View file File name : REQUEST-949-BLOCKING-EVALUATION.conf Content :# ------------------------------------------------------------------------ # OWASP CRS ver.4.7.0-dev # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # Copyright (c) 2021-2024 CRS project. All rights reserved. # # The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # # Summing up the blocking and detection anomaly scores in phase 1 # even when early blocking is disabled, we need to sum up the scores in phase 1 # this prevents bugs in phase 5 if Apache skips phases because of error handling # See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ "id:949052,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ "id:949152,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ "id:949053,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ "id:949153,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ "id:949054,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ "id:949154,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ "id:949055,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ "id:949155,\ phase:1,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" # at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores # this is necessary because the per-PL scores are counted across phases SecAction \ "id:949059,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=0'" SecAction \ "id:949159,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=0'" # Summing up the blocking and detection anomaly scores in phase 2 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \ "id:949060,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \ "id:949160,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \ "id:949061,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \ "id:949161,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \ "id:949062,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \ "id:949162,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'" SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \ "id:949063,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \ "id:949163,\ phase:2,\ pass,\ t:none,\ nolog,\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'" SecMarker "BEGIN-REQUEST-BLOCKING-EVAL" # # -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=- # # if early blocking is active, check threshold in phase 1 SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ "id:949111,\ phase:1,\ deny,\ t:none,\ msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev',\ chain" SecRule TX:EARLY_BLOCKING "@eq 1" # always check threshold in phase 2 SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ "id:949110,\ phase:2,\ deny,\ t:none,\ msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ tag:'OWASP_CRS',\ ver:'OWASP_CRS/4.7.0-dev'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) # SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0-dev',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"