modsecurity ID in WAF log (reverseproxy.log) finden

#1 · 22. Januar 2024, 13:03

Zitat von mpachmann am 22. Januar 2024, 13:03 Uhr
tail -n 5000 -f /log/reverseproxy.log | grep security2:error

https://web.archive.org/web/20230901104426/https://www.netnea.com/cms/core-rule-set-inventory/

This is a list of rules from the OWASP ModSecurity Core Rule Set.

Handling of false positives / false alarms / blocking of legitimate traffic is explained in this tutorial.

This page here covers the 3.x release(s). The rule IDs from the 2.x.x release(s) are not listed / covered. Look here for some infos.

Helper rules are omitted.

Click on link to be taken to github and land on the definition of the rule.

The link to github points to the 3.0 dev tree.

The description / message is the msg action from the rule definition mostly.

Individual rules in this page can be reached via a shortcut. E.g., https://netnea.com/crs/942100.

If you are lazy, then create a dynamic bookmark and call it with the rule ID as parameter in the address line of the browser: e.g., crs 942100.

You like what you see? Why don’t you follow me on twitter @ChrFolini to learn about new ModSecurity stuff I publish.

Rule ID Paranoia
Level Severity Description (msg)

901001 PL1 none Check if crs-set.conf was loaded

901450 PL1 none Sampling: Disable the rule engine based on sampling_percentage

905100 PL1 none Common Exeptions example rule

905110 PL1 none Common Exeptions example rule

910000 PL1 critical Request from Known Malicious Client (Based on previous traffic violations).

910100 PL1 critical Client IP is from a HIGH Risk Country Location.

910150 PL1 critical HTTP Blacklist match for search engine IP,

910160 PL1 critical HTTP Blacklist match for spammer IP

910170 PL1 critical HTTP Blacklist match for suspicious IP

910180 PL1 critical HTTP Blacklist match for harvester IP

911100 PL1 critical Method is not allowed by policy

912120 PL1 none Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)"

912170 PL1 none Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}

912171 PL2 none Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}

913100 PL1 critical Found User-Agent associated with security scanner

913101 PL2 critical Found User-Agent associated with scripting/generic HTTP client

913102 PL2 critical Found User-Agent associated with web crawler/bot

913110 PL1 critical Found request header associated with security scanner

913120 PL1 critical Found request filename/argument associated with security scanner

920100 PL1 notice Invalid HTTP Request Line

920120 PL1 critical Attempted multipart/form-data bypass

920130 PL1 critical Failed to parse request body.

920140 PL1 critical Multipart request body failed strict validation:

920160 PL1 critical Content-Length HTTP header is not numeric.

920170 PL1 critical GET or HEAD Request with Body Content.

920180 PL1 notice POST request missing Content-Length Header.

920190 PL1 warning Range: Invalid Last Byte Value.

920200 PL2 warning Range: Too many fields (6 or more)

920201 PL2 warning Range: Too many fields for pdf request (35 or more)

920202 PL4 warning Range: Too many fields for pdf request (6 or more)

920210 PL1 warning Multiple/Conflicting Connection Header Data Found.

920220 PL1 warning URL Encoding Abuse Attack Attempt

920230 PL2 warning Multiple URL Encoding Detected

920240 PL1 warning URL Encoding Abuse Attack Attempt

920250 PL1 warning UTF8 Encoding Abuse Attack Attempt

920260 PL1 warning Unicode Full/Half Width Abuse Attack Attempt

920270 PL1 error Invalid character in request (null character)

920271 PL2 critical Invalid character in request (non printable characters)

920272 PL3 critical Invalid character in request (outside of printable chars below ascii 127)

920273 PL4 critical Invalid character in request (outside of very strict set)

920274 PL4 critical Invalid character in request headers (outside of very strict set)

920280 PL1 warning Request Missing a Host Header

920290 PL1 warning Empty Host Header

920300 PL2 notice Request Missing an Accept Header

920310 PL1 notice Request Has an Empty Accept Header

