Linux bear.hostingplus.cl 4.18.0-513.18.1.lve.2.el8.x86_64 #1 SMP Sat Mar 30 15:36:11 UTC 2024 x86_64
LiteSpeed
Server IP : 192.140.57.17 & Your IP : 216.73.216.28
Domains :
Cant Read [ /etc/named.conf ]
User : explo
Terminal
Auto Root
Create File
Create Folder
Localroot Suggester
Backdoor Destroyer
Readme
/
opt /
bitninja-waf /
etc /
crs /
rules /
Delete
Unzip
Name
Size
Permission
Date
Action
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
7.3
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-901-INITIALIZATION.conf
9.8
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
12.59
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
18.22
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-905-COMMON-EXCEPTIONS.conf
1.37
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-910-IP-REPUTATION.conf
9.92
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-911-METHOD-ENFORCEMENT.conf
2.62
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-912-DOS-PROTECTION.conf
9.05
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-913-SCANNER-DETECTION.conf
7.49
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-920-PROTOCOL-ENFORCEMENT.conf
47.59
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-921-PROTOCOL-ATTACK.conf
12.32
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-930-APPLICATION-ATTACK-LFI.conf
6.31
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-931-APPLICATION-ATTACK-RFI.conf
5.64
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-932-APPLICATION-ATTACK-RCE.conf
46.28
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-933-APPLICATION-ATTACK-PHP.conf
31.93
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-941-APPLICATION-ATTACK-XSS.conf
40.37
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
55.7
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
5.33
KB
-rw-r--r--
2026-03-10 01:32
REQUEST-949-BLOCKING-EVALUATION.conf
3.23
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-950-DATA-LEAKAGES.conf
3.72
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-951-DATA-LEAKAGES-SQL.conf
19.47
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-952-DATA-LEAKAGES-JAVA.conf
3.7
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-953-DATA-LEAKAGES-PHP.conf
5.03
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-954-DATA-LEAKAGES-IIS.conf
5.85
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-959-BLOCKING-EVALUATION.conf
2.78
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-980-CORRELATION.conf
4.31
KB
-rw-r--r--
2026-03-10 01:32
RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
2.93
KB
-rw-r--r--
2026-03-10 01:32
crawlers-user-agents.data
659
B
-rw-r--r--
2026-03-10 01:32
iis-errors.data
551
B
-rw-r--r--
2026-03-10 01:32
java-code-leakages.data
264
B
-rw-r--r--
2026-03-10 01:32
java-errors.data
240
B
-rw-r--r--
2026-03-10 01:32
lfi-os-files.data
29.4
KB
-rw-r--r--
2026-03-10 01:32
php-config-directives.data
5.28
KB
-rw-r--r--
2026-03-10 01:32
php-errors.data
8.93
KB
-rw-r--r--
2026-03-10 01:32
php-function-names-933150.data
589
B
-rw-r--r--
2026-03-10 01:32
php-function-names-933151.data
20.88
KB
-rw-r--r--
2026-03-10 01:32
php-variables.data
224
B
-rw-r--r--
2026-03-10 01:32
restricted-files.data
722
B
-rw-r--r--
2026-03-10 01:32
scanners-headers.data
216
B
-rw-r--r--
2026-03-10 01:32
scanners-urls.data
418
B
-rw-r--r--
2026-03-10 01:32
scanners-user-agents.data
4.01
KB
-rw-r--r--
2026-03-10 01:32
scripting-user-agents.data
717
B
-rw-r--r--
2026-03-10 01:32
sql-errors.data
1.85
KB
-rw-r--r--
2026-03-10 01:32
sql-function-names.data
1.93
KB
-rw-r--r--
2026-03-10 01:32
unix-shell.data
943
B
-rw-r--r--
2026-03-10 01:32
windows-powershell-commands.data
3.83
KB
-rw-r--r--
2026-03-10 01:32
Save
Rename
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:921011,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # # -=[ HTTP Request Smuggling ]=- # # [ Rule Logic ] # This rule looks for a comma character in either the Content-Length or Transfer-Encoding # request headers. This character would indicate that there were more than one request header # with this same name. In these instances, Apache treats the data in a similar manner as # multiple cookie values. # # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299 # SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \ "msg:'HTTP Request Smuggling Attack.',\ phase:request,\ id:921100,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ t:none,\ capture,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\ tag:'WASCTC/WASC-26',\ tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Request Smuggling ]=- # # [ Rule Logic ] # This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name. # This