Hi! I just noticed that if I try to send a multi-part POST and the filename of a file in it has

Thank you.

Response to test request:

{
"transaction": {
"time": "09/Aug/2024:15:44:36.030603 +0000",
"transaction_id": "ZrY5ZKU-6vZH3vTca4MU6gAAAJE",
"remote_address": "172.18.0.14",
"remote_port": 57472,
"local_address": "172.18.0.17",
"local_port": 8080
},
"request": {
"request_line": "POST / HTTP/1.1",
"headers": {
"X-Real-IP": "87.92.138.254",
"Host": "localhost",
"Connection": "close",
"Content-Length": "381732",
"sec-ch-ua": "\"Not)A;Brand\";v=\"99\", \"Microsoft Edge\";v=\"127\", \"Chromium\";v=\"127\"",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarya5MpsHJQc5fTfEem",
"DNT": "1",
"sec-ch-ua-mobile": "?0",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0",
"sec-ch-ua-platform": "\"Windows\"",
"Accept": "*/*",
"Origin": "chrome-extension://bhmdjpobkcdcompmlhiigoidknlgghfo",
"Sec-Fetch-Site": "none",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Dest": "empty",
"Accept-Encoding": "gzip, deflate, br, zstd",
"Accept-Language": "en-US,en;q=0.9,ru;q=0.8",
"X-Unique-ID": "ZrY5ZKU-6vZH3vTca4MU6gAAAJE"
},
"fake_body": "text=test"
},
"response": {
"protocol": "HTTP/1.1",
"status": 403,
"headers": {
"X-Unique-ID": "ZrY5ZKU-6vZH3vTca4MU6gAAAJE",
"Content-Length": "199",
"Connection": "close",
"Content-Type": "text/html; charset=iso-8859-1"
},
"body": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"
},
"audit_data": {
"messages": [
"Warning. Match of \"rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\\\"';=])*$\" against \"FILES:file\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"124\"] [id \"920120\"] [msg \"Attempted multipart/form-data bypass\"] [data \"Delico's Nursery.png\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"]",
"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"]",
"Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
"Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"]"
],
"error_messages": [
"[file \"apache2_util.c\"] [line 275] [level 3] [client 172.18.0.14] ModSecurity: Warning. Match of \"rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\\\\\\\\\"';=])*$\" against \"FILES:file\" required. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"124\"] [id \"920120\"] [msg \"Attempted multipart/form-data bypass\"] [data \"Delico's Nursery.png\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/210/272\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"ZrY5ZKU-6vZH3vTca4MU6gAAAJE\"]",
"[file \"apache2_util.c\"] [line 275] [level 3] [client 172.18.0.14] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"ZrY5ZKU-6vZH3vTca4MU6gAAAJE\"]",
"[file \"apache2_util.c\"] [line 275] [level 3] [client 172.18.0.14] ModSecurity: Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)\"] [ver \"OWASP_CRS/4.3.0-dev\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"ZrY5ZKU-6vZH3vTca4MU6gAAAJE\"]"
],
"action": {
"intercepted": true,
"phase": 2,
"message": "Operator GE matched 5 at TX:blocking_inbound_anomaly_score."
},
"handler": "proxy-server",
"stopwatch": {
"p1": 823,
"p2": 1219,
"p3": 0,
"p4": 0,
"p5": 176,
"sr": 0,
"sw": 0,
"l": 0,
"gc": 0
},
"response_body_dechunked": true,
"producer": [
"ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)",
"OWASP_CRS/4.3.0-dev"
],
"server": "Apache/2.4.59 (Unix) OpenSSL/3.0.11",
"engine_mode": "ENABLED"
},
"uploads": {
"info": [
{
"file_size": 381444,
"file_name": "Delico's Nursery.png",
"content_type": "<Unknown Content-Type>"
}
],
"total": 381444
},
"matched_rules": [
{
"chain": false,
"rules": [
{
"actionset": {
"id": "900000",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/crs-setup.conf",
"line_num": 183
},
"unparsed": "SecAction \"phase:1,tag:modsecurity,id:900000,nolog,pass,t:none,setvar:tx.blocking_paranoia_level=1\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "900110",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/crs-setup.conf",
"line_num": 325
},
"unparsed": "SecAction \"phase:1,tag:modsecurity,id:900110,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=5,setvar:tx.outbound_anomaly_score_threshold=4\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "900990",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/crs-setup.conf",
"line_num": 814
},
"unparsed": "SecAction \"phase:1,tag:modsecurity,id:900990,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.crs_setup_version=430\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901111",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:reporting_level",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 103
},
"unparsed": "SecRule \"&TX:reporting_level\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901111,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.reporting_level=4\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901115",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:early_blocking",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 113
},
"unparsed": "SecRule \"&TX:early_blocking\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901115,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.early_blocking=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901125",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:detection_paranoia_level",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 133
},
"unparsed": "SecRule \"&TX:detection_paranoia_level\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901125,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.detection_paranoia_level=%{TX.blocking_paranoia_level}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901130",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:sampling_percentage",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 143
},
"unparsed": "SecRule \"&TX:sampling_percentage\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901130,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.sampling_percentage=100\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901140",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:critical_anomaly_score",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 153
},
"unparsed": "SecRule \"&TX:critical_anomaly_score\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901140,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.critical_anomaly_score=5\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901141",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:error_anomaly_score",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 162
},
"unparsed": "SecRule \"&TX:error_anomaly_score\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901141,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.error_anomaly_score=4\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901142",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:warning_anomaly_score",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 171
},
"unparsed": "SecRule \"&TX:warning_anomaly_score\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901142,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.warning_anomaly_score=3\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901143",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:notice_anomaly_score",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 180
},
"unparsed": "SecRule \"&TX:notice_anomaly_score\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901143,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.notice_anomaly_score=2\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901160",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:allowed_methods",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 190
},
"unparsed": "SecRule \"&TX:allowed_methods\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901160,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901162",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:allowed_request_content_type",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 200
},
"unparsed": "SecRule \"&TX:allowed_request_content_type\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901162,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901168",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:allowed_request_content_type_charset",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 210
},
"unparsed": "SecRule \"&TX:allowed_request_content_type_charset\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901168,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901163",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:allowed_http_versions",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 220
},
"unparsed": "SecRule \"&TX:allowed_http_versions\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901163,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901164",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:restricted_extensions",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 230
},
"unparsed": "SecRule \"&TX:restricted_extensions\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901164,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901165",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:restricted_headers_basic",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 240
},
"unparsed": "SecRule \"&TX:restricted_headers_basic\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901165,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901171",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:restricted_headers_extended",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 250
},
"unparsed": "SecRule \"&TX:restricted_headers_extended\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901171,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.restricted_headers_extended=/accept-charset/\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901167",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:enforce_bodyproc_urlencoded",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 260
},
"unparsed": "SecRule \"&TX:enforce_bodyproc_urlencoded\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901167,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.enforce_bodyproc_urlencoded=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901169",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&TX:crs_validate_utf8_encoding",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 270
},
"unparsed": "SecRule \"&TX:crs_validate_utf8_encoding\" \"@eq 0\" \"phase:1,tag:modsecurity,id:901169,pass,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.crs_validate_utf8_encoding=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901200",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 308
},
"unparsed": "SecAction \"phase:1,tag:modsecurity,id:901200,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.blocking_inbound_anomaly_score=0,setvar:tx.detection_inbound_anomaly_score=0,setvar:tx.inbound_anomaly_score_pl1=0,setvar:tx.inbound_anomaly_score_pl2=0,setvar:tx.inbound_anomaly_score_pl3=0,setvar:tx.inbound_anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.blocking_outbound_anomaly_score=0,setvar:tx.detection_outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.anomaly_score=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "901400",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "eq",
"operator_param": "100",
"target": "TX:sampling_percentage",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-901-INITIALIZATION.conf",
"line_num": 402
},
"unparsed": "SecRule \"TX:sampling_percentage\" \"@eq 100\" \"phase:1,tag:modsecurity,id:901400,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-SAMPLING\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "911013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
"line_num": 49
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:911013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "913013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf",
"line_num": 59
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:913013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-913-SCANNER-DETECTION\"",
"is_matched": true
}
]
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920180",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 4,
"phase": 1,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272"
]
},
"operator": {
"operator": "within",
"operator_param": "HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0",
"target": "REQUEST_PROTOCOL",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 252
},
"unparsed": "SecRule \"REQUEST_PROTOCOL\" \"!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0\" \"phase:1,log,tag:modsecurity,id:920180,block,t:none,msg:'POST without Content-Length or Transfer-Encoding headers',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/210/272,ver:OWASP_CRS/4.3.0-dev,severity:WARNING,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "streq",
"operator_param": "POST",
"target": "REQUEST_METHOD",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 254
},
"unparsed": "SecRule \"REQUEST_METHOD\" \"@streq POST\" \"chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&REQUEST_HEADERS:Content-Length",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 256
},
"unparsed": "SecRule \"&REQUEST_HEADERS:Content-Length\" \"@eq 0\" \"chain\"",
"is_matched": false
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&REQUEST_HEADERS:Transfer-Encoding",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 258
},
"unparsed": "SecRule \"&REQUEST_HEADERS:Transfer-Encoding\" \"@eq 0\" \"setvar:tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920221",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 1,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/255/153/267/72"
]
},
"operator": {
"operator": "rx",
"operator_param": "^.*%.*\\.[^\\s\\x0b\\.]+$",
"target": "REQUEST_BASENAME",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 427
},
"unparsed": "SecRule \"REQUEST_BASENAME\" \"!@rx ^.*%.*\\\\.[^\\\\s\\\\x0b\\\\.]+$\" \"phase:1,log,tag:modsecurity,id:920221,block,capture,t:none,t:urlDecodeUni,msg:'URL Encoding Abuse Attack Attempt',logdata:%{REQUEST_BASENAME},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/255/153/267/72,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "validateUrlEncoding",
"operator_param": "",
"target": "TX:0",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 430
},
"unparsed": "SecRule \"TX:0\" \"@validateUrlEncoding \" \"t:none,t:urlDecodeUni,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920340",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 5,
"phase": 1,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272"
]
},
"operator": {
"operator": "rx",
"operator_param": "^0$",
"target": "REQUEST_HEADERS:Content-Length",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 744
},
"unparsed": "SecRule \"REQUEST_HEADERS:Content-Length\" \"!@rx ^0$\" \"phase:1,log,tag:modsecurity,id:920340,pass,t:none,msg:'Request Containing Content, but Missing Content-Type header',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/210/272,ver:OWASP_CRS/4.3.0-dev,severity:NOTICE,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "eq",
"operator_param": "0",
"target": "&REQUEST_HEADERS:Content-Type",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 747
},
"unparsed": "SecRule \"&REQUEST_HEADERS:Content-Type\" \"@eq 0\" \"t:none,setvar:tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920420",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 1,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/255/153",
"PCI/12.1"
]
},
"operator": {
"operator": "rx",
"operator_param": "^[^;\\s]+",
"target": "REQUEST_HEADERS:Content-Type",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1012
},
"unparsed": "SecRule \"REQUEST_HEADERS:Content-Type\" \"@rx ^[^;\\\\s]+\" \"phase:1,log,tag:modsecurity,id:920420,block,capture,t:none,msg:'Request content type is not allowed by policy',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/255/153,tag:PCI/12.1,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,setvar:tx.content_type=|%{tx.0}|,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "within",
"operator_param": "%{tx.allowed_request_content_type}",
"target": "TX:content_type",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1015
},
"unparsed": "SecRule \"TX:content_type\" \"!@within %{tx.allowed_request_content_type}\" \"t:lowercase,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920450",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 1,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272",
"PCI/12.1"
]
},
"operator": {
"operator": "rx",
"operator_param": "^.*$",
"target": "REQUEST_HEADERS_NAMES",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1193
},
"unparsed": "SecRule \"REQUEST_HEADERS_NAMES\" \"@rx ^.*$\" \"phase:1,log,tag:modsecurity,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/210/272,tag:PCI/12.1,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,setvar:tx.header_name_920450_%{tx.0}=/%{tx.0}/,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 1,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "within",
"operator_param": "%{tx.restricted_headers_basic}",
"target": "TX:/^header_name_920450_/",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1195
},
"unparsed": "SecRule \"TX:/^header_name_920450_/\" \"@within %{tx.restricted_headers_basic}\" \"setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "920013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1340
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:920013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "921013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
"line_num": 308
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:921013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "930013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
"line_num": 147
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:930013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "931013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf",
"line_num": 99
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:931013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "932013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"line_num": 837
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:932013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "933013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf",
"line_num": 508
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:933013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "934013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf",
"line_num": 236
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:934013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "941010",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "validateByteRange",
"operator_param": "20, 45-47, 48-57, 65-90, 95, 97-122",
"target": "REQUEST_FILENAME",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"line_num": 65
},
"unparsed": "SecRule \"REQUEST_FILENAME\" \"!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122\" \"phase:1,tag:modsecurity,id:941010,pass,t:none,nolog,tag:OWASP_CRS,ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,ver:OWASP_CRS/4.3.0-dev\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "941013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"line_num": 765
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:941013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "942013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
"line_num": 627
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:942013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "943013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf",
"line_num": 105
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:943013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "944013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf",
"line_num": 231
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:944013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949052",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "1",
"target": "TX:BLOCKING_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 28
},
"unparsed": "SecRule \"TX:BLOCKING_PARANOIA_LEVEL\" \"@ge 1\" \"phase:1,tag:modsecurity,id:949052,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949152",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "1",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 38
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@ge 1\" \"phase:1,tag:modsecurity,id:949152,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 243
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:949013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "980013",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 1,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf",
"line_num": 111
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:1,tag:modsecurity,id:980013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-RESPONSE-980-CORRELATION\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "911014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
"line_num": 50
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:911014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "913014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf",
"line_num": 60
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:913014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-913-SCANNER-DETECTION\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "920120",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272"
]
},
"operator": {
"operator": "rx",
"operator_param": "(?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$",
"target": "FILES|FILES_NAMES",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 124
},
"unparsed": "SecRule \"FILES|FILES_NAMES\" \"!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\\\"';=])*$\" \"phase:2,log,tag:modsecurity,id:920120,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/210/272,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": true
}
]
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "920540",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 2,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/255/153/267/72"
]
},
"operator": {
"operator": "streq",
"operator_param": "JSON",
"target": "REQBODY_PROCESSOR",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1281
},
"unparsed": "SecRule \"REQBODY_PROCESSOR\" \"!@streq JSON\" \"phase:2,log,tag:modsecurity,id:920540,block,t:none,msg:'Possible Unicode character bypass detected',logdata:%{MATCHED_VAR_NAME}=%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/255/153/267/72,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 2,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "rx",
"operator_param": "(?i)\\x5cu[0-9a-f]{4}",
"target": "REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1283
},
"unparsed": "SecRule \"REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES\" \"@rx (?i)\\\\x5cu[0-9a-f]{4}\" \"setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "920014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"line_num": 1341
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:920014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "921014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
"line_num": 309
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:921014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK\"",
"is_matched": true
}
]
},
{
"chain": true,
"rules": [
{
"actionset": {
"id": "922110",
"version": "OWASP_CRS/4.3.0-dev",
"severity": 2,
"phase": 2,
"is_chained": true,
"chain_starter": true,
"tags": [
"modsecurity",
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/272/220"
]
},
"operator": {
"operator": "rx",
"operator_param": "^content-type\\s*:\\s*(.*)$",
"target": "MULTIPART_PART_HEADERS",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf",
"line_num": 74
},
"unparsed": "SecRule \"MULTIPART_PART_HEADERS\" \"@rx ^content-type\\\\s*:\\\\s*(.*)$\" \"phase:2,log,tag:modsecurity,id:922110,block,capture,t:none,t:lowercase,msg:'Illegal MIME Multipart Header content-type: charset parameter',logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/272/220,ver:OWASP_CRS/4.3.0-dev,severity:CRITICAL,chain\"",
"is_matched": true
},
{
"actionset": {
"phase": 2,
"is_chained": true,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "rx",
"operator_param": "^(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*(?:[\\s\\x0b]*,[\\s\\x0b]*(?:(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)/(?:\\*|[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]+)|\\*)(?:[\\s\\x0b]*;[\\s\\x0b]*(?:charset[\\s\\x0b]*=[\\s\\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\\b\"?|(?:[^\\s\\x0b-\"\\(\\),/:-\\?\\[-\\]c\\{\\}]|c(?:[^!\"\\(\\),/:-\\?\\[-\\]h\\{\\}]|h(?:[^!\"\\(\\),/:-\\?\\[-\\]a\\{\\}]|a(?:[^!\"\\(\\),/:-\\?\\[-\\]r\\{\\}]|r(?:[^!\"\\(\\),/:-\\?\\[-\\]s\\{\\}]|s(?:[^!\"\\(\\),/:-\\?\\[-\\]e\\{\\}]|e[^!\"\\(\\),/:-\\?\\[-\\]t\\{\\}]))))))[^!\"\\(\\),/:-\\?\\[-\\]\\{\\}]*[\\s\\x0b]*=[\\s\\x0b]*[^!\\(\\),/:-\\?\\[-\\]\\{\\}]+);?)*)*$",
"target": "TX:1",
"negated": true
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf",
"line_num": 76
},
"unparsed": "SecRule \"TX:1\" \"!@rx ^(?:(?:\\\\*|[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+)/(?:\\\\*|[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+)|\\\\*)(?:[\\\\s\\\\x0b]*;[\\\\s\\\\x0b]*(?:charset[\\\\s\\\\x0b]*=[\\\\s\\\\x0b]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\\\b\\\"?|(?:[^\\\\s\\\\x0b-\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]c\\\\{\\\\}]|c(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]h\\\\{\\\\}]|h(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]a\\\\{\\\\}]|a(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]r\\\\{\\\\}]|r(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]s\\\\{\\\\}]|s(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]e\\\\{\\\\}]|e[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]t\\\\{\\\\}]))))))[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]*[\\\\s\\\\x0b]*=[\\\\s\\\\x0b]*[^!\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+);?)*(?:[\\\\s\\\\x0b]*,[\\\\s\\\\x0b]*(?:(?:\\\\*|[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+)/(?:\\\\*|[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+)|\\\\*)(?:[\\\\s\\\\x0b]*;[\\\\s\\\\x0b]*(?:charset[\\\\s\\\\x0b]*=[\\\\s\\\\x0b]*\\\"?(?:iso-8859-15?|utf-8|windows-1252)\\\\b\\\"?|(?:[^\\\\s\\\\x0b-\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]c\\\\{\\\\}]|c(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]h\\\\{\\\\}]|h(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]a\\\\{\\\\}]|a(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]r\\\\{\\\\}]|r(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]s\\\\{\\\\}]|s(?:[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]e\\\\{\\\\}]|e[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]t\\\\{\\\\}]))))))[^!\\\"\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]*[\\\\s\\\\x0b]*=[\\\\s\\\\x0b]*[^!\\\\(\\\\),/:-\\\\?\\\\[-\\\\]\\\\{\\\\}]+);?)*)*$\" \"setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
"is_matched": false
}
],
"full_chain_match": false
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "930014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
"line_num": 148
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:930014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "931014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf",
"line_num": 100
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:931014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "932014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"line_num": 838
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:932014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "933014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf",
"line_num": 509
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:933014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "934014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf",
"line_num": 237
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:934014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "941014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"line_num": 766
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:941014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "942014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
"line_num": 628
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:942014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "943014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf",
"line_num": 106
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:943014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "944014",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "lt",
"operator_param": "2",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf",
"line_num": 232
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@lt 2\" \"phase:2,tag:modsecurity,id:944014,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949059",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 110
},
"unparsed": "SecAction \"phase:2,tag:modsecurity,id:949059,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.blocking_inbound_anomaly_score=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949159",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 120
},
"unparsed": "SecAction \"phase:2,tag:modsecurity,id:949159,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.detection_inbound_anomaly_score=0\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949060",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "1",
"target": "TX:BLOCKING_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 132
},
"unparsed": "SecRule \"TX:BLOCKING_PARANOIA_LEVEL\" \"@ge 1\" \"phase:2,tag:modsecurity,id:949060,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949160",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "1",
"target": "TX:DETECTION_PARANOIA_LEVEL",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 142
},
"unparsed": "SecRule \"TX:DETECTION_PARANOIA_LEVEL\" \"@ge 1\" \"phase:2,tag:modsecurity,id:949160,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "949110",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 2,
"is_chained": false,
"tags": [
"modsecurity",
"anomaly-evaluation",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "%{tx.inbound_anomaly_score_threshold}",
"target": "TX:BLOCKING_INBOUND_ANOMALY_SCORE",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"line_num": 233
},
"unparsed": "SecRule \"TX:BLOCKING_INBOUND_ANOMALY_SCORE\" \"@ge %{tx.inbound_anomaly_score_threshold}\" \"phase:2,log,tag:modsecurity,id:949110,deny,t:none,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',tag:anomaly-evaluation,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "100000",
"phase": 5,
"is_chained": false,
"tags": [
"modsecurity"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/crs-demo-setvar.conf",
"line_num": 11
},
"unparsed": "SecAction \"phase:5,tag:modsecurity,id:100000,pass,nolog,auditlog\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "980099",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 5,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf",
"line_num": 37
},
"unparsed": "SecAction \"phase:5,tag:modsecurity,id:980099,pass,t:none,nolog,noauditlog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,setvar:tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score},setvar:tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score},setvar:tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score},setvar:tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score},setvar:tx.anomaly_score=%{tx.blocking_inbound_anomaly_score},setvar:tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "980044",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 5,
"is_chained": false,
"tags": [
"modsecurity",
"OWASP_CRS"
]
},
"operator": {
"operator": "ge",
"operator_param": "%{tx.inbound_anomaly_score_threshold}",
"target": "TX:BLOCKING_INBOUND_ANOMALY_SCORE",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf",
"line_num": 53
},
"unparsed": "SecRule \"TX:BLOCKING_INBOUND_ANOMALY_SCORE\" \"@ge %{tx.inbound_anomaly_score_threshold}\" \"phase:5,tag:modsecurity,id:980044,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev,skipAfter:LOG-REPORTING\"",
"is_matched": true
}
]
},
{
"chain": false,
"rules": [
{
"actionset": {
"id": "980170",
"version": "OWASP_CRS/4.3.0-dev",
"phase": 5,
"is_chained": false,
"tags": [
"modsecurity",
"reporting",
"OWASP_CRS"
]
},
"operator": {
"operator": "unconditionalMatch",
"operator_param": "",
"target": "REMOTE_ADDR",
"negated": false
},
"config": {
"filename": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf",
"line_num": 98
},
"unparsed": "SecAction \"phase:5,log,tag:modsecurity,id:980170,pass,t:none,noauditlog,msg:'Anomaly Scores: (Inbound Scores: blocking=%{tx.blocking_inbound_anomaly_score}, detection=%{tx.detection_inbound_anomaly_score}, per_pl=%{tx.inbound_anomaly_score_pl1}-%{tx.inbound_anomaly_score_pl2}-%{tx.inbound_anomaly_score_pl3}-%{tx.inbound_anomaly_score_pl4}, threshold=%{tx.inbound_anomaly_score_threshold}) - (Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',tag:reporting,tag:OWASP_CRS,ver:OWASP_CRS/4.3.0-dev\"",
"is_matched": true
}
]
}
]
}
Replies: 1 comment 2 replies
-
Hi, at first sight, you are looking for an exclusion rule that disables the rule based on some conditions (see https://coreruleset.org/docs/concepts/false_positives_tuning/). You might exclude the rule to the specific `FILES:file` variable that is triggering it. That being said, 920120 is already very specific about FILES and FILES_NAMES, so you are kind of disabling it completely.

By the way, this question looks specific to fine-tuning the CRS rather than related to an Engine (Coraza) problem, and the logs look to be from a Modsec instance 🤔. I think you can get more help on OWASP Slack under the `#coreruleset` channel or directly in https://github.com/coreruleset/coreruleset. It might also help t…
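For triaging a dump like the audit log in the question, the sketch below (an added example, not part of the original posts and not CRS or ModSecurity code) reduces the per-rule entries (`chain`, `rules`, `is_matched`, `full_chain_match`) to the ones that actually raised the anomaly score, which is the rule ID and target an exclusion has to address. The sample entries are abridged from the log above and the function names are hypothetical.

```python
import copy
import json
import re

# Constructed sample: four entries abridged from the audit log in the question
# (long regexes shortened to "...", most tags and actions dropped).
SAMPLE_MATCHED_RULES = json.loads(r'''
[
 {"chain": false, "rules": [{
   "actionset": {"id": "920120", "phase": 2, "is_chained": false},
   "operator": {"operator": "rx", "target": "FILES|FILES_NAMES", "negated": true},
   "unparsed": "SecRule \"FILES|FILES_NAMES\" \"!@rx ...\" \"phase:2,log,id:920120,block,msg:'Attempted multipart/form-data bypass',severity:CRITICAL,setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
   "is_matched": true}]},
 {"chain": true, "full_chain_match": false, "rules": [{
   "actionset": {"id": "920540", "phase": 2, "is_chained": true, "chain_starter": true},
   "operator": {"operator": "streq", "target": "REQBODY_PROCESSOR", "negated": true},
   "unparsed": "SecRule \"REQBODY_PROCESSOR\" \"!@streq JSON\" \"phase:2,log,id:920540,block,msg:'Possible Unicode character bypass detected',severity:CRITICAL,chain\"",
   "is_matched": true}, {
   "actionset": {"phase": 2, "is_chained": true},
   "operator": {"operator": "rx", "target": "REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES", "negated": false},
   "unparsed": "SecRule \"REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES\" \"@rx ...\" \"setvar:tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}\"",
   "is_matched": false}]},
 {"chain": false, "rules": [{
   "actionset": {"id": "949060", "phase": 2, "is_chained": false},
   "operator": {"operator": "ge", "target": "TX:BLOCKING_PARANOIA_LEVEL", "negated": false},
   "unparsed": "SecRule \"TX:BLOCKING_PARANOIA_LEVEL\" \"@ge 1\" \"phase:2,id:949060,pass,t:none,nolog,setvar:tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}\"",
   "is_matched": true}]},
 {"chain": false, "rules": [{
   "actionset": {"id": "949110", "phase": 2, "is_chained": false},
   "operator": {"operator": "ge", "target": "TX:BLOCKING_INBOUND_ANOMALY_SCORE", "negated": false},
   "unparsed": "SecRule \"TX:BLOCKING_INBOUND_ANOMALY_SCORE\" \"@ge %{tx.inbound_anomaly_score_threshold}\" \"phase:2,log,id:949110,deny,t:none,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})'\"",
   "is_matched": true}]}
]
''')

# A detection adds to a per-paranoia-level score; the 949xxx rules only copy
# that score into tx.blocking_inbound_anomaly_score and must not be counted.
SCORE_INCREMENT = re.compile(r"setvar:'?tx\.(?:in|out)bound_anomaly_score_pl\d=\+")
DISRUPTIVE = re.compile(r'[",](deny|drop)[",]')
MSG = re.compile(r"msg:'([^']*)'")


def fully_matched(entry):
    """A chain fires only when every link matched; a matched starter alone does nothing."""
    rules_ok = all(r.get("is_matched") for r in entry["rules"])
    if entry.get("chain"):
        return bool(entry.get("full_chain_match", rules_ok))
    return rules_ok


def _describe(entry):
    # The id, msg and first target live on the first rule of the entry.
    starter = entry["rules"][0]
    msg = MSG.search(starter.get("unparsed", ""))
    return (starter["actionset"].get("id"),
            msg.group(1) if msg else "",
            starter.get("operator", {}).get("target", ""))


def scoring_rules(matched_rules):
    """(id, msg, target) for entries that fully matched and raised an anomaly score."""
    return [_describe(e) for e in matched_rules
            if fully_matched(e)
            and any(SCORE_INCREMENT.search(r.get("unparsed", "")) for r in e["rules"])]


def blocking_rules(matched_rules):
    """Ids of entries that fully matched and carry an explicit deny or drop."""
    return [_describe(e)[0] for e in matched_rules
            if fully_matched(e)
            and any(DISRUPTIVE.search(r.get("unparsed", "")) for r in e["rules"])]


if __name__ == "__main__":
    for rule_id, msg, target in scoring_rules(SAMPLE_MATCHED_RULES):
        print(f"scored: {rule_id} [{target}] {msg}")
    print("blocked by:", blocking_rules(SAMPLE_MATCHED_RULES))
```

Chain starters such as 920540 and 922110 show `is_matched: true` in the log but did not score, because their second link did not match.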