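# BitNinja WAF botnet-protection rules for ModSecurity (ids 407001-407003),
# listed on the page under opt/bitninja-waf3/coreruleset/BitNinja.
# Each rule increments tx.bn_inbound_found when it matches.

# 407001 - HEXA botnet POST signature. Every link of the chain must match:
#   1. the requested file is an eight-lowercase-letter .php name,
#   2. Content-Type is exactly application/x-www-form-urlencoded,
#   3. the request carries exactly one POST argument,
#   4. that argument's value consists of hex digits only,
#   5. the request body is longer than 2000 bytes.
# "capture" is added so that %{TX.0} in logdata is populated; without it the
# audit entry shows an empty "Matched Data" field.
# NOTE(review): link 2 is an exact match, so a Content-Type that carries a
# parameter (for example a charset) does not satisfy the chain - confirm that
# this is intended for this signature.
SecRule REQUEST_FILENAME "^.*\/[a-z]{8}\.php$" \
    "chain,\
    phase:2,\
    id:407001,\
    t:none,\
    capture,\
    auditlog,\
    block,\
    severity:CRITICAL,\
    msg:'Protection against HEXA botnet',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
    SecRule REQUEST_HEADERS:Content-Type "^application/x-www-form-urlencoded$" "t:lowercase,chain"
        SecRule &ARGS_POST "@eq 1" "chain"
            SecRule ARGS_POST "^[0-9a-fA-F]+$" "chain"
                SecRule REQUEST_BODY_LENGTH "@gt 2000" \
                    "setvar:tx.bn_inbound_found=+1"

# 407002 / 407003 - CVE-2021-44228 (Log4Shell): deny requests that contain a
# literal JNDI lookup prefix. The same signature runs twice: in phase 1 the
# request body has not been read yet, so only the request line, headers,
# cookies and query-string arguments are inspected; the phase 2 copy also
# covers REQUEST_BODY and POST arguments.
# t:urlDecodeUni and t:lowercase are applied because the pattern is written
# in lower case and several of the targets (REQUEST_URI, REQUEST_LINE,
# QUERY_STRING, REQUEST_BODY) are raw, still percent-encoded values.
# NOTE(review): this is a literal-prefix signature. It is a first-line filter
# only and does not cover lookup expressions assembled through nested
# substitutions; keep the broader OWASP CRS Log4j rule (944150) enabled and
# Log4j itself patched.
# NOTE(review): "jndi:rni:" is kept as found; it may be a typo for "jndi:rmi:",
# which is already listed.
SecRule ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
    "phase:1,\
    id:407002,\
    t:none,\
    t:urlDecodeUni,\
    t:lowercase,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'DVT: CVE-2021-44228 - deny known \"jndi:\" pattern',\
    severity:'2',\
    rev:1,\
    tag:'no_ar',\
    setvar:'tx.bn_inbound_found=+1'"

SecRule ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
    "phase:2,\
    id:407003,\
    t:none,\
    t:urlDecodeUni,\
    t:lowercase,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'DVT: CVE-2021-44228 - deny known \"jndi:\" pattern',\
    severity:'2',\
    rev:1,\
    tag:'no_ar',\
    setvar:'tx.bn_inbound_found=+1'"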