cve.conf

SecRule REQUEST_HEADERS:User-Agent "@contains ${jndi:ldap:/" \
    "id:1000001,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible log4j2 RCE attack'"

SecRule REQUEST_URI "@rx ^/shiro/.*$" \
    "id:1000002,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible shiro bypass attack'"

SecRule REQUEST_COOKIES:JSESSIONID "@contains .." \
    "id:1000003,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible tomcat RCE attack'"

SecRule REQUEST_HEADERS:Referer "@contains /shiro/" \
    "id:1000004,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible shiro bypass attack'"


SecRule REQUEST_URI "@rx \.com$" \
    "id:1000005,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible spring bypass attack'"


SecRule REQUEST_HEADERS:User-Agent "@contains ${" \
    "id:1000006,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible log4j2 DoS attack'"

SecRule REQUEST_HEADERS:User-Agent "@contains ldap://" \
    "id:1000007,\
    phase:request,\
    deny,\
    status:403,\
    log,\
    msg:'Possible log4j2 RCE attack'"

SecRule REQUEST_HEADERS:User-Agent "@rx ^ApacheBench" \
"phase:1,t:none,log,auditlog,block,id:1000008,msg:'Possible DoS attack using ApacheBench'"

SecRule ARGS:login "@rx [;&|<>`$]" \
"phase:2,t:none,log,auditlog,block,id:1000011,msg:'Possible RCE attack using login parameter with shell metacharacters'"

SecRule ARGS:token "@rx [{}$]" \
"phase:2,t:none,log,auditlog,block,id:1000012,msg:'Yapi Possible MongoDB injection using token parameter with special characters'"

SecRule REQUEST_HEADERS:Authorization "@rx eyJhbGciOiJIUzI1NiJ9" \
"phase:1,t:none,log,auditlog,block,id:1000013,msg:'Possible Nacos default token.secret.key bypass using Authorization header with default JWT Token'"

SecRule REQUEST_FILENAME "@streq /SetupAccount/Upload.aspx" \
"chain,phase:2,t:none,log,auditlog,block,id:1000014,msg:'CNVD-2022-60632'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule REQUEST_HEADERS:Content-Type "@rx multipart/form-data" \
"chain"
SecRule FILES_TMPNAMES "@rx \.(asp|aspx|php|jsp|jspx|cer|exe|bat|cmd)$"

SecRule REQUEST_FILENAME "@rx ^/(repo-edit|repo-create|repo-delete|repo-diff|repo-revision|repo-history|repo-browse|repo-blame|repo-download)\-\d+\-\d+\.html$" \
"chain,phase:2,t:none,log,auditlog,block,id:1000015,msg:'CVE-2022-26134 Possible SQL injection or command execution using vulnerable modules'"
SecRule ARGS "@rx (select|union|concat|sleep|benchmark|outfile|dumpfile|\$\{|`)" \
"t:urlDecodeUni"

SecRule REQUEST_FILENAME "@rx ^/(pages|spaces|templates|favourite|labels|plugins|search|dashboard)\.action$" \
"chain,phase:2,t:none,log,auditlog,block,id:1000016,msg:'Possible OGNL injection using vulnerable modules'"
SecRule ARGS "@rx (\$\{|\$\{|#|\$\w+\.\w+)" \
"t:urlDecodeUni"


SecRule REQUEST_FILENAME "@streq /mgmt/tm/util/bash" \
"chain,phase:1,t:none,log,auditlog,block,id:1000018,msg:'Possible unauthenticated request using iControl REST'"
SecRule REQUEST_HEADERS:Authorization "@streq Basic YWRtaW46QVNhc1M=" \
"t:urlDecodeUni"

SecRule REQUEST_FILENAME "@streq /functionRouter" \
"chain,phase:2,t:none,log,auditlog,block,id:1000021,msg:'Possible SpEL injection using functionRouter'"
SecRule REQUEST_HEADERS:spring.cloud.function.routing-expression "@rx (\$\{|\$\{|#|\$\w+\.\w+)" \
"t:urlDecodeUni"

