App Gateway - OWASP 3.1
Generated: 22 February 2026 | Total Rules: 181
OWASP 3.1
General
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 200004 | General | Possible Multipart Unmatched Boundary. | AnomalyScoring | Enabled | |
REQUEST-911-METHOD-ENFORCEMENT
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 911100 | REQUEST-911-METHOD-ENFORCEMENT | Method is not allowed by policy | AnomalyScoring | Enabled | source |
REQUEST-913-SCANNER-DETECTION
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 913100 | REQUEST-913-SCANNER-DETECTION | Found User-Agent associated with security scanner | AnomalyScoring | Enabled | source |
| 913101 | REQUEST-913-SCANNER-DETECTION | Found User-Agent associated with scripting/generic HTTP client | AnomalyScoring | Enabled | source |
| 913102 | REQUEST-913-SCANNER-DETECTION | Found User-Agent associated with web crawler/bot | AnomalyScoring | Enabled | source |
| 913110 | REQUEST-913-SCANNER-DETECTION | Found request header associated with security scanner | AnomalyScoring | Enabled | source |
| 913120 | REQUEST-913-SCANNER-DETECTION | Found request filename/argument associated with security scanner | AnomalyScoring | Enabled | source |
REQUEST-920-PROTOCOL-ENFORCEMENT
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 920100 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid HTTP Request Line | AnomalyScoring | Enabled | source |
| 920120 | REQUEST-920-PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled | source |
| 920121 | REQUEST-920-PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled | source |
| 920130 | REQUEST-920-PROTOCOL-ENFORCEMENT | Failed to parse request body. | AnomalyScoring | Enabled | source |
| 920140 | REQUEST-920-PROTOCOL-ENFORCEMENT | Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FLE %{MULTIPART_FILE_LIMIT_EXCEEDED} | AnomalyScoring | Enabled | source |
| 920160 | REQUEST-920-PROTOCOL-ENFORCEMENT | Content-Length HTTP header is not numeric. | AnomalyScoring | Enabled | source |
| 920170 | REQUEST-920-PROTOCOL-ENFORCEMENT | GET or HEAD Request with Body Content. | AnomalyScoring | Enabled | source |
| 920171 | REQUEST-920-PROTOCOL-ENFORCEMENT | GET or HEAD Request with Transfer-Encoding. | AnomalyScoring | Enabled | source |
| 920180 | REQUEST-920-PROTOCOL-ENFORCEMENT | POST request missing Content-Length Header. | AnomalyScoring | Enabled | source |
| 920190 | REQUEST-920-PROTOCOL-ENFORCEMENT | Range: Invalid Last Byte Value. | AnomalyScoring | Enabled | source |
| 920200 | REQUEST-920-PROTOCOL-ENFORCEMENT | Range: Too many fields (6 or more) | AnomalyScoring | Enabled | source |
| 920201 | REQUEST-920-PROTOCOL-ENFORCEMENT | Range: Too many fields for pdf request (35 or more) | AnomalyScoring | Enabled | source |
| 920202 | REQUEST-920-PROTOCOL-ENFORCEMENT | Range: Too many fields for pdf request (6 or more) | AnomalyScoring | Enabled | source |
| 920210 | REQUEST-920-PROTOCOL-ENFORCEMENT | Multiple/Conflicting Connection Header Data Found. | AnomalyScoring | Enabled | source |
| 920220 | REQUEST-920-PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920230 | REQUEST-920-PROTOCOL-ENFORCEMENT | Multiple URL Encoding Detected | AnomalyScoring | Enabled | source |
| 920240 | REQUEST-920-PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920250 | REQUEST-920-PROTOCOL-ENFORCEMENT | UTF8 Encoding Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920260 | REQUEST-920-PROTOCOL-ENFORCEMENT | Unicode Full/Half Width Abuse Attack Attempt | AnomalyScoring | Enabled | source |
| 920270 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid character in request (null character) | AnomalyScoring | Enabled | source |
| 920271 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid character in request (non printable characters) | AnomalyScoring | Enabled | source |
| 920272 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid character in request (outside of printable chars below ascii 127) | AnomalyScoring | Enabled | source |
| 920273 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid character in request (outside of very strict set) | AnomalyScoring | Enabled | source |
| 920274 | REQUEST-920-PROTOCOL-ENFORCEMENT | Invalid character in request headers (outside of very strict set) | AnomalyScoring | Enabled | source |
| 920280 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request Missing a Host Header | AnomalyScoring | Enabled | source |
| 920290 | REQUEST-920-PROTOCOL-ENFORCEMENT | Empty Host Header | AnomalyScoring | Enabled | source |
| 920300 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request Missing an Accept Header | AnomalyScoring | Enabled | source |
| 920310 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled | source |
| 920311 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled | source |
