cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

coraza: promote 920440 + 930130 to enforce list (empirical detect-only data)
All checks were successful
Build and push coraza-spoa / Build-and-Push (push) Successful in 1m17s
Details
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 53s
Details

Browse Source 
After ~30 min of detect-only on whp01 we have actionable data on what
fires against legitimate customer traffic vs. attacker recon. Two rules
demonstrably catch only the latter and earn promotion to the day-one
enforce list:

  920440 — URL file extension restricted by policy
    Caught 124 events in the sample window, ALL backup/config-file
    disclosure probes (`/wp-config.php.old`, `/db_backup.sql`,
    `/.env.save`, `/releases.sql` ...) from a single GCP-hosted scanner
    hammering joshuaknapp.net. Match patterns: .sql (×62), .bak (×5),
    .old (×3), .save (×2), .backup, .dist. No legitimate URL on
    WP/WooCommerce/Divi/HPR ends in these.

  930130 — Restricted File Access Attempt
    Caught 117 events, ALL dotfile/VCS/config-disclosure probes
    (`/.env`, `/.env.local`, `/.env.bak`, `/.git/config`, `/config.php`,
    `/admin/.env`, `/backend/.env` ...). Spread across joshuaknapp.net,
    cgdannyb.com, onlinesupplements.net. Notably, HPR's
    `/ccdn.php?filename=/eps/...` legitimate audio-delivery URL does NOT
    trigger this rule — verified empirically.

Also documented in the "intentionally detect-only" comment block: 933150
fires on WooCommerce checkout when literal `session_start` appears in
billing form data (alphaoneaminos.com saw 2 such events). That's a
canonical CRS false positive on WooCommerce; left detect-only.

Net effect: existing detect_only deployments stay detect-only (the WHP
apply script bind-mounts an empty overrides over the baked-in file).
When operators next flip a server to enforce, these two extra ranges
activate alongside the original day-one list.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Josh Knapp
2026-05-12 18:00:21 -07:00
parent ba4c101135
commit 3572c66fb7
1 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
coraza-spoa/overrides.conf
View File

@@ -57,12 +57,41 @@ SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 920440 — URL file extension restricted by policy
# Catches probes for backup / config / dump files: .bak, .old, .save,
# .swp, .sql, .dist, .backup. Promoted to enforce after empirical
# observation on whp01 (2026-05-12, first ~30 min of detect-only):
# 124 events, all backup-file recon — `/wp-config.php.old`,
# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a
# single GCP-hosted scanner. Zero false positives observed; standard
# WP/WooCommerce/Divi/HPR URLs do not end in these extensions.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930130 — Restricted File Access Attempt
# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local /
# .env.bak / .env.save variants), .git/config, config.php at root or under
# /admin /backend, etc. Distinct from 930120 (system file paths like
# /etc/passwd); this targets application secret files.
#
# Promoted to enforce on the same observation pass that justified 920440:
# 117 events split across joshuaknapp.net (136), cgdannyb.com (51),
# onlinesupplements.net (23) — all `.env`-class disclosure probes.
# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...`
# audio delivery path does NOT trigger this rule — verified empirically.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi) — WP admin queries reflected in params
# 920xxx (Protocol)Cloudflare-in-front sometimes injects odd headers
# 920xxx (other) most 920xxx rules; 920440 specifically promoted above
# 933150 — PHP injection FP on WooCommerce checkout
# (`session_start` literal appearing in billing form data)
# 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
# ---------------------------------------------------------------------------