SecRule REQUEST_FILENAME "@streq /actuator/gateway" \
"chain,phase:1,t:none,log,auditlog,block,id:1000022,msg:'Possible unauthenticated request using Gateway Actuator'"
SecRule REQUEST_HEADERS:Authorization "@streq Basic YWRtaW46QVNhc1M=" \
"t:urlDecodeUni"

SecRule REQUEST_FILENAME "@streq /plugin/add" \
"chain,phase:2,t:none,log,auditlog,block,id:1000024,msg:'Possible remote code execution using plugin add'"
SecRule REQUEST_HEADERS:Authorization "!@streq Basic YWRtaW46QVNhc1M=" \
"t:urlDecodeUni"

SecRule REQUEST_BODY "@rx \${jndi:.*}" \
"phase:2,t:none,log,auditlog,block,id:1000025,msg:'CVE-2021-44228/CVE-2021-45046 Possible JNDI injection using Log4j'"

SecRule REQUEST_URI "@rx ^/public/plugins/.*(\.\./)+" \
    "id:1000026,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-43798 Grafana directory traversal attempt'"
	
	
SecRule REQUEST_URI "@rx ^/ws/v1/cluster/apps/(new-application|[^/]+)$" \
    "id:1000027,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'Hadoop Yarn RPC unauthorized access attempt'"

SecRule REQUEST_URI "@rx ^/(snippets|projects/import)$" \
    "id:100028,\
    phase:2,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-22205 GitLab RCE attempt',\
    chain"
    SecRule REQUEST_BODY "@contains (metadata)" 	

SecRule REQUEST_URI "@rx ^/(icons|cgi-bin)/.*(\.\.%2e/|\.\.%%32%65/)+" \
    "id:100029,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-42013 Apache HTTP Server path traversal attempt'"
SecRule REQUEST_URI "@rx ^/(icons|cgi-bin)/.*(\.\.%2e/)+" \
    "id:100030,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-41773 Apache HTTP Server path traversal attempt'"

SecRule REQUEST_URI "@rx ^/analytics/ceip/sdk/\.\.;/\.\.;/\.\.;/analytics/ph/api/dataapp/agent" \
    "chain,id:100031,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-22005 VMware vCenter Server arbitrary file upload attempt'"
SecRule ARGS "@rx action=collect" \
    "t:none"

SecRule REQUEST_URI "@rx ^/pages/(doenterpagevariables|createpage-entervariables)\.action" \
    "chain,id:100032,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-26084 Confluence Server OGNL injection attempt'"
SecRule ARGS "@rx [#@[\{]" \
    "t:none"

SecRule ARGS_NAMES "@rx jato\.pageSession" \
    "chain,id:100033,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-35464 ForgeRock AM remote code execution attempt'"
SecRule ARGS_GET:jato.pageSession "@rx (ac ed|rO0)" \
    "t:none"

SecRule ARGS_NAMES "@rx ^\$(invoke|invokeAsync)$" \
    "chain,id:100034,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-30179 Apache Dubbo remote code execution attempt'"
SecRule ARGS_GET:$invoke "@rx (ac ed|rO0)" \
    "t:none"

SecRule REQUEST_URI "@rx /servlet/~ic/bsh\.servlet\.BshServlet" \
    "chain,id:100035,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CNVD-2021-30167 yong you NC BeanShell remote code execution attempt'"
SecRule ARGS "@rx exec" \
    "t:none"

SecRule REQUEST_URI "@rx /webtools/control/SOAPService" \
    "chain,id:100036,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-30128 Apache OFBiz remote code execution attempt'"
SecRule REQUEST_BODY "@rx (ac ed|rO0)" \
    "t:none"

