Edge rules
Diese Seite ist noch nicht in deiner Sprache verfügbar. Englische Seite aufrufen
This page lists the edge rules implemented in STACKIT Content Delivery Network (CDN) Web Application Firewall (WAF).
Rule collection - OWASP CRS request
Section titled “Rule collection - OWASP CRS request”Rule group: 911 - Method enforcement
Section titled “Rule group: 911 - Method enforcement”| Code | Rule |
|---|---|
| 911100 | Method is not allowed by policy |
Rule group: 913 - Scanner detection
Section titled “Rule group: 913 - Scanner detection”These rules focus on detecting security tools and scanners.
| Code | Rule |
|---|---|
| 913100 | Found user-agent associated with security scanner |
Rule group: 922 - Multipart attack
Section titled “Rule group: 922 - Multipart attack”| Code | Rule |
|---|---|
| 922100 | Multipart content type global _charset_ definition is not allowed by policy |
| 922110 | Illegal MIME multipart header content-type: charset parameter |
| 922120 | Content-Transfer-Encoding was deprecated by RFC 7578 in 2015 and should not be used |
Rule group: 921 - Protocol attack
Section titled “Rule group: 921 - Protocol attack”The rules in this table target specific attacks on the HTTP protocol, such as HTTP request smuggling and response splitting.
| Code | Rule |
|---|---|
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921190 | HTTP Splitting (CR/LF in request filename detected) |
| 921200 | LDAP Injection Attack |
| 921421 | Content-Type header: Dangerous content type outside the mime type declaration |
| 921240 | mod_proxy attack attempt detected |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921422 | Content-Type header: Dangerous content type outside the mime type declaration |
| 921230 | HTTP Range Header detected |
| 921180 | HTTP Parameter Pollution ( %{TX.1} ) |
| 921210 | HTTP Parameter Pollution after detecting bogus char after parameter array |
| 921220 | HTTP Parameter Pollution possible via array notation |
Rule group: 930 - Application attack LFI
Section titled “Rule group: 930 - Application attack LFI”These rules detect attempts to include files that are local to the web server and should not be accessible to users. Exploiting this type of attack can compromise the web application or server.
| Code | Rule |
|---|---|
| 930100 | Path Traversal Attack (/../) or (/…/) |
| 930110 | Path Traversal Attack (/../) or (/…/) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |
| 930121 | OS File Access Attempt in REQUEST_HEADERS |
Rule group: 931 - Application attack RFI
Section titled “Rule group: 931 - Application attack RFI”These rules detect attempts to include remote resources in the web application that may be executed. Exploiting this type of attack can compromise the web application or server.
| Code | Rule |
|---|---|
| 931100 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character |
| 931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 931131 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
Rule group: 932 - Application attack RCE
Section titled “Rule group: 932 - Application attack RCE”| Code | Rule |
|---|---|
| 932230 | Remote Command Execution: Unix Command Injection (2-3 chars) |
| 932235 | Remote Command Execution: Unix Command Injection (command without evasion) |
| 932120 | Remote Command Execution: Windows PowerShell Command Found |
| 932125 | Remote Command Execution: Windows Powershell Alias Command Injection |
| 932130 | Remote Command Execution: Unix Shell Expression Found |
| 932140 | Remote Command Execution: Windows FOR/IF Command Found |
| 932250 | Remote Command Execution: Direct Unix Command Execution |
| 932260 | Remote Command Execution: Direct Unix Command Execution |
| 932330 | Remote Command Execution: Unix shell history invocation |
| 932160 | Remote Command Execution: Unix Shell Code Found |
| 932170 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932175 | Remote Command Execution: Unix shell alias invocation |
| 932180 | Restricted File Upload Attempt |
| 932370 | Remote Command Execution: Windows Command Injection |
| 932380 | Remote Command Execution: Windows Command Injection |
| 932231 | Remote Command Execution: Unix Command Injection |
| 932131 | Remote Command Execution: Unix Shell Expression Found |
| 932200 | RCE Bypass Technique |
| 932205 | RCE Bypass Technique |
| 932206 | RCE Bypass Technique |
| 932220 | Remote Command Execution: Unix Command Injection with pipe |
| 932240 | Remote Command Execution: Unix Command Injection evasion attempt detected |
| 932210 | Remote Command Execution: SQLite System Command Execution |
| 932300 | Remote Command Execution: SMTP Command Execution |
| 932310 | Remote Command Execution: IMAP Command Execution |
| 932320 | Remote Command Execution: POP3 Command Execution |
| 932236 | Remote Command Execution: Unix Command Injection (command without evasion) |
| 932239 | Remote Command Execution: Unix Command Injection found in user-agent or referer header |
| 932161 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932232 | Remote Command Execution: Unix Command Injection |
| 932237 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932238 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932190 | Remote Command Execution: Wildcard bypass technique attempt |
| 932301 | Remote Command Execution: SMTP Command Execution |
| 932311 | Remote Command Execution: IMAP Command Execution |
| 932321 | Remote Command Execution: POP3 Command Execution |
| 932331 | Remote Command Execution: Unix shell history invocation |
Rule group: 933 - Application attack PHP
Section titled “Rule group: 933 - Application attack PHP”| Code | Rule |
|---|---|
| 933100 | PHP Injection Attack: PHP Open Tag Found |
| 933110 | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PHP Injection Attack: Configuration Directive Found |
| 933130 | PHP Injection Attack: Variables Found |
| 933140 | PHP Injection Attack: I/O Stream Found |
| 933200 | PHP Injection Attack: Wrapper scheme detected |
| 933150 | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933170 | PHP Injection Attack: Serialized Object Injection |
| 933180 | PHP Injection Attack: Variable Function Call Found |
| 933210 | PHP Injection Attack: Variable Function Call Found |
| 933151 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933131 | PHP Injection Attack: Variables Found |
| 933161 | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933111 | PHP Injection Attack: PHP Script File Upload Found |
| 933190 | PHP Injection Attack: PHP Closing Tag Found |
| 933211 | PHP Injection Attack: Variable Function Call Found |
Rule group: 934 - Application attack GENERIC
Section titled “Rule group: 934 - Application attack GENERIC”| Code | Rule |
|---|---|
| 934100 | Node.js Injection Attack 1/2 |
| 934110 | Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter |
| 934130 | JavaScript Prototype Pollution |
| 934150 | Ruby Injection Attack |
| 934160 | Node.js DoS attack |
| 934170 | PHP data scheme attack |
| 934101 | Node.js Injection Attack 2/2 |
| 934120 | Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address |
| 934140 | Perl Injection Attack |
| 934100 | Node.js Injection Attack |
Rule group: 941 - Application attack XSS
Section titled “Rule group: 941 - Application attack XSS”| Code | Rule |
|---|---|
| 941100 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter - Category 1: Script Tag Vector |
| 941130 | XSS Filter - Category 3: Attribute Vector |
| 941140 | XSS Filter - Category 4: Javascript URI Vector |
| 941160 | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | Node-Validator Deny List Keywords |
| 941190 | IE XSS Filters - Attack Detected |
| 941200 | IE XSS Filters - Attack Detected |
| 941210 | IE XSS Filters - Attack Detected |
| 941220 | IE XSS Filters - Attack Detected |
| 941230 | IE XSS Filters - Attack Detected |
| 941240 | IE XSS Filters - Attack Detected |
| 941250 | IE XSS Filters - Attack Detected |
| 941260 | IE XSS Filters - Attack Detected |
| 941270 | IE XSS Filters - Attack Detected |
| 941280 | IE XSS Filters - Attack Detected |
| 941290 | IE XSS Filters - Attack Detected |
| 941300 | IE XSS Filters - Attack Detected |
| 941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| 941350 | UTF-7 Encoding IE XSS - Attack Detected |
| 941360 | JSFuck / Hieroglyphy obfuscation detected |
| 941370 | JavaScript global variable found |
| 941390 | Javascript method detected |
| 941400 | XSS JavaScript function without parentheses |
| 941101 | XSS Attack Detected via libinjection |
| 941120 | XSS Filter - Category 2: Event Handler Vector |
| 941150 | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941181 | Node-Validator Deny List Keywords |
| 941320 | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | IE XSS Filters - Attack Detected |
| 941340 | IE XSS Filters - Attack Detected |
| 941380 | AngularJS client side template injection detected |
Rule group: 942 - Application attack SQL injection
Section titled “Rule group: 942 - Application attack SQL injection”This table lists rules that protect against SQL injection (SQLi) attacks. SQL injection occurs when an attacker sends specially crafted control characters to parameters intended for data only. The application then passes these characters to the database, which can alter the intended meaning of the SQL query.
