airween/rule-941330.json

## rule-941330.json
[
  {
    "enabled":0,
    "version_min":300000,
    "title":"Testing setvar :: OWASP CRS id:941330",
    "client":{
      "ip":"200.249.12.31",
      "port":123
    },
    "server":{
      "ip":"200.249.12.31",
      "port":80
    },
    "request":{
      "headers":{
          "Host": "localhost"
      },
      "uri":"/?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d",
      "method":"GET"
    },
    "response":{
      "headers":{
        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
        "Content-Type":"text/html"
      },
      "body":[
        "no need."
      ]
    },
    "expected":{
      "http_code":400
    },
    "rules":[
      "SecRuleEngine On",
      "SecDefaultAction \"phase:2,deny,block,status:400,log\"",
      "SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \"@rx (?i:[\\\"\\'][ ]*(([^a-z0-9~_:\\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)\" \"id:941330,phase:2,block,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,msg:'IE XSS Filters - Attack Detected.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',setvar:'tx.msg=%{rule.msg}',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'\""
    ]
  }
]
	[
	{
	"enabled":0,
	"version_min":300000,
	"title":"Testing setvar :: OWASP CRS id:941330",
	"client":{
	"ip":"200.249.12.31",
	"port":123
	},
	"server":{
	"ip":"200.249.12.31",
	"port":80
	},
	"request":{
	"headers":{
	"Host": "localhost"
	},
	"uri":"/?var=%22in%20\\u0076\\u0061l\\u0075e\\u004F\\u0066%3d",
	"method":"GET"
	},
	"response":{
	"headers":{
	"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
	"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
	"Content-Type":"text/html"
	},
	"body":[
	"no need."
	]
	},
	"expected":{
	"http_code":400
	},
	"rules":[
	"SecRuleEngine On",
	"SecDefaultAction \"phase:2,deny,block,status:400,log\"",
	"SecRule REQUEST_COOKIES\|!REQUEST_COOKIES:/__utm/\|!REQUEST_COOKIES:/_pk_ref/\|REQUEST_COOKIES_NAMES\|ARGS_NAMES\|ARGS\|XML:/* \"@rx (?i:[\\\"\\'][ ](([^a-z0-9~_:\\' ])\|(in)).?(((l\|(\\\\u006C))(o\|(\\\\u006F))(c\|(\\\\u0063))(a\|(\\\\u0061))(t\|(\\\\u0074))(i\|(\\\\u0069))(o\|(\\\\u006F))(n\|(\\\\u006E)))\|((n\|(\\\\u006E))(a\|(\\\\u0061))(m\|(\\\\u006D))(e\|(\\\\u0065)))\|((o\|(\\\\u006F))(n\|(\\\\u006E))(e\|(\\\\u0065))(r\|(\\\\u0072))(r\|(\\\\u0072))(o\|(\\\\u006F))(r\|(\\\\u0072)))\|((v\|(\\\\u0076))(a\|(\\\\u0061))(l\|(\\\\u006C))(u\|(\\\\u0075))(e\|(\\\\u0065))(O\|(\\\\u004F))(f\|(\\\\u0066)))).*?=)\" \"id:941330,phase:2,block,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,msg:'IE XSS Filters - Attack Detected.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ver:'OWASP_CRS/3.1.0',severity:'CRITICAL',setvar:'tx.msg=%{rule.msg}',setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'\""
	]
	}
	]