This repository has been archived by the owner on May 14, 2020. It is now read-only.

Remove req msg dot #1678

Merged
merged 14 commits into from
Feb 12, 2020
6 changes: 3 additions & 3 deletions rules/REQUEST-901-INITIALIZATION.conf
Expand Up @@ -57,7 +57,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
status:500,\
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.',\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
severity:'CRITICAL'"


Expand Down Expand Up @@ -402,7 +402,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
log,\
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage \
%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.',\
%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
ctl:ruleEngine=Off"

SecMarker "END-SAMPLING"
Expand All @@ -420,4 +420,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
status:500,\
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting.'"
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting'"
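Review bot: The `msg` strings changed in this file are multi-sentence texts, so removing only the closing period leaves them unevenly punctuated, e.g. `This is illegal. Blocking request. Aborting` in the paranoia-level rule and the setup message that now ends `for detailed instructions`. Either keep the final period on multi-sentence messages or shorten them to a single phrase, such as `msg:'Executing paranoia level is lower than paranoia level, blocking request'`. Separately, `msg` text is written to the error and audit logs, so log filters or SIEM rules that match the old strings verbatim will stop matching; this applies to every rule file in the change, and a changelog line advising operators to match on the rule `id` would cover it. This assumes the dot-less line of each pair is the new side, as the title indicates; the rules themselves start and end outside the hunks shown.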
4 changes: 2 additions & 2 deletions rules/REQUEST-910-IP-REPUTATION.conf
Expand Up @@ -32,7 +32,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
phase:2,\
block,\
t:none,\
msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
msg:'Request from Known Malicious Client (Based on previous traffic violations)',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -61,7 +61,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
phase:2,\
block,\
t:none,\
msg:'Client IP is from a HIGH Risk Country Location.',\
msg:'Client IP is from a HIGH Risk Country Location',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
12 changes: 6 additions & 6 deletions rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Expand Up @@ -131,7 +131,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
phase:1,\
block,\
t:none,\
msg:'Content-Length HTTP header is not numeric.',\
msg:'Content-Length HTTP header is not numeric',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -166,7 +166,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
phase:2,\
block,\
t:none,\
msg:'GET or HEAD Request with Body Content.',\
msg:'GET or HEAD Request with Body Content',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -192,7 +192,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
phase:2,\
block,\
t:none,\
msg:'GET or HEAD Request with Transfer-Encoding.',\
msg:'GET or HEAD Request with Transfer-Encoding',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -224,7 +224,7 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
phase:2,\
block,\
t:none,\
msg:'POST without Content-Length or Transfer-Encoding headers.',\
msg:'POST without Content-Length or Transfer-Encoding headers',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -264,7 +264,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
block,\
capture,\
t:none,\
msg:'Range: Invalid Last Byte Value.',\
msg:'Range: Invalid Last Byte Value',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -297,7 +297,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
phase:2,\
block,\
t:none,\
msg:'Multiple/Conflicting Connection Header Data Found.',\
msg:'Multiple/Conflicting Connection Header Data Found',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
32 changes: 16 additions & 16 deletions rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Expand Up @@ -296,7 +296,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -323,7 +323,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -350,7 +350,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -377,7 +377,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -404,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -431,7 +431,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -458,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -485,7 +485,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -512,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -539,7 +539,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -566,7 +566,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand All @@ -593,7 +593,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -625,7 +625,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -657,7 +657,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
msg:'UTF-7 Encoding IE XSS - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -911,7 +911,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -939,7 +939,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected.',\
msg:'IE XSS Filters - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
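Review bot: Fourteen of the sixteen messages edited in this file are the identical string `IE XSS Filters - Attack Detected`, so the message alone cannot tell an analyst which filter fired. While these lines are being touched, a short comment above each rule naming the pattern it covers would help triage, for example `# IE XSS filter: <pattern this rule covers>`, with the rule `id` and `logdata` remaining the fields to key alerts on. The rule ids and expressions lie outside the hunks, so which pattern each rule covers cannot be confirmed from this page.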
14 changes: 7 additions & 7 deletions rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Expand Up @@ -116,7 +116,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Detects blind sqli tests using sleep() or benchmark().',\
msg:'Detects blind sqli tests using sleep() or benchmark()',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -304,7 +304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',\
msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -506,7 +506,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'MySQL in-line comment detected.',\
msg:'MySQL in-line comment detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -624,7 +624,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?([\d\w]++)[\s'\"`()]*?(?:<(?
block,\
capture,\
t:none,t:urlDecodeUni,t:replaceComments,\
msg:'SQL Injection Attack: SQL Tautology Detected.',\
msg:'SQL Injection Attack: SQL Tautology Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -1299,7 +1299,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQL Comment Sequence Detected.',\
msg:'SQL Comment Sequence Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQLi bypass attempt by ticks or backticks detected.',\
msg:'SQLi bypass attempt by ticks or backticks detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
Expand Down Expand Up @@ -1646,7 +1646,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQLi bypass attempt by ticks detected.',\
msg:'SQLi bypass attempt by ticks detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
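Review bot: Two of the messages in this file describe the rule rather than the event, unlike their neighbours (`MySQL in-line comment detected`, `SQL Comment Sequence Detected`): `Detects blind sqli tests using sleep() or benchmark()` and `Looking for basic sql injection. Common attack string for mysql, oracle and others`, the second of which also keeps an interior period. Since the strings are changing anyway, they could be brought into line, e.g. `msg:'Blind SQLi test using sleep() or benchmark() detected'` and `msg:'Basic SQL injection attempt detected'`. The casing of `sqli`/`sql`/`mysql` also differs from the `SQLi`/`SQL`/`MySQL` used in the other messages here.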
2 changes: 1 addition & 1 deletion rules/REQUEST-949-BLOCKING-EVALUATION.conf
Expand Up @@ -62,7 +62,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
phase:2,\
deny,\
log,\
msg:'Request Denied by IP Reputation Enforcement.',\
msg:'Request Denied by IP Reputation Enforcement',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
tag:'application-multi',\
tag:'language-multi',\