@@ -33,6 +33,42 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:932012,nolog,pass,skipAfter:END-RE
3333#
3434# To prevent false positives, we look for a 'starting sequence' that
3535# precedes a command in shell syntax, such as: ; | & $( ` <( >(
36+ # Anatomy of the regexp with examples of patterns caught:
37+ #
38+ # 1. Starting tokens
39+ #
40+ # ; ;ifconfig
41+ # \{ {ifconfig}
42+ # \| |ifconfig
43+ # \|\| ||ifconfig
44+ # & &ifconfig
45+ # && &&ifconfig
46+ # \n ;\nifconfig
47+ # \r ;\rifconfig
48+ # \$\( $(ifconfig)
49+ # $\(\( $((ifconfig))
50+ # ` `ifconfig`
51+ # \${ ${ifconfig}
52+ # <\( <( ifconfig )
53+ # >\( >( ifconfig )
54+ # \(\s*\) a() ( ifconfig; ); a
55+ #
56+ # 2. Command prefixes
57+ #
58+ # { { ifconfig }
59+ # \s*\(\s* ( ifconfig )
60+ # \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig
61+ # !\s* ! ifconfig
62+ # \$ $ifconfig
63+ #
64+ # 3. Quoting
65+ #
66+ # ' 'ifconfig'
67+ # \" "ifconfig"
68+ #
69+ # 4. Paths
70+ #
71+ # [\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc.
3672#
3773# This rule is case-sensitive to prevent FP ("Cat" vs. "cat").
3874#
@@ -141,6 +177,45 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
141177# To prevent false positives, we look for a 'starting sequence' that
142178# precedes a command in CMD syntax, such as: ; | & `
143179#
180+ # Anatomy of the regexp:
181+ #
182+ # 1. Starting tokens
183+ #
184+ # ; ;cmd
185+ # \{ {cmd
186+ # \| |cmd
187+ # \|\| ||cmd
188+ # & &cmd
189+ # && &&cmd
190+ # \n \ncmd
191+ # \r \rcmd
192+ # ` `cmd
193+ #
194+ # 2. Command prefixes
195+ #
196+ # ( (cmd)
197+ # , ,cmd
198+ # @ @cmd
199+ # ' 'cmd'
200+ # " "cmd"
201+ # \s spacing+cmd
202+ #
203+ # 3. Paths
204+ #
205+ # [\w'\"\./]+/ /path/cmd
206+ # [\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\ C:\Program Files\cmd
207+ # [\^\.\w '\"/\\\\]*\\\\)?[\"\^]* \\net\share\dir\cmd
208+ #
209+ # 4. Quoting
210+ #
211+ # \" "cmd"
212+ # \^ ^cmd
213+ #
214+ # 5. Extension/switches
215+ #
216+ # \.[\"\^]*\w+ cmd.com, cmd.exe, etc.
217+ # /b cmd/h
218+ #
144219# An effort is made to combat evasions by CMD syntax; for example,
145220# the following strings are valid: c^md, @cmd, "c"md. ModSecurity
146221# has a t:cmdLine transformation built-in to deal with some of these,
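Review bot: The "Extension/switches" entry added in the second hunk (`/b cmd/h`) contradicts itself — the token column says `/b` but the example `cmd/h` does not contain it; either change the example to `cmd/b` or, if the rule's regex really accepts any letter after the slash, change the token to match it (for example `/\w cmd/h`). In the first hunk's "Command prefixes" entry the alternation is written as `\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+`, which lists `\$.*` twice; if that mirrors the live regex the second alternative is dead and can be dropped, and if it does not, the anatomy misstates the regex. Because these anatomies are transcribed by hand from the expression rather than generated from it, a short caveat such as `# NOTE: keep this anatomy in sync with the regex below; tokens are illustrative, not the literal expression` at the top of each would help the next editor. The regexes the comments describe are outside both hunks, so these remarks concern the comment text only.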