WAF 規則參考ModeSecurity
Rule ID | Paranoia Level |
Severity | Description (msg) |
---|---|---|---|
901001 | PL1 | none | Check if crs-set.conf was loaded |
901450 | PL1 | none | Sampling: Disable the rule engine based on sampling_percentage |
905100 | PL1 | none | Common Exeptions example rule |
905110 | PL1 | none | Common Exeptions example rule |
910000 | PL1 | critical | Request from Known Malicious Client (Based on previous traffic violations). |
910100 | PL1 | critical | Client IP is from a HIGH Risk Country Location. |
910150 | PL1 | critical | HTTP Blacklist match for search engine IP, |
910160 | PL1 | critical | HTTP Blacklist match for spammer IP |
910170 | PL1 | critical | HTTP Blacklist match for suspicious IP |
910180 | PL1 | critical | HTTP Blacklist match for harvester IP |
911100 | PL1 | critical | Method is not allowed by policy |
912120 | PL1 | none | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)” |
912170 | PL1 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} – # of Request Bursts: %{ip.dos_burst_counter} |
912171 | PL2 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} – # of Request Bursts: %{ip.dos_burst_counter} |
913100 | PL1 | critical | Found User-Agent associated with security scanner |
913101 | PL2 | critical | Found User-Agent associated with scripting/generic HTTP client |
913102 | PL2 | critical | Found User-Agent associated with web crawler/bot |
913110 | PL1 | critical | Found request header associated with security scanner |
913120 | PL1 | critical | Found request filename/argument associated with security scanner |
920100 | PL1 | notice | Invalid HTTP Request Line |
920120 | PL1 | critical | Attempted multipart/form-data bypass |
920130 | PL1 | critical | Failed to parse request body. |
920140 | PL1 | critical | Multipart request body failed strict validation: |
920160 | PL1 | critical | Content-Length HTTP header is not numeric. |
920170 | PL1 | critical | GET or HEAD Request with Body Content. |
920180 | PL1 | notice | POST request missing Content-Length Header. |
920190 | PL1 | warning | Range: Invalid Last Byte Value. |
920200 | PL2 | warning | Range: Too many fields (6 or more) |
920201 | PL2 | warning | Range: Too many fields for pdf request (35 or more) |
920202 | PL4 | warning | Range: Too many fields for pdf request (6 or more) |
920210 | PL1 | warning | Multiple/Conflicting Connection Header Data Found. |
920220 | PL1 | warning | URL Encoding Abuse Attack Attempt |
920230 | PL2 | warning | Multiple URL Encoding Detected |
920240 | PL1 | warning | URL Encoding Abuse Attack Attempt |
920250 | PL1 | warning | UTF8 Encoding Abuse Attack Attempt |
920260 | PL1 | warning | Unicode Full/Half Width Abuse Attack Attempt |
920270 | PL1 | error | Invalid character in request (null character) |
920271 | PL2 | critical | Invalid character in request (non printable characters) |
920272 | PL3 | critical | Invalid character in request (outside of printable chars below ascii 127) |
920273 | PL4 | critical | Invalid character in request (outside of very strict set) |
920274 | PL4 | critical | Invalid character in request headers (outside of very strict set) |
920280 | PL1 | warning | Request Missing a Host Header |
920290 | PL1 | warning | Empty Host Header |
920300 | PL2 | notice | Request Missing an Accept Header |
920310 | PL1 | notice | Request Has an Empty Accept Header |
920311 | PL1 | notice | Request Has an Empty Accept Header |
920320 | PL2 | notice | Missing User Agent Header |
920330 | PL1 | notice | Empty User Agent Header |
920340 | PL1 | notice | Request Containing Content, but Missing Content-Type header |
920350 | PL1 | warning | Host header is a numeric IP address |
920360 | PL1 | critical | Argument name too long |
920370 | PL1 | critical | Argument value too long |
920380 | PL1 | critical | Too many arguments in request |
920390 | PL1 | critical | Total arguments size exceeded |
920400 | PL1 | critical | Uploaded file size too large |
920410 | PL1 | critical | Total uploaded files size too large |
920420 | PL1 | critical | Request content type is not allowed by policy |
920430 | PL1 | critical | HTTP protocol version is not allowed by policy |
