Firewall Rules

We enabled firewall rules for most of the OWASP Core Rule Set (CRS). See https://coreruleset.org/ for details.

| Rule Group | Rule ID | Status | Description |
|---|---|---|---|
| General | 200004 | ✅ | Possible Multipart Unmatched Boundary. |
| REQUEST‑911‑METHOD‑ENFORCEMENT | 911100 | ✅ | Method is not allowed by policy |
| REQUEST‑913‑SCANNER‑DETECTION | 913100 | ✅ | Found User-Agent associated with security scanner |
| REQUEST‑913‑SCANNER‑DETECTION | 913101 | ✅ | Found User-Agent associated with scripting/generic HTTP client |
| REQUEST‑913‑SCANNER‑DETECTION | 913102 | ✅ | Found User-Agent associated with web crawler/bot |
| REQUEST‑913‑SCANNER‑DETECTION | 913110 | ✅ | Found request header associated with security scanner |
| REQUEST‑913‑SCANNER‑DETECTION | 913120 | ✅ | Found request filename/argument associated with security scanner |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920100 | ✅ | Invalid HTTP Request Line |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920120 | ✅ | Attempted multipart/form-data bypass |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920130 | ✅ | Failed to parse request body. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920140 | ✅ | Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FLE %{MULTIPART_FILE_LIMIT_EXCEEDED} |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920160 | ✅ | Content-Length HTTP header is not numeric. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920170 | ✅ | GET or HEAD Request with Body Content. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920180 | ✅ | POST request missing Content-Length Header. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920190 | ✅ | Range: Invalid Last Byte Value. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920200 | ✅ | Range: Too many fields (6 or more) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920201 | ✅ | Range: Too many fields for pdf request (35 or more) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920202 | ✅ | Range: Too many fields for pdf request (6 or more) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920210 | ✅ | Multiple/Conflicting Connection Header Data Found. |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920220 | ✅ | URL Encoding Abuse Attack Attempt |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920230 | ✅ | Multiple URL Encoding Detected |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920240 | ✅ | URL Encoding Abuse Attack Attempt |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920250 | ✅ | UTF8 Encoding Abuse Attack Attempt |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920260 | ✅ | Unicode Full/Half Width Abuse Attack Attempt |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920270 | ✅ | Invalid character in request (null character) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920271 | ✅ | Invalid character in request (non printable characters) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920272 | ✅ | Invalid character in request (outside of printable chars below ascii 127) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920273 | ✅ | Invalid character in request (outside of very strict set) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920274 | ✅ | Invalid character in request headers (outside of very strict set) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920280 | ✅ | Request Missing a Host Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920290 | ✅ | Empty Host Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920300 | ✅ | Request Missing an Accept Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920310 | ✅ | Request Has an Empty Accept Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920311 | ✅ | Request Has an Empty Accept Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920320 | ✅ | Missing User Agent Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920330 | ✅ | Empty User Agent Header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920340 | ✅ | Request Containing Content, but Missing Content-Type header |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920350 | ✅ | Host header is a numeric IP address |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920420 | ✅ | Request content type is not allowed by policy |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920430 | ✅ | HTTP protocol version is not allowed by policy |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920440 | ✅ | URL file extension is restricted by policy |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920450 | ✅ | HTTP header is restricted by policy (%{MATCHED_VAR}) |
| REQUEST‑920‑PROTOCOL‑ENFORCEMENT | 920460 | ✅ | Abnormal Escape Characters |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921100 | ✅ | HTTP Request Smuggling Attack. |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921110 | ✅ | HTTP Request Smuggling Attack |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921120 | ✅ | HTTP Response Splitting Attack |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921130 | ✅ | HTTP Response Splitting Attack |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921140 | ✅ | HTTP Header Injection Attack via headers |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921150 | ✅ | HTTP Header Injection Attack via payload (CR/LF detected) |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921151 | ✅ | HTTP Header Injection Attack via payload (CR/LF detected) |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921160 | ✅ | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921170 | ✅ | HTTP Parameter Pollution |
