
Commit 55d6450

committed
all2vcl rerun, breach updated
1 parent 35e22da commit 55d6450

42 files changed

Lines changed: 50254 additions & 880 deletions


vcl/breach/20_protocol_violations.vcl

Lines changed: 249 additions & 93 deletions
Large diffs are not rendered by default.
Lines changed: 37 additions & 48 deletions
@@ -1,28 +1,5 @@
11
sub vcl_recv {
22
set req.http.X-Sec-Module = "2vcl";
3-
## REQUEST_LINE,
4-
# skipped REQUEST_LINE rx ^GET /$
5-
## REMOTE_ADDR,
6-
# skipped REMOTE_ADDR rx ^127\.0\.0\.1$
7-
## REQUEST_LINE,
8-
# skipped REQUEST_LINE rx ^GET / HTTP/1.0$
9-
## REMOTE_ADDR,
10-
# skipped REMOTE_ADDR rx ^127\.0\.0\.1$
11-
## REQUEST_HEADERS, :User-Agent
12-
# AC User-Agent
13-
## Rule: REQUEST_HEADERS rx :User-Agent
14-
# AAA User-Agent
15-
if(req.http.User-Agent ~ "^Apache.*\(internal dummy connection\)$"){
16-
call sec_sev1;
17-
}
18-
## REQUEST_PROTOCOL,
19-
## Rule: REQUEST_PROTOCOL rx :
20-
if(req.proto ~ "^"){
21-
set req.http.X-Sec-RuleInfo = "HTTP/0.9 Request Detected";
22-
set req.http.X-Sec-Severity = "4";
23-
set req.http.X-Sec-RuleId = "960019";
24-
call sec_sev1;
25-
}
263
## &REQUEST_HEADERS, :Host
274
# AC Host
285
# skipped & REQUEST_HEADERS eq Host 0
@@ -32,34 +9,44 @@ sub vcl_recv {
329
# AAA Host
3310
if(req.http.Host ~ "^$"){
3411
set req.http.X-Sec-RuleInfo = "Request Missing a Host Header";
35-
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
36-
set req.http.X-Sec-Severity = "4";
12+
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER_HOST";
13+
set req.http.X-Sec-RuleName = "WASCTC/WASC-21";
14+
set req.http.X-Sec-RuleName = "OWASP_TOP_10/A7";
15+
set req.http.X-Sec-RuleName = "PCI/6.5.10";
16+
set req.http.X-Sec-Severity = "5";
3717
set req.http.X-Sec-RuleId = "960008";
38-
call sec_sev1;
18+
call sec_default_handler;
19+
}
20+
## REQUEST_METHOD,
21+
## Rule: REQUEST_METHOD rx :
22+
if(req.request ~ "^OPTIONS$"){
23+
set req.http.X-Sec-RuleInfo = "Request Missing an Accept Header";
24+
set req.http.X-Sec-Severity = "2";
25+
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT";
26+
set req.http.X-Sec-RuleName = "WASCTC/WASC-21";
27+
set req.http.X-Sec-RuleName = "OWASP_TOP_10/A7";
28+
set req.http.X-Sec-RuleName = "PCI/6.5.10";
29+
set req.http.X-Sec-RuleId = "960015";
30+
# chained rule
3931
}
4032
## &REQUEST_HEADERS, :Accept
4133
# AC Accept
4234
# skipped & REQUEST_HEADERS eq Accept 0
4335
## REQUEST_METHOD,
4436
## Rule: REQUEST_METHOD rx :
4537
if(req.request ~ "^OPTIONS$"){
46-
call sec_sev1;
38+
set req.http.X-Sec-RuleInfo = "Request Has an Empty Accept Header";
39+
set req.http.X-Sec-Severity = "2";
40+
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT";
41+
set req.http.X-Sec-RuleId = "960021";
42+
# chained rule
4743
}
4844
## REQUEST_HEADERS, :Accept
4945
# AC Accept
5046
## Rule: REQUEST_HEADERS rx :Accept
5147
# AAA Accept
5248
if(req.http.Accept ~ "^$"){
53-
set req.http.X-Sec-RuleInfo = "Request Missing an Accept Header";
54-
set req.http.X-Sec-Severity = "2";
55-
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
56-
set req.http.X-Sec-RuleId = "960015";
57-
# chained rule
58-
}
59-
## REQUEST_METHOD,
60-
## Rule: REQUEST_METHOD rx :
61-
if(req.request ~ "^OPTIONS$"){
62-
call sec_sev1;
49+
call sec_default_handler;
6350
}
6451
## &REQUEST_HEADERS, :User-Agent
6552
# AC User-Agent
@@ -70,10 +57,13 @@ sub vcl_recv {
7057
# AAA User-Agent
7158
if(req.http.User-Agent ~ "^$"){
7259
set req.http.X-Sec-RuleInfo = "Request Missing a User Agent Header";
73-
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
74-
set req.http.X-Sec-Severity = "4";
60+
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER_UA";
61+
set req.http.X-Sec-RuleName = "WASCTC/WASC-21";
62+
set req.http.X-Sec-RuleName = "OWASP_TOP_10/A7";
63+
set req.http.X-Sec-RuleName = "PCI/6.5.10";
64+
set req.http.X-Sec-Severity = "5";
7565
set req.http.X-Sec-RuleId = "960009";
76-
call sec_sev1;
66+
call sec_default_handler;
7767
}
7868
## &REQUEST_HEADERS, :Content-Type
7969
# AC Content-Type
@@ -83,23 +73,22 @@ sub vcl_recv {
8373
## Rule: REQUEST_HEADERS rx :Content-Length
8474
# AAA Content-Length
8575
if(req.http.Content-Length ~ "^0$"){
86-
call sec_sev1;
76+
call sec_default_handler;
8777
}
8878
## REQUEST_HEADERS, :Host
8979
# AC Host
9080
## Rule: REQUEST_HEADERS rx :Host
9181
# AAA Host
92-
if(req.http.Host ~ "^[\d\.]+$"){
93-
set req.http.X-Sec-Return = "400";
82+
if(req.http.Host ~ "^[\d.:]+$"){
9483
set req.http.X-Sec-RuleInfo = "Host header is a numeric IP address";
9584
set req.http.X-Sec-Severity = "2";
9685
set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/IP_HOST";
86+
set req.http.X-Sec-RuleName = "WASCTC/WASC-21";
87+
set req.http.X-Sec-RuleName = "OWASP_TOP_10/A7";
88+
set req.http.X-Sec-RuleName = "PCI/6.5.10";
89+
set req.http.X-Sec-RuleName = "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx";
9790
set req.http.X-Sec-RuleId = "960017";
98-
call sec_sev1;
91+
call sec_default_handler;
9992
}
100-
## RESPONSE_STATUS,
101-
# skipped RESPONSE_STATUS rx ^
102-
## WEBSERVER_ERROR_LOG,
103-
# skipped WEBSERVER_ERROR_LOG rx !
10493
}
10594
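Review bot: The four consecutive `set req.http.X-Sec-RuleName = ...` lines at new lines 12–15 overwrite one another, so by the time `sec_default_handler` runs the header holds only `PCI/6.5.10` and the rule name `PROTOCOL_VIOLATION/MISSING_HEADER_HOST` is gone; the same pattern appears at new lines 25–28, 60–63 and 86–89 (where the surviving value is a URL). The translator appears to map every ModSecurity tag onto the one header; either keep only the first value or accumulate them, e.g. `set req.http.X-Sec-RuleName = req.http.X-Sec-RuleName + " WASCTC/WASC-21";`. Separately, the 960015 and 960021 blocks at new lines 22–31 and 37–43 set rule info on every OPTIONS request but never call a handler, while the Accept-count condition they were chained to is emitted as skipped (line 34), so the `if(req.http.Accept ~ "^$")` block at line 48 invokes the handler with whichever X-Sec-* values were set last. `sub vcl_recv` begins in the first hunk and continues outside these hunks, and the file header naming this section is missing from the page.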

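--- a/vcl/breach/23_request_limits.vcl
+++ b/vcl/breach/23_request_limits.vcl
@@ -1,6 +1,34 @@
 sub vcl_recv {
 set req.http.X-Sec-Module = "2vcl";
+## &TX, :ARG_NAME_LENGTH
+# AC ARG_NAME_LENGTH
+# skipped & TX eq ARG_NAME_LENGTH 1
+## ARGS_NAMES,
+# skipped ARGS_NAMES gt %{tx.arg_name_length}
+## &TX, :ARG_LENGTH
+# AC ARG_LENGTH
+# skipped & TX eq ARG_LENGTH 1
+## ARGS,
+# skipped ARGS gt %{tx.arg_length}
+## &TX, :MAX_NUM_ARGS
+# AC MAX_NUM_ARGS
+# skipped & TX eq MAX_NUM_ARGS 1
 ## &ARGS,
-# skipped & ARGS gt 255
+# skipped & ARGS gt %{tx.max_num_args}
+## &TX, :TOTAL_ARG_LENGTH
+# AC TOTAL_ARG_LENGTH
+# skipped & TX eq TOTAL_ARG_LENGTH 1
+## ARGS_COMBINED_SIZE,
+# skipped ARGS_COMBINED_SIZE gt %{tx.total_arg_length}
+## &TX, :MAX_FILE_SIZE
+# AC MAX_FILE_SIZE
+# skipped & TX eq MAX_FILE_SIZE 1
+## FILES_SIZES,
+# skipped FILES_SIZES gt %{tx.max_file_size}
+## &TX, :COMBINED_FILE_SIZES
+# AC COMBINED_FILE_SIZES
+# skipped & TX eq COMBINED_FILE_SIZES 1
+## FILES_COMBINED_SIZE,
+# skipped FILES_COMBINED_SIZE gt %{tx.combined_file_sizes}
 }
 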
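Review bot: Every rule in this module is emitted as a `# skipped` comment, so after this change `vcl_recv` here still only sets `X-Sec-Module` and enforces no argument-count, argument-length or file-size limit; the `%{tx.*}` thresholds that replace the literal `255` are ModSecurity transaction variables the translator evidently does not render. A reader going by the file name would assume limits are in force, so a header comment such as `# NOTE: all request-limit rules below are skipped (TX variables and the ARGS/FILES collections are not translated); this module currently enforces nothing` would make that explicit. The same applies to vcl/breach/25_cc_track_pan.vcl, where all three RESPONSE_BODY rules are skipped.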

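--- a/vcl/breach/25_cc_known.vcl
+++ b/vcl/breach/25_cc_known.vcl
@@ -0,0 +1,155 @@
+sub vcl_recv {
+set req.http.X-Sec-Module = "2vcl";
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleId = "981078";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "GSA SmartPay Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920019";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "MasterCard Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920005";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "Visa Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920007";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "American Express Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920009";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "Diners Club Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920011";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "Discover Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920015";
+call sec_default_handler;
+}
+## ARGS,
+## Rule: ARGS verifyCC :
+if(req.url verifyCC "(?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)"){
+set req.http.X-Sec-RuleInfo = "JCB Credit Card Number detected in user input";
+set req.http.X-Sec-RuleName = "PCI/10.2";
+set req.http.X-Sec-Severity = "5";
+set req.http.X-Sec-RuleId = "920017";
+call sec_default_handler;
+}
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## RESPONSE_HEADERS, :Location
+# AC Location
+# skipped RESPONSE_HEADERS verifyCC Location (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)
+## TX, :1
+# AC 1
+## Rule: TX rx :1
+## TX, :CCDATA
+# AC CCDATA
+## Rule: TX rx :CCDATA
+}
+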
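Review bot: `verifyCC` at new lines 5, 11, 20, 29, 38, 47, 56 and 65 is a ModSecurity operator, not a VCL one, so `if(req.url verifyCC "...")` will not compile; the translator has copied the operator name through where the other modules emit `~`. Rendering these with a plain `~` and the same pattern would drop the checksum validation `@verifyCC` presumably performs and so match more non-card digit runs, and `req.url` is the whole request line rather than the ARGS collection (query and body arguments) the rule targets, so these eight rules should be emitted as `# skipped` or carry a comment such as `# NOTE: verifyCC has no VCL equivalent; regex-only match, expect false positives` until a proper translation exists. The first block (981078, lines 5–8) also calls `sec_default_handler` without setting RuleInfo or Severity, unlike the seven blocks that follow.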

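--- a/vcl/breach/25_cc_track_pan.vcl
+++ b/vcl/breach/25_cc_track_pan.vcl
@@ -0,0 +1,10 @@
+sub vcl_recv {
+set req.http.X-Sec-Module = "2vcl";
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY rx \%[Bb][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}\^[^\^]+\^[0-9]+\?
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY rx \;[3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[=Dd][0-9]+\?
+## RESPONSE_BODY,
+# skipped RESPONSE_BODY rx [^0-9][3456][0-9]{3,3}[\x20\-]{0,3}[0-9]{4,6}[\x20\-]{0,3}[0-9]{2,5}[\x20\-]{0,3}[0-9]{0,4}[^0-9]
+}
+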