920311 PL1 notice Request Has an Empty Accept Header

920320 PL2 notice Missing User Agent Header

920330 PL1 notice Empty User Agent Header

920340 PL1 notice Request Containing Content, but Missing Content-Type header

920350 PL1 warning Host header is a numeric IP address

920360 PL1 critical Argument name too long

920370 PL1 critical Argument value too long

920380 PL1 critical Too many arguments in request

920390 PL1 critical Total arguments size exceeded

920400 PL1 critical Uploaded file size too large

920410 PL1 critical Total uploaded files size too large

920420 PL1 critical Request content type is not allowed by policy

920430 PL1 critical HTTP protocol version is not allowed by policy

920440 PL1 critical URL file extension is restricted by policy

920450 PL1 critical HTTP header is restricted by policy (%{MATCHED_VAR})

920460 PL4 critical Abnormal character escape detected

921100 PL1 critical HTTP Request Smuggling Attack.

921110 PL1 critical HTTP Request Smuggling Attack

921120 PL1 critical HTTP Response Splitting Attack

921130 PL1 critical HTTP Response Splitting Attack

921140 PL1 critical HTTP Header Injection Attack via headers

921150 PL1 critical HTTP Header Injection Attack via payload (CR/LF detected)

921151 PL2 critical HTTP Header Injection Attack via payload (CR/LF detected)

921160 PL1 critical HTTP Header Injection Attack via payload (CR/LF and header-name detected)

921180 PL3 critical HTTP Parameter Pollution (%{TX.1})

930100 PL1 critical Path Traversal Attack (/../)

930110 PL1 critical Path Traversal Attack (/../)

930120 PL1 critical OS File Access Attempt

930130 PL1 critical Restricted File Access Attempt

931100 PL1 critical Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address

931110 PL1 critical Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload

931120 PL1 critical Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)

931130 PL2 critical Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

932100 PL1 critical Remote Command Execution: Unix Command Injection

932105 PL1 critical Remote Command Execution: Unix Command Injection

932110 PL1 critical Remote Command Execution: Windows Command Injection

932115 PL1 critical Remote Command Execution: Windows Command Injection

932120 PL1 critical Remote Command Execution: Windows PowerShell Command Found

932130 PL1 critical Remote Command Execution: Unix Shell Expression Found

932140 PL1 critical Remote Command Execution: Windows FOR/IF Command Found

932150 PL1 critical Remote Command Execution: Direct Unix Command Execution

932160 PL1 critical Remote Command Execution: Unix Shell Code Found

932170 PL1 critical Remote Command Execution: Shellshock (CVE-2014-6271)

932171 PL1 critical Remote Command Execution: Shellshock (CVE-2014-6271)

933100 PL1 critical PHP Injection Attack: Opening/Closing Tag Found

933110 PL1 critical PHP Injection Attack: PHP Script File Upload Found

933111 PL3 critical PHP Injection Attack: PHP Script File Upload Found

933120 PL1 critical PHP Injection Attack: Configuration Directive Found

933130 PL1 critical PHP Injection Attack: Variables Found

933131 PL3 critical PHP Injection Attack: Variables Found

933140 PL1 critical PHP Injection Attack: I/O Stream Found

933150 PL1 critical PHP Injection Attack: High-Risk PHP Function Name Found

933151 PL2 critical PHP Injection Attack: Medium-Risk PHP Function Name Found

933160 PL1 critical PHP Injection Attack: High-Risk PHP Function Call Found

933161 PL3 critical PHP Injection Attack: Low-Value PHP Function Call Found

933170 PL1 critical PHP Injection Attack: Serialized Object Injection

933180 PL1 critical PHP Injection Attack: Variable Function Call Found

941100 PL1 critical XSS Attack Detected via libinjection

941110 PL1 critical XSS Filter - Category 1: Script Tag Vector

941120 PL1 critical XSS Filter - Category 2: Event Handler Vector

941130 PL1 critical XSS Filter - Category 3: Attribute Vector

941140 PL1 critical XSS Filter - Category 4: Javascript URI Vector

941150 PL1 critical XSS Filter - Category 5: Disallowed HTML Attributes

941160 PL1 critical NoScript XSS InjectionChecker: HTML Injection

