| REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example |
This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection. |
| REQUEST-901-INITIALIZATION.conf |
This file initializes the Core Rules and performs preparatory actions. It also fixes errors and omissions of variable definitions in the crs-setup.conf file. The crs-setup.conf can and should be edited by the user, but this file is part of the CRS installation and should not be altered. |
| REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default Drupal installation. They disable CRS checks on well-known parameter fields that often trigger false alarms, including session cookies, password fields, and article/node bodies. The exclusions are only active if crs_exclusions_drupal=1 is set in crs-setup.conf. |
| REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default WordPress installation. They provide exceptions for WordPress login forms, admin panels, and other WordPress-specific functionality. The exclusions are only active if crs_exclusions_wordpress=1 is set in crs-setup.conf. Note that WordPress comment fields are NOT excluded from checking due to security concerns. |
| REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default NextCloud installation. They likely work with OwnCloud as well. The rules provide exceptions for file uploads, WebDAV operations, and other NextCloud-specific functionality. The exclusions are only active if crs_exclusions_nextcloud=1 is set in crs-setup.conf. |
| REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default DokuWiki installation. They provide exceptions for wiki page editing, autosave functionality, and file uploads. The exclusions are only active if crs_exclusions_dokuwiki=1 is set in crs-setup.conf. |
| REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default cPanel environment. They provide exceptions for cPanel WHM server status requests and other cPanel-specific functionality. The exclusions are only active if crs_exclusions_cpanel=1 is set in crs-setup.conf. |
| REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf |
These exclusion rules remedy false positives in a default XenForo forum installation. They provide exceptions for forum posts, image proxies, and other XenForo-specific functionality. The exclusions are only active if crs_exclusions_xenforo=1 is set in crs-setup.conf. |
| REQUEST-910-IP-REPUTATION.conf |
These rules detect and block traffic from IP addresses that have previously been involved with malicious activity based on traffic violations detected in previous requests. When a client IP is flagged, subsequent requests from that IP are blocked during a timeout period. |
| REQUEST-912-DOS-PROTECTION.conf |
These anti-automation rules detect application layer (Layer 7) Denial of Service attacks. The rules track request rates per IP address and identify burst patterns. When an IP exceeds the configured thresholds, it is temporarily blocked. The DoS counter tracks requests to non-static resources and raises blocking flags when limits are exceeded. |
| REQUEST-913-SCANNER-DETECTION.conf |
These rules are concentrated around detecting security tools and scanners. |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf |
The rules in this file center around detecting requests that either violate HTTP or represent a request that no modern browser would generate, for instance missing a user-agent. |
| REQUEST-921-PROTOCOL-ATTACK.conf |
The rules in this file focus on specific attacks against the HTTP protocol itself such as HTTP Request Smuggling and Response Splitting. |
| REQUEST-930-APPLICATION-ATTACK-LFI.conf |
These rules attempt to detect when a user is trying to include a file that would be local to the webserver that they should not have access to. Exploiting this type of attack can lead to the web application or server being compromised. |
| REQUEST-931-APPLICATION-ATTACK-RFI.conf |
These rules attempt to detect when a user is trying to include a remote resource into the web application that will be executed. Exploiting this type of attack can lead to the web application or server being compromised. |
| REQUEST-932-APPLICATION-ATTACK-RCE.conf |
These rules detect Unix and Windows command injection attacks. Command injections occur when an application executes shell commands without proper input escaping or validation. Attackers can exploit this by inserting command separators and additional commands into user input. This file also protects against Oracle WebLogic Remote Command Execution exploits. |
| REQUEST-933-APPLICATION-ATTACK-PHP.conf |
These rules provide protection against PHP injection attacks. The rules detect PHP open tags (such as “<?php” and “<?”), PHP functions commonly used in exploits, and various PHP-based attack patterns that could lead to remote code execution or application compromise. |
| REQUEST-934-APPLICATION-ATTACK-GENERIC.conf |
These rules detect generic application attacks including NodeJS insecure deserialization vulnerabilities and generic Remote Code Execution (RCE) signatures. This includes patterns like eval(), function constructors, String.fromCharCode(), and insecure deserialization markers used by node-serialize and funcster libraries. |
| REQUEST-941-APPLICATION-ATTACK-XSS.conf |
These rules provide protection against Cross-Site Scripting (XSS) attacks by detecting malicious scripts, HTML tags, and JavaScript code in user input. The rules also detect path-based XSS exploits and include performance optimizations to minimize false positives while maintaining strong protection. |
| REQUEST-942-APPLICATION-ATTACK-SQLI.conf |
Within this configuration file we provide rules that protect against SQL injection attacks. SQLi attackers occur when an attacker passes crafted control characters to parameters to an area of the application that is expecting only data. The application will then pass the control characters to the database. This will end up changing the meaning of the expected SQL query. |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf |
These rules focus around providing protection against Session Fixation attacks. |
| REQUEST-944-APPLICATION-ATTACK-JAVA.conf |
These rules detect Java-based attacks including Remote Command Execution exploits targeting Java classes. The rules provide protection against Apache Struts vulnerabilities (CVE-2017-5638, CVE-2017-9791, CVE-2017-9805) and Oracle WebLogic Remote Command Execution exploits (CVE-2017-10271). |
| REQUEST-949-BLOCKING-EVALUATION.conf |
These rules provide the anomaly based blocking for a given request. If you are in anomaly detection mode this file must not be deleted. |
| RESPONSE-950-DATA-LEAKAGES.conf |
These rules provide protection against data leakages that may occur genericly |
| RESPONSE-951-DATA-LEAKAGES-SQL.conf |
These rules provide protection against data leakages that may occur from backend SQL servers. Often these are indicative of SQL injection issues being present. |
| RESPONSE-952-DATA-LEAKAGES-JAVA.conf |
These rules provide protection against data leakages that may occur because of Java |
| RESPONSE-953-DATA-LEAKAGES-PHP.conf |
These rules provide protection against data leakages that may occur because of PHP |
| RESPONSE-954-DATA-LEAKAGES-IIS.conf |
These rules provide protection against data leakages that may occur because of Microsoft IIS. |
| RESPONSE-959-BLOCKING-EVALUATION.conf |
These rules provide the anomaly based blocking for a given response. If you are in anomaly detection mode this file must not be deleted. |
| RESPONSE-980-CORRELATION.conf |
The rules in this configuration file facilitate the gathering of data about successful and unsuccessful attacks on the server. |
| RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example |
This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection. |