Phase 1

SecRule

ID 950103
Phase 1
Location $CORE_RULES/modsecurity_crs_42_tight_security.conf:21
Target
REQUEST_URI
lowercase
matches
(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Path Traversal Attack
severity:2
 Directory Traversal

SecRule

ID 950103
Phase 1
Location $CORE_RULES/modsecurity_crs_42_tight_security.conf:25
Target
REQUEST_FILENAME
urlDecodeUni
matches
\.\.[/\x5c]
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Path Traversal Attack
severity:2
 Weaker signature

Phase 2

SecRule

ID 960911
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:20
Target
REQUEST_LINE
lowercase
matches
!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$
Actions
deny
log
auditlog
status:400
msg:Invalid HTTP Request Line
severity:2
 Validate request line

SecRule

ID 950012
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:26
Target
REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/'
matches
,
Actions
deny
log
auditlog
status:400
msg:HTTP Request Smuggling Attack.
severity:1
Tags
WEB_ATTACK/REQUEST_SMUGGLING
 HTTP Request Smuggling

SecRule

ID 960912
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:31
Target
REQBODY_PROCESSOR_ERROR
Op
!@eq 0
Actions
deny
log
auditlog
status:400
msg:Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}
severity:2
 Block request with malformed content.
 ModSecurity will not inspect these, but the server application might do so.

SecRule

ID 960016
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:36
Target
REQUEST_HEADERS:Content-Length
matches
!^\d+$
Actions
deny
log
auditlog
status:400
msg:Content-Length HTTP header is not numeric
severity:2
Tags
PROTOCOL_VIOLATION/INVALID_HREQ
 Accept only digits in content length

SecRule

ID 960011
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:43
Target
REQUEST_METHOD
matches
^(?:GET|HEAD)$
Actions
chain
deny
log
auditlog
status:400
msg:GET or HEAD requests with bodies
severity:2
Tags
PROTOCOL_VIOLATION/EVASION
SecRule

Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:44
Target
REQUEST_HEADERS:Content-Length
matches
!^0?$

 Do not accept GET or HEAD requests with bodies
 HTTP standard allows GET requests to have a body but this
 feature is not used in real life. Attackers could try to force
 a request body on an unsuspecting web application.

SecRule

ID 960012
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:48
Target
REQUEST_METHOD
matches
^POST$
Actions
chain
deny
log
auditlog
status:400
msg:POST request must have a Content-Length header
severity:4
Tags
PROTOCOL_VIOLATION/EVASION
SecRule

Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:49
Target
&REQUEST_HEADERS:Content-Length
Op
@eq 0

 Require Content-Length to be provided with every POST request.

SecRule

ID 960013
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:56
Target
REQUEST_HEADERS:Transfer-Encoding
matches
!^$
Actions
deny
log
auditlog
status:501
msg:ModSecurity does not support transfer encodings
severity:3
Tags
PROTOCOL_VIOLATION/EVASION
 Don't accept transfer encodings we know we cannot handle
 NOTE ModSecurity does not support chunked transfer encodings at
      this time. You MUST reject all such requests.

SecRule

ID 950107
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:59
Target
REQUEST_BODY|REQUEST_URI|XML:/*
matches
\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})
Actions
chain
deny
log
auditlog
status:400
msg:URL Encoding Abuse Attack Attempt
severity:4
Tags
PROTOCOL_VIOLATION/EVASION
SecRule

Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:68
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
matches
\%u[fF]{2}[0-9a-fA-F]{2}
Actions
deny
log
auditlog
status:400
msg:Unicode Full/Half Width Abuse Attack Attempt
severity:4
 Disallow use of full-width unicode

 Check encodings

SecRule

ID 960014
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:74
Target
REQUEST_URI_RAW
matches
^\w+:/
Actions
deny
log
auditlog
status:400
msg:Proxy access attempt
severity:2
Tags
PROTOCOL_VIOLATION/PROXY_ACCESS
 Proxy access attempt
 NOTE Apache blocks such access by default if not set as a proxy. The rule is
      included in case Apache proxy is misconfigured.

SecRule

ID 960018
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:87
Target
REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer
Op
@validateByteRange 1-255
Actions
deny
log
auditlog
status:400
msg:Invalid character in request
severity:4
Tags
PROTOCOL_VIOLATION/EVASION
 Restrict type of characters sent
 NOTE In order to be broad and support localized applications this rule
      only validates that NULL is not used.
      The strict policy version also validates that protocol and application
      generated fields are limited to printable ASCII.
 TODO If your application uses the range 32-126 for parameters.