| 920320 | REQUEST-920-PROTOCOL-ENFORCEMENT | Missing User Agent Header | AnomalyScoring | Enabled | source |
| 920330 | REQUEST-920-PROTOCOL-ENFORCEMENT | Empty User Agent Header | AnomalyScoring | Enabled | source |
| 920340 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request Containing Content, but Missing Content-Type header | AnomalyScoring | Enabled | source |
| 920341 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request containing content requires Content-Type header | AnomalyScoring | Enabled | source |
| 920350 | REQUEST-920-PROTOCOL-ENFORCEMENT | Host header is a numeric IP address | AnomalyScoring | Enabled | source |
| 920420 | REQUEST-920-PROTOCOL-ENFORCEMENT | Request content type is not allowed by policy | AnomalyScoring | Enabled | source |
| 920430 | REQUEST-920-PROTOCOL-ENFORCEMENT | HTTP protocol version is not allowed by policy | AnomalyScoring | Enabled | source |
| 920440 | REQUEST-920-PROTOCOL-ENFORCEMENT | URL file extension is restricted by policy | AnomalyScoring | Enabled | source |
| 920450 | REQUEST-920-PROTOCOL-ENFORCEMENT | HTTP header is restricted by policy (%{MATCHED_VAR}) | AnomalyScoring | Enabled | source |
| 920460 | REQUEST-920-PROTOCOL-ENFORCEMENT | Abnormal Escape Characters | AnomalyScoring | Enabled | source |
| 920470 | REQUEST-920-PROTOCOL-ENFORCEMENT | Illegal Content-Type header | AnomalyScoring | Enabled | source |
| 920480 | REQUEST-920-PROTOCOL-ENFORCEMENT | Restrict charset parameter within the content-type header | AnomalyScoring | Enabled | source |
REQUEST-921-PROTOCOL-ATTACK
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 921110 | REQUEST-921-PROTOCOL-ATTACK | HTTP Request Smuggling Attack | AnomalyScoring | Enabled | source |
| 921120 | REQUEST-921-PROTOCOL-ATTACK | HTTP Response Splitting Attack | AnomalyScoring | Enabled | source |
| 921130 | REQUEST-921-PROTOCOL-ATTACK | HTTP Response Splitting Attack | AnomalyScoring | Enabled | source |
| 921140 | REQUEST-921-PROTOCOL-ATTACK | HTTP Header Injection Attack via headers | AnomalyScoring | Enabled | source |
| 921150 | REQUEST-921-PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | AnomalyScoring | Enabled | source |
| 921151 | REQUEST-921-PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | AnomalyScoring | Enabled | source |
| 921160 | REQUEST-921-PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF and header-name detected) | AnomalyScoring | Enabled | source |
| 921170 | REQUEST-921-PROTOCOL-ATTACK | HTTP Parameter Pollution | AnomalyScoring | Enabled | source |
| 921180 | REQUEST-921-PROTOCOL-ATTACK | HTTP Parameter Pollution (%{TX.1}) | AnomalyScoring | Enabled | source |
REQUEST-930-APPLICATION-ATTACK-LFI
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 930100 | REQUEST-930-APPLICATION-ATTACK-LFI | Path Traversal Attack (/../) | AnomalyScoring | Enabled | source |
| 930110 | REQUEST-930-APPLICATION-ATTACK-LFI | Path Traversal Attack (/../) | AnomalyScoring | Enabled | source |
| 930120 | REQUEST-930-APPLICATION-ATTACK-LFI | OS File Access Attempt | AnomalyScoring | Enabled | source |
| 930130 | REQUEST-930-APPLICATION-ATTACK-LFI | Restricted File Access Attempt | AnomalyScoring | Enabled | source |
REQUEST-931-APPLICATION-ATTACK-RFI
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 931100 | REQUEST-931-APPLICATION-ATTACK-RFI | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address | AnomalyScoring | Enabled | source |
| 931110 | REQUEST-931-APPLICATION-ATTACK-RFI | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | AnomalyScoring | Enabled | source |
| 931120 | REQUEST-931-APPLICATION-ATTACK-RFI | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | AnomalyScoring | Enabled | source |
| 931130 | REQUEST-931-APPLICATION-ATTACK-RFI | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | AnomalyScoring | Enabled | source |
REQUEST-932-APPLICATION-ATTACK-RCE
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 932100 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Unix Command Injection | AnomalyScoring | Enabled | source |
| 932105 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Unix Command Injection | AnomalyScoring | Enabled | source |
| 932106 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Unix Command Injection | AnomalyScoring | Enabled | source |
| 932110 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Windows Command Injection | AnomalyScoring | Enabled | source |
| 932115 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Windows Command Injection | AnomalyScoring | Enabled | source |
| 932120 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Windows PowerShell Command Found | AnomalyScoring | Enabled | source |
| 932130 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found | AnomalyScoring | Enabled | source |
| 932140 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Windows FOR/IF Command Found | AnomalyScoring | Enabled | source |
| 932150 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Direct Unix Command Execution | AnomalyScoring | Enabled | source |
| 932160 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Unix Shell Code Found | AnomalyScoring | Enabled | source |
| 932170 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | AnomalyScoring | Enabled | source |
| 932171 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | AnomalyScoring | Enabled | source |
| 932180 | REQUEST-932-APPLICATION-ATTACK-RCE | Restricted File Upload Attempt | AnomalyScoring | Enabled | source |
| 932190 | REQUEST-932-APPLICATION-ATTACK-RCE | Remote Command Execution: Wildcard bypass technique attempt | AnomalyScoring | Enabled | source |
REQUEST-933-APPLICATION-ATTACK-PHP
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 933100 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Opening/Closing Tag Found | AnomalyScoring | Enabled | source |
| 933110 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: PHP Script File Upload Found | AnomalyScoring | Enabled | source |
| 933111 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: PHP Script File Upload Found | AnomalyScoring | Enabled | source |
| 933120 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Configuration Directive Found | AnomalyScoring | Enabled | source |
| 933130 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Variables Found | AnomalyScoring | Enabled | source |
| 933131 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Variables Found | AnomalyScoring | Enabled | source |
| 933140 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: I/O Stream Found | AnomalyScoring | Enabled | source |
| 933150 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: High-Risk PHP Function Name Found | AnomalyScoring | Enabled | source |
| 933151 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Medium-Risk PHP Function Name Found | AnomalyScoring | Enabled | source |
| 933160 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: High-Risk PHP Function Call Found | AnomalyScoring | Enabled | source |
| 933161 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Low-Value PHP Function Call Found | AnomalyScoring | Enabled | source |
| 933170 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Serialized Object Injection | AnomalyScoring | Enabled | source |
| 933180 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: Variable Function Call Found | AnomalyScoring | Enabled | source |
| 933190 | REQUEST-933-APPLICATION-ATTACK-PHP | PHP Injection Attack: PHP Closing Tag Found | AnomalyScoring | Enabled | source |
REQUEST-941-APPLICATION-ATTACK-XSS
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 941100 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Attack Detected via libinjection | AnomalyScoring | Enabled | source |
| 941101 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Attack Detected via libinjection. | AnomalyScoring | Enabled | source |
| 941110 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Filter - Category 1: Script Tag Vector | AnomalyScoring | Enabled | source |
| 941120 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Filter - Category 2: Event Handler Vector | AnomalyScoring | Enabled | source |
| 941130 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Filter - Category 3: Attribute Vector | AnomalyScoring | Enabled | source |
| 941140 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Filter - Category 4: Javascript URI Vector | AnomalyScoring | Enabled | source |
| 941150 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Filter - Category 5: Disallowed HTML Attributes | AnomalyScoring | Enabled | source |
| 941160 | REQUEST-941-APPLICATION-ATTACK-XSS | NoScript XSS InjectionChecker: HTML Injection | AnomalyScoring | Enabled | source |
| 941170 | REQUEST-941-APPLICATION-ATTACK-XSS | NoScript XSS InjectionChecker: Attribute Injection | AnomalyScoring | Enabled | source |
| 941180 | REQUEST-941-APPLICATION-ATTACK-XSS | Node-Validator Blacklist Keywords | AnomalyScoring | Enabled | source |
| 941190 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS Using style sheets | AnomalyScoring | Enabled | source |
| 941200 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using VML frames | AnomalyScoring | Enabled | source |
| 941210 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using obfuscated JavaScript | AnomalyScoring | Enabled | source |
| 941220 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using obfuscated VB Script | AnomalyScoring | Enabled | source |
| 941230 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'embed' tag | AnomalyScoring | Enabled | source |
