I just added the following new signatures to the
modsecurity_crs_50_outbound.conf file in SVN -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_50_outbound.conf
Please either sync from SVN or copy/paste them from below if you would like to
try them out.
Please report any issues back to the list.
-Ryan
#
# Generic Malicious JS Detection
#
# Four or more String.fromCharCode() calls in one response body
SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \
    "t:none,phase:4,rev:'2.2.0',ctl:auditLogParts=+E,block,\
    msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',\
    capture,logdata:'%{tx.0}',id:'981004',tag:'MALICIOUS_CODE',tag:'bugtraq,13544',severity:'4',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
# eval() wrapped closely around unescape()
SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \
    "t:none,phase:4,rev:'2.2.0',ctl:auditLogParts=+E,block,\
    msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',\
    capture,logdata:'%{tx.0}',id:'981005',tag:'MALICIOUS_CODE',tag:'bugtraq,13544',severity:'4',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
# unescape assigned to a variable (aliasing, e.g. "var u = unescape;")
SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \
    "t:none,phase:4,rev:'2.2.0',ctl:auditLogParts=+E,block,\
    msg:'Potential Obfuscated Javascript in Output - Unescape',\
    capture,logdata:'%{tx.0}',id:'981006',tag:'MALICIOUS_CODE',tag:'bugtraq,13544',severity:'4',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
# Repeated %uXXXX padding sequences; capture is required so %{tx.0} is populated below
SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \
    "t:none,phase:4,rev:'2.2.0',ctl:auditLogParts=+E,block,\
    msg:'Potential Obfuscated Javascript in Output - Heap Spray',\
    capture,logdata:'%{tx.0}',id:'981007',tag:'MALICIOUS_CODE',tag:'bugtraq,13544',severity:'4',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.%{rule.id}-MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
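As an added example (not part of Ryan's post or of the CRS itself), the Python script below runs the four regexes from these rules over constructed response bodies and reproduces the outbound anomaly scoring that the setvar actions perform; the value of tx.error_anomaly_score is assumed to be 4, and the sample bodies are constructed, not captured traffic.

```python
import re

# The four regexes are copied from the rules above; everything else (sample
# bodies, the score weight) is constructed for this example.
# tx.error_anomaly_score is assumed to be 4 (the CRS 2.2.x default).
ERROR_ANOMALY_SCORE = 4

RULES = {
    "981004": re.compile(r"(?i)(String\.fromCharCode\(.*?){4,}"),
    "981005": re.compile(r"(?i)(eval\(.{0,15}unescape\()"),
    "981006": re.compile(r"(?i)(var[^=]+=\s*unescape\s*;)"),
    "981007": re.compile(r"(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)"),
}


def inspect_response(body: str) -> dict:
    """Emulate the phase:4 pass over RESPONSE_BODY: every rule that matches
    adds tx.error_anomaly_score to tx.outbound_anomaly_score, and the matched
    text (what the rules log as %{tx.0}) is recorded under the rule id."""
    hits = {}
    for rule_id, rx in RULES.items():
        m = rx.search(body)
        if m:
            hits[rule_id] = m.group(0)
    return {
        "outbound_anomaly_score": ERROR_ANOMALY_SCORE * len(hits),
        "matched_rules": hits,
    }


# Constructed response bodies (not real traffic).
BENIGN = "var greet = String.fromCharCode(72, 105); document.write(greet);"
# Three fromCharCode calls stay under the {4,} threshold of 981004.
BENIGN_THREE = ("a = String.fromCharCode(65) + String.fromCharCode(66)"
                " + String.fromCharCode(67);")
FOUR_CHARCODES = ("String.fromCharCode(97)+String.fromCharCode(108)"
                  "+String.fromCharCode(101)+String.fromCharCode(114)")
UNESCAPE_EVAL = 'var u = unescape; eval(unescape("%61%6c%65%72%74"));'
HEAP_SPRAY_NOP = 'var s = unescape("%u0c0c%u0c0c");'

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("three calls", BENIGN_THREE),
                       ("four calls", FOUR_CHARCODES),
                       ("unescape+eval", UNESCAPE_EVAL),
                       ("heap spray", HEAP_SPRAY_NOP)]:
        print(name, inspect_response(body))
```

The benign bodies score 0, while UNESCAPE_EVAL trips both 981005 and 981006 for a combined outbound score of 8, which is the kind of threshold interaction worth checking before deploying these in blocking mode.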
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set