SecRule

ID 960901
Phase 2
Location $CORE_RULES/modsecurity_crs_20_protocol_violations.conf:91
Target
ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer
Op
@validateByteRange 1-255
Actions
deny
log
auditlog
status:400
msg:Invalid character in request
severity:4
Tags
PROTOCOL_VIOLATION/EVASION

SecRule

ID 999210
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:22
Target
REQUEST_LINE
matches
^GET /$
Actions
log
auditlog
chain
pass
nolog
ctl:ruleRemoveById=960019
ctl:ruleRemoveById=960008
ctl:ruleRemoveById=960015
ctl:ruleRemoveById=960009
severity:5
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:23
Target
REMOTE_ADDR
matches
^127\.0\.0\.1$


SecRule

ID 999211
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:26
Target
REQUEST_LINE
matches
^GET / HTTP/1.0$
Actions
log
auditlog
chain
pass
nolog
ctl:ruleRemoveById=960019
ctl:ruleRemoveById=960008
ctl:ruleRemoveById=960015
ctl:ruleRemoveById=960009
severity:5
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:27
Target
REMOTE_ADDR
matches
^127\.0\.0\.1$
Actions
chain
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:28
Target
REQUEST_HEADERS:User-Agent
matches
^Apache.*\(internal dummy connection\)$


 Exception for Apache internal dummy connection

SecRule

ID 960019
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:32
Target
REQUEST_PROTOCOL
lowercase
matches
^http/0.9$
Actions
log
auditlog
msg:HTTP/0.9 Request Detected
severity:4
 Detect HTTP/0.9 Requests

SecRule

ID 960008
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:34
Target
&REQUEST_HEADERS:Host
Op
@eq 0
Actions
skip:1
log
auditlog
msg:Request Missing a Host Header
severity:4
Tags
PROTOCOL_VIOLATION/MISSING_HEADER

SecRule

ID 960008
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:36
Target
REQUEST_HEADERS:Host
matches
^$
Actions
log
auditlog
msg:Request Missing a Host Header
severity:4
Tags
PROTOCOL_VIOLATION/MISSING_HEADER

SecRule

ID 960015
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:40
Target
&REQUEST_HEADERS:Accept
Op
@eq 0
Actions
chain
skip:1
log
auditlog
msg:Request Missing an Accept Header
severity:2
Tags
PROTOCOL_VIOLATION/MISSING_HEADER
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:42
Target
REQUEST_METHOD
matches
!^OPTIONS$


SecRule

ID 960015
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:43
Target
REQUEST_HEADERS:Accept
matches
^$
Actions
chain
log
auditlog
msg:Request Missing an Accept Header
severity:2
Tags
PROTOCOL_VIOLATION/MISSING_HEADER
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:45
Target
REQUEST_METHOD
matches
!^OPTIONS$


SecRule

ID 960009
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:47
Target
&REQUEST_HEADERS:User-Agent
Op
@eq 0
Actions
skip:1
log
auditlog
msg:Request Missing a User Agent Header
severity:4
Tags
PROTOCOL_VIOLATION/MISSING_HEADER

SecRule

ID 960009
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:49
Target
REQUEST_HEADERS:User-Agent
matches
^$
Actions
log
auditlog
msg:Request Missing a User Agent Header
severity:4
Tags
PROTOCOL_VIOLATION/MISSING_HEADER

SecRule

ID 960904
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:53
Target
&REQUEST_HEADERS:Content-Type
Op
@eq 0
Actions
chain
log
auditlog
msg:Request Containing Content, but Missing Content-Type header
severity:4
SecRule

Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:55
Target
REQUEST_HEADERS:Content-Length
matches
!^0$


SecRule

ID 960017
Phase 2
Location $CORE_RULES/modsecurity_crs_21_protocol_anomalies.conf:60
Target
REQUEST_HEADERS:Host
matches
^[\d\.]+$
Actions
deny
log
auditlog
status:400
msg:Host header is a numeric IP address
severity:2
Tags
PROTOCOL_VIOLATION/IP_HOST
 Check that the host header is not an IP address

SecRule

ID 960335
Phase 2
Location $CORE_RULES/modsecurity_crs_23_request_limits.conf:28
Target
&ARGS
Op
@gt 255
Actions
deny
log
auditlog
status:403
msg:Too many arguments in request
severity:4
 Maximum number of arguments in request limited

SecRule

ID 960032
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:34
Target
REQUEST_METHOD
matches
!^((?:(?:POS|GE)T|OPTIONS|HEAD))$
Actions
log
auditlog
status:501
msg:Method is not allowed by policy
severity:2
Tags
POLICY/METHOD_NOT_ALLOWED
 allow request methods
 TODO Most applications only use GET, HEAD, and POST request
      methods. If that is not the case with your environment, you are advised
      to edit the line or uncomment it.

