ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: opt / bitninja-waf3 / coreruleset / regex-assembly

##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Rule 932240 (Generic RCE Unix command evasion detection)
##!
##! Conceptually, we want to match:
##! - at least one character
##! - at least one character from an evasion technique

##!+ i

##! The previous cmdline evasion detection was based on the one from modsecurity: `[\x5c'\"]*`
##! We extended the evasion detection from the cmdline processor with `(?:\$[a-z0-9_@?!#{*-]*)?(?:\x5c)?` to match:
##! - non-existing vars: cu$@rl, una$$me -a, uname$$u -a
##! - vars + spacing: v='u';cu$v\r\l google.com
##! - globbing pattern expansion: {n$u\c$u,-nlvp,777}
##! - globbing: garb=cur[l];$garb+google.com

##! kill '-'9
##!> assemble
  [a-z0-9_-]+
  ##!=>
  \s*['\"][^'\"\s]+['\"]
  ##!=>
  [a-z0-9_-]+
##!<

##!> assemble
  [a-z0-9_-]+
  ##!=>
  ##! py""thon
  ['\"]['\"]+
  [\x5c\[\]]+
  \$+[\x5ca-z0-9_@?!#{*-]+
  ##! process substitution
  ``
  \$
  <
  >
  ##!=>

\s*[a-z0-9_-]+
  ##!=>
##!<

[-] 920220-chain1.ra [edit]
[-] 942370.ra [edit]
[-] 922110-chain1.ra [edit]
[-] 932237.ra [edit]
[-] 942280.ra [edit]
[-] 942470.ra [edit]
[-] 932220.ra [edit]
[-] 933131.ra [edit]
[-] 942200.ra [edit]
[-] 932320.ra [edit]
[-] 942520.ra [edit]
[-] 942290.ra [edit]
[-] 932301.ra [edit]
[-] 932260.ra [edit]
[-] toolchain.yaml [edit]
[-] 931131.ra [edit]
[-] 942500.ra [edit]
[-] 920100.ra [edit]
[-] 941220.ra [edit]
[-] 942480.ra [edit]
[-] 921421.ra [edit]
[-] 932232.ra [edit]
[+] ..
[-] 932175.ra [edit]
[-] 934101.ra [edit]
[-] 942410.ra [edit]
[-] 932236.ra [edit]
[-] 920120.ra [edit]
[-] 933160.ra [edit]
[-] 920260.ra [edit]
[-] 920221.ra [edit]
[-] 942390.ra [edit]
[-] 941390.ra [edit]
[-] 942521.ra [edit]
[-] 934170.ra [edit]
[-] 932205-chain1.ra [edit]
[-] 942190.ra [edit]
[-] 942350.ra [edit]
[-] 942380.ra [edit]
[-] 932140.ra [edit]
[-] 944150.ra [edit]
[-] 951240.ra [edit]
[-] 942180.ra [edit]
[-] 932131.ra [edit]
[-] 932206.ra [edit]
[-] 932235.ra [edit]
[-] 944152.ra [edit]
[-] 932210.ra [edit]
[-] 942550.ra [edit]
[-] 933200.ra [edit]
[-] 920521.ra [edit]
[-] 942362.ra [edit]
[-] 951230.ra [edit]
[-] 932130.ra [edit]
[-] 932321.ra [edit]
[-] 933211.ra [edit]
[-] 932238.ra [edit]
[-] 932200.ra [edit]
[-] 932230.ra [edit]
[-] 934120.ra [edit]
[-] 932205.ra [edit]
[-] 932310.ra [edit]
[-] 933210.ra [edit]
[-] 932311.ra [edit]
[-] 934150.ra [edit]
[-] 942150.ra [edit]
[-] 944151.ra [edit]
[-] 941210.ra [edit]
[-] 942120.ra [edit]
[-] 942240.ra [edit]
[-] 941130.ra [edit]
[-] 942230.ra [edit]
[-] 932239.ra [edit]
[-] 934100.ra [edit]
[-] 942152.ra [edit]
[-] 933161.ra [edit]
[-] 934160.ra [edit]
[-] 942260.ra [edit]
[-] 942400.ra [edit]
[+] include
[-] 942330.ra [edit]
[-] 942140.ra [edit]
[-] 932380.ra [edit]
[-] 941160.ra [edit]
[-] 920600.ra [edit]
[-] 932231.ra [edit]
[-] 942321.ra [edit]
[-] 942360.ra [edit]
[-] 942131.ra [edit]
[-] 942320.ra [edit]
[-] 934140.ra [edit]
[+] exclude
[-] 931130.ra [edit]
[-] 942440.ra [edit]
[-] 942340.ra [edit]
[-] 942310.ra [edit]
[-] 932125.ra [edit]
[-] 932240.ra [edit]
[-] 921422.ra [edit]
[-] 942170.ra [edit]
[-] 932370.ra [edit]
[-] 942440-chain1.ra [edit]
[-] 930100.ra [edit]
[-] 942210.ra [edit]
[-] 942540.ra [edit]
[-] 932300.ra [edit]
[-] 942130.ra [edit]
[-] 942300.ra [edit]
[-] 932250.ra [edit]
[-] 942560.ra [edit]
[-] 942151.ra [edit]