From 160fb070dcdb8fb711e87461046ea65664ec88dc Mon Sep 17 00:00:00 2001
From: dune73
Date: Mon, 19 Jun 2023 14:08:38 +0200
Subject: [PATCH 1/2] Removed rule 913110 and connecting files
---
 ...00-EXCLUSION-RULES-BEFORE-CRS.conf.example | 3 +-
 rules/REQUEST-913-SCANNER-DETECTION.conf | 21 ---------
 rules/scanners-headers.data | 8 ----
 .../REQUEST-913-SCANNER-DETECTION/913110.yaml | 44 -------------------
 4 files changed, 1 insertion(+), 75 deletions(-)
 delete mode 100644 rules/scanners-headers.data
 delete mode 100644 tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index a0bd17ec1..7cb9bfe7d 100644
--- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -176,7 +176,7 @@
 # conditions will not be matched against the following rules:
 #
 # - id: 911100 (allowed methods)
-# - id: 913100,913110,913120,913101,913102 (scan detection)
+# - id: 913100,913120,913101,913102 (scan detection)
 # - id: 920280 (missing/empty host header)
 # - id: 920350 (IP address in host header)
 # - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
@@ -191,7 +191,6 @@
 # SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
 # "ctl:ruleRemoveById=911100,\
 # ctl:ruleRemoveById=913100,\
-# ctl:ruleRemoveById=913110,\
 # ctl:ruleRemoveById=913120,\
 # ctl:ruleRemoveById=913101,\
 # ctl:ruleRemoveById=913102,\
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index c4d777acd..bfa51fcab 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -56,27 +56,6 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
 SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" \
 "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
- "id:913110,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found request header associated with security scanner',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scanner',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
 SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
 "id:913120,\
diff --git a/rules/scanners-headers.data b/rules/scanners-headers.data
deleted file mode 100644
index f87c667e6..000000000
--- a/rules/scanners-headers.data
+++ /dev/null
@@ -1,8 +0,0 @@
-acunetix-product
-(acunetix web vulnerability scanner
-acunetix-scanning-agreement
-acunetix-user-agreement
-myvar=1234
-x-ratproxy-loop
-bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14
-x-scanner
diff --git a/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml b/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml
deleted file mode 100644
index 778a1c0b1..000000000
--- a/tests/regression/tests/REQUEST-913-SCANNER-DETECTION/913110.yaml
+++ /dev/null
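Review bot: Removing 913110 in this hunk drops the phase-1 `REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data"` check, and with it the case the deleted regression test 913110-2 exercised (a custom `X-Scanner` request header), yet the patch's diffstat lists four files and no CHANGES entry, so the coverage change is not recorded anywhere a deployer reads. The rules that remain visible in the hunk inspect only User-Agent (the chained rule in the hunk header) and `REQUEST_FILENAME|ARGS` (913120), so header-based scanner scoring at paranoia level 1 is gone unless the rest of the file, which this hunk does not show, provides it. A short comment at the deletion point such as `# Header-based scanner detection (former rule 913110) was removed in 4.0; see CHANGES.` plus the matching CHANGES line would keep the removal discoverable for people tuning exclusions that still reference the id.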
@@ -1,44 +0,0 @@
----
-meta:
- author: csanders-git
- description: None
- enabled: true
- name: 913110.yaml
-tests:
- - test_title: 913110-1
- desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
- stages:
- - stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- Accept-Encoding: gzip,deflate
- Accept-Language: en-us,en;q=0.5
- Acunetix-Product: WVS/5.0 (Acunetix Web Vulnerability Scanner - EVALUATION)
- Host: localhost
- Keep-Alive: '300'
- Proxy-Connection: keep-alive
- User-Agent: "OWASP CRS test agent"
- method: GET
- port: 80
- uri: /
- version: HTTP/1.0
- output:
- log_contains: id "913110"
- - test_title: 913110-2
- desc: "Scanner identification based on custom header"
- stages:
- - stage:
- input:
- dest_addr: "127.0.0.1"
- method: "GET"
- port: 80
- headers:
- Host: "localhost"
- X-Scanner: "whatever"
- uri: "/"
- User-Agent: "OWASP CRS test agent"
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- output:
- log_contains: id "913110"
From 7ed5eea0af7b0d03b1f49e9f645fe6905908d4ac Mon Sep 17 00:00:00 2001
From: dune73
Date: Fri, 23 Jun 2023 09:20:01 +0200
Subject: [PATCH 2/2] Resolve merge conflicts
---
 ...00-EXCLUSION-RULES-BEFORE-CRS.conf.example | 4 +-
 rules/REQUEST-913-SCANNER-DETECTION.conf | 60 -------------------
 2 files changed, 1 insertion(+), 63 deletions(-)
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index aaac561c9..0f78e44f4 100644
--- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -176,7 +176,7 @@
 # conditions will not be matched against the following rules:
 #
 # - id: 911100 (allowed methods)
-# - id: 913100,913101,913102 (scan detection)
+# - id: 913100 (scan detection)
 # - id: 920280 (missing/empty host header)
 # - id: 920350 (IP address in host header)
 # - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
@@ -191,8 +191,6 @@
 # SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
 # "ctl:ruleRemoveById=911100,\
 # ctl:ruleRemoveById=913100,\
-# ctl:ruleRemoveById=913101,\
-# ctl:ruleRemoveById=913102,\
 # ctl:ruleRemoveById=920280,\
 # ctl:ruleRemoveById=920350,\
 # ctl:ruleRemoveByTag=attack-disclosure"
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index 6f2bb3d3f..cb8368be8 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -64,66 +64,6 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAf
 #
-#
-# -=[ Scripting/Generic User-Agents ]=-
-#
-# This rule detects user-agents associated with various HTTP client libraries
-# and scripting languages. Detection suggests attempted access by some
-# automated tool.
-#
-# This rule is a sibling of rule 913100.
-#
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
- "id:913101,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found User-Agent associated with scripting/generic HTTP client',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scripting',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-
-
-
-#
-# -=[ Crawler User-Agents ]=-
-#
-# This rule detects user-agents associated with various crawlers, SEO tools,
-# and bots, which have been reported to potentially misbehave.
-# These crawlers can have legitimate uses when used with authorization.
-#
-# This rule is a sibling of rule 913100.
-#
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
- "id:913102,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found User-Agent associated with web crawler/bot',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-crawler',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/150',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
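Review bot: This hunk deletes rules 913101 and 913102 outright, together with their comment blocks, under a commit titled "Resolve merge conflicts", which does not describe a change that removes two paranoia-level-2 user-agent detections; if the deletion mirrors an upstream removal the message should say so, otherwise the PL2 scripting-client and crawler scoring is being dropped as a side effect of the merge. After the hunk the file still carries the `@lt 2` skip rule 913014 (visible only in the hunk header, so outside the hunk) and the `@lt 3` skip rules 913015/913016 around a section that now holds no rules, which reads as if something went missing. A one-line marker between them, such as `# No rules are currently defined at paranoia level 2.`, would make the empty section intentional for the next reader, and the example-file hunk in this commit that trims the `ctl:ruleRemoveById` list should be mentioned in the same commit message.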