SecRule

ID 960010
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:68
Target
REQUEST_METHOD
lowercase
matches
!^(?:get|head|propfind|options)$
Actions
chain
deny
log
auditlog
status:501
msg:Request content type is not allowed by policy
severity:4
Tags
POLICY/ENCODING_NOT_ALLOWED
SecRule

Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:70
Target
REQUEST_HEADERS:Content-Type
matches
!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)

 Restrict which content-types we accept.
 TODO Most applications support only two types for request bodies
      because that is all browsers know how to produce. If you are using
      automated tools to talk to the application you may be using other
      content types and would want to change the list of supported types.
      Note though that ModSecurity parses only three content types:
      application/x-www-form-urlencoded, multipart/form-data request and
      text/xml. The protection provided for any other type is inferior.
 TODO There are many applications that are not using multipart/form-data
      types (typically only used for file uploads). This content type
      can be disabled if not used.
 NOTE We allow any content type to be specified with GET or HEAD
      because some tools incorrectly supply content type information
      even when the body is not present. There is a rule further in
      the file to prevent GET and HEAD requests from having bodies, so we're
      safe in that respect.
 NOTE Use of WebDAV requires "text/xml" content type.
 NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
      applications running on the PocketPC and AvantGo platforms use
      non-standard content types:
      M-Business iAnywhere      application/x-mal-client-data
      UltraLite iAnywhere       application/octet-stream

SecRule

ID 960034
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:82
Target
REQUEST_PROTOCOL
matches
!^HTTP/(0\.9|1\.[01])$
Actions
deny
log
auditlog
status:505
msg:HTTP protocol version is not allowed by policy
severity:2
Tags
POLICY/PROTOCOL_NOT_ALLOWED
 Restrict protocol versions.
 TODO All modern browsers use HTTP version 1.1. For tight security, allow only
      this version.
 NOTE Automation programs, both malicious and non-malicious, often use
      other HTTP versions. If you want to allow a specific automated program
      to use your site, try to create a narrower exception rather than allowing any
      client to send HTTP requests in a version lower than 1.1.

SecRule

ID 960035
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:93
Target
REQUEST_BASENAME
urlDecodeUni,lowercase
matches
\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$
Actions
deny
log
auditlog
status:500
msg:URL file extension is restricted by policy
severity:2
Tags
POLICY/EXT_RESTRICTED
 Restrict file extension
 TODO the list of file extensions below is virtually always considered unsafe
      and not used by any valid program. If your application uses one of
      these extensions, please remove it from the list of blocked extensions.
      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
      comment the whole rule.

SecRule

ID 960038
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:105
Target
REQUEST_HEADERS_NAMES
lowercase
matches
(?:lock-token|translate|if)$
Actions
deny
log
auditlog
status:500
msg:HTTP header is restricted by policy
severity:4
Tags
POLICY/HEADER_RESTRICTED
POLICY/FILES_NOT_ALLOWED
 Restricted HTTP headers
 TODO the list of HTTP headers below is considered unsafe for your environment.
      If your application uses one of these headers, please remove it from
      the list of blocked headers. You may need to use ModSecurity Core Rule
      Set Templates to do so, otherwise comment the whole rule.

SecRule

ID 960902
Phase 2
Location $CORE_RULES/modsecurity_crs_30_http_policy.conf:116
Target
REQUEST_HEADERS:Content-Encoding
matches
!^Identity$
Actions
deny
log
auditlog
status:501
msg:ModSecurity does not support content encodings
severity:3
 Restricted Content Encodings
 ModSecurity does not support compressed content. Therefore, the following
 action will be taken:
   - Inbound compressed content will be denied
   - Outbound compressed content will be logged once, to alert the user
 Deny inbound compressed content

SecRule

ID 990002
Phase 2
Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:18
Target
REQUEST_HEADERS:User-Agent
lowercase
matches
(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)
Actions
deny
log
auditlog
status:404
msg:Request Indicates a Security Scanner Scanned the Site
severity:2
Tags
AUTOMATION/SECURITY_SCANNER

SecRule

ID 990901
Phase 2
Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:20
Target
REQUEST_HEADERS_NAMES
lowercase
matches
\bacunetix-product\b
Actions
deny
log
auditlog
status:404
msg:Request Indicates a Security Scanner Scanned the Site
severity:2
Tags
AUTOMATION/SECURITY_SCANNER