| Code | Rule |
|---|---|
| 942100 | SQL Injection Attack Detected via libinjection |
| 942140 | SQL Injection Attack: Common DB Names Detected |
| 942151 | SQL Injection Attack: SQL function name detected |
| 942160 | Detects blind sqli tests using sleep() or benchmark() |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942220 | Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the “magic number” crash |
| 942230 | Detects conditional SQL injection attempts |
| 942240 | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942270 | Looking for basic sql injection. Common attack string for mysql, oracle and others |
| 942280 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942500 | MySQL in-line comment detected |
| 942540 | SQL Authentication bypass (split query) |
| 942560 | MySQL Scientific Notation payload detected |
| 942550 | JSON-Based SQL Injection |
| 942120 | SQL Injection Attack: SQL Operator Detected |
| 942130 | SQL Injection Attack: SQL Boolean-based attack detected |
| 942131 | SQL Injection Attack: SQL Boolean-based attack detected |
| 942150 | SQL Injection Attack: SQL function name detected |
| 942180 | Detects basic SQL authentication bypass attempts 1/3 |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | Detects chained SQL injection attempts 1/2 |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942330 | Detects classic SQL injection probings 1/3 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942361 | Detects basic SQL injection based on keyword alter or union |
| 942362 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | Detects classic SQL injection probings 2/3 |
| 942380 | SQL Injection Attack |
| 942390 | SQL Injection Attack |
| 942400 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942470 | SQL Injection Attack |
| 942480 | SQL Injection Attack |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942440 | SQL Comment Sequence Detected |
| 942450 | SQL Hex Encoding Identified |
| 942510 | SQLi bypass attempt by ticks or backticks detected |
| 942520 | Detects basic SQL authentication bypass attempts 4.0/4 |
| 942521 | Detects basic SQL authentication bypass attempts 4.1/4 |
| 942522 | Detects basic SQL authentication bypass attempts 4.1/4 |
| 942101 | SQL Injection Attack Detected via libinjection |
| 942152 | SQL Injection Attack: SQL function name detected |
| 942321 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942251 | Detects HAVING injections |
| 942490 | Detects classic SQL injection probings 3/3 |
| 942420 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942431 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 942511 | SQLi bypass attempt by ticks detected |
| 942530 | SQLi query termination detected |
| 942421 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
Rule group: 943 - Application attack session fixation
Section titled “Rule group: 943 - Application attack session fixation”These rules protect against session fixation attacks.
| Code | Rule |
|---|---|
| 943100 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
Rule group: 944 - Application attack Java
Section titled “Rule group: 944 - Application attack Java”| Code | Rule |
|---|---|
| 944100 | Remote Command Execution: Suspicious Java class detected |
| 944110 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| 944120 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| 944130 | Suspicious Java class detected |
| 944140 | Java Injection Attack: Java Script File Upload Found |
| 944150 | Potential Remote Command Execution: Log4j / Log4shell |
| 944151 | Potential Remote Command Execution: Log4j / Log4shell |
| 944200 | Magic bytes Detected, probable java serialization in use |
| 944210 | Magic bytes Detected Base64 Encoded, probable java serialization in use |
| 944240 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| 944250 | Remote Command Execution: Suspicious Java method detected |
| 944260 | Remote Command Execution: Malicious class-loading payload |
| 944300 | Base64 encoded string matched suspicious keyword |
| 944152 | Potential Remote Command Execution: Log4j / Log4shell |
Rule collection - OWASP CRS response
Section titled “Rule collection - OWASP CRS response”Rule group: 950 - Data leakages
Section titled “Rule group: 950 - Data leakages”These rules protect against general data leakages.
