# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:942011,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:942012,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # References: # # SQL Injection Knowledgebase (via @LightOS) - # http://websec.ca/kb/sql_injection # # SQLi Filter Evasion Cheat Sheet - # http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ # # SQL Injection Cheat Sheet - # http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ # # SQLMap's Tamper Scripts (for evasions) # https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/ # # # -=[ LibInjection Check ]=- # # Ref: https://libinjection.client9.com/ # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \ "msg:'SQL Injection Attack Detected via libinjection',\ id:942100,\ severity:'CRITICAL',\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'1',\ accuracy:'8',\ phase:request,\ block,\ multiMatch,\ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments,\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}" # # -=[ Detect DB Names ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack: Common DB Names Detected',\ id:942140,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ PHPIDS - Converted SQLI Filters ]=- # # https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects blind sqli tests using sleep() or benchmark().',\ id:942160,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\ id:942170,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\s*?(?:exec|execute).*?(?:\W)xp_cmdshell)|(?:[\"'`]\s*?!\s*?[\"'`\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`];?\s*?(?:select|union|having)\b\s*?[^\s])|(?:\wiif\s*?\()|(?:(?:exec|execute)\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MSSQL code execution and information gathering attempts',\ id:942190,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash',\ id:942220,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects conditional SQL injection attempts',\ id:942230,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?(?:character|char)\s+set\s+\w+)|([\"'`];*?\s*?waitfor\s+(?:time|delay)\s+[\"'`])|(?:[\"'`];.*?:\s*?goto))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MySQL charset switch and MSSQL DoS attempts',\ id:942240,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\ id:942250,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',\ id:942270,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\ id:942280,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Finds basic MongoDB SQL injection attempts',\ id:942290,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ id:942320,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+.+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\ id:942350,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)\b)|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`]\s+regexp\W)|(?:[\s(]load_file\s*?\())" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ id:942360,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:942013,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:942014,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # # # -=[ String Termination/Statement Ending Injection Testing ]=- # # Identifies common initial SQLi probing requests where attackers insert/append # quote characters to the existing normal payload to see how the app/db responds. # SecRule ARGS_NAMES|ARGS|XML:/* "(^[\"'`;]+|[\"'`]+$)" \ "phase:request,\ rev:'4',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,\ block,\ msg:'SQL Injection Attack: Common Injection Testing Detected',\ id:942110,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'WARNING',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Operators ]=- # SecRule ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|\bxor\b|\brlike\b|\bregexp\b|\bisnull\b)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:\bxor\b|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" \ "phase:request,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:utf8toUnicode,t:urlDecodeUni,\ block,\ msg:'SQL Injection Attack: SQL Operator Detected',\ id:942120,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Tautologies ]=- # SecRule ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`\(\)]*?)(?!\2)([\d\w]+)))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ multiMatch,t:none,t:urlDecodeUni,t:replaceComments,\ block,\ msg:'SQL Injection Attack: SQL Tautology Detected.',\ id:942130,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Function Names ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf sql-function-names.data" \ "chain,\ phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack',\ id:942150,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL'" SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\("\ "setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`]\s+[\"'`]\s+\d)|(?:^admin\s*?[\"'`]|(\/\*)+[\"'`]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`])|(?:[\"'`]\s*?[^\w\s]?=\s*?[\"'`])|(?:[\"'`]\W*?[+=]+\W*?[\"'`])|(?:[\"'`]\s*?[!=|][\d\s!=+-]+.*?[\"'`(].*?$)|(?:[\"'`]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`]\s*?like\W+[\w\"'`(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`][<>~]+[\"'`]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects basic SQL authentication bypass attempts 1/3',\ id:942180,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\Z|[^\"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\ id:942200,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`=()]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects chained SQL injection attempts 1/2',\ id:942210,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`])|(?:like\s*?[\"'`]\%)|(?:[\"'`]\s*?like\W*?[\"'`\d])|(?:[\"'`]\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`]\s*?\*\s*?\w+\W+[\"'`])|(?:[\"'`]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`-]+from\s+)|(?:find_in_set\s*?\())" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects basic SQL authentication bypass attempts 2/3',\ id:942260,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects MySQL comments, conditions and ch(a)r injections',\ id:942300,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`]\s*?(?:(?:[-+=|@]+\s+?)+|[-+=|@]+)[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`]\w)|(?:[\"'`];\s*?(?:if|while|begin))|(?:[\"'`][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects chained SQL injection attempts 2/2',\ id:942310,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?(x?or|div|like|between|and)\s*?[\"'`]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`]$)|(?:(?:^[\"'`\\\\]*?(?:[\d\"'`]+|[^\"'`]+[\"'`]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].)|(?:\Winformation_schema|table_name\W))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects classic SQL injection probings 1/2',\ id:942330,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`]|[=\d]+x))|([\"'`]\s*?