| 941240 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'import' or 'implementation' attribute | AnomalyScoring | Enabled | source |
| 941250 | REQUEST-941-APPLICATION-ATTACK-XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941260 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'meta' tag | AnomalyScoring | Enabled | source |
| 941270 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'link' href | AnomalyScoring | Enabled | source |
| 941280 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'base' tag | AnomalyScoring | Enabled | source |
| 941290 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'applet' tag | AnomalyScoring | Enabled | source |
| 941300 | REQUEST-941-APPLICATION-ATTACK-XSS | XSS using 'object' tag | AnomalyScoring | Enabled | source |
| 941310 | REQUEST-941-APPLICATION-ATTACK-XSS | US-ASCII Malformed Encoding XSS Filter - Attack Detected. | AnomalyScoring | Enabled | source |
| 941320 | REQUEST-941-APPLICATION-ATTACK-XSS | Possible XSS Attack Detected - HTML Tag Handler | AnomalyScoring | Enabled | source |
| 941330 | REQUEST-941-APPLICATION-ATTACK-XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941340 | REQUEST-941-APPLICATION-ATTACK-XSS | IE XSS Filters - Attack Detected. | AnomalyScoring | Enabled | source |
| 941350 | REQUEST-941-APPLICATION-ATTACK-XSS | UTF-7 Encoding IE XSS - Attack Detected. | AnomalyScoring | Enabled | source |
REQUEST-942-APPLICATION-ATTACK-SQLI
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 942100 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack Detected via libinjection | AnomalyScoring | Enabled | source |
| 942110 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack: Common Injection Testing Detected | AnomalyScoring | Enabled | source |
| 942120 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack: SQL Operator Detected | AnomalyScoring | Enabled | source |
| 942130 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack: SQL Tautology Detected. | AnomalyScoring | Enabled | source |
| 942140 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack: Common DB Names Detected | AnomalyScoring | Enabled | source |
| 942150 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942160 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects blind sqli tests using sleep() or benchmark(). | AnomalyScoring | Enabled | source |
| 942170 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects SQL benchmark and sleep injection attempts including conditional queries | AnomalyScoring | Enabled | source |
| 942180 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects basic SQL authentication bypass attempts 1/3 | AnomalyScoring | Enabled | source |
| 942190 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MSSQL code execution and information gathering attempts | AnomalyScoring | Enabled | source |
| 942200 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MySQL comment-/space-obfuscated injections and backtick termination | AnomalyScoring | Enabled | source |
| 942210 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects chained SQL injection attempts 1/2 | AnomalyScoring | Enabled | source |
| 942220 | REQUEST-942-APPLICATION-ATTACK-SQLI | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash | AnomalyScoring | Enabled | source |
| 942230 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects conditional SQL injection attempts | AnomalyScoring | Enabled | source |
| 942240 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MySQL charset switch and MSSQL DoS attempts | AnomalyScoring | Enabled | source |
| 942250 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections | AnomalyScoring | Enabled | source |
| 942251 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects HAVING injections | AnomalyScoring | Enabled | source |
| 942260 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects basic SQL authentication bypass attempts 2/3 | AnomalyScoring | Enabled | source |
| 942270 | REQUEST-942-APPLICATION-ATTACK-SQLI | Looking for basic sql injection. Common attack string for mysql, oracle and others. | AnomalyScoring | Enabled | source |
| 942280 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | AnomalyScoring | Enabled | source |
| 942290 | REQUEST-942-APPLICATION-ATTACK-SQLI | Finds basic MongoDB SQL injection attempts | AnomalyScoring | Enabled | source |
| 942300 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MySQL comments, conditions and ch(a)r injections | AnomalyScoring | Enabled | source |
| 942310 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects chained SQL injection attempts 2/2 | AnomalyScoring | Enabled | source |
| 942320 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MySQL and PostgreSQL stored procedure/function injections | AnomalyScoring | Enabled | source |
| 942330 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects classic SQL injection probings 1/2 | AnomalyScoring | Enabled | source |
