# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.3.2 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file. SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) # # This rule is also triggered by an Apache Struts exploit: # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] # # This rule is also triggered by an Apache Struts Remote Code Execution exploit: # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # # This rule is also triggered by an Apache Struts Remote Code Execution exploit: # [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] # # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx java\.lang\.(?:runtime|processbuilder)" \ "id:944100,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] # [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ] # [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ] # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # # Generic rule to detect processbuilder or runtime calls, if any of those is found and the same target contains # java. unmarshaller or base64data to trigger a potential payload execution # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:runtime|processbuilder)" \ "id:944110,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ chain" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected # anomaly score set to critical as all conditions indicate the request try to perform RCE. SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "id:944120,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ "t:none,t:lowercase,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ] # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] # SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \ "@pmFromFile java-classes.data" \ "id:944130,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Suspicious Java class detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) # # [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ] # # Detect exploitation of "Java deserialization" Apache Commons. # # Based on rules by @spartantri. # https://spartantri.com/ModSecurity/?p=44 # # Interesting references about the vulnerability # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ # https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet # # Potential false positives with random fields, the anomaly level is set low to avoid blocking request SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx \xac\xed\x00\x05" \ "id:944200,\ phase:2,\ block,\ log,\ msg:'Magic bytes Detected, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \ "id:944210,\ phase:2,\ block,\ log,\ msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ "id:944240,\ phase:2,\ block,\ t:none,t:lowercase,\ log,\ msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx java\b.+(?:runtime|processbuilder)" \ "id:944250,\ phase:2,\ block,\ t:lowercase,\ log,\ msg:'Remote Command Execution: Suspicious Java method detected',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) # # Interesting keywords for possibly RCE on vulnerable classes and methods base64 encoded # Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure'] #for item in keywords: # pad='\x00' # for padding in xrange(3): # print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:], #cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \ "id:944300,\ phase:2,\ block,\ t:none,\ log,\ msg:'Base64 encoded string matched suspicious keyword',\ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ tag:'application-multi',\ tag:'language-java',\ tag:'platform-multi',\ tag:'attack-rce',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ ver:'OWASP_CRS/3.3.2',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" # # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"