# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # NOTE By default the status code sent is 501, which implies that the web # server does not support the required operation. This is a non standard # of this status code which normally refers to unsupported HTTP methods. # It is used in order to confuse automated clients and scanners. # Zope Information Leakage SecRule RESPONSE_BODY "

Site Error<\/h2>.{0,20}

An error was encountered while publishing this resource\." \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970007',tag:'OWASP_CRS/LEAKAGE/ERRORS_ZOPE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # CF Information Leakage SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970008',tag:'OWASP_CRS/LEAKAGE/ERRORS_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # PHP Information Leakage SecRule RESPONSE_BODY "Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970009',tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # ISA server existence revealed SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970010',tag:'MISCONFIGURATION',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}" # Microsoft Office document properties leakage SecRule RESPONSE_BODY "" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970012',tag:'OWASP_CRS/LEAKAGE/INFO_STATISTICS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970903',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" # CF source code leakage SecRule RESPONSE_BODY ".{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error<\/h1>.*?

part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" # Weblogic information disclosure SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970021',severity:'3'" SecRule RESPONSE_BODY "JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # File or Directory Names Leakage SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,capture,t:none,capture,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970011',tag:'OWASP_CRS/LEAKAGE/INFO_FILE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,capture,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" # # IFrame Injection # SecRule RESPONSE_BODY "!@pm iframe" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK" SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \ "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \ "t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}" SecMarker END_IFRAME_CHECK # # Generic Malicious JS Detection # SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \ "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}" # # Run PM check against response body data before running any RegEx Checks # If nothing matches, then we skip the remainder of phase:4 # SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',pass,id:'981178',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK" # ASP/JSP source code leakage SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970014',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" # PHP source code leakage SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970015',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_BODY "<\?(?!xml)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970902',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" # Statistics pages revealed SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Statistics Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970002',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" # SQL Errors leakage SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:PostgreSQL result|O(?:racle|DBC)|M(?:S |y)SQL))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(. Requested|; the operation)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|microsoft jet database engine error '8|Microsoft Access Driver|JET Database Engine|Access Database Engine|ORA-\d{5}: |ORA-[0-9][0-9][0-9][0-9]|Oracle error|Oracle.*?Driver|Warning.*?Woci_.*?|Warning.*?Wora_.*?|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|PostgreSQL query failed:|PostgreSQL.*?ERROR|Warning.*?Wpg_.*?|valid PostgreSQL result|Npgsql.|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|You have an error in your SQL syntax(?: near ')?|incorrect syntax near (?:\'|the\b|\@\@error\b)|cannot take a \w+ data type as an argument\.|Warning: mysql_connect\(\):)|\[Microsoft\]\[ODBC |Driver.*? SQL[-_ ]*Server|OLE DB.*? SQL Server|(W|A)SQL Server.*?Driver|Warning.*?mssql_.*?|(W|A)SQL Server.*?[0-9a-fA-F]{8}|Exception Details:.*?WSystem.Data.SqlClient.|Exception Details:.*?WRoadhouse.Cms.|SQL syntax.*?MySQL|Warning.*?mysql_.*?|valid MySQL result|MySqlClient.|SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*?sqlite_.*?|Warning.*?SQLite3::)" \ "phase:4,rev:'3',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970003',tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # IIS Errors leakage SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970004',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_STATUS "!^404$" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970904',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'" SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" # Directory Listing SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \ "phase:4,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970013',tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" SecMarker END_OUTBOUND_CHECK