941170 PL1 critical NoScript XSS InjectionChecker: Attribute Injection

941180 PL1 critical Node-Validator Blacklist Keywords

941190 PL1 critical IE XSS Filters - Attack Detected.

941200 PL1 critical IE XSS Filters - Attack Detected.

941210 PL1 critical IE XSS Filters - Attack Detected.

941220 PL1 critical IE XSS Filters - Attack Detected.

941230 PL1 critical IE XSS Filters - Attack Detected.

941240 PL1 critical IE XSS Filters - Attack Detected.

941250 PL1 critical IE XSS Filters - Attack Detected.

941260 PL1 critical IE XSS Filters - Attack Detected.

941270 PL1 critical IE XSS Filters - Attack Detected.

941280 PL1 critical IE XSS Filters - Attack Detected.

941290 PL1 critical IE XSS Filters - Attack Detected.

941300 PL1 critical IE XSS Filters - Attack Detected.

941310 PL1 critical US-ASCII Malformed Encoding XSS Filter - Attack Detected.

941320 PL2 critical Possible XSS Attack Detected - HTML Tag Handler

941330 PL2 critical IE XSS Filters - Attack Detected.

941340 PL2 critical IE XSS Filters - Attack Detected.

941350 PL1 critical UTF-7 Encoding IE XSS - Attack Detected.

942100 PL1 critical SQL Injection Attack Detected via libinjection

942110 PL2 warning SQL Injection Attack: Common Injection Testing Detected

942120 PL2 critical SQL Injection Attack: SQL Operator Detected

942130 PL2 critical SQL Injection Attack: SQL Tautology Detected.

942140 PL1 critical SQL Injection Attack: Common DB Names Detected

942150 PL2 critical SQL Injection Attack

942160 PL1 critical Detects blind sqli tests using sleep() or benchmark().

942170 PL1 critical Detects SQL benchmark and sleep injection attempts including conditional queries

942180 PL2 critical Detects basic SQL authentication bypass attempts 1/3

942190 PL1 critical Detects MSSQL code execution and information gathering attempts

942200 PL2 critical Detects MySQL comment-/space-obfuscated injections and backtick termination

942210 PL2 critical Detects chained SQL injection attempts 1/2

942220 PL1 critical Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash

942230 PL1 critical Detects conditional SQL injection attempts

942240 PL1 critical Detects MySQL charset switch and MSSQL DoS attempts

942250 PL1 critical Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections

942251 PL3 critical Detects HAVING injections

942260 PL2 critical Detects basic SQL authentication bypass attempts 2/3

942270 PL1 critical Looking for basic sql injection. Common attack string for mysql, oracle and others.

942280 PL1 critical Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts

942290 PL1 critical Finds basic MongoDB SQL injection attempts

942300 PL2 critical Detects MySQL comments, conditions and ch(a)r injections

942310 PL2 critical Detects chained SQL injection attempts 2/2

942320 PL1 critical Detects MySQL and PostgreSQL stored procedure/function injections

942330 PL2 critical Detects classic SQL injection probings 1/2

942340 PL2 critical Detects basic SQL authentication bypass attempts 3/3

942350 PL1 critical Detects MySQL UDF injection and other data/structure manipulation attempts

942360 PL1 critical Detects concatenated basic SQL injection and SQLLFI attempts

942370 PL2 critical Detects classic SQL injection probings 2/2

942380 PL2 critical SQL Injection Attack

942390 PL2 critical SQL Injection Attack

942400 PL2 critical SQL Injection Attack

942410 PL2 critical SQL Injection Attack

942420 PL3 warning Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)

942421 PL4 warning Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)

942430 PL2 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)

942431 PL3 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)

942432 PL4 warning Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)

942440 PL2 critical SQL Comment Sequence Detected.

942450 PL2 critical SQL Hex Encoding Identified

942460 PL3 warning Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters

943100 PL1 critical Possible Session Fixation Attack: Setting Cookie Values in HTML

943110 PL1 critical Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer

943120 PL1 critical Possible Session Fixation Attack: SessionID Parameter Name with No Referer

949100 PL1 none Request Denied by IP Reputation Enforcement.

949110 PL1 none Check of inbound anomaly score

950100 PL2 error The Application Returned a 500-Level Status Code

950130 PL1 error Directory Listing

951110 PL1 critical Microsoft Access SQL Information Leakage

951120 PL1 critical Oracle SQL Information Leakage

951130 PL1 critical DB2 SQL Information Leakage

951140 PL1 critical EMC SQL Information Leakage

951150 PL1 critical firebird SQL Information Leakage

951160 PL1 critical Frontbase SQL Information Leakage

951170 PL1 critical hsqldb SQL Information Leakage

951180 PL1 critical informix SQL Information Leakage

951190 PL1 critical ingres SQL Information Leakage

951200 PL1 critical interbase SQL Information Leakage

951210 PL1 critical maxDB SQL Information Leakage

951220 PL1 critical mssql SQL Information Leakage

951230 PL1 critical mysql SQL Information Leakage

951240 PL1 critical postgres SQL Information Leakage

951250 PL1 critical sqlite SQL Information Leakage

951260 PL1 critical Sybase SQL Information Leakage

952100 PL1 error Java Source Code Leakage

952110 PL1 error Java Errors

953100 PL1 error PHP Information Leakage

953110 PL1 error PHP source code leakage

953120 PL1 error PHP source code leakage

954100 PL1 error Disclosure of IIS install location

954110 PL1 error Application Availability Error

954120 PL1 error IIS Information Leakage

954130 PL1 error IIS Information Leakage

959100 PL1 none Check of outbound anomaly score

980100 PL1 none Anomaly score correlation rule

980110 PL1 none Anomaly score correlation rule

980120 PL1 none Anomaly score correlation rule

980130 PL1 none Anomaly score correlation rule

980140 PL1 none Anomaly score correlation rule

9001000 PL1 none Drupal rule exception

9001110 PL1 none Drupal rule exception

9001112 PL1 none Drupal rule exception

9001114 PL1 none Drupal rule exception

9001116 PL1 none Drupal rule exception

9001120 PL1 none Drupal rule exception

9001122 PL1 none Drupal rule exception

9001124 PL1 none Drupal rule exception

9001126 PL1 none Drupal rule exception

9001128 PL1 none Drupal rule exception

9001140 PL1 none Drupal rule exception

9001150 PL1 none Drupal rule exception

9001170 PL1 none Drupal rule exception

9001180 PL1 none Drupal rule exception

9001182 PL1 none Drupal rule exception

9001184 PL1 none Drupal rule exception

9001200 PL1 none Drupal rule exception

9001202 PL1 none Drupal rule exception

9001204 PL1 none Drupal rule exception

9001206 PL1 none Drupal rule exception

9001208 PL1 none Drupal rule exception

9001210 PL1 none Drupal rule exception

9001212 PL1 none Drupal rule exception

9001214 PL1 none Drupal rule exception

9001216 PL1 none Drupal rule exception

9002000 PL1 none WordPress rule exception

9002001 PL1 none WordPress rule exception

9002100 PL1 none WordPress rule exception

9002120 PL1 none WordPress rule exception

9002130 PL1 none WordPress rule exception

9002150 PL1 none WordPress rule exception

9002160 PL1 none WordPress rule exception

9002200 PL1 none WordPress rule exception

9002400 PL1 none WordPress rule exception

9002401 PL1 none WordPress rule exception

9002410 PL1 none WordPress rule exception

9002420 PL1 none WordPress rule exception

9002520 PL1 none WordPress rule exception

9002530 PL1 none WordPress rule exception

9002540 PL1 none WordPress rule exception

9002700 PL1 none WordPress rule exception

9002710 PL1 none WordPress rule exception

9002720 PL1 none WordPress rule exception

9002730 PL1 none WordPress rule exception

9002740 PL1 none WordPress rule exception

9002750 PL1 none WordPress rule exception

9002800 PL1 none WordPress rule exception

9002810 PL1 none WordPress rule exception

9002820 PL1 none WordPress rule exception

9002900 PL1 none WordPress rule exception

tail -n 5000 -f /log/reverseproxy.log | grep security2:error

https://web.archive.org/web/20230901104426/https://www.netnea.com/cms/core-rule-set-inventory/

This is a list of rules from the OWASP ModSecurity Core Rule Set.

