Rules
The content on this page may be outdated. We are currently in the process of rewriting all of our documentation: please bear with us while we update our older content.
What’s In The Rules
| REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
| Configuration Path:
rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
| This file is used to add LOCAL exceptions for your site. Often in this
file we would see rules that short-circuit inspection and allow
certain transactions to skip through inspection.
Example: SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "phase:1,id:'981033',t:none,nolog,pass,ctl:ruleEngine=Off"
|
| REQUEST-901-INITIALIZATION.conf | TODO |
| REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf | TODO |
REQUEST-901-INITIALIZATION.conf TODO
REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf TODO
| REQUEST-905-COMMON-EXCEPTIONS
| Configuration Path:
rules/REQUEST-905-COMMON-EXCEPTIONS.conf
|
| Some rules are quite prone to causing false positives in well
established software, such as Apache callbacks or Google Analytics
tracking cookie. This file offers rules that will allow the
transactions to avoid triggering these false positives.
| REQUEST-910-IP-REPUTATION
| Configuration Path:
rules/REQUEST-910-IP-REPUTATION.conf
|
| These rules deal with detecting traffic from IPs that have previously
been involved with malicious activity, either on our local site or
globally.
REQUEST-911-METHOD-ENFORCEMENT TODO
| REQUEST-912-DOS-PROTECTION
| Configuration Path:
rules/REQUEST-912-DOS-PROTECTION.conf
|
| The rules in this file will attempt to detect some level 7 DoS (Denial
of Service) attacks against your server.
| REQUEST-913-SCANNER-DETECTION
| Configuration Path:
rules/REQUEST-913-SCANNER-DETECTION.conf
|
| These rules are concentrated around detecting security tools and
scanners.
| REQUEST-920-PROTOCOL-ENFORCEMENT
| Configuration Path:
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
|
| The rules in this file center around detecting requests that either
violate HTTP or represent a request that no modern browser would
generate, for instance missing a user-agent.
| REQUEST-921-PROTOCOL-ATTACK
|
| Configuration Path: rules/REQUEST-21-PROTOCOL-ATTACK.conf
| The rules in this file focus on specific attacks against the HTTP
protocol itself such as HTTP Request Smuggling and Response Splitting.
| REQUEST-930-APPLICATION-ATTACK-LFI
|
| Configuration Path: rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
| These rules attempt to detect when a user is trying to include a file that would be local to the webserver that they should not have access to. Exploiting this type of attack can lead to the web application or server being compromised.
| REQUEST-931-APPLICATION-ATTACK-RFI
| Configuration Path: rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf
|
| These rules attempt to detect when a user is trying to include a
remote resource into the web application that will be executed.
Exploiting this type of attack can lead to the web application or
server being compromised.
REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
TODO
REQUEST-941-APPLICATION-ATTACK-XSS.conf TODO
| REQUEST-942-APPLICATION-ATTACK-SQLI
| Configuration Path: rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
|
| Within this configuration file we provide rules that protect against
SQL injection attacks. SQLi attackers occur when an attacker passes
crafted control characters to parameters to an area of the application
that is expecting only data. The application will then pass the
control characters to the database. This will end up changing the
meaning of the expected SQL query.
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
| Configuration Path: rules/REQUEST-43-APPLICATION-ATTACK-SESSION-FIXATION.conf
|
| These rules focus around providing protection against Session Fixation
attacks.
REQUEST-944-APPLICATION-ATTACK-JAVA TODO
| REQUEST-949-BLOCKING-EVALUATION
| Configuration Path: rules/REQUEST-49-BLOCKING-EVALUATION.conf
|
| These rules provide the anomaly based blocking for a given request. If
you are in anomaly detection mode this file must not be deleted.
| RESPONSE-954-DATA-LEAKAGES-IIS
| Configuration Path:
rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
|
| These rules provide protection against data leakages that may occur
because of Microsoft IIS
| RESPONSE-952-DATA-LEAKAGES-JAVA
| Configuration Path: rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
|
| These rules provide protection against data leakages that may occur
because of Java
| RESPONSE-953-DATA-LEAKAGES-PHP
| Configuration Path:
rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
|
| These rules provide protection against data leakages that may occur
because of PHP
| RESPONSE-950-DATA-LEAKAGES
| Configuration Path:
rules/RESPONSE-950-DATA-LEAKAGES.conf
|
| These rules provide protection against data leakages that may occur
genericly
| RESPONSE-951-DATA-LEAKAGES-SQL
| Configuration Path:
rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
|
| These rules provide protection against data leakages that may occur
from backend SQL servers. Often these are indicative of SQL injection
issues being present.
| RESPONSE-959-BLOCKING-EVALUATION
| Configuration Path: rules/RESPONSE-959-BLOCKING-EVALUATION.conf
|
| These rules provide the anomaly based blocking for a given response.
If you are in anomaly detection mode this file must not be deleted.
| RESPONSE-980-CORRELATION
| Configuration Path: rules/RESPONSE-980-CORRELATION.conf
|
| The rules in this configuration file facilitate the gathering of data
about successful and unsuccessful attacks on the server.
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
Configuration Path: rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection.