This repository has been archived by the owner on May 14, 2020. It is now read-only.

Revert #578
Stop decoding things twice. See #590 for details.
fgsch committed Dec 4, 2019
1 parent 7c7ac0b commit ce9b6c5
Showing 6 changed files with 19 additions and 19 deletions.
2 changes: 1 addition & 1 deletion rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Expand Up @@ -1522,7 +1522,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
t:none,t:htmlEntityDecode,t:lowercase,\
log,\
msg:'Abnormal character escapes in request',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
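Review bot: REQUEST_URI and REQUEST_HEADERS in this rule's target list are, as far as I know, not URL-decoded by the engine the way ARGS and ARGS_NAMES are, so removing `t:urlDecodeUni` from the shared transformation line takes away the only URL decode those two targets had. A percent-encoded escape sequence in the path or in a header value would then reach the `@rx` still encoded. Consider splitting the rule (under a new id) so that the ARGS|ARGS_NAMES copy uses `t:none,t:htmlEntityDecode,t:lowercase,\` while the REQUEST_URI|REQUEST_HEADERS copy keeps `t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\`. The rule's id and its remaining actions lie outside the visible hunk, so this should be checked against the full rule.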
10 changes: 5 additions & 5 deletions rules/REQUEST-921-PROTOCOL-ATTACK.conf
Expand Up @@ -35,7 +35,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Request Smuggling Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
t:none,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand All @@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Response Splitting Attack',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -154,7 +154,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
t:none,t:htmlEntityDecode,\
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand All @@ -176,7 +176,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?c
phase:1,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
t:none,t:htmlEntityDecode,t:lowercase,\
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
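Review bot: The two response-splitting rules (hunks at -68 and -90) list REQUEST_COOKIES and REQUEST_COOKIES_NAMES next to the argument collections, and cookie values are, to my knowledge, not URL-decoded by the engine, so after dropping `t:urlDecodeUni` a percent-encoded CR/LF in a cookie is matched as sent rather than decoded. The same applies to the cookie targets visible in the hunk headers of the 932, 933 and 941 sections of this commit. If double decoding of ARGS is the only concern, one option is a cookie-only copy of each rule that keeps `t:urlDecodeUni`; at minimum a comment above each rule such as `# ARGS are already URL-decoded by the engine; cookies are inspected as sent` would record the trade-off. The variable lists are truncated in the hunk headers, so the full target set needs checking before deciding.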
8 changes: 4 additions & 4 deletions rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Expand Up @@ -318,7 +318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
t:none,t:cmdLine,t:lowercase,\
msg:'Remote Command Execution: Windows PowerShell Command Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:cmdLine,\
t:none,t:cmdLine,\
msg:'Remote Command Execution: Unix Shell Expression Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -406,7 +406,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:cmdLine,\
t:none,t:cmdLine,\
msg:'Remote Command Execution: Windows FOR/IF Command Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -498,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
t:none,t:cmdLine,t:normalizePath,t:lowercase,\
msg:'Remote Command Execution: Unix Shell Code Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
4 changes: 2 additions & 2 deletions rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Expand Up @@ -48,7 +48,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
t:none,t:lowercase,\
msg:'PHP Injection Attack: PHP Open Tag Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
t:none,t:normalisePath,t:lowercase,\
msg:'PHP Injection Attack: Configuration Directive Found',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
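Review bot: The transformation on the configuration-directive rule (hunk at -117) is spelled `t:normalisePath`, while the 932 file in this same commit uses `t:normalizePath`. Both spellings are accepted by ModSecurity, but since the line is being edited anyway it would be cleaner to settle on one across the rule set, e.g. `t:none,t:normalizePath,t:lowercase,\`.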
10 changes: 5 additions & 5 deletions rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Expand Up @@ -624,7 +624,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -655,7 +655,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -884,7 +884,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
t:none,t:jsDecode,t:lowercase,\
msg:'Possible XSS Attack Detected - HTML Tag Handler',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand All @@ -909,7 +909,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
t:none,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -937,7 +937,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
t:none,t:htmlEntityDecode,t:compressWhitespace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
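Review bot: The US-ASCII and UTF-7 rules (hunks at -624 and -655) still carry `t:urlDecode` after this change, so already-decoded arguments are URL-decoded a second time there, which is the behaviour the commit message says it is stopping. If the extra decode is intentional for these encoding-specific checks, state that in a comment above the rules, e.g. `# t:urlDecode kept on purpose: <reason>`. Otherwise drop it as well, giving `t:none,t:lowercase,t:htmlEntityDecode,t:jsDecode,\` and `t:none,t:htmlEntityDecode,t:jsDecode,\`. Either way the two rules should end up consistent with the other 941 rules changed in this section.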
4 changes: 2 additions & 2 deletions rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Expand Up @@ -56,7 +56,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
t:none,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
Expand Down Expand Up @@ -85,7 +85,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,\
t:none,t:lowercase,\
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