\d\s*?(?:--|#))|(?:[\"'`][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`])|(?:[\"'`]\s*?is\s*?\d.+[\"'`]?\w)|(?:[\"'`]\|?[\w-]{3,}[^\w\s.,]+[\"'`])|(?:[\"'`]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects basic SQL authentication bypass attempts 3/3',\ id:942340,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects classic SQL injection probings 2/2',\ id:942370,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack',\ id:942380,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack',\ id:942390,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack',\ id:942400,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|replwritetovarbin|help|addextendedproc|is_srvrolemember|prepare|password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|servicecontrol|ntsec_enumdomains|terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_\w+\.\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|\butl_inaddr\b|\bsys_context\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ msg:'SQL Injection Attack',\ id:942410,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # [ SQL Injection Character Anomaly Usage ] # # This rules attempts to gauge when there is an exccesive use of # meta-characters within a single parameter payload. # # Expect a lot of false positives with this rule. # The most likely false positive instances will be free-form text fields. # This will make it necessary to disable the rule for certain known parameters. # The following directive is an example to switch off the rule globally for # the parameter foo. Place this instruction in your configuration after # the include directive for the Core Rules Set. # # SecRuleUpdateTargetById 942430 "!ARGS:foo" # SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){12})" \ "phase:request,\ t:none,t:urlDecodeUni,\ block,\ id:942430,\ severity:'WARNING',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\ capture,\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" # # -=[ Detect SQL Comment Sequences ]=- # # Example Payloads Detected: # ------------------------- # OR 1# # DROP sampletable;-- # admin'-- # DROP/*comment*/sampletable # DR/**/OP/*bypass blacklisting*/sampletable # SELECT/*avoid-spaces*/password/**/FROM/**/Members # SELECT /*!32302 1/0, */ 1 FROM tablename # ‘ or 1=1# # ‘ or 1=1-- - # ‘ or 1=1/* # ' or 1=1;\x00 # 1='1' or-- - # ' /*!50000or*/1='1 # ' /*!or*/1='1 # 0/**/union/*!50000select*/table_name`foo`/**/ # ------------------------- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \ "phase:request,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ id:942440,\ t:none,t:urlDecodeUni,\ block,\ msg:'SQL Comment Sequence Detected.',\ severity:'CRITICAL',\ capture,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" # # -=[ SQL Hex Evasion Methods ]=- # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" \ "phase:request,\ id:942450,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'8',\ accuracy:'8',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'SQL Hex Encoding Identified',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:942015,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:942016,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # # # [ SQL HAVING queries ] # # This pattern was split off from rule 942250 due to frequent # false positives in English text. Testing showed that SQL # injections with HAVING should be detected by libinjection # (rule 942100). # # This is a stricter sibling of rule 942250. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\W+\d*?\s*?having\s*?[^\s\-]" \ "phase:request,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'6',\ capture,\ t:none,t:urlDecodeUni,\ block,\ msg:'Detects HAVING injections',\ id:942251,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" # # [ SQL Injection Character Anomaly Usage ] # # This rule attempts to gauge when there is an exccesive use of # meta-characters within a single parameter payload. # # It is similar to 942430, but focues on Cookies instead of # GET/POST parameters. # # Expect a lot of false positives with this rule. # The most likely false positive instances will be complex session ids. # This will make it necessary to disable the rule for certain known cookies. # The following directive is an example to switch off the rule globally for # the cookie foo_id. Place this instruction in your configuration after # the include directive for the Core Rules Set. # # SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id" # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){8})" \ "phase:request,\ t:none,t:urlDecodeUni,\ block,\ id:942420,\ severity:'WARNING',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\ capture,\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" # # This is a stricter sibling of rule 942430. # SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){6})" \ "phase:request,\ t:none,t:urlDecodeUni,\ block,\ id:942431,\ severity:'WARNING',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\ capture,\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" # # [ Repetitive Non-Word Characters ] # # This rule attempts to identify when multiple (4 or more) non-word characters # are repeated in sequence. # # The pattern may occur in some normal texts, e.g. "foo...." will match. # SecRule ARGS "\W{4}" \ "phase:request,\ capture,\ t:none,t:urlDecodeUni,\ block,\ id:942460,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ severity:'WARNING',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:942017,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:942018,nolog,pass,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # [ SQL Injection Character Anomaly Usage ] # # This is a stricter sibling of rule 942420. # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){3})" \ "phase:request,\ t:none,t:urlDecodeUni,\ block,\ id:942421,\ severity:'WARNING',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\ capture,\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" # # This is a stricter sibling of rule 942430. # SecRule ARGS_NAMES|ARGS|XML:/* "((?:[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>][^\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]*?){2})" \ "phase:request,\ t:none,t:urlDecodeUni,\ block,\ id:942432,\ severity:'WARNING',\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'8',\ msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\ capture,\ logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ tag:'WASCTC/WASC-19',\ tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\ setvar:tx.sql_injection_score=+%{tx.warning_anomaly_score},\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}" # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI"