Core Rule Set Inventory


This is a list of rules from the OWASP ModSecurity Core Rule Set.

  • Handling of false positives (false alarms, blocking of legitimate traffic) is explained in this tutorial.
  • This page covers the 3.x release(s). The rule IDs from the 2.x.x release(s) are not listed. Look here for some information.
  • Helper rules are omitted.
  • Click on a link to go to GitHub and land on the definition of the rule.
  • The links to GitHub point to the 3.0 dev tree.
  • The description / message is mostly the msg action from the rule definition.
  • Individual rules on this page can be reached via a shortcut, e.g., https://netnea.com/crs/942100.
  • If you are lazy, create a dynamic bookmark and call it with the rule ID as a parameter in the browser's address line, e.g., crs 942100.

| Rule ID | Paranoia Level | Severity | Description (msg) |
|---|---|---|---|
| 901001 | PL1 | none | Check if crs-set.conf was loaded |
| 901450 | PL1 | none | Sampling: Disable the rule engine based on sampling_percentage |
| 905100 | PL1 | none | Common Exeptions example rule |
| 905110 | PL1 | none | Common Exeptions example rule |
| 910000 | PL1 | critical | Request from Known Malicious Client (Based on previous traffic violations). |
| 910100 | PL1 | critical | Client IP is from a HIGH Risk Country Location. |
| 910150 | PL1 | critical | HTTP Blacklist match for search engine IP, |
| 910160 | PL1 | critical | HTTP Blacklist match for spammer IP |
| 910170 | PL1 | critical | HTTP Blacklist match for suspicious IP |
| 910180 | PL1 | critical | HTTP Blacklist match for harvester IP |
| 911100 | PL1 | critical | Method is not allowed by policy |
| 912120 | PL1 | none | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)" |
| 912170 | PL1 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 912171 | PL2 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 913100 | PL1 | critical | Found User-Agent associated with security scanner |
| 913101 | PL2 | critical | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | PL2 | critical | Found User-Agent associated with web crawler/bot |
| 913110 | PL1 | critical | Found request header associated with security scanner |
| 913120 | PL1 | critical | Found request filename/argument associated with security scanner |
| 920100 | PL1 | notice | Invalid HTTP Request Line |
| 920120 | PL1 | critical | Attempted multipart/form-data bypass |
| 920130 | PL1 | critical | Failed to parse request body. |
| 920140 | PL1 | critical | Multipart request body failed strict validation: |
| 920160 | PL1 | critical | Content-Length HTTP header is not numeric. |
| 920170 | PL1 | critical | GET or HEAD Request with Body Content. |
| 920180 | PL1 | notice | POST request missing Content-Length Header. |
| 920190 | PL1 | warning | Range: Invalid Last Byte Value. |
| 920200 | PL2 | warning | Range: Too many fields (6 or more) |
| 920201 | PL2 | warning | Range: Too many fields for pdf request (35 or more) |
| 920202 | PL4 | warning | Range: Too many fields for pdf request (6 or more) |
| 920210 | PL1 | warning | Multiple/Conflicting Connection Header Data Found. |
| 920220 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920230 | PL2 | warning | Multiple URL Encoding Detected |
| 920240 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920250 | PL1 | warning | UTF8 Encoding Abuse Attack Attempt |
| 920260 | PL1 | warning | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | PL1 | error | Invalid character in request (null character) |
| 920271 | PL2 | critical | Invalid character in request (non printable characters) |
| 920272 | PL3 | critical | Invalid character in request (outside of printable chars below ascii 127) |
| 920273 | PL4 | critical | Invalid character in request (outside of very strict set) |
| 920274 | PL4 | critical | Invalid character in request headers (outside of very strict set) |
| 920280 | PL1 | warning | Request Missing a Host Header |
| 920290 | PL1 | warning | Empty Host Header |
| 920300 | PL2 | notice | Request Missing an Accept Header |
| 920310 | PL1 | notice | Request Has an Empty Accept Header |
| 920311 | PL1 | notice | Request Has an Empty Accept Header |
| 920320 | PL2 | notice | Missing User Agent Header |
| 920330 | PL1 | notice | Empty User Agent Header |
| 920340 | PL1 | notice | Request Containing Content, but Missing Content-Type header |
| 920350 | PL1 | warning | Host header is a numeric IP address |
| 920360 | PL1 | critical | Argument name too long |
| 920370 | PL1 | critical | Argument value too long |
| 920380 | PL1 | critical | Too many arguments in request |
| 920390 | PL1 | critical | Total arguments size exceeded |
| 920400 | PL1 | critical | Uploaded file size too large |
| 920410 | PL1 | critical | Total uploaded files size too large |
| 920420 | PL1 | critical | Request content type is not allowed by policy |
| 920430 | PL1 | critical | HTTP protocol version is not allowed by policy |
| 920440 | PL1 | critical | URL file extension is restricted by policy |
| 920450 | PL1 | critical | HTTP header is restricted by policy (%{MATCHED_VAR}) |
| 920460 | PL4 | critical | Abnormal character escape detected |
| 921100 | PL1 | critical | HTTP Request Smuggling Attack. |
| 921110 | PL1 | critical | HTTP Request Smuggling Attack |
| 921120 | PL1 | critical | HTTP Response Splitting Attack |
| 921130 | PL1 | critical | HTTP Response Splitting Attack |
| 921140 | PL1 | critical | HTTP Header Injection Attack via headers |
| 921150 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | PL2 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921180 | PL3 | critical | HTTP Parameter Pollution (%{TX.1}) |
| 930100 | PL1 | critical | Path Traversal Attack (/../) |
| 930110 | PL1 | critical | Path Traversal Attack (/../) |
| 930120 | PL1 | critical | OS File Access Attempt |
| 930130 | PL1 | critical | Restricted File Access Attempt |
| 931100 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | PL2 | critical | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 932100 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932105 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932110 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932115 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932120 | PL1 | critical | Remote Command Execution: Windows PowerShell Command Found |
| 932130 | PL1 | critical | Remote Command Execution: Unix Shell Expression Found |
| 932140 | PL1 | critical | Remote Command Execution: Windows FOR/IF Command Found |
| 932150 | PL1 | critical | Remote Command Execution: Direct Unix Command Execution |
| 932160 | PL1 | critical | Remote Command Execution: Unix Shell Code Found |
| 932170 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 933100 | PL1 | critical | PHP Injection Attack: Opening/Closing Tag Found |
| 933110 | PL1 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933111 | PL3 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PL1 | critical | PHP Injection Attack: Configuration Directive Found |
| 933130 | PL1 | critical | PHP Injection Attack: Variables Found |
| 933131 | PL3 | critical | PHP Injection Attack: Variables Found |
| 933140 | PL1 | critical | PHP Injection Attack: I/O Stream Found |
| 933150 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933151 | PL2 | critical | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933161 | PL3 | critical | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933170 | PL1 | critical | PHP Injection Attack: Serialized Object Injection |
| 933180 | PL1 | critical | PHP Injection Attack: Variable Function Call Found |
| 941100 | PL1 | critical | XSS Attack Detected via libinjection |
| 941110 | PL1 | critical | XSS Filter - Category 1: Script Tag Vector |
| 941120 | PL1 | critical | XSS Filter - Category 2: Event Handler Vector |
| 941130 | PL1 | critical | XSS Filter - Category 3: Attribute Vector |
| 941140 | PL1 | critical | XSS Filter - Category 4: Javascript URI Vector |
| 941150 | PL1 | critical | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941160 | PL1 | critical | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | PL1 | critical | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | PL1 | critical | Node-Validator Blacklist Keywords |
| 941190 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941200 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941210 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941220 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941230 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941240 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941250 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941260 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941270 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941280 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941290 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941300 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941310 | PL1 | critical | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| 941320 | PL2 | critical | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941340 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941350 | PL1 | critical | UTF-7 Encoding IE XSS - Attack Detected. |
| 942100 | PL1 | critical | SQL Injection Attack Detected via libinjection |
| 942110 | PL2 | warning | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | PL2 | critical | SQL Injection Attack: SQL Operator Detected |
| 942130 | PL2 | critical | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | PL1 | critical | SQL Injection Attack: Common DB Names Detected |
| 942150 | PL2 | critical | SQL Injection Attack |
| 942160 | PL1 | critical | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | PL1 | critical | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | PL2 | critical | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | PL1 | critical | Detects MSSQL code execution and information gathering attempts |
| 942200 | PL2 | critical | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | PL2 | critical | Detects chained SQL injection attempts 1/2 |
| 942220 | PL1 | critical | Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash |
| 942230 | PL1 | critical | Detects conditional SQL injection attempts |
| 942240 | PL1 | critical | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | PL1 | critical | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942251 | PL3 | critical | Detects HAVING injections |
| 942260 | PL2 | critical | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | PL1 | critical | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
| 942280 | PL1 | critical | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | PL1 | critical | Finds basic MongoDB SQL injection attempts |
| 942300 | PL2 | critical | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | PL2 | critical | Detects chained SQL injection attempts 2/2 |
| 942320 | PL1 | critical | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | PL2 | critical | Detects classic SQL injection probings 1/2 |
| 942340 | PL2 | critical | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | PL1 | critical | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | PL1 | critical | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | PL2 | critical | Detects classic SQL injection probings 2/2 |
| 942380 | PL2 | critical | SQL Injection Attack |
| 942390 | PL2 | critical | SQL Injection Attack |
| 942400 | PL2 | critical | SQL Injection Attack |
| 942410 | PL2 | critical | SQL Injection Attack |
| 942420 | PL3 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942421 | PL4 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| 942430 | PL2 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942431 | PL3 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942432 | PL4 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| 942440 | PL2 | critical | SQL Comment Sequence Detected. |
| 942450 | PL2 | critical | SQL Hex Encoding Identified |
| 942460 | PL3 | warning | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 943100 | PL1 | critical | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
| 949100 | PL1 | none | Request Denied by IP Reputation Enforcement. |
| 949110 | PL1 | none | Check of inbound anomaly score |
| 950100 | PL2 | error | The Application Returned a 500-Level Status Code |
| 950130 | PL1 | error | Directory Listing |
| 951110 | PL1 | critical | Microsoft Access SQL Information Leakage |
| 951120 | PL1 | critical | Oracle SQL Information Leakage |
| 951130 | PL1 | critical | DB2 SQL Information Leakage |
| 951140 | PL1 | critical | EMC SQL Information Leakage |
| 951150 | PL1 | critical | firebird SQL Information Leakage |
| 951160 | PL1 | critical | Frontbase SQL Information Leakage |
| 951170 | PL1 | critical | hsqldb SQL Information Leakage |
| 951180 | PL1 | critical | informix SQL Information Leakage |
| 951190 | PL1 | critical | ingres SQL Information Leakage |
| 951200 | PL1 | critical | interbase SQL Information Leakage |
| 951210 | PL1 | critical | maxDB SQL Information Leakage |
| 951220 | PL1 | critical | mssql SQL Information Leakage |
| 951230 | PL1 | critical | mysql SQL Information Leakage |
| 951240 | PL1 | critical | postgres SQL Information Leakage |
| 951250 | PL1 | critical | sqlite SQL Information Leakage |
| 951260 | PL1 | critical | Sybase SQL Information Leakage |
| 952100 | PL1 | error | Java Source Code Leakage |
| 952110 | PL1 | error | Java Errors |
| 953100 | PL1 | error | PHP Information Leakage |
| 953110 | PL1 | error | PHP source code leakage |
| 953120 | PL1 | error | PHP source code leakage |
| 954100 | PL1 | error | Disclosure of IIS install location |
| 954110 | PL1 | error | Application Availability Error |
| 954120 | PL1 | error | IIS Information Leakage |
| 954130 | PL1 | error | IIS Information Leakage |
| 959100 | PL1 | none | Check of outbound anomaly score |
| 980100 | PL1 | none | Anomaly score correlation rule |
| 980110 | PL1 | none | Anomaly score correlation rule |
| 980120 | PL1 | none | Anomaly score correlation rule |
| 980130 | PL1 | none | Anomaly score correlation rule |
| 980140 | PL1 | none | Anomaly score correlation rule |
| 9001000 | PL1 | none | Drupal rule exception |
| 9001110 | PL1 | none | Drupal rule exception |
| 9001112 | PL1 | none | Drupal rule exception |
| 9001114 | PL1 | none | Drupal rule exception |
| 9001116 | PL1 | none | Drupal rule exception |
| 9001120 | PL1 | none | Drupal rule exception |
| 9001122 | PL1 | none | Drupal rule exception |
| 9001124 | PL1 | none | Drupal rule exception |
| 9001126 | PL1 | none | Drupal rule exception |
| 9001128 | PL1 | none | Drupal rule exception |
| 9001140 | PL1 | none | Drupal rule exception |
| 9001150 | PL1 | none | Drupal rule exception |
| 9001170 | PL1 | none | Drupal rule exception |
| 9001180 | PL1 | none | Drupal rule exception |
| 9001182 | PL1 | none | Drupal rule exception |
| 9001184 | PL1 | none | Drupal rule exception |
| 9001200 | PL1 | none | Drupal rule exception |
| 9001202 | PL1 | none | Drupal rule exception |
| 9001204 | PL1 | none | Drupal rule exception |
| 9001206 | PL1 | none | Drupal rule exception |
| 9001208 | PL1 | none | Drupal rule exception |
| 9001210 | PL1 | none | Drupal rule exception |
| 9001212 | PL1 | none | Drupal rule exception |
| 9001214 | PL1 | none | Drupal rule exception |
| 9001216 | PL1 | none | Drupal rule exception |
| 9002000 | PL1 | none | WordPress rule exception |
| 9002001 | PL1 | none | WordPress rule exception |
| 9002100 | PL1 | none | WordPress rule exception |
| 9002120 | PL1 | none | WordPress rule exception |
| 9002130 | PL1 | none | WordPress rule exception |
| 9002150 | PL1 | none | WordPress rule exception |
| 9002160 | PL1 | none | WordPress rule exception |
| 9002200 | PL1 | none | WordPress rule exception |
| 9002400 | PL1 | none | WordPress rule exception |
| 9002401 | PL1 | none | WordPress rule exception |
| 9002410 | PL1 | none | WordPress rule exception |
| 9002420 | PL1 | none | WordPress rule exception |
| 9002520 | PL1 | none | WordPress rule exception |
| 9002530 | PL1 | none | WordPress rule exception |
| 9002540 | PL1 | none | WordPress rule exception |
| 9002700 | PL1 | none | WordPress rule exception |
| 9002710 | PL1 | none | WordPress rule exception |
| 9002720 | PL1 | none | WordPress rule exception |
| 9002730 | PL1 | none | WordPress rule exception |
| 9002740 | PL1 | none | WordPress rule exception |
| 9002750 | PL1 | none | WordPress rule exception |
| 9002800 | PL1 | none | WordPress rule exception |
| 9002810 | PL1 | none | WordPress rule exception |
| 9002820 | PL1 | none | WordPress rule exception |
| 9002900 | PL1 | none | WordPress rule exception |