Handling of false positives / false alarms / blocking of legitimate traffic is explained in this tutorial.
This page here covers the 3.x release(s). The rule IDs from the 2.x.x release(s) are not listed / covered. Look here for some infos.
Helper rules are omitted.
Click on link to be taken to github and land on the definition of the rule.
The link to github points to the 3.0 dev tree.
The description / message is the msg action from the rule definition mostly.
Individual rules in this page can be reached via a shortcut. E.g., https://netnea.com/crs/942100.
If you are lazy, then create a dynamic bookmark and call it with the rule ID as parameter in the address line of the browser: e.g., crs 942100.
You like what you see? Why don’t you follow me on twitter @ChrFolini to learn about new ModSecurity stuff I publish.

Rule ID	Paranoia Level	Severity	Description (msg)
901001	PL1	none	Check if crs-set.conf was loaded
901450	PL1	none	Sampling: Disable the rule engine based on sampling_percentage
905100	PL1	none	Common Exeptions example rule
905110	PL1	none	Common Exeptions example rule
910000	PL1	critical	Request from Known Malicious Client (Based on previous traffic violations).
910100	PL1	critical	Client IP is from a HIGH Risk Country Location.
910150	PL1	critical	HTTP Blacklist match for search engine IP,
910160	PL1	critical	HTTP Blacklist match for spammer IP
910170	PL1	critical	HTTP Blacklist match for suspicious IP
910180	PL1	critical	HTTP Blacklist match for harvester IP
911100	PL1	critical	Method is not allowed by policy
912120	PL1	none	Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)"
912170	PL1	none	Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
912171	PL2	none	Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}
913100	PL1	critical	Found User-Agent associated with security scanner
913101	PL2	critical	Found User-Agent associated with scripting/generic HTTP client
913102	PL2	critical	Found User-Agent associated with web crawler/bot
913110	PL1	critical	Found request header associated with security scanner
913120	PL1	critical	Found request filename/argument associated with security scanner
920100	PL1	notice	Invalid HTTP Request Line
920120	PL1	critical	Attempted multipart/form-data bypass
920130	PL1	critical	Failed to parse request body.
920140	PL1	critical	Multipart request body failed strict validation:
920160	PL1	critical	Content-Length HTTP header is not numeric.
920170	PL1	critical	GET or HEAD Request with Body Content.
920180	PL1	notice	POST request missing Content-Length Header.
920190	PL1	warning	Range: Invalid Last Byte Value.
920200	PL2	warning	Range: Too many fields (6 or more)
920201	PL2	warning	Range: Too many fields for pdf request (35 or more)
920202	PL4	warning	Range: Too many fields for pdf request (6 or more)
920210	PL1	warning	Multiple/Conflicting Connection Header Data Found.
920220	PL1	warning	URL Encoding Abuse Attack Attempt
920230	PL2	warning	Multiple URL Encoding Detected
920240	PL1	warning	URL Encoding Abuse Attack Attempt
920250	PL1	warning	UTF8 Encoding Abuse Attack Attempt
920260	PL1	warning	Unicode Full/Half Width Abuse Attack Attempt
920270	PL1	error	Invalid character in request (null character)
920271	PL2	critical	Invalid character in request (non printable characters)
920272	PL3	critical	Invalid character in request (outside of printable chars below ascii 127)
920273	PL4	critical	Invalid character in request (outside of very strict set)
920274	PL4	critical	Invalid character in request headers (outside of very strict set)
920280	PL1	warning	Request Missing a Host Header
920290	PL1	warning	Empty Host Header
920300	PL2	notice	Request Missing an Accept Header
920310	PL1	notice	Request Has an Empty Accept Header
920311	PL1	notice	Request Has an Empty Accept Header
920320	PL2	notice	Missing User Agent Header
920330	PL1	notice	Empty User Agent Header
920340	PL1	notice	Request Containing Content, but Missing Content-Type header
920350	PL1	warning	Host header is a numeric IP address
920360	PL1	critical	Argument name too long
920370	PL1	critical	Argument value too long
920380	PL1	critical	Too many arguments in request
920390	PL1	critical	Total arguments size exceeded
920400	PL1	critical	Uploaded file size too large
920410	PL1	critical	Total uploaded files size too large
920420	PL1	critical	Request content type is not allowed by policy
920430	PL1	critical	HTTP protocol version is not allowed by policy
920440	PL1	critical	URL file extension is restricted by policy
920450	PL1	critical	HTTP header is restricted by policy (%{MATCHED_VAR})
920460	PL4	critical	Abnormal character escape detected
921100	PL1	critical	HTTP Request Smuggling Attack.
921110	PL1	critical	HTTP Request Smuggling Attack
921120	PL1	critical	HTTP Response Splitting Attack
921130	PL1	critical	HTTP Response Splitting Attack
921140	PL1	critical	HTTP Header Injection Attack via headers
921150	PL1	critical	HTTP Header Injection Attack via payload (CR/LF detected)
921151	PL2	critical	HTTP Header Injection Attack via payload (CR/LF detected)
921160	PL1	critical	HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921180	PL3	critical	HTTP Parameter Pollution (%{TX.1})
930100	PL1	critical	Path Traversal Attack (/../)
930110	PL1	critical	Path Traversal Attack (/../)
930120	PL1	critical	OS File Access Attempt
930130	PL1	critical	Restricted File Access Attempt
931100	PL1	critical	Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
931110	PL1	critical	Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
931120	PL1	critical	Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
931130	PL2	critical	Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932100	PL1	critical	Remote Command Execution: Unix Command Injection
932105	PL1	critical	Remote Command Execution: Unix Command Injection
932110	PL1	critical	Remote Command Execution: Windows Command Injection
932115	PL1	critical	Remote Command Execution: Windows Command Injection
932120	PL1	critical	Remote Command Execution: Windows PowerShell Command Found
932130	PL1	critical	Remote Command Execution: Unix Shell Expression Found
932140	PL1	critical	Remote Command Execution: Windows FOR/IF Command Found
932150	PL1	critical	Remote Command Execution: Direct Unix Command Execution
932160	PL1	critical	Remote Command Execution: Unix Shell Code Found
932170	PL1	critical	Remote Command Execution: Shellshock (CVE-2014-6271)
932171	PL1	critical	Remote Command Execution: Shellshock (CVE-2014-6271)
933100	PL1	critical	PHP Injection Attack: Opening/Closing Tag Found
933110	PL1	critical	PHP Injection Attack: PHP Script File Upload Found
933111	PL3	critical	PHP Injection Attack: PHP Script File Upload Found
933120	PL1	critical	PHP Injection Attack: Configuration Directive Found
933130	PL1	critical	PHP Injection Attack: Variables Found
933131	PL3	critical	PHP Injection Attack: Variables Found
933140	PL1	critical	PHP Injection Attack: I/O Stream Found
933150	PL1	critical	PHP Injection Attack: High-Risk PHP Function Name Found
933151	PL2	critical	PHP Injection Attack: Medium-Risk PHP Function Name Found
933160	PL1	critical	PHP Injection Attack: High-Risk PHP Function Call Found
933161	PL3	critical	PHP Injection Attack: Low-Value PHP Function Call Found
933170	PL1	critical	PHP Injection Attack: Serialized Object Injection
933180	PL1	critical	PHP Injection Attack: Variable Function Call Found
941100	PL1	critical	XSS Attack Detected via libinjection
941110	PL1	critical	XSS Filter - Category 1: Script Tag Vector
941120	PL1	critical	XSS Filter - Category 2: Event Handler Vector
941130	PL1	critical	XSS Filter - Category 3: Attribute Vector
941140	PL1	critical	XSS Filter - Category 4: Javascript URI Vector
941150	PL1	critical	XSS Filter - Category 5: Disallowed HTML Attributes
941160	PL1	critical	NoScript XSS InjectionChecker: HTML Injection
941170	PL1	critical	NoScript XSS InjectionChecker: Attribute Injection