SecRule

ID 990902
Phase 2
Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:22
Target
REQUEST_FILENAME
lowercase
matches
^/nessustest
Actions
deny
log
auditlog
status:404
msg:Request Indicates a Security Scanner Scanned the Site
severity:2
Tags
AUTOMATION/SECURITY_SCANNER

SecRule

ID 990012
Phase 2
Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:25
Target
REQUEST_HEADERS:User-Agent
lowercase
matches
(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)
Actions
deny
log
auditlog
status:404
msg:Rogue web site crawler
severity:2
Tags
AUTOMATION/MALICIOUS

SecRule

ID 990011
Phase 2
Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:28
Target
REQUEST_HEADERS:User-Agent
lowercase
matches
(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)
Actions
chain
log
auditlog
msg:Request Indicates an automated program explored the site
severity:5
Tags
AUTOMATION/MISC
SecRule

Location $CORE_RULES/modsecurity_crs_35_bad_robots.conf:30
Target
REQUEST_HEADERS:User-Agent
matches
!^apache.*perl


SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:23
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,compressWhiteSpace,lowercase
Op
@pm set-cookie .cookie
Actions
log
auditlog
pass
nolog
 Session fixation

SecRule

ID 950009
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:26
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode,compressWhiteSpace,lowercase
matches
(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Session Fixation
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SESSION_FIXATION

SecRule

ID 959009
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:28
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,compressWhiteSpace,lowercase
matches
(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Session Fixation
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SESSION_FIXATION

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:35
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,lowercase,replaceComments,compressWhiteSpace
Op
@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
Actions
log
auditlog
pass
nolog
 Blind SQL injection

SecRule

ID 950007
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:38
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode,lowercase,replaceComments,compressWhiteSpace
matches
(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Blind SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

ID 959007
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:40
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,lowercase,replaceComments,compressWhiteSpace
matches
(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Blind SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:50
Target
REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
Op
@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
Actions
log
auditlog
pass
nolog

SecRule

ID 950904
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:53
Target
REQUEST_FILENAME|ARGS
htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Blind SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

ID 959904
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:55
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Blind SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:62
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
Op
@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
Actions
log
auditlog
pass
nolog
 SQL injection

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:81
Target
REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
Op
@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
Actions
log
auditlog
pass
nolog

SecRule

ID 950906
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:84
Target
REQUEST_FILENAME|ARGS
htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

ID 959906
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:86
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

ID 950908
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:89
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|!REQUEST_HEADERS:via
htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:coalesce\b|root\@)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

ID 959908
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:91
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via
urlDecodeUni,htmlEntityDecode,replaceComments,compressWhiteSpace,lowercase
matches
\b(?:coalesce\b|root\@)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:SQL Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SQL_INJECTION

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:98
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,compressWhiteSpace,lowercase
Op
@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
Actions
log
auditlog
pass
nolog
 XSS

SecRule

ID 950004
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:101
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode,compressWhiteSpace,lowercase
matches
(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Cross-site Scripting (XSS) Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/XSS

SecRule

ID 959004
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:103
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni,htmlEntityDecode,compressWhiteSpace,lowercase
matches
(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Cross-site Scripting (XSS) Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/XSS

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:110
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*
urlDecodeUni,htmlEntityDecode,lowercase
Op
@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
Actions
log
auditlog
pass
nolog
 File Injection

SecRule

ID 950005
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:113
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode,lowercase
matches
(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Remote File Access Attempt
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/FILE_INJECTION

SecRule

ID 959005
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:115
Target
REQUEST_HEADERS|XML:/*
urlDecodeUni,htmlEntityDecode,lowercase
matches
(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Remote File Access Attempt
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/FILE_INJECTION

SecRule

ID 950002
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:122
Target
REQUEST_FILENAME
htmlEntityDecode,lowercase
matches
\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:System Command Access
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/FILE_INJECTION
 Command access

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:129
Target
ARGS
htmlEntityDecode,lowercase
Op
@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
Actions
log
auditlog
pass
nolog
 Command injection

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:134
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES
urlDecodeUni,htmlEntityDecode,lowercase
Op
@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
Actions
log
auditlog
pass
nolog

SecRule

ID 950008
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:153
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode,lowercase
matches
\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Injection of Undocumented ColdFusion Tags
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/CF_INJECTION
 Coldfusion injection

SecRule

ID 959008
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:155
Target
REQUEST_HEADERS|XML:/*
urlDecodeUni
htmlEntityDecode
lowercase
matches
\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Injection of Undocumented ColdFusion Tags
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/CF_INJECTION