| Code | Rule |
|---|---|
| 950130 | Directory Listing |
| 950140 | CGI source code leakage |
| 950100 | The Application Returned a 500-Level Status Code |
Rule group: 951 - Data leakages SQL
Section titled “Rule group: 951 - Data leakages SQL”These rules protect against data leakages from backend SQL servers, which often indicate the presence of SQL injection vulnerabilities.
| Code | Rule |
|---|---|
| 951110 | Microsoft Access SQL Information Leakage |
| 951120 | Oracle SQL Information Leakage |
| 951130 | DB2 SQL Information Leakage |
| 951140 | EMC SQL Information Leakage |
| 951150 | firebird SQL Information Leakage |
| 951160 | Frontbase SQL Information Leakage |
| 951170 | hsqldb SQL Information Leakage |
| 951180 | informix SQL Information Leakage |
| 951190 | ingres SQL Information Leakage |
| 951200 | interbase SQL Information Leakage |
| 951210 | maxDB SQL Information Leakage |
| 951220 | mssql SQL Information Leakage |
| 951230 | mysql SQL Information Leakage |
| 951240 | postgres SQL Information Leakage |
| 951250 | sqlite SQL Information Leakage |
| 951260 | Sybase SQL Information Leakage |
Rule group: 952 - Data leakages Java
Section titled “Rule group: 952 - Data leakages Java”These rules protect against data leakages caused by Java.
| Code | Rule |
|---|---|
| 952100 | Java Source Code Leakage |
| 952110 | Java Errors |
Rule group: 953 - Data leakages PHP
Section titled “Rule group: 953 - Data leakages PHP”These rules protect against data leakages caused by PHP.
| Code | Rule |
|---|---|
| 953100 | PHP Information Leakage |
| 953110 | PHP source code leakage |
| 953120 | PHP source code leakage |
| 953101 | PHP Information Leakage |
Rule group: 954 - Data leakages IIS
Section titled “Rule group: 954 - Data leakages IIS”These rules protect against data leakages caused by Microsoft IIS.
| Code | Rule |
|---|---|
| 954100 | Disclosure of IIS install location |
| 954110 | Application Availability Error |
| 954120 | IIS Information Leakage |
| 954130 | IIS Information Leakage |
Rule group: 955 - Web shells
Section titled “Rule group: 955 - Web shells”| Code | Rule |
|---|---|
| 955100 | Web shell detected |
| 955110 | r57 web shell |
| 955120 | WSO web shell |
| 955130 | b4tm4n web shell |
| 955140 | Mini Shell web shell |
| 955150 | Ashiyane web shell |
| 955160 | Symlink_Sa web shell |
| 955170 | CasuS web shell |
| 955180 | GRP WebShell |
| 955190 | NGHshell web shell |
| 955200 | SimAttacker web shell |
| 955210 | Unknown web shell |
| 955220 | lama’s’hell web shell |
| 955230 | lostDC web shell |
| 955240 | Unknown web shell |
| 955250 | Unknown web shell |
| 955260 | Ru24PostWebShell web shell |
| 955270 | s72 Shell web shell |
| 955280 | PhpSpy web shell |
| 955290 | g00nshell web shell |
| 955300 | PuNkHoLic shell web shell |
| 955310 | azrail web shell |
| 955320 | SmEvK_PaThAn Shell web shell |
| 955330 | Shell I web shell |
| 955340 | b374k m1n1 web shell |
| 955350 | webadmin.php file manager |