920440 | PL1 | critical | URL file extension is restricted by policy |
920450 | PL1 | critical | HTTP header is restricted by policy (%{MATCHED_VAR}) |
920460 | PL4 | critical | Abnormal character escape detected |
921100 | PL1 | critical | HTTP Request Smuggling Attack. |
921110 | PL1 | critical | HTTP Request Smuggling Attack |
921120 | PL1 | critical | HTTP Response Splitting Attack |
921130 | PL1 | critical | HTTP Response Splitting Attack |
921140 | PL1 | critical | HTTP Header Injection Attack via headers |
921150 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
921151 | PL2 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
921160 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
921180 | PL3 | critical | HTTP Parameter Pollution (%{TX.1}) |
930100 | PL1 | critical | Path Traversal Attack (/../) |
930110 | PL1 | critical | Path Traversal Attack (/../) |
930120 | PL1 | critical | OS File Access Attempt |
930130 | PL1 | critical | Restricted File Access Attempt |
931100 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
931110 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
931120 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
931130 | PL2 | critical | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
932100 | PL1 | critical | Remote Command Execution: Unix Command Injection |
932105 | PL1 | critical | Remote Command Execution: Unix Command Injection |
932110 | PL1 | critical | Remote Command Execution: Windows Command Injection |
932115 | PL1 | critical | Remote Command Execution: Windows Command Injection |
932120 | PL1 | critical | Remote Command Execution: Windows PowerShell Command Found |
932130 | PL1 | critical | Remote Command Execution: Unix Shell Expression Found |
932140 | PL1 | critical | Remote Command Execution: Windows FOR/IF Command Found |
932150 | PL1 | critical | Remote Command Execution: Direct Unix Command Execution |
932160 | PL1 | critical | Remote Command Execution: Unix Shell Code Found |
932170 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
932171 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
933100 | PL1 | critical | PHP Injection Attack: Opening/Closing Tag Found |
933110 | PL1 | critical | PHP Injection Attack: PHP Script File Upload Found |
933111 | PL3 | critical | PHP Injection Attack: PHP Script File Upload Found |
933120 | PL1 | critical | PHP Injection Attack: Configuration Directive Found |
933130 | PL1 | critical | PHP Injection Attack: Variables Found |
933131 | PL3 | critical | PHP Injection Attack: Variables Found |
933140 | PL1 | critical | PHP Injection Attack: I/O Stream Found |
933150 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Name Found |
933151 | PL2 | critical | PHP Injection Attack: Medium-Risk PHP Function Name Found |
933160 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Call Found |
933161 | PL3 | critical | PHP Injection Attack: Low-Value PHP Function Call Found |
933170 | PL1 | critical | PHP Injection Attack: Serialized Object Injection |
933180 | PL1 | critical | PHP Injection Attack: Variable Function Call Found |
941100 | PL1 | critical | XSS Attack Detected via libinjection |
941110 | PL1 | critical | XSS Filter – Category 1: Script Tag Vector |
941120 | PL1 | critical | XSS Filter – Category 2: Event Handler Vector |
941130 | PL1 | critical | XSS Filter – Category 3: Attribute Vector |
941140 | PL1 | critical | XSS Filter – Category 4: Javascript URI Vector |
941150 | PL1 | critical | XSS Filter – Category 5: Disallowed HTML Attributes |
941160 | PL1 | critical | NoScript XSS InjectionChecker: HTML Injection |
941170 | PL1 | critical | NoScript XSS InjectionChecker: Attribute Injection |
941180 | PL1 | critical | Node-Validator Blacklist Keywords |
941190 | PL1 | critical | IE XSS Filters – Attack Detected. |
941200 | PL1 | critical | IE XSS Filters – Attack Detected. |
941210 | PL1 | critical | IE XSS Filters – Attack Detected. |
941220 | PL1 | critical | IE XSS Filters – Attack Detected. |
941230 | PL1 | critical | IE XSS Filters – Attack Detected. |
941240 | PL1 | critical | IE XSS Filters – Attack Detected. |
941250 | PL1 | critical | IE XSS Filters – Attack Detected. |
941260 | PL1 | critical | IE XSS Filters – Attack Detected. |
