@airween
Created September 13, 2019 20:06
# OWASP CRS rule 941330 ("IE XSS Filters - Attack Detected."), ver OWASP_CRS/3.1.0,
# paranoia-level/2. Kept here as a standalone file so the regression test below can
# pull it in with "Include 941330-2.conf".
#
# Targets: every request cookie except those whose name matches /__utm/ or /_pk_ref/,
# plus cookie names, argument names, argument values and all XML nodes (XML:/*).
#
# Pattern (case-insensitive): a quote (" or ') followed by optional spaces, then
# either a single character outside [a-z0-9~_:' ] or the word "in", then anything
# up to one of the identifiers location, name, onerror or valueOf, then "=".
# Each letter of those identifiers may alternatively appear as a literal \uXXXX
# escape (e.g. "l" or "\u006C"), which is why the regex spells them out letter by
# letter; the "\\u" in the rule is the escaped form of a backslash followed by "u".
#
# Transformations: t:none clears the default chain, then urlDecodeUni,
# htmlEntityDecode and compressWhiteSpace run before the regex. compressWhiteSpace
# folds whitespace runs into one space, which is what makes the "[ ]*" after the
# quote sufficient. The regression test below sends a literal backslash-u sequence
# (\u0076...) and expects a match, i.e. such sequences are presumably left intact
# by these transformations and hit the \\uXXXX alternatives — confirm if changing
# the transformation chain.
#
# Actions: phase:2 (request body phase), block, capture (so the matched text is
# available as TX.0 / tx.0 for logdata and the last setvar). setvar raises
# tx.xss_score and tx.anomaly_score_pl2 by tx.critical_anomaly_score and records
# the match under tx.<rule id>-OWASP_CRS/WEB_ATTACK/XSS-<matched variable name>.
# Whether a match actually results in a denied request depends on the engine
# mode and SecDefaultAction configured around this rule, not on the rule itself.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))|((o|(\\u006F))(n|(\\u006E))(e|(\\u0065))(r|(\\u0072))(r|(\\u0072))(o|(\\u006F))(r|(\\u0072)))|((v|(\\u0076))(a|(\\u0061))(l|(\\u006C))(u|(\\u0075))(e|(\\u0065))(O|(\\u004F))(f|(\\u0066)))).*?=)" \
"id:941330,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
msg:'IE XSS Filters - Attack Detected.',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-xss',\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
tag:'WASCTC/WASC-8',\
tag:'WASCTC/WASC-22',\
tag:'OWASP_TOP_10/A2',\
tag:'OWASP_AppSensor/IE1',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.1.0',\
severity:'CRITICAL',\
setvar:'tx.msg=%{rule.msg}',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
[
{
"enabled":1,
"version_min":300000,
"title":"Testing setvar :: OWASP CRS id:941330",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host": "localhost"
},
"uri":"/?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d",
"method":"GET"
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecDefaultAction \"phase:2,deny,block,status:400,log\"",
"Include 941330-2.conf"
]
}
]