| REQUEST‑921‑PROTOCOL‑ATTACK | 921180 | ✅ | HTTP Parameter Pollution (%{TX.1}) |
| REQUEST‑930‑APPLICATION‑ATTACK‑LFI | 930100 | ✅ | Path Traversal Attack (/../) |
| REQUEST‑930‑APPLICATION‑ATTACK‑LFI | 930110 | ✅ | Path Traversal Attack (/../) |
| REQUEST‑930‑APPLICATION‑ATTACK‑LFI | 930120 | ✅ | OS File Access Attempt |
| REQUEST‑930‑APPLICATION‑ATTACK‑LFI | 930130 | ✅ | Restricted File Access Attempt |
| REQUEST‑931‑APPLICATION‑ATTACK‑RFI | 931100 | ✅ | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| REQUEST‑931‑APPLICATION‑ATTACK‑RFI | 931110 | ✅ | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| REQUEST‑931‑APPLICATION‑ATTACK‑RFI | 931120 | ✅ | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| REQUEST‑931‑APPLICATION‑ATTACK‑RFI | 931130 | ✅ | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932100 | ✅ | Remote Command Execution: Unix Command Injection |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932105 | ✅ | Remote Command Execution: Unix Command Injection |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932110 | ✅ | Remote Command Execution: Windows Command Injection |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932115 | ✅ | Remote Command Execution: Windows Command Injection |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932120 | ✅ | Remote Command Execution: Windows PowerShell Command Found |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932130 | ✅ | Remote Command Execution: Unix Shell Expression Found |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932140 | ✅ | Remote Command Execution: Windows FOR/IF Command Found |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932150 | ✅ | Remote Command Execution: Direct Unix Command Execution |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932160 | ✅ | Remote Command Execution: Unix Shell Code Found |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932170 | ✅ | Remote Command Execution: Shellshock (CVE-2014-6271) |
| REQUEST‑932‑APPLICATION‑ATTACK‑RCE | 932171 | ✅ | Remote Command Execution: Shellshock (CVE-2014-6271) |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933100 | ✅ | PHP Injection Attack: Opening/Closing Tag Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933110 | ✅ | PHP Injection Attack: PHP Script File Upload Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933111 | ✅ | PHP Injection Attack: PHP Script File Upload Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933120 | ✅ | PHP Injection Attack: Configuration Directive Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933130 | ✅ | PHP Injection Attack: Variables Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933131 | ✅ | PHP Injection Attack: Variables Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933140 | ✅ | PHP Injection Attack: I/O Stream Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933150 | ✅ | PHP Injection Attack: High-Risk PHP Function Name Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933151 | ✅ | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933160 | ✅ | PHP Injection Attack: High-Risk PHP Function Call Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933161 | ✅ | PHP Injection Attack: Low-Value PHP Function Call Found |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933170 | ✅ | PHP Injection Attack: Serialized Object Injection |
| REQUEST‑933‑APPLICATION‑ATTACK‑PHP | 933180 | ✅ | PHP Injection Attack: Variable Function Call Found |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941100 | ✅ | XSS Attack Detected via libinjection |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941110 | ✅ | XSS Filter - Category 1: Script Tag Vector |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941120 | ✅ | XSS Filter - Category 2: Event Handler Vector |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941130 | ✅ | XSS Filter - Category 3: Attribute Vector |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941140 | ✅ | XSS Filter - Category 4: Javascript URI Vector |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941150 | ✅ | XSS Filter - Category 5: Disallowed HTML Attributes |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941160 | ✅ | NoScript XSS InjectionChecker: HTML Injection |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941170 | ✅ | NoScript XSS InjectionChecker: Attribute Injection |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941180 | ✅ | Node-Validator Blacklist Keywords |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941190 | ✅ | XSS Using style sheets |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941200 | ✅ | XSS using VML frames |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941210 | ✅ | XSS using obfuscated JavaScript |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941220 | ✅ | XSS using obfuscated VB Script |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941230 | ✅ | XSS using 'embed' tag |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941240 | ✅ | XSS using 'import' or 'implementation' attribute |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941250 | ✅ | IE XSS Filters - Attack Detected. |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941260 | ✅ | XSS using 'meta' tag |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941270 | ✅ | XSS using 'link' href |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941280 | ✅ | XSS using 'base' tag |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941290 | ✅ | XSS using 'applet' tag |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941300 | ✅ | XSS using 'object' tag |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941310 | ✅ | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941320 | ✅ | Possible XSS Attack Detected - HTML Tag Handler |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941330 | ✅ | IE XSS Filters - Attack Detected. |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941340 | ✅ | IE XSS Filters - Attack Detected. |
