.
# The gate is duplicated for phase 1 and phase 2 so that the skip covers rules of
# both phases; the same pattern repeats before each higher paranoia level.

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
# This rule is also triggered by an Apache Struts exploit:
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# 944100: fully-qualified reference to java.lang.Runtime or java.lang.ProcessBuilder
# anywhere in the request (arguments, cookies, raw body, headers, XML content and
# attributes). The cookie collection excludes names matching /__utm/ (presumably
# analytics cookies, which carry arbitrary strings). t:lowercase is applied first, so
# the all-lowercase regex matches regardless of the original case. On match the
# critical anomaly score is added to tx.rce_score and to the PL1 inbound score.
# The looser PL2 sibling 944250 matches "java" and the method name at any distance.
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\.lang\.(?:runtime|processbuilder)" \
"id:944100,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# 944110: generic chained rule. The first rule detects a bare "processbuilder" or
# "runtime" keyword; the chained rule then requires that the request also contains
# "unmarshaller", "base64data" or "java." before the anomaly score is raised.
# Both rules run with t:none,t:lowercase (the chained rule inherits the
# transformations of the chain starter), so matching is case-insensitive.
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
#
# NOTE(review): the chained rule re-scans the full target list rather than
# MATCHED_VARS, so the second keyword may be found in a different variable than the
# first (the original header spoke of "the same target"). Compare 944120, which
# scopes its chained rule to MATCHED_VARS. Whether the wider scope is intended
# should be confirmed against the upstream rule.

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:runtime|processbuilder)" \
"id:944110,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
chain"
# Chained rule: only when this also matches are the scores below applied.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# 944120: chained rule for Java deserialization gadget abuse (CVE-2015-4852).
# The first rule looks for class names associated with known deserialization
# payloads (Apache Commons transformer/closure/factory classes, XMLDecoder,
# FileWriter, getProperty); the chained rule then requires a process execution
# method ("runtime" or "processbuilder") within the SAME matched variables
# (MATCHED_VARS). The anomaly score is set to critical because both conditions
# together indicate the request tries to perform RCE.
#
# NOTE(review): despite the original header wording, no serialization magic-byte
# check is performed here; the magic-byte rules are 944200 / 944210 (PL2). The same
# class-name list is also used unchained by 944240 at PL2.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944120,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
chain"
# Chained rule: restricted to the variables that matched above.
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
#
# 944130: phrase match (@pmFromFile) against the class-name list shipped in
# java-classes.data. Unlike the sibling rules, REQUEST_FILENAME is also a target,
# so class names appearing in the request path are detected too. Only t:none is
# applied; the @pm family of operators matches case-insensitively, so no lowercase
# transformation is needed. The keyword list is maintained in the data file, not here.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
"@pmFromFile java-classes.data" \
"id:944130,\
phase:2,\
block,\
t:none,\
msg:'Suspicious Java class detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


#
# [ Java Script Uploads ]
#
# Block file uploads with filenames ending in Java scripts (.jsp, .jspx)
#
# Many applications contain Unrestricted File Upload vulnerabilities.
# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
#
# Attackers may use such a vulnerability to achieve remote code execution
# by uploading a script file. If the upload storage location is predictable
# and not adequately protected, the attacker may then request the uploaded
# file and have the code within it executed on the server.
#
# Some AJAX uploaders use the nonstandard request headers X-Filename,
# X_Filename, or X-File-Name to transmit the file name to the server;
# scan these request headers as well as multipart/form-data file names.
#
# 944140: the regex is anchored at the end of the (lowercased) file name and
# tolerates any number of trailing dots after the extension (`\.*$`), so
# "shell.jsp." is still caught. `capture` makes the whole match available as
# %{TX.0} for the logdata. Note that the target `REQUEST_HEADERS:X.Filename`
# is a literal header name (not a regex selector, which would be written /.../).
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" \
"id:944140,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Java Injection Attack: Java Script File Upload Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-injection-java',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


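# Log4J / Log4Shell Defense
#
# This addresses exploits against the Log4J library described in several CVEs:
# * CVE-2021-44228
# * CVE-2021-44832
# * CVE-2021-45046
# * CVE-2021-45105
#
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
#
# This rule attempts to detect two things:
# * Nested use of ${ (at most 15 non-"}" characters between the two openings)
# * use of ${jndi:... or ${ctx:... without the closing bracket
#
# The "$" and "{" may each also be written as an HTML entity (&dollar;,
# &lbrace;, &lcub;) with or without the trailing semicolon; the transformations
# t:urlDecodeUni, t:jsDecode and t:htmlEntityDecode are applied first so
# encoded forms are normalised before matching.
#
# Rule 932130 is also essential for defense since there are certain
# bypasses of the log4j rules that can be caught by 932130.
#
# The payload is not displayed in the alert message (no logdata) since log4j could
# potentially be executed on the logviewer.
#
# This rule has stricter siblings: 944151 (PL2), 944152 (PL4)
#
# Regular expression generated from regex-assembly/944150.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944150
#
# NOTE(review): in the page this file was taken from, the entity `&dollar;` had been
# HTML-decoded to a bare `$`, leaving the meaningless alternative `(?:\$|$?)`. The
# `&dollar;?` alternative is restored below, parallel to `&l(?:brace|cub);?` for the
# brace; regenerate from the .ra file with the command above to confirm.
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
"id:944150,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

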
# Paranoia-level gate for PL2: skip the remainder of the file (both phases) when
# tx.detection_paranoia_level is below 2.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#

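# This is a stricter sibling of 944150.
# It is a re-iteration of said rule without the curly-bracket distance limiter
# between the nested "${" (`[^\}]*` instead of `[^\}]{0,15}`). This is prone to
# backtracking and therefore a potential DoS problem for backtracking regular
# expression engines (e.g. PCRE2), but it also avoids evasions that fill the space
# between the nested elements with arbitrary data.
#
# Same targets, transformations and entity handling as 944150; only the PL2
# inbound score is raised here.
#
# Regular expression generated from regex-assembly/944151.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944151
#
# NOTE(review): as in 944150, the `&dollar;?` alternative is restored below; the
# page this file was taken from had HTML-decoded the entity to a bare `$`.
# Regenerate from the .ra file to confirm.
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
"id:944151,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
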
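# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
# Detect exploitation of "Java deserialization" Apache Commons.
#
# Based on rules by @spartantri.
# https://spartantri.com/ModSecurity/?p=44
#
# Interesting references about the vulnerability
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
#
# 944200: raw Java serialization stream header (magic bytes \xac\xed followed by
# stream version \x00\x05) anywhere in the request. Potential false positives with
# random binary fields, hence the rule only runs at PL2 to avoid blocking requests.
#
# t:none is set explicitly, in line with the other rules in this file, so that the
# byte pattern is matched against the untransformed value regardless of any
# transformations configured via SecDefaultAction.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx \xac\xed\x00\x05" \
"id:944200,\
phase:2,\
block,\
t:none,\
msg:'Magic bytes Detected, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
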
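# 944210: base64-encoded form of the serialization magic bytes \xac\xed\x00\x05.
# Depending on how many bytes precede the header, its base64 encoding starts at one
# of three alignments; the three alternatives rO0ABQ, KztAAU and Cs7QAF cover them.
# The match is case-sensitive, as base64 is.
#
# t:none is set explicitly, in line with the other rules in this file, so the
# encoded text is matched as received regardless of any SecDefaultAction
# transformations.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
"id:944210,\
phase:2,\
block,\
t:none,\
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
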
# 944240: the same deserialization class-name list as the first half of 944120,
# but unchained — at PL2 the presence of one of these class names alone raises
# the score, without requiring a runtime/processbuilder keyword.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
"id:944240,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

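# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
#
# 944250: looser PL2 sibling of 944100 — the word "java" followed, at any distance
# (`.+`), by "runtime" or "processbuilder", rather than the exact
# java.lang.Runtime / java.lang.ProcessBuilder class reference.
#
# t:none is now set ahead of t:lowercase, matching every other rule in this file
# that lowercases; without it, transformations configured via SecDefaultAction
# would also be applied before the match.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx java\b.+(?:runtime|processbuilder)" \
"id:944250,\
phase:2,\
block,\
t:none,t:lowercase,\
msg:'Remote Command Execution: Suspicious Java method detected',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

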
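# This rule is also triggered by the following exploit(s):
# - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
# - https://www.ironcastle.net/possible-new-java-spring-framework-vulnerability-wed-mar-30th/
#
# 944260: Spring4Shell-style class-loader manipulation. Matches the property path
# class.module.classLoader.resources.context.parent.pipeline (used to reach the
# Tomcat access-log valve through Spring data binding) and the
# FileSystemXmlApplicationContext class name. The regex is case-sensitive (no
# lowercase transform), matching the exact Java spelling; t:urlDecodeUni undoes
# URL encoding of the dots and slashes.
#
# t:none is now set ahead of t:urlDecodeUni, consistent with the other rules in
# this file, so SecDefaultAction transformations do not silently precede it.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \
"id:944260,\
phase:2,\
block,\
t:none,t:urlDecodeUni,\
msg:'Remote Command Execution: Malicious class-loading payload',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

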
# Paranoia-level gate for PL3: skip the remainder of the file (both phases) when
# tx.detection_paranoia_level is below 3.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
# 944300: base64-encoded forms of keywords for possible RCE on vulnerable classes and methods.
# Each keyword is encoded at the three possible base64 alignments (0, 1 or 2 bytes of
# leading padding) and the padding-dependent prefix is stripped, so the encoded
# keyword is found wherever it falls in a longer base64 string. The list below was
# produced with the following Python 2 snippet (xrange / print statement):
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
#for item in keywords:
# pad='\x00'
# for padding in xrange(3):
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
#
# Only t:none is applied: base64 is case-sensitive, so the encoded fragments must
# be matched exactly as received. If the keyword list changes, the regex below must
# be regenerated with the snippet above.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
"id:944300,\
phase:2,\
block,\
t:none,\
msg:'Base64 encoded string matched suspicious keyword',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


# Paranoia-level gate for PL4: skip the remainder of the file (both phases) when
# tx.detection_paranoia_level is below 4.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

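# This is a stricter sibling of 944150.
# It simply checks for the existence of `${`, taking into account the same encoding
# evasions as 944150 (entity forms of "$" and "{", after URL/JS/HTML-entity
# decoding). Expect false positives on any input that legitimately contains "${";
# hence PL4 only.
#
# Regular expression generated from regex-assembly/944152.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 944152
#
# NOTE(review): as in 944150, the `&dollar;?` alternative is restored below; the
# page this file was taken from had HTML-decoded the entity to a bare `$`.
# Regenerate from the .ra file to confirm.
#
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|&dollar;?)(?:\{|&l(?:brace|cub);?)" \
"id:944152,\
phase:2,\
block,\
t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
log,\
msg:'Potential Remote Command Execution: Log4j / Log4shell',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0-rc1',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
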
#
# -= Paranoia Levels Finished =-
#
# Target of every skipAfter in the paranoia-level gates above (944011-944018).
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"