From 3572c66fb77970e87825c981c0c367a416b96f9f Mon Sep 17 00:00:00 2001 
From: Josh Knapp
Date: Tue, 12 May 2026 18:00:21 -0700
Subject: [PATCH] coraza: promote 920440 + 930130 to enforce list (empirical detect-only data)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After ~30 min of detect-only on whp01 we have actionable data on what fires
against legitimate customer traffic vs. attacker recon. Two rules demonstrably
catch only the latter and earn promotion to the day-one enforce list:

920440 — URL file extension restricted by policy
  Caught 124 events in the sample window, ALL backup/config-file disclosure
  probes (`/wp-config.php.old`, `/db_backup.sql`, `/.env.save`,
  `/releases.sql` ...) from a single GCP-hosted scanner hammering
  joshuaknapp.net. Match patterns: .sql (×62), .bak (×5), .old (×3),
  .save (×2), .backup, .dist. No legitimate URL on WP/WooCommerce/Divi/HPR
  ends in these.

930130 — Restricted File Access Attempt
  Caught 117 events, ALL dotfile/VCS/config-disclosure probes (`/.env`,
  `/.env.local`, `/.env.bak`, `/.git/config`, `/config.php`, `/admin/.env`,
  `/backend/.env` ...). Spread across joshuaknapp.net, cgdannyb.com,
  onlinesupplements.net. Notably, HPR's `/ccdn.php?filename=/eps/...`
  legitimate audio-delivery URL does NOT trigger this rule — verified
  empirically.

Also documented in the "intentionally detect-only" comment block: 933150 fires
on WooCommerce checkout when literal `session_start` appears in billing form
data (alphaoneaminos.com saw 2 such events). That's a canonical CRS false
positive on WooCommerce; left detect-only.

Net effect: existing detect_only deployments stay detect-only (the WHP apply
script bind-mounts an empty overrides over the baked-in file). When operators
next flip a server to enforce, these two extra ranges activate alongside the
original day-one list.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 coraza-spoa/overrides.conf | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf index ebc2022..f278298 100644 --- a/coraza-spoa/overrides.conf +++ b/coraza-spoa/overrides.conf 
@@ -57,12 +57,41 @@ SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On" # --------------------------------------------------------------------------- SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On" +# --------------------------------------------------------------------------- +# 920440 — URL file extension restricted by policy +# Catches probes for backup / config / dump files: .bak, .old, .save, +# .swp, .sql, .dist, .backup. Promoted to enforce after empirical +# observation on whp01 (2026-05-12, first ~30 min of detect-only): +# 124 events, all backup-file recon — `/wp-config.php.old`, +# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a +# single GCP-hosted scanner. Zero false positives observed; standard +# WP/WooCommerce/Divi/HPR URLs do not end in these extensions. +# --------------------------------------------------------------------------- +SecRuleUpdateActionById 920440 "ctl:ruleEngine=On" + +# --------------------------------------------------------------------------- +# 930130 — Restricted File Access Attempt +# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local / +# .env.bak / .env.save variants), .git/config, config.php at root or under +# /admin /backend, etc. Distinct from 930120 (system file paths like +# /etc/passwd); this targets application secret files. +# +# Promoted to enforce on the same observation pass that justified 920440: +# 117 events split across joshuaknapp.net (136), cgdannyb.com (51), +# onlinesupplements.net (23) — all `.env`-class disclosure probes. +# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...` +# audio delivery path does NOT trigger this rule — verified empirically. 
+# --------------------------------------------------------------------------- +SecRuleUpdateActionById 930130 "ctl:ruleEngine=On" + # --------------------------------------------------------------------------- # Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate # on customer mix. Promote individually after observation: # # 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions # 942xxx (SQLi) — WP admin queries reflected in params -# 920xxx (Protocol) — Cloudflare-in-front sometimes injects odd headers +# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above +# 933150 — PHP injection FP on WooCommerce checkout +# (`session_start` literal appearing in billing form data) # 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP) # ---------------------------------------------------------------------------
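Review bot: the per-host breakdown in the new 930130 comment does not add up: joshuaknapp.net (136) + cgdannyb.com (51) + onlinesupplements.net (23) is 210, yet the same sentence and the commit message report 117 events. One of the two figures is wrong, and since this comment is the only in-tree record of the evidence for enforcing the rule, correct it before merging (either keep `117 events split across` with per-host counts that sum to 117, or raise the total to match the per-host numbers). A smaller documentation point in the detect-only block: the removed line `# 920xxx (Protocol) — Cloudflare-in-front sometimes injects odd headers` carried the reason the family stays detect-only, and its replacement `# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above` drops that reason entirely; keep the Cloudflare rationale next to the pointer to 920440 so the next operator knows why the remaining 920xxx rules must not be promoted as a range.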