941270 | PL1 | critical | IE XSS Filters – Attack Detected. |
941280 | PL1 | critical | IE XSS Filters – Attack Detected. |
941290 | PL1 | critical | IE XSS Filters – Attack Detected. |
941300 | PL1 | critical | IE XSS Filters – Attack Detected. |
941310 | PL1 | critical | US-ASCII Malformed Encoding XSS Filter – Attack Detected. |
941320 | PL2 | critical | Possible XSS Attack Detected – HTML Tag Handler |
941330 | PL2 | critical | IE XSS Filters – Attack Detected. |
941340 | PL2 | critical | IE XSS Filters – Attack Detected. |
941350 | PL1 | critical | UTF-7 Encoding IE XSS – Attack Detected. |
942100 | PL1 | critical | SQL Injection Attack Detected via libinjection |
942110 | PL2 | warning | SQL Injection Attack: Common Injection Testing Detected |
942120 | PL2 | critical | SQL Injection Attack: SQL Operator Detected |
942130 | PL2 | critical | SQL Injection Attack: SQL Tautology Detected. |
942140 | PL1 | critical | SQL Injection Attack: Common DB Names Detected |
942150 | PL2 | critical | SQL Injection Attack |
942160 | PL1 | critical | Detects blind sqli tests using sleep() or benchmark(). |
942170 | PL1 | critical | Detects SQL benchmark and sleep injection attempts including conditional queries |
942180 | PL2 | critical | Detects basic SQL authentication bypass attempts 1/3 |
942190 | PL1 | critical | Detects MSSQL code execution and information gathering attempts |
942200 | PL2 | critical | Detects MySQL comment-/space-obfuscated injections and backtick termination |
942210 | PL2 | critical | Detects chained SQL injection attempts 1/2 |
942220 | PL1 | critical | Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the “magic number” crash |
942230 | PL1 | critical | Detects conditional SQL injection attempts |
942240 | PL1 | critical | Detects MySQL charset switch and MSSQL DoS attempts |
942250 | PL1 | critical | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
942251 | PL3 | critical | Detects HAVING injections |
942260 | PL2 | critical | Detects basic SQL authentication bypass attempts 2/3 |
942270 | PL1 | critical | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
942280 | PL1 | critical | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
942290 | PL1 | critical | Finds basic MongoDB SQL injection attempts |
942300 | PL2 | critical | Detects MySQL comments, conditions and ch(a)r injections |
942310 | PL2 | critical | Detects chained SQL injection attempts 2/2 |
942320 | PL1 | critical | Detects MySQL and PostgreSQL stored procedure/function injections |
942330 | PL2 | critical | Detects classic SQL injection probings 1/2 |
942340 | PL2 | critical | Detects basic SQL authentication bypass attempts 3/3 |
942350 | PL1 | critical | Detects MySQL UDF injection and other data/structure manipulation attempts |
942360 | PL1 | critical | Detects concatenated basic SQL injection and SQLLFI attempts |
942370 | PL2 | critical | Detects classic SQL injection probings 2/2 |
942380 | PL2 | critical | SQL Injection Attack |
942390 | PL2 | critical | SQL Injection Attack |
942400 | PL2 | critical | SQL Injection Attack |
942410 | PL2 | critical | SQL Injection Attack |
942420 | PL3 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
942421 | PL4 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
942430 | PL2 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
942431 | PL3 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
942432 | PL4 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
942440 | PL2 | critical | SQL Comment Sequence Detected. |
942450 | PL2 | critical | SQL Hex Encoding Identified |
942460 | PL3 | warning | Meta-Character Anomaly Detection Alert – Repetitive Non-Word Characters |
943100 | PL1 | critical | Possible Session Fixation Attack: Setting Cookie Values in HTML |
943110 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
943120 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
949100 | PL1 | none | Request Denied by IP Reputation Enforcement. |
949110 | PL1 | none | Check of inbound anomaly score |
950100 | PL2 | error | The Application Returned a 500-Level Status Code |
950130 | PL1 | error | Directory Listing |
951110 | PL1 | critical | Microsoft Access SQL Information Leakage |
