Remove mostly redundant 944220 in favor of 944240

rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf

@@ -17,7 +17,6 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAf
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
 #
-# Renamed 944200 to 944100
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx java\.lang\.(?:runtime|processbuilder)" \
     "id:944100,\
@@ -50,7 +49,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 # java. unmarshaller or base64data to trigger a potential payload execution
 # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
 
-# Renamed 944210 to 944110
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx (?:runtime|processbuilder)" \
     "id:944110,\
@@ -78,8 +76,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
             setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
             setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
 
-# Renamed 944220 to 944120
-# Moved 944340 to 944220
 # Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
 # anomaly score set to critical as all conditions indicate the request try to perform RCE.
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
@@ -110,7 +106,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
         setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
 
-# Renamed 944230 to 944130
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@pmf java-classes.data" \
     "id:944130,\
@@ -153,7 +148,6 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAf
 # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
 # https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
 #
-# Renamed 944300 to 944200
 # Potential false positives with random fields, the anomaly level is set low to avoid blocking request
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx \xac\xed\x00\x05" \
@@ -179,7 +173,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
 
-# Renamed 944310 to 944210
 # Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
@@ -205,35 +198,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
 
-# Renamed 944320 to 944220
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
-    "@rx [a-zA-Z0-9\-_]{45}(?:[a-zA-Z0-9\-_]{3})*(?:[a-zA-Z0-9\-_]{1}==|[a-zA-Z0-9\-_]{2}=)?" \
-    "id:944220,\
-    phase:2,\
-    block,\
-    log,\
-    msg:'Probable vulnerable java class in use',\
-    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
-    tag:'application-multi',\
-    tag:'language-java',\
-    tag:'platform-multi',\
-    tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
-    tag:'WASCTC/WASC-31',\
-    tag:'OWASP_TOP_10/A1',\
-    tag:'PCI/6.5.2',\
-    tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule MATCHED_VARS "@rx (?:runtime|processbuilder|clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
-        "t:base64Decode,t:lowercase,\
-        setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
-
-# Renamed 944340 to 944240
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
     "id:944240,\
@@ -259,7 +223,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{matched_var}'"
 
-# Renamed 944350 to 944250
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx java\b.+(?:runtime|processbuilder)" \
     "id:944250,\
@@ -292,7 +255,6 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAf
 #
 # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
 #
-# Renamed 944400 to 944300
 # Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded
 # Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
 #for item in keywords:

util/docker/docker-entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-python -c "import re;import os;out=re.sub('(#SecAction[\S\s]*id:900000[\s\S]*paranoia_level=1\")','SecAction \\\\\n  \"id:900000, \\\\\n   phase:1, \\\\\n   nolog, \\\\\n   pass, \\\\\n   t:none, \\\\\n   setvar:tx.paranoia_level='+os.environ['PARANOIA']+'\"',open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','r').read());open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','w').write(out)" && \
-python -c "import re;import os;out=re.sub('(#SecAction[\S\s]*id:900330[\s\S]*total_arg_length=64000\")','SecAction \\\\\n \"id:900330, \\\\\n phase:1, \\\\\n nolog, \\\\\n pass, \\\\\n t:none, \\\\\n setvar:tx.total_arg_length=64000\"',open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','r').read());open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','w').write(out)" && \
+python -c "import re;import os;out=re.sub('(#SecAction[\S\s]{7}id:900000[\s\S]*tx\.paranoia_level=1\")','SecAction \\\\\n  \"id:900000, \\\\\n   phase:1, \\\\\n   nolog, \\\\\n   pass, \\\\\n   t:none, \\\\\n   setvar:tx.paranoia_level='+os.environ['PARANOIA']+'\"',open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','r').read());open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','w').write(out)" && \
+python -c "import re;import os;out=re.sub('(#SecAction[\S\s]{6}id:900330[\s\S]*total_arg_length=64000\")','SecAction \\\\\n \"id:900330, \\\\\n phase:1, \\\\\n nolog, \\\\\n pass, \\\\\n t:none, \\\\\n setvar:tx.total_arg_length=64000\"',open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','r').read());open('/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf','w').write(out)" && \
 
 if [ ! -z $PROXY ]; then
   if [ $PROXY -eq 1 ]; then