SecRule

ID 950010
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:162
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode
lowercase
matches
(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:LDAP Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/LDAP_INJECTION
 LDAP injection

SecRule

ID 959010
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:164
Target
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer
urlDecodeUni
htmlEntityDecode
lowercase
matches
(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:LDAP Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/LDAP_INJECTION

SecRule

ID 950011
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:171
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode
lowercase
matches
<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:SSI injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SSI_INJECTION
 SSI injection

SecRule

ID 959011
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:173
Target
REQUEST_HEADERS|XML:/*
urlDecodeUni
htmlEntityDecode
lowercase
matches
<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:SSI injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/SSI_INJECTION

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:180
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*
urlDecodeUni
htmlEntityDecode
lowercase
Op
@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
Actions
log
auditlog
pass
nolog
 PHP injection

SecRule

ID 950013
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:183
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode
lowercase
matches
(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:PHP Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/PHP_INJECTION
WEB_ATTACK/HTTP_RESPONSSE_SPLITTING

SecRule

ID 959013
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:185
Target
REQUEST_HEADERS|XML:/*
urlDecodeUni
htmlEntityDecode
lowercase
matches
(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:PHP Injection Attack
logdata:%{TX.0}
severity:2
Tags
WEB_ATTACK/PHP_INJECTION
WEB_ATTACK/HTTP_RESPONSSE_SPLITTING

SecRule

ID 950018
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:192
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode
compressWhiteSpace
lowercase
matches
http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Persistent Universal PDF XSS attack
severity:2
Tags
WEB_ATTACK/UPDF_XSS
 UPDF XSS

SecRule

ID 959018
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:194
Target
REQUEST_HEADERS|XML:/*
urlDecodeUni
htmlEntityDecode
compressWhiteSpace
lowercase
matches
http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:501
msg:Persistent Universal PDF XSS attack
severity:2
Tags
WEB_ATTACK/UPDF_XSS

SecRule

ID 950019
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:201
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES
htmlEntityDecode
lowercase
matches
[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Email Injection Attack
logdata:%{TX.0}
severity:2
 Email Injection

SecRule

ID 959019
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:203
Target
REQUEST_HEADERS|XML:/*
urlDecode
htmlEntityDecode
lowercase
matches
[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@
Actions
capture
ctl:auditLogParts=+E
log
auditlog
msg:Email Injection Attack
logdata:%{TX.0}
severity:2

SecRule

ID 950910
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:210
Target
REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES
lowercase
matches
%0[ad]
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:400
msg:HTTP Response Splitting Attack
logdata:%{TX.0}
severity:1
 HTTP Response Splitting

SecRule

ID 950911
Phase 2
Location $CORE_RULES/modsecurity_crs_40_generic_attacks.conf:212
Target
REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/*
urlDecodeUni
htmlEntityDecode
lowercase
matches
(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)
Actions
capture
ctl:auditLogParts=+E
deny
log
auditlog
status:400
msg:HTTP Response Splitting Attack
logdata:%{TX.0}
severity:1

SecRule

ID 950110
Phase 2
Location $CORE_RULES/modsecurity_crs_45_trojans.conf:30
Target
REQUEST_HEADERS_NAMES
lowercase
matches
x_(?:key|file)\b
Actions
ctl:auditLogParts=+E
deny
log
auditlog
status:404
msg:Backdoor access
severity:2
Tags
MALICIOUS_SOFTWARE/TROJAN

SecRule

ID 950921
Phase 2
Location $CORE_RULES/modsecurity_crs_45_trojans.conf:31
Target
REQUEST_FILENAME
urlDecodeUni
htmlEntityDecode
lowercase
matches
root\.exe
Actions
ctl:auditLogParts=+E
deny
log
auditlog
status:404
msg:Backdoor access
severity:2
Tags
MALICIOUS_SOFTWARE/TROJAN

SecRule

Phase 2
Location $CORE_RULES/modsecurity_crs_50_outbound.conf:89
Target
TX:1
matches
!program files\x5cmicrosoft office\x5c(?:office|templates)
Actions
log
auditlog
 File or Directory Names Leakage

SecRule

ID 999010
Phase 2
Location $CORE_RULES/modsecurity_crs_42_comment_spam.conf:20
Target
ARGS|ARGS_NAMES
urlDecodeUni
htmlEntityDecode
compressWhiteSpace
lowercase
matches
\bhttp:
Actions
log
auditlog
skip:1
pass
nolog
severity:5
 Prequalifier. Look for <http> first

SecRule