941180	PL1	critical	Node-Validator Blacklist Keywords
941190	PL1	critical	IE XSS Filters - Attack Detected.
941200	PL1	critical	IE XSS Filters - Attack Detected.
941210	PL1	critical	IE XSS Filters - Attack Detected.
941220	PL1	critical	IE XSS Filters - Attack Detected.
941230	PL1	critical	IE XSS Filters - Attack Detected.
941240	PL1	critical	IE XSS Filters - Attack Detected.
941250	PL1	critical	IE XSS Filters - Attack Detected.
941260	PL1	critical	IE XSS Filters - Attack Detected.
941270	PL1	critical	IE XSS Filters - Attack Detected.
941280	PL1	critical	IE XSS Filters - Attack Detected.
941290	PL1	critical	IE XSS Filters - Attack Detected.
941300	PL1	critical	IE XSS Filters - Attack Detected.
941310	PL1	critical	US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941320	PL2	critical	Possible XSS Attack Detected - HTML Tag Handler
941330	PL2	critical	IE XSS Filters - Attack Detected.
941340	PL2	critical	IE XSS Filters - Attack Detected.
941350	PL1	critical	UTF-7 Encoding IE XSS - Attack Detected.
942100	PL1	critical	SQL Injection Attack Detected via libinjection
942110	PL2	warning	SQL Injection Attack: Common Injection Testing Detected
942120	PL2	critical	SQL Injection Attack: SQL Operator Detected
942130	PL2	critical	SQL Injection Attack: SQL Tautology Detected.
942140	PL1	critical	SQL Injection Attack: Common DB Names Detected
942150	PL2	critical	SQL Injection Attack
942160	PL1	critical	Detects blind sqli tests using sleep() or benchmark().
942170	PL1	critical	Detects SQL benchmark and sleep injection attempts including conditional queries
942180	PL2	critical	Detects basic SQL authentication bypass attempts 1/3
942190	PL1	critical	Detects MSSQL code execution and information gathering attempts
942200	PL2	critical	Detects MySQL comment-/space-obfuscated injections and backtick termination
942210	PL2	critical	Detects chained SQL injection attempts 1/2
942220	PL1	critical	Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash
942230	PL1	critical	Detects conditional SQL injection attempts
942240	PL1	critical	Detects MySQL charset switch and MSSQL DoS attempts
942250	PL1	critical	Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
942251	PL3	critical	Detects HAVING injections
942260	PL2	critical	Detects basic SQL authentication bypass attempts 2/3
942270	PL1	critical	Looking for basic sql injection. Common attack string for mysql, oracle and others.
942280	PL1	critical	Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
942290	PL1	critical	Finds basic MongoDB SQL injection attempts
942300	PL2	critical	Detects MySQL comments, conditions and ch(a)r injections
942310	PL2	critical	Detects chained SQL injection attempts 2/2
942320	PL1	critical	Detects MySQL and PostgreSQL stored procedure/function injections
942330	PL2	critical	Detects classic SQL injection probings 1/2
942340	PL2	critical	Detects basic SQL authentication bypass attempts 3/3
942350	PL1	critical	Detects MySQL UDF injection and other data/structure manipulation attempts
942360	PL1	critical	Detects concatenated basic SQL injection and SQLLFI attempts
942370	PL2	critical	Detects classic SQL injection probings 2/2
942380	PL2	critical	SQL Injection Attack
942390	PL2	critical	SQL Injection Attack
942400	PL2	critical	SQL Injection Attack
942410	PL2	critical	SQL Injection Attack
942420	PL3	warning	Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
942421	PL4	warning	Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
942430	PL2	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942431	PL3	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
942432	PL4	warning	Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
942440	PL2	critical	SQL Comment Sequence Detected.
942450	PL2	critical	SQL Hex Encoding Identified
942460	PL3	warning	Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
943100	PL1	critical	Possible Session Fixation Attack: Setting Cookie Values in HTML
943110	PL1	critical	Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
