diff --git a/content/3-about-rules/rules.md b/content/3-about-rules/rules.md index 4ccaffea..b6202dbe 100644 --- a/content/3-about-rules/rules.md +++ b/content/3-about-rules/rules.md @@ -5,4 +5,8 @@ disableToc: false chapter: false --- +### Major release v4 +{{% describe-rules version="4" %}} + +### Major release v3 {{% describe-rules version="3" %}} diff --git a/data/filesdescription.yaml b/data/filesdescription.yaml index a20215f4..5c94a0be 100644 --- a/data/filesdescription.yaml +++ b/data/filesdescription.yaml @@ -4,9 +4,12 @@ common: This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection. - - `Example: SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "phase:1,id:'981033',t:none,nolog,pass,ctl:ruleEngine=Off"` - REQUEST-901-INITIALIZATION.conf: TODO + REQUEST-901-INITIALIZATION.conf: > + This file initializes the Core Rules and performs preparatory actions. + It also fixes errors and omissions of variable definitions in the + crs-setup.conf file. The crs-setup.conf can and should be edited by + the user, but this file is part of the CRS installation and should + not be altered. REQUEST-913-SCANNER-DETECTION.conf: > These rules are concentrated around detecting security tools and scanners. 
@@ -27,10 +30,30 @@ common: remote resource into the web application that will be executed. Exploiting this type of attack can lead to the web application or server being compromised. - REQUEST-932-APPLICATION-ATTACK-RCE.conf: TODO - REQUEST-933-APPLICATION-ATTACK-PHP.conf: TODO - REQUEST-934-APPLICATION-ATTACK-GENERIC.conf: TODO - REQUEST-941-APPLICATION-ATTACK-XSS.conf: TODO + REQUEST-932-APPLICATION-ATTACK-RCE.conf: > + These rules detect Unix and Windows command injection attacks. Command + injections occur when an application executes shell commands without + proper input escaping or validation. Attackers can exploit this by + inserting command separators and additional commands into user input. + This file also protects against Oracle WebLogic Remote Command + Execution exploits. + REQUEST-933-APPLICATION-ATTACK-PHP.conf: > + These rules provide protection against PHP injection attacks. The + rules detect PHP open tags (such as "<?php" and "<?"), PHP functions + commonly used in exploits, and various PHP-based attack patterns that + could lead to remote code execution or application compromise. + REQUEST-934-APPLICATION-ATTACK-GENERIC.conf: > + These rules detect generic application attacks including NodeJS + insecure deserialization vulnerabilities and generic Remote Code + Execution (RCE) signatures. This includes patterns like eval(), + function constructors, String.fromCharCode(), and insecure + deserialization markers used by node-serialize and funcster libraries. + REQUEST-941-APPLICATION-ATTACK-XSS.conf: > + These rules provide protection against Cross-Site Scripting (XSS) + attacks by detecting malicious scripts, HTML tags, and JavaScript + code in user input. The rules also detect path-based XSS exploits and + include performance optimizations to minimize false positives while + maintaining strong protection. REQUEST-942-APPLICATION-ATTACK-SQLI.conf: > Within this configuration file we provide rules that protect against SQL injection attacks. 
SQLi attackers occur when an attacker passes @@ -41,7 +64,12 @@ common: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf: > These rules focus around providing protection against Session Fixation attacks. - REQUEST-944-APPLICATION-ATTACK-JAVA.conf: TODO + REQUEST-944-APPLICATION-ATTACK-JAVA.conf: > + These rules detect Java-based attacks including Remote Command + Execution exploits targeting Java classes. The rules provide + protection against Apache Struts vulnerabilities (CVE-2017-5638, + CVE-2017-9791, CVE-2017-9805) and Oracle WebLogic Remote Command + Execution exploits (CVE-2017-10271). REQUEST-949-BLOCKING-EVALUATION.conf: > These rules provide the anomaly based blocking for a given request. If you are in anomaly detection mode this file must not be deleted. 
@@ -74,17 +102,83 @@ common: versioned: "3": - REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf: TODO - REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf: TODO - REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf: TODO - REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf: TODO - REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf: TODO - REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf: TODO + REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default Drupal + installation. They disable CRS checks on well-known parameter fields + that often trigger false alarms, including session cookies, password + fields, and article/node bodies. The exclusions are only active if + crs_exclusions_drupal=1 is set in crs-setup.conf. + REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default WordPress + installation. They provide exceptions for WordPress login forms, + admin panels, and other WordPress-specific functionality. The + exclusions are only active if crs_exclusions_wordpress=1 is set in + crs-setup.conf. Note that WordPress comment fields are NOT excluded + from checking due to security concerns. + REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default NextCloud + installation. They likely work with OwnCloud as well. The rules + provide exceptions for file uploads, WebDAV operations, and other + NextCloud-specific functionality. The exclusions are only active if + crs_exclusions_nextcloud=1 is set in crs-setup.conf. + REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default DokuWiki + installation. They provide exceptions for wiki page editing, autosave + functionality, and file uploads. The exclusions are only active if + crs_exclusions_dokuwiki=1 is set in crs-setup.conf. 
+ REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default cPanel + environment. They provide exceptions for cPanel WHM server status + requests and other cPanel-specific functionality. The exclusions are + only active if crs_exclusions_cpanel=1 is set in crs-setup.conf. + REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf: > + These exclusion rules remedy false positives in a default XenForo + forum installation. They provide exceptions for forum posts, image + proxies, and other XenForo-specific functionality. The exclusions are + only active if crs_exclusions_xenforo=1 is set in crs-setup.conf. REQUEST-910-IP-REPUTATION.conf: > - These rules deal with detecting traffic from IPs that have - previously been involved with malicious activity, either on our local site or globally. + These rules detect and block traffic from IP addresses that have + previously been involved with malicious activity based on traffic + violations detected in previous requests. When a client IP is + flagged, subsequent requests from that IP are blocked during a + timeout period. REQUEST-912-DOS-PROTECTION.conf: > - The rules in this file will attempt to detect some level 7 DoS (Denial of Service) attacks against your server. + These anti-automation rules detect application layer (Layer 7) Denial + of Service attacks. The rules track request rates per IP address and + identify burst patterns. When an IP exceeds the configured thresholds, + it is temporarily blocked. The DoS counter tracks requests to + non-static resources and raises blocking flags when limits are + exceeded. "4": - REQUEST-905-COMMON-EXCEPTIONS.conf: TODO - RESPONSE-955-WEB-SHELLS.conf: TODO + REQUEST-905-COMMON-EXCEPTIONS.conf: > + This file is used as an exception mechanism to remove common false + positives that may be encountered. 
It includes exceptions for Apache + SSL pinger, Apache internal dummy connections, and other legitimate + traffic that should bypass CRS inspection. + REQUEST-911-METHOD-ENFORCEMENT.conf: > + These rules enforce the configured allowed HTTP methods policy. Requests using HTTP + methods not explicitly permitted in the configuration (defined in + tx.allowed_methods) will be blocked to prevent potential attacks + using uncommon or dangerous HTTP methods. + REQUEST-922-MULTIPART-ATTACK.conf: > + These rules protect against multipart-related attacks and address the + 3UWMWA6W vulnerability. They enforce strict policies on multipart + content, including charset definitions and content-type headers. + Requires ModSecurity version 2.9.6 or newer, or 3.0.8 or newer. + REQUEST-999-COMMON-EXCEPTIONS-AFTER.conf: > + This file contains common exception rules that remove false positives + for well-known applications and services, such as Google Analytics + cookies, Google Ads cookies, and other legitimate third-party + services. This file must be loaded after all the request rules have + been created. + RESPONSE-955-WEB-SHELLS.conf: > + These rules provide detection and blocking of web shells in response + bodies. Web shells are malicious scripts uploaded to web servers that + provide attackers with remote command execution capabilities. The + rules detect PHP, JSP, ASP, and other types of web shells that may + indicate a successful server compromise. + RESPONSE-956-DATA-LEAKAGES-RUBY.conf: > + These rules provide protection against data leakages that may occur + from Ruby applications. The rules detect Ruby error messages and stack + traces in response bodies that could reveal sensitive information + about the application's internal structure.
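Review bot: In the first `data/filesdescription.yaml` hunk (`@@ -4,9 +4,12 @@`), the only concrete example in the local-exceptions description, the `SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" ... ctl:ruleEngine=Off` line, is deleted without replacement while the surrounding text still says "Often in this file we would see rules that short-circuit inspection". Either keep the example (it is the one place a reader sees what such a short-circuit rule looks like) or reword the sentence so it no longer implies an example follows.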
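Review bot: In the `@@ -27,10 +30,30 @@` hunk, the REQUEST-941 text "include performance optimizations to minimize false positives while maintaining strong protection" conflates two unrelated properties: performance tuning does not reduce false positives. Suggest splitting it into what the file actually does, e.g. "The rules are tuned to limit false positives" and, if true, a separate sentence on performance, or drop the performance claim.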
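Review bot: In the `@@ -41,7 +64,12 @@` hunk, REQUEST-944 is described as protecting against "Oracle WebLogic Remote Command Execution exploits (CVE-2017-10271)", but the REQUEST-932 entry added in the previous hunk already claims "This file also protects against Oracle WebLogic Remote Command Execution exploits". State in each description which file carries the WebLogic checks (or that both do, and why), so a reader looking for the rule is not sent to the wrong file.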
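Review bot: In the `@@ -74,17 +102,83 @@` hunk, the REQUEST-922 description references "the 3UWMWA6W vulnerability", which is not a recognisable public identifier and reads like an internal or placeholder reference; replace it with the proper advisory/CVE reference or remove it. Two smaller points in the same hunk: "They likely work with OwnCloud as well" (REQUEST-903.9003) is a hedge that does not belong in reference documentation, so either confirm and state it or drop it; and REQUEST-911-METHOD-ENFORCEMENT.conf is added only under the versioned "4" key, so if that file also ships in the v3 release it belongs under `common` alongside the other shared files.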