What's In The Rules

Rule File Description
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection.
Example: SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "phase:1,id:‘981033’,t:none,nolog,pass,ctl:ruleEngine=Off"
REQUEST-901-INITIALIZATION.conf TODO
REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf TODO
REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf TODO
REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf TODO
REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf TODO
REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf TODO
REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf TODO
REQUEST-910-IP-REPUTATION.conf These rules deal with detecting traffic from IPs that have previously been involved with malicious activity, either on our local site or globally.
REQUEST-912-DOS-PROTECTION.conf The rules in this file will attempt to detect some level 7 DoS (Denial of Service) attacks against your server.
REQUEST-913-SCANNER-DETECTION.conf These rules are concentrated around detecting security tools and scanners.
REQUEST-920-PROTOCOL-ENFORCEMENT.conf The rules in this file center around detecting requests that either violate HTTP or represent a request that no modern browser would generate, for instance missing a user-agent.
REQUEST-921-PROTOCOL-ATTACK.conf The rules in this file focus on specific attacks against the HTTP protocol itself such as HTTP Request Smuggling and Response Splitting.
REQUEST-930-APPLICATION-ATTACK-LFI.conf These rules attempt to detect when a user is trying to include a file that would be local to the webserver that they should not have access to. Exploiting this type of attack can lead to the web application or server being compromised.
REQUEST-931-APPLICATION-ATTACK-RFI.conf These rules attempt to detect when a user is trying to include a remote resource into the web application that will be executed. Exploiting this type of attack can lead to the web application or server being compromised.
REQUEST-932-APPLICATION-ATTACK-RCE.conf TODO
REQUEST-933-APPLICATION-ATTACK-PHP.conf TODO
REQUEST-934-APPLICATION-ATTACK-GENERIC.conf TODO
REQUEST-941-APPLICATION-ATTACK-XSS.conf TODO
REQUEST-942-APPLICATION-ATTACK-SQLI.conf Within this configuration file we provide rules that protect against SQL injection attacks. SQLi attackers occur when an attacker passes crafted control characters to parameters to an area of the application that is expecting only data. The application will then pass the control characters to the database. This will end up changing the meaning of the expected SQL query.
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf These rules focus around providing protection against Session Fixation attacks.
REQUEST-944-APPLICATION-ATTACK-JAVA.conf TODO
REQUEST-949-BLOCKING-EVALUATION.conf These rules provide the anomaly based blocking for a given request. If you are in anomaly detection mode this file must not be deleted.
RESPONSE-950-DATA-LEAKAGES.conf These rules provide protection against data leakages that may occur genericly
RESPONSE-951-DATA-LEAKAGES-SQL.conf These rules provide protection against data leakages that may occur from backend SQL servers. Often these are indicative of SQL injection issues being present.
RESPONSE-952-DATA-LEAKAGES-JAVA.conf These rules provide protection against data leakages that may occur because of Java
RESPONSE-953-DATA-LEAKAGES-PHP.conf These rules provide protection against data leakages that may occur because of PHP
RESPONSE-954-DATA-LEAKAGES-IIS.conf These rules provide protection against data leakages that may occur because of Microsoft IIS.
RESPONSE-959-BLOCKING-EVALUATION.conf These rules provide the anomaly based blocking for a given response. If you are in anomaly detection mode this file must not be deleted.
RESPONSE-980-CORRELATION.conf TODO
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example This file is used to add LOCAL exceptions for your site. Often in this file we would see rules that short-circuit inspection and allow certain transactions to skip through inspection.