| 942340 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects basic SQL authentication bypass attempts 3/3 | AnomalyScoring | Enabled | source |
| 942350 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects MySQL UDF injection and other data/structure manipulation attempts | AnomalyScoring | Enabled | source |
| 942360 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects concatenated basic SQL injection and SQLLFI attempts | AnomalyScoring | Enabled | source |
| 942361 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects basic SQL injection based on keyword alter or union | AnomalyScoring | Enabled | source |
| 942370 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects classic SQL injection probings 2/2 | AnomalyScoring | Enabled | source |
| 942380 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942390 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942400 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942410 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942420 | REQUEST-942-APPLICATION-ATTACK-SQLI | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) | AnomalyScoring | Enabled | source |
| 942421 | REQUEST-942-APPLICATION-ATTACK-SQLI | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) | AnomalyScoring | Enabled | source |
| 942430 | REQUEST-942-APPLICATION-ATTACK-SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | AnomalyScoring | Enabled | source |
| 942431 | REQUEST-942-APPLICATION-ATTACK-SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) | AnomalyScoring | Enabled | source |
| 942432 | REQUEST-942-APPLICATION-ATTACK-SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) | AnomalyScoring | Enabled | source |
| 942440 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Comment Sequence Detected. | AnomalyScoring | Enabled | source |
| 942450 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Hex Encoding Identified | AnomalyScoring | Enabled | source |
| 942460 | REQUEST-942-APPLICATION-ATTACK-SQLI | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters | AnomalyScoring | Enabled | source |
| 942470 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942480 | REQUEST-942-APPLICATION-ATTACK-SQLI | SQL Injection Attack | AnomalyScoring | Enabled | source |
| 942490 | REQUEST-942-APPLICATION-ATTACK-SQLI | Detects classic SQL injection probings 3/3 | AnomalyScoring | Enabled | source |
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 943100 | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Possible Session Fixation Attack: Setting Cookie Values in HTML | AnomalyScoring | Enabled | source |
| 943110 | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer | AnomalyScoring | Enabled | source |
| 943120 | REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Possible Session Fixation Attack: SessionID Parameter Name with No Referer | AnomalyScoring | Enabled | source |
REQUEST-944-APPLICATION-ATTACK-JAVA
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 944100 | REQUEST-944-APPLICATION-ATTACK-JAVA | Remote Command Execution: Apache Struts, Oracle WebLogic | AnomalyScoring | Enabled | source |
| 944110 | REQUEST-944-APPLICATION-ATTACK-JAVA | Detects potential payload execution | AnomalyScoring | Enabled | source |
| 944120 | REQUEST-944-APPLICATION-ATTACK-JAVA | Possible payload execution and remote command execution | AnomalyScoring | Enabled | source |
| 944130 | REQUEST-944-APPLICATION-ATTACK-JAVA | Suspicious Java classes | AnomalyScoring | Enabled | source |
| 944200 | REQUEST-944-APPLICATION-ATTACK-JAVA | Exploitation of Java deserialization Apache Commons | AnomalyScoring | Enabled | source |
| 944210 | REQUEST-944-APPLICATION-ATTACK-JAVA | Possible use of Java serialization | AnomalyScoring | Enabled | source |
| 944240 | REQUEST-944-APPLICATION-ATTACK-JAVA | Remote Command Execution: Java serialization | AnomalyScoring | Enabled | source |
| 944250 | REQUEST-944-APPLICATION-ATTACK-JAVA | Remote Command Execution: Suspicious Java method detected | AnomalyScoring | Enabled | source |
Known-CVEs - This Rule Group contains Rules for new and known CVEs
| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 800100 | Known-CVEs | Rule to help detect and mitigate log4j vulnerability - CVE-2021-44228 | AnomalyScoring | Enabled | |
| 800110 | Known-CVEs | Spring4Shell Interaction Attempt | AnomalyScoring | Enabled | |
| 800111 | Known-CVEs | Attempted Spring Cloud routing-expression injection - CVE-2022-22963 | AnomalyScoring | Enabled | |
| 800112 | Known-CVEs | Attempted Spring Framework unsafe class object exploitation - CVE-2022-22965 | AnomalyScoring | Enabled | |
| 800113 | Known-CVEs | Attempted Spring Cloud Gateway Actuator injection - CVE-2022-22947 | AnomalyScoring | Enabled | |