SecRule REQUEST_URI "@rx /webtools/control/SOAPService" \
    "chain,id:100037,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'CVE-2021-27905 Apache Solr SSRF attempt'"
SecRule REQUEST_BODY "@rx file://" \
    "t:none"
SecRule REQUEST_URI "@rx /sysShell|/alarmConfig" \
    "chain,id:100038,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'ClusterEngineV4.0 sysShell remote code execution attempt'"
SecRule ARGS "@rx exec" \
    "t:none"

SecRule REQUEST_URI "@rx /login\.do" \
    "chain,id:100039,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:' V8  attempt'"
SecRule ARGS "@rx admin=admin&password=admin123" \
    "t:none"

SecRule REQUEST_URI "@rx /api/settings/values" \
    "chain,id:100040,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'SonarQube API attempt'"
SecRule REQUEST_METHOD "@streq GET" \
    "t:none"

SecRule REQUEST_URI "@rx /WebReport/ReportServer" \
    "chain,id:100041,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'finebi v8.0  attempt'"
SecRule ARGS:resourcepath "@rx (privilege|web)\.xml" \
    "t:none"

SecRule REQUEST_URI "@rx /tools/manage/upload.php" \
    "chain,id:100042,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:' V8/V9 attempt'"
SecRule ARGS:file "@rx \.(php|jsp|asp|aspx|cgi)" \
    "t:none"

SecRule REQUEST_URI "@rx /admin.do" \
    "chain,id:100043,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'OA attempt'"
SecRule ARGS:method "@rx (testDbConn|dataXml)" \
    "chain,t:none"
SecRule REQUEST_BODY "@rx (java\.lang\.Runtime|bsh\.Interpreter)" \
    "t:none"

SecRule REQUEST_URI "@rx (/sysShell|/login)" \
    "chain,id:100044,\
    phase:1,\
    log,\
    deny,\
    status:403,\
    msg:'ClusterEngineV4.0  attempt'"
SecRule ARGS "@rx (cmd|admin|password)" \
    "t:none"
	
	
SecRule REQUEST_METHOD "^POST$" "chain,msg:'OA V9',severity:ERROR,deny,status:403,id:1000045"
SecRule REQUEST_URI "/page/exportImport/uploadOperation.jsp" "chain"
SecRule REQUEST_FILENAME "@validateByteRange 1-255"

SecRule REQUEST_METHOD "^GET$" "chain,msg:'OA V8',severity:ERROR,deny,status:403,id:1000046"
SecRule REQUEST_URI "/js/hrm/getdata.jsp" "chain"
SecRule ARGS:cmd "@streq getSelectAllId" "chain"
SecRule ARGS:sql "@detectSQLi"


SecRule REQUEST_METHOD "^POST$" "chain,msg:' V9',severity:ERROR,deny,status:403,id:1000047"
SecRule REQUEST_URI "/WebReport/ReportServer" "chain"
SecRule ARGS:cmd "@streq design_save_svg" "chain"
SecRule ARGS:filePath "@contains chartmapsvg" "chain"
SecRule ARGS:filePath "@rx \.(jsp|php|asp|aspx)$"


SecRule REQUEST_METHOD "^POST$" "chain,msg:'A8',severity:ERROR,deny,status:403,id:1000048"
SecRule REQUEST_URI "/seeyon/(htmlofficeservlet|ajax.do|wpsAssistServlet)" "chain"
SecRule REQUEST_BODY "@rx \.(jsp|php|asp|aspx)$"

SecRule REQUEST_METHOD "^POST$" "chain,msg:'CVE-2021-21975、CVE-2021-21983',severity:ERROR,deny,status:403,id:1000049"
SecRule REQUEST_URI "/casa/nodes/thumbprints" "chain"
SecRule REQUEST_BODY "@rx \.(jsp|php|asp|aspx)$"

SecRule REQUEST_METHOD "^POST$" "chain,msg:'CVE-2021-26919',severity:ERROR,deny,status:403,id:1000050"
SecRule REQUEST_URI "/druid/v2/sql" "chain"
SecRule REQUEST_BODY "@contains allowLoadLocalInfile=true"