| REQUEST‑941‑APPLICATION‑ATTACK‑XSS | 941350 | ✅ | UTF-7 Encoding IE XSS - Attack Detected. |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942100 | ✅ | SQL Injection Attack Detected via libinjection |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942110 | ✅ | SQL Injection Attack: Common Injection Testing Detected |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942120 | ✅ | SQL Injection Attack: SQL Operator Detected |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942130 | ✅ | SQL Injection Attack: SQL Tautology Detected. |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942140 | ✅ | SQL Injection Attack: Common DB Names Detected |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942150 | ✅ | SQL Injection Attack |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942160 | ✅ | Detects blind sqli tests using sleep() or benchmark(). |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942170 | ✅ | Detects SQL benchmark and sleep injection attempts including conditional queries |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942180 | ✅ | Detects basic SQL authentication bypass attempts 1/3 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942190 | ✅ | Detects MSSQL code execution and information gathering attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942200 | ✅ | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942210 | ✅ | Detects chained SQL injection attempts 1/2 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942220 | ✅ | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942230 | ✅ | Detects conditional SQL injection attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942240 | ✅ | Detects MySQL charset switch and MSSQL DoS attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942250 | ✅ | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942251 | ✅ | Detects HAVING injections |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942260 | ✅ | Detects basic SQL authentication bypass attempts 2/3 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942270 | ✅ | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942280 | ✅ | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942290 | ✅ | Finds basic MongoDB SQL injection attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942300 | ✅ | Detects MySQL comments, conditions and ch(a)r injections |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942310 | ✅ | Detects chained SQL injection attempts 2/2 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942320 | ✅ | Detects MySQL and PostgreSQL stored procedure/function injections |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942330 | ✅ | Detects classic SQL injection probings 1/2 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942340 | ✅ | Detects basic SQL authentication bypass attempts 3/3 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942350 | ✅ | Detects MySQL UDF injection and other data/structure manipulation attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942360 | ✅ | Detects concatenated basic SQL injection and SQLLFI attempts |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942370 | ✅ | Detects classic SQL injection probings 2/2 |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942380 | ✅ | SQL Injection Attack |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942390 | ✅ | SQL Injection Attack |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942400 | ✅ | SQL Injection Attack |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942410 | ✅ | SQL Injection Attack |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942420 | ✅ | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942421 | ✅ | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942430 | ✅ | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942431 | ✅ | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942432 | ✅ | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942440 | ✅ | SQL Comment Sequence Detected. |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942450 | ✅ | SQL Hex Encoding Identified |
| REQUEST‑942‑APPLICATION‑ATTACK‑SQLI | 942460 | ✅ | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| REQUEST‑943‑APPLICATION‑ATTACK‑SESSION‑FIXATION | 943100 | ✅ | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| REQUEST‑943‑APPLICATION‑ATTACK‑SESSION‑FIXATION | 943110 | ✅ | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| REQUEST‑943‑APPLICATION‑ATTACK‑SESSION‑FIXATION | 943120 | ✅ | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
| Known‑CVEs | 800100 | ✅ | Rule to help detect and mitigate log4j vulnerability - CVE-2021-44228 |
| Known‑CVEs | 800110 | ✅ | Spring4Shell Interaction Attempt |
| Known‑CVEs | 800111 | ✅ | Attempted Spring Cloud routing-expression injection - CVE-2022-22963 |
| Known‑CVEs | 800112 | ✅ | Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965 |
| Known‑CVEs | 800113 | ✅ | Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947 |