Add PL1 tag.

Author: annawinkler

rules/REQUEST-910-IP-REPUTATION.conf

@@ -38,6 +38,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
     severity:'CRITICAL',\
     chain,\
@@ -66,6 +67,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     severity:'CRITICAL',\
     chain"
     SecRule TX:REAL_IP "@geoLookup" \
@@ -96,6 +98,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
 #    tag:'language-multi',\
 #    tag:'platform-multi',\
 #    tag:'attack-reputation-ip',\
+#    tag:'paranoia-level/1',\
 #    severity:'CRITICAL',\
 #    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 #    setvar:'ip.reput_block_flag=1',\
@@ -117,6 +120,7 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     skipAfter:END-RBL-LOOKUP"
 
 #
@@ -138,6 +142,7 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
     pass,\
     t:none,\
     nolog,\
+    tag:'paranoia-level/1',\
     chain,\
     skipAfter:END-RBL-CHECK"
     SecRule &TX:block_harvester_ip "@eq 0" \
@@ -157,6 +162,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     setvar:'tx.httpbl_msg=%{tx.0}',\
     chain"
     SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
@@ -175,6 +181,7 @@ SecRule TX:block_search_ip "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     severity:'CRITICAL',\
     chain,\
     skipAfter:END-RBL-CHECK"
@@ -196,6 +203,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     severity:'CRITICAL',\
     chain,\
     skipAfter:END-RBL-CHECK"
@@ -217,6 +225,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     severity:'CRITICAL',\
     chain,\
     skipAfter:END-RBL-CHECK"
@@ -238,6 +247,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     severity:'CRITICAL',\
     chain,\
     skipAfter:END-RBL-CHECK"
@@ -259,6 +269,7 @@ SecAction \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
+    tag:'paranoia-level/1',\
     setvar:'ip.previous_rbl_check=1',\
     expirevar:'ip.previous_rbl_check=86400'"
 

rules/REQUEST-911-METHOD-ENFORCEMENT.conf

@@ -34,6 +34,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-generic',\
+    tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
     tag:'WASCTC/WASC-15',\

rules/REQUEST-912-DOS-PROTECTION.conf

@@ -109,6 +109,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     chain"
     SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
@@ -131,6 +132,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     setvar:'ip.dos_block_counter=+1'"
 
@@ -151,6 +153,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     skipAfter:END-DOS-PROTECTION-CHECKS"
 
@@ -168,6 +171,7 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     setvar:'tx.extension=/%{TX.1}/',\
     chain"
@@ -196,6 +200,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     chain"
     SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
@@ -213,6 +218,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     chain"
     SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
@@ -236,6 +242,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'paranoia-level/1',\
     tag:'attack-dos',\
     setvar:'ip.dos_block=1',\
     expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"

rules/REQUEST-913-SCANNER-DETECTION.conf

@@ -42,6 +42,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\
@@ -66,6 +67,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\
@@ -92,6 +94,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\