SecRule REQUEST_METHOD "^GET$" "chain,msg:'CVE-2021-28073/CVE-2021-28074',severity:ERROR,deny,status:403,id:1000051"
SecRule REQUEST_URI "/lua/login.lua" "chain"
SecRule ARGS:referer "@contains /lua/admin" "chain"
SecRule ARGS:referer "@detectSQLi"

SecRule REQUEST_METHOD "^POST$" "chain,msg:'CVE-2021-26295',severity:ERROR,deny,status:403,id:1000052"
SecRule REQUEST_URI "/webtools/control/SOAPService" "chain"
SecRule REQUEST_BODY "@contains java.lang.Runtime"

# Block requests to iControl REST interface that contain suspicious paths or parameters
SecRule REQUEST_URI "@rx /mgmt/(shared/authn/login|tm/util/bash)" \
    "id:1000053,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'CVE-2021-22986 attempt blocked'"
	
	
# Block requests to Apache Solr Config API or stream.url parameter
SecRule REQUEST_URI "@rx /config" \
    "id:1000054,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    msg:'Apache Solr Config API attempt blocked'"
SecRule ARGS:stream.url "@rx ^file://" \
    "id:1000055,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'Apache Solr stream.url SSRF attempt blocked'"

SecRule REQUEST_URI "@beginsWith /apisix/admin" "id:100057,phase:2,log,deny,status:403,msg:'CVE-2020-13945 Attack',severity:CRITICAL,chain" 
SecRule REQUEST_HEADERS:Authorization "@streq apisix-key" 

SecRule REQUEST_URI "@beginsWith /websocket" "id:100058,deny,status:403,log,msg:'CVE-2020-13935 Attack',severity:CRITICAL,chain" 
SecRule REQUEST_HEADERS:Content-Length "@gt 65535" 

SecRule REQUEST_URI "@beginsWith /run" "id:100059,phase:2,log,deny,status:403,msg:'CVE-2020-16846 Attack',severity:CRITICAL,chain"  
SecRule REQUEST_BODY|XML "@contains ssh_priv"

SecRule REQUEST_URI "@streq /kylin/api/admin/config" "phase:1,log,deny,id:100061,msg:'CVE-2020-13937'"
SecRule REQUEST_URI "@streq /solr/admin/configs" "phase:1,log,deny,id:100062,msg:'CVE-2020-13957'"
SecRule REQUEST_URI "@rx /admin/.*" "phase:1,log,deny,id:100063,msg:'CVE-2020-13933'"
SecRule REQUEST_URI "@streq /pcidss/report" "phase:1,log,deny,id:100064,msg:'CVE-2020-8193'"
SecRule REQUEST_URI "@streq /com.alibaba.dubbo.registry.RegistryService" "phase:1,log,deny,id:100065,msg:'CVE-2020-1948'"
# Replace the IP address with your own
SecRule REQUEST_URI "@beginsWith /kong" "chain,phase:1,id:100066,log,deny,status:403,msg:'CVE-2020-11710'"
SecRule REMOTE_ADDR "!@ipMatch 1.1.1.1" 

#SecRule REQUEST_URI "@contains /" "chain,phase:1,id:100067,log,deny,status:403,msg:'CVE-2020-5405'" SecRule ARGS "@contains _" 

SecRule REQUEST_URI "@contains /" "chain,phase:1,id:100068,log,deny,status:403,msg: 'tomcat'" SecRule REQUEST_HEADERS:Host "@contains :8009" 

SecRule REQUEST_URI "@beginsWith /api/users" "chain,phase:1,id:100069,log,deny,msg:'CVE-2019-19023'" SecRule REQUEST_METHOD "@streq PUT" "chain" SecRule ARGS:email "@contains @admin.com"