would point to an attempt to inject a 2nd request into the request, thus bypassing # tests carried out on the primary request. # # [ References ] # http://projects.webappsec.org/HTTP-Request-Smuggling # SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \ "msg:'HTTP Request Smuggling Attack',\ phase:request,\ id:921110,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Response Splitting ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. # These characters may cause problems if the data is returned in a respones header and # may be interpreted by an intermediary proxy server and treated as two separate # responses. # # [ References ] # http://projects.webappsec.org/HTTP-Response-Splitting # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \ "msg:'HTTP Response Splitting Attack',\ phase:request,\ id:921120,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ t:none,t:urlDecodeUni,t:lowercase,\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \ "msg:'HTTP Response Splitting Attack',\ phase:request,\ id:921130,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" # # -=[ HTTP Header Injection ]=- # # [ Rule Logic ] # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, # on their own or in combination with header field names. # These characters may cause problems if the data is returned in a respones header # and interpreted by the client. # The rules are similar to rules defending against the HTTP Request Splitting and # Request Smuggling rules. # # [ References ] # https://en.wikipedia.org/wiki/HTTP_header_injection # SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "(\n|\r)" \ "msg:'HTTP Header Injection Attack via headers',\ phase:request,\ id:921140,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" # Detect newlines in argument names. # Checking for GET arguments has been moved to paranoia level 2 (921151) # in order to mitigate possible false positives. # SecRule ARGS_NAMES "(\n|\r)" \ "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ phase:request,\ id:921150,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',chain" SecRule &TX:BN_XMLRPC_CALL "@eq 0" \ "setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \ "msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ phase:request,\ id:921160,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:921013,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # # Detect newlines in GET argument values. # These may point to a HTTP header injection attack, but can also sometimes # occur in benign query parameters. # # See also: rule 921140, 921150 # SecRule ARGS_GET "(\n|\r)" \ "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ phase:request,\ id:921151,\ rev:'1',\ ver:'OWASP_CRS/3.0.0',\ maturity:'5',\ accuracy:'5',\ severity:'CRITICAL',\ capture,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/2',\ t:none,t:urlDecodeUni,t:htmlEntityDecode,\ ctl:auditLogParts=+E,\ block,\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:921015,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:921016,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # # # -=[ HTTP Parameter Polution ]=- # # [ Rule Logic ] # These rules look for multiple parameters with the same name. # 921170 counts the occurrences of the individual parameters. # 921180 checks if any counter is > 1. # # One HPP attack vector is to try evade signature filters by distributing the # attack payload across multiple parameters with the same name. # This works as many security devices only apply signatures to individual # parameter payloads, however the back-end web application may (in the case # of ASP.NET) consolidate all of the payloads into one thus making the # attack payload active. # # [ References ] # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html # https://capec.mitre.org/data/definitions/460.html # SecRule ARGS_NAMES "." \ "phase:request,\ id:921170,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ pass,\ nolog,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/paramcounter_.*/ "@gt 1" \ "msg:'HTTP Parameter Pollution (%{TX.1})',\ chain,\ phase:request,\ id:921180,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'7',\ accuracy:'8',\ severity:'CRITICAL',\ pass,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-protocol',\ tag:'paranoia-level/3',\ tag:'CAPEC-460',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'" SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" \ "capture,\ setvar:tx.msg=%{rule.msg},\ setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:921017,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:921018,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"