943120	PL1	critical	Possible Session Fixation Attack: SessionID Parameter Name with No Referer
949100	PL1	none	Request Denied by IP Reputation Enforcement.
949110	PL1	none	Check of inbound anomaly score
950100	PL2	error	The Application Returned a 500-Level Status Code
950130	PL1	error	Directory Listing
951110	PL1	critical	Microsoft Access SQL Information Leakage
951120	PL1	critical	Oracle SQL Information Leakage
951130	PL1	critical	DB2 SQL Information Leakage
951140	PL1	critical	EMC SQL Information Leakage
951150	PL1	critical	firebird SQL Information Leakage
951160	PL1	critical	Frontbase SQL Information Leakage
951170	PL1	critical	hsqldb SQL Information Leakage
951180	PL1	critical	informix SQL Information Leakage
951190	PL1	critical	ingres SQL Information Leakage
951200	PL1	critical	interbase SQL Information Leakage
951210	PL1	critical	maxDB SQL Information Leakage
951220	PL1	critical	mssql SQL Information Leakage
951230	PL1	critical	mysql SQL Information Leakage
951240	PL1	critical	postgres SQL Information Leakage
951250	PL1	critical	sqlite SQL Information Leakage
951260	PL1	critical	Sybase SQL Information Leakage
952100	PL1	error	Java Source Code Leakage
952110	PL1	error	Java Errors
953100	PL1	error	PHP Information Leakage
953110	PL1	error	PHP source code leakage
953120	PL1	error	PHP source code leakage
954100	PL1	error	Disclosure of IIS install location
954110	PL1	error	Application Availability Error
954120	PL1	error	IIS Information Leakage
954130	PL1	error	IIS Information Leakage
959100	PL1	none	Check of outbound anomaly score
980100	PL1	none	Anomaly score correlation rule
980110	PL1	none	Anomaly score correlation rule
980120	PL1	none	Anomaly score correlation rule
980130	PL1	none	Anomaly score correlation rule
980140	PL1	none	Anomaly score correlation rule
9001000	PL1	none	Drupal rule exception
9001110	PL1	none	Drupal rule exception
9001112	PL1	none	Drupal rule exception
9001114	PL1	none	Drupal rule exception
9001116	PL1	none	Drupal rule exception
9001120	PL1	none	Drupal rule exception
9001122	PL1	none	Drupal rule exception
9001124	PL1	none	Drupal rule exception
9001126	PL1	none	Drupal rule exception
9001128	PL1	none	Drupal rule exception
9001140	PL1	none	Drupal rule exception
9001150	PL1	none	Drupal rule exception
9001170	PL1	none	Drupal rule exception
9001180	PL1	none	Drupal rule exception
9001182	PL1	none	Drupal rule exception
9001184	PL1	none	Drupal rule exception
9001200	PL1	none	Drupal rule exception
9001202	PL1	none	Drupal rule exception
9001204	PL1	none	Drupal rule exception
9001206	PL1	none	Drupal rule exception
9001208	PL1	none	Drupal rule exception
9001210	PL1	none	Drupal rule exception
9001212	PL1	none	Drupal rule exception
9001214	PL1	none	Drupal rule exception
9001216	PL1	none	Drupal rule exception
9002000	PL1	none	WordPress rule exception
9002001	PL1	none	WordPress rule exception
9002100	PL1	none	WordPress rule exception
9002120	PL1	none	WordPress rule exception
9002130	PL1	none	WordPress rule exception
9002150	PL1	none	WordPress rule exception
9002160	PL1	none	WordPress rule exception
9002200	PL1	none	WordPress rule exception
9002400	PL1	none	WordPress rule exception
9002401	PL1	none	WordPress rule exception
9002410	PL1	none	WordPress rule exception
9002420	PL1	none	WordPress rule exception
9002520	PL1	none	WordPress rule exception
9002530	PL1	none	WordPress rule exception
9002540	PL1	none	WordPress rule exception
9002700	PL1	none	WordPress rule exception
9002710	PL1	none	WordPress rule exception
9002720	PL1	none	WordPress rule exception
9002730	PL1	none	WordPress rule exception
9002740	PL1	none	WordPress rule exception
9002750	PL1	none	WordPress rule exception
9002800	PL1	none	WordPress rule exception
9002810	PL1	none	WordPress rule exception
9002820	PL1	none	WordPress rule exception
9002900	PL1	none	WordPress rule exception

Knowledge Base

modsecurity ID in WAF log (reverseproxy.log) finden

ISP-Service

Quick Links

Informationen