SecRule REQUEST_URI "@beginsWith /api/usergroups" "chain,phase:1,id:100070,log,deny,msg:'CVE-2019-19029'" SecRule ARGS "@rx ''.[\'\";].'" 
SecRule REQUEST_BODY "@rx '\.(java|javax|org|com)\.[a-zA-Z0-9\.]" "phase:2,id:100074,log,deny,msg:'CVE-2019-14439 ,CVE-2019-14361'"
SecRule ARGS:poller_id "^[0-9]+$" "id:100078,phase:2,t:none,deny,status:403,msg:'CVE-2022-46169'"
#SecRule REQUEST_URI|REQUEST_BODY "@rx /e" "id:100079,phase:2,t:none,deny,status:403,msg:'CVE-2022-44877'"
#SecRule REQUEST_URI "@beginsWith /admin" "id:100080,phase:2,t:none,deny,status:403,msg:'CVE-2023-22602'"
SecRule REQUEST_BODY|REQUEST_URI "@contains com.sun.security.auth.module.JndiLoginModule" "id:100081,phase:2,t:none,deny,status:403,msg:'CVE-2023-25194'"
SecRule REQUEST_BODY|XML "@contains <com.thoughtworks.xstream.converters.extended.ThrowableConverter>" "id:1000082,msg:'CVE-2020-26217 Attack',severity:CRITICAL,deny,status:403"


SecRule ARGS "@rx \\\$\\{jndi:" \
    "id:1000083,\
    phase:2,\
    log,\
    deny,\
    msg:'Log4j2 RCE Attempt'"
SecRule REQUEST_HEADERS "@rx \\\$\\{jndi:" \
    "id:1000084,\
    phase:1,\
    log,\
    deny,\
    msg:'Log4j2 RCE Attempt'"


SecRule ARGS "@rx \\\$\\{" \
    "id:1000085,\
    phase:2,\
    log,\
    deny,\
    msg:'Struts2 RCE Attempt'"
SecRule REQUEST_URI "@rx \\\$\\{" \
    "id:1000086,\
    phase:1,\
    log,\
    deny,\
    msg:'Struts2 RCE Attempt'"


SecRule ARGS "@rx TemplatesImpl" \
    "id:1000087,\
    phase:2,\
    log,\
    deny,\
    msg:'Jackson RCE Attempt'"

SecRule REQUEST_BODY "@rx TemplatesImpl" \
    "id:1000088,\
    phase:2,\
    log,\
    deny,\
    msg:'Jackson RCE Attempt'"

SecRule REQUEST_URI "@rx /package-updates/update.cgi" \
    "id:1000089,\
    phase:1,\
    log,\
    deny,\
    msg:'Webmin RCE Attempt',\
    chain"
    SecRule ARGS "@rx u=" \
        "t:none"
SecRule REQUEST_URI "@rx owa-data/caches/" \
    "id:1000090,\
    phase:1,\
    log,\
    deny,\
    msg:'OWA RCE Attempt'"

SecRule REQUEST_URI "@rx \\.//" \
    "id:1000091,\
    phase:1,\
    log,\
    deny,\
    msg:'WebLogic LFI Attempt'"

SecRule REQUEST_URI "@rx redirect_uri=|\\.\\.%252f" \
    "id:1000092,\
    phase:1,\
    log,\
    deny,\
    msg:'Spring Cloud Config LFI Attempt'"

SecRule ARGS "@rx target=|%25" \
    "id:1000093,\
    phase:2,\
    log,\
    deny,\
    msg:'phpMyAdmin LFI Attempt'"


# Enable DOS Defence Module
SecAction "id:1000094,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.dos_burst_time_slice=60,\
    setvar:tx.dos_counter_threshold=100,\
    setvar:tx.dos_block_timeout=600"

# Detection of requests with the path login.do
SecRule REQUEST_URI "@streq /login.do" \
    "id:1000095,\
    phase:2,\
    pass,\
    nolog,\
    setvar:'ip.dos_counter=+1',\
    expirevar:'ip.dos_counter=%{tx.dos_burst_time_slice}'"

# When a client accesses the /login.do interface more than tx.dos_counter_threshold times in tx.dos_burst_time_slice seconds, 
# it is considered a DOS attack and is blocked tx.dos_block_timeout seconds

SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
    "id:1000096,\
    phase:2,\
    log,\
    deny,\
    status:403,\
    msg:'DOS Attack Detected',\
    setvar:'ip.dos_block_flag=1',\
    expirevar:'ip.dos_block_flag=%{tx.dos_block_timeout}'"
    
# When a client accesses a page that does not exist (status code 404), log its IP address and limit it to 5 visits in 10 minutes,
# otherwise the request is rejected
SecRule RESPONSE_STATUS "@streq 404" "phase:5,id:1000097,nolog,pass,setvar:ip.count2=+1,expirevar:ip.count2=600,initcol:ip=%{remote_addr}"
SecRule IP:COUNT2 "@gt 5" "phase:1,id:1000098,deny,status:403,msg:'Too many requests'"
# 404 pages are visited more frequently, use global restrictions rather than just blocking access to 404 pages, lock out for 30 minutes
#SecRule IP:COUNT2 "@gt 5" "phase:1,id:1000098,deny,status:403,msg:'Too many requests', expirevar:ip.count=1800"

# When a client accesses the /login.do interface and the response body contains an error, 
# the client's IP address is recorded and limited to 5 visits within 10 minutes, 
# after which the IP address is locked for 30 minutes and the client cannot access the /login.do interface again.

SecRule REQUEST_URI "@streq /login.do" "phase:5,id:1000099,nolog,pass,chain"
SecRule RESPONSE_BODY "@contains error" "setvar:ip.count=+1,expirevar:ip.count=600,initcol:ip=%{remote_addr}"
SecRule IP:COUNT "@gt 5" "phase:1,id:1000100,deny,status:403,msg:'Too many login attempts',expirevar:ip.count=1800"

SecRule REQUEST_URI "@contains **" "id:1000101,phase:2,log,deny,status:403,msg:'CVE-2023-20860 detected'"
SecRule ARGS "@contains Error.prepareStackTrace" "id:1000102,phase:2,log,deny,status:403,msg:'CVE-2023-29017 detected'"
SecRule REQUEST_URI "@contains /api/gen/clients/" "id:1000103,phase:2,log,deny,status:403,msg:'CVE-2023-1177 detected'"
SecRule RESPONSE_BODY "@contains MINIO_SECRET_KEY|MINIO_ROOT_PASSWORD" "id:1000104,phase:3,log,deny,status:403,msg:'CVE-2023-28432 detected'"

SecRule REQUEST_URI "@contains jmreport/qurestSql" "id:1000105,phase:2,log,deny,status:403,msg:'CVE-2023-1454 detected'"
SecRule REQUEST_HEADERS:Content-Type "@contains x-bea-t3|iiop" "id:1000106,phase:2,log,deny,status:403,msg:'CVE-2023-21839 detected'"
SecRule REQUEST_HEADERS:User-Agent "@contains T3" "id:1000107,phase:1,log,deny,status:403,msg:'CVE-2023-21839 detected'"
SecRule ARGS "@contains com.sun.security.auth.module.JndiLoginModule" "id:1000108,phase:2,log,deny,status:403,msg:'CVE-2023-25194 detected'"
SecRule REQUEST_HEADERS:User-Agent "@contains ShardingSphere-Proxy" "id:1000109,phase:2,log,deny,status:403,msg:'CVE-2022-45347 detected'"

SecRule REQUEST_URI "@contains /env" "chain,id:1000110,deny,status:403,msg:'CVE-2022-46166 detected'"
SecRule REQUEST_METHOD "@streq POST"

SecRule REQUEST_HEADERS:User-Agent "Java" \
    "id:1000111,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:requestBodyProcessor=XML,\
    setvar:'tx.jndi_injection_score=+%{tx.critical_anomaly_score}'"

SecRule TX:jndi_injection_score "@ge 5" \
    "id:1000112,\
    phase:2,\
    block,\
    t:none,\
    msg:'JNDI Injection Attack Detected CVE-2023-25194',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-injection',\
    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score_blocking=+1000'"
    