951120 | PL1 | critical | Oracle SQL Information Leakage |
951130 | PL1 | critical | DB2 SQL Information Leakage |
951140 | PL1 | critical | EMC SQL Information Leakage |
951150 | PL1 | critical | firebird SQL Information Leakage |
951160 | PL1 | critical | Frontbase SQL Information Leakage |
951170 | PL1 | critical | hsqldb SQL Information Leakage |
951180 | PL1 | critical | informix SQL Information Leakage |
951190 | PL1 | critical | ingres SQL Information Leakage |
951200 | PL1 | critical | interbase SQL Information Leakage |
951210 | PL1 | critical | maxDB SQL Information Leakage |
951220 | PL1 | critical | mssql SQL Information Leakage |
951230 | PL1 | critical | mysql SQL Information Leakage |
951240 | PL1 | critical | postgres SQL Information Leakage |
951250 | PL1 | critical | sqlite SQL Information Leakage |
951260 | PL1 | critical | Sybase SQL Information Leakage |
952100 | PL1 | error | Java Source Code Leakage |
952110 | PL1 | error | Java Errors |
953100 | PL1 | error | PHP Information Leakage |
953110 | PL1 | error | PHP source code leakage |
953120 | PL1 | error | PHP source code leakage |
954100 | PL1 | error | Disclosure of IIS install location |
954110 | PL1 | error | Application Availability Error |
954120 | PL1 | error | IIS Information Leakage |
954130 | PL1 | error | IIS Information Leakage |
959100 | PL1 | none | Check of outbound anomaly score |
980100 | PL1 | none | Anomaly score correlation rule |
980110 | PL1 | none | Anomaly score correlation rule |
980120 | PL1 | none | Anomaly score correlation rule |
980130 | PL1 | none | Anomaly score correlation rule |
980140 | PL1 | none | Anomaly score correlation rule |
9001000 | PL1 | none | Drupal rule exception |
9001110 | PL1 | none | Drupal rule exception |
9001112 | PL1 | none | Drupal rule exception |
9001114 | PL1 | none | Drupal rule exception |
9001116 | PL1 | none | Drupal rule exception |
9001120 | PL1 | none | Drupal rule exception |
9001122 | PL1 | none | Drupal rule exception |
9001124 | PL1 | none | Drupal rule exception |
9001126 | PL1 | none | Drupal rule exception |
9001128 | PL1 | none | Drupal rule exception |
9001140 | PL1 | none | Drupal rule exception |
9001150 | PL1 | none | Drupal rule exception |
9001170 | PL1 | none | Drupal rule exception |
9001180 | PL1 | none | Drupal rule exception |
9001182 | PL1 | none | Drupal rule exception |
9001184 | PL1 | none | Drupal rule exception |
9001200 | PL1 | none | Drupal rule exception |
9001202 | PL1 | none | Drupal rule exception |
9001204 | PL1 | none | Drupal rule exception |
9001206 | PL1 | none | Drupal rule exception |
9001208 | PL1 | none | Drupal rule exception |
9001210 | PL1 | none | Drupal rule exception |
9001212 | PL1 | none | Drupal rule exception |
9001214 | PL1 | none | Drupal rule exception |
9001216 | PL1 | none | Drupal rule exception |
9002000 | PL1 | none | WordPress rule exception |
9002001 | PL1 | none | WordPress rule exception |
9002100 | PL1 | none | WordPress rule exception |
9002120 | PL1 | none | WordPress rule exception |
9002130 | PL1 | none | WordPress rule exception |
9002150 | PL1 | none | WordPress rule exception |
9002160 | PL1 | none | WordPress rule exception |
9002200 | PL1 | none | WordPress rule exception |
9002400 | PL1 | none | WordPress rule exception |
9002401 | PL1 | none | WordPress rule exception |
9002410 | PL1 | none | WordPress rule exception |
9002420 | PL1 | none | WordPress rule exception |
9002520 | PL1 | none | WordPress rule exception |
9002530 | PL1 | none | WordPress rule exception |
9002540 | PL1 | none | WordPress rule exception |
9002700 | PL1 | none | WordPress rule exception |
9002710 | PL1 | none | WordPress rule exception |
9002720 | PL1 | none | WordPress rule exception |
9002730 | PL1 | none | WordPress rule exception |
9002740 | PL1 | none | WordPress rule exception |
9002750 | PL1 | none | WordPress rule exception |
9002800 | PL1 | none | WordPress rule exception |
9002810 | PL1 | none | WordPress rule exception |
9002820 | PL1 | none | WordPress rule exception |
9002900 | PL1 | none | WordPress rule exception |
https://www.netnea.com/cms/core-rule-set-inventory/
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0/master/rules
https://github.com/fastly/ftw