 SecRule REQUEST_URI "@rx /api/graphql" \
    "id:1000113,\
    phase:2,\
    deny,\
    status:403, \
    msg:'CVE-2023-2478 GitLab code execution attempt',\
    log"

SecRule REQUEST_URI "@rx /api/kibana" \
    "id:1000114,\
    phase:2,\
    deny,\
    status:403, \
    msg:'CVE-2023-31414,CVE-2023-31415 Kibana code execution attempt',\
    log"

# edit modsecurity.conf 
# SecResponseBodyAccess On
# add SecResponseBodyMimeType text/plain text/html text/xml application/json

SecRule RESPONSE_BODY "@rx \b(and|as|python|assert|break|class|continue|def|del|elif|else|except|finally|for|from|global|if|import|in|is|lambda|nonlocal|not|or|pass|raise|return|try|while|with|yield)\b" \
    "id:1000115,phase:4,deny,status:403,msg:'Python keyword detected in response'"


SecRule RESPONSE_BODY "@rx \b(IntegrityError|Traceback|python)\b" \
    "id:1000116,phase:4,deny,status:403,msg:'Python keyword detected in response',chain"
    SecRule REQUEST_HEADERS:Host "@rx ^(GgWnLT2.example.com|equTN24z5nUuv.example.com)$"


SecRule REQUEST_URI "@rx /gateway/(admin|api)/([^/]+)/([^/]+)" 
"phase:1,id:'1000117',t:none,deny,status:403,log,msg:'Spring Cloud Gateway RCE detected',severity:'CRITICAL'"


SecRule REQUEST_URI "@rx /jenkins/script/groovy/(script|scriptlet)/([^/]+)" \
"phase:1,id:'1000118',t:none,deny,status:403,log,msg:'Jenkins RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /index.php/(index|home)/do/([^/]+)" \
"phase:1,id:'1000119',t:none,deny,status:403,log,msg:'ThinkPHP RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /index.php/(index|admin)/([^/]+)" \
"phase:1,id:'1000120',t:none,deny,status:403,log,msg:'PHPCMS RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /wp-includes/load.php" \
"phase:1,id:'1000121',t:none,deny,status:403,log,msg:'WordPress RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /Naming/lookup/([^/]+)" \
"phase:1,id:'1000122',t:none,deny,status:403,log,msg:'Java RMI RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /ssh/([^/]+)" \
"phase:1,id:'1000123',t:none,deny,status:403,log,msg:'OpenSSH RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /log4j/[^/]+/(lookup|logback.xml)"
"phase:1,id:'1000124',t:none,deny,status:403,log,msg:'Apache Log4j 2 RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /actuator/(?:endpoints|beans|health|dump|heapdump|metrics|threaddump|mappings|conditions|configprops|env|loggers|scheduledtasks|caches|hystrix|httptrace|jolokia|liquibase|info|loggers|threaddump)" 
"phase:1,id:'1000125',t:none,deny,status:403,log,msg:'Spring Boot RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /admin/([^/]+)/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000126',t:none,deny,status:403,log,msg:'Django RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /admin/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000127',t:none,deny,status:403,log,msg:'Laravel RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /api/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000128',t:none,deny,status:403,log,msg:'Node.js RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /index.php/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000129',t:none,deny,status:403,log,msg:'PHP RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /app/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000130',t:none,deny,status:403,log,msg:'Python RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /service/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000131',t:none,deny,status:403,log,msg:'Java RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /bin/([^/]+)/([^/]+)/([^/]+)" \
"phase:1,id:'1000132',t:none,deny,status:403,log,msg:'C/C++ RCE detected',severity:'CRITICAL'"

SecRule REQUEST_URI "@rx /([^/]+)/.*\.php" \
"phase:1,id:'1000133',t:none,deny,status:403,log,msg:'Webshell detected',severity:'CRITICAL'"