# WHP day-one enforce overrides for coraza-spoa.
#
# Global mode in config.yaml is SecRuleEngine DetectionOnly. The rule ID
# ranges below are promoted to enforcement individually, chosen for very
# low false-positive rate on the kinds of customer traffic seen on WHP
# (WordPress, WooCommerce, Divi page builders).
#
# How the promotion works: each directive appends "ctl:ruleEngine=On" to the
# listed rule(s), so the engine flips from DetectionOnly to On only inside a
# transaction where one of those rules actually matches; every other request
# stays detect-only.
#
# NOTE(review): once a promoted rule matches, enforcement is transaction-wide
# for the remaining phases. If the bundled CRS runs in anomaly-scoring mode
# (its default), the block is issued by the CRS blocking-evaluation rules on
# the *total* anomaly score, which then also includes points from rules that
# are still detect-only — confirm those evaluation rule files are loaded and
# that this aggregate behaviour is intended.
#
# NOTE(review): load order matters — the *ById update directives apply to
# rules already defined at parse time, so this file must be included in
# config.yaml after the CRS rule files. Also confirm the pinned coraza
# version accepts ID ranges (e.g. 913100-913199) on SecRuleUpdateActionById
# rather than single IDs only, as ModSecurity's original form did; a range
# that silently fails to resolve would leave that family detect-only.
#
# NOTE(review): the verdict is only enforced if the HAProxy side acts on the
# SPOA result (a deny rule keyed on the coraza action variable) — confirm
# the HAProxy config, or "enforce" here is still detection in practice.
#
# When bumping the upstream coraza-spoa pin (and thus the bundled CRS):
# 1. Skim the CRS CHANGELOG for new/changed rules in these ID ranges.
# 2. Verify they're still high-confidence before promoting the new image.
# 3. Smoke-test in staging detect-only mode for 24h before flipping enforce.
#
# Per-customer false-positive tuning lives in a future per-customer
# override mechanism; v1 is server-wide.
# ---------------------------------------------------------------------------
# 913xxx — Scanner User-Agents
# (sqlmap, nikto, nmap-scripts, dirbuster, masscan, gobuster, ZAP, w3af, etc.)
# Legitimate browsers and apps never send these UAs. Pure recon/exploit
# tooling. Highest signal-to-noise rule family in CRS.
# NOTE(review): the range is wider than the UA rule alone. As far as I
# recall, CRS 3.x's 913 family also holds 913110 (scanner request headers)
# and 913120 (scanner filenames/arguments, data-file driven), plus the PL2
# rules 913101/913102 that flag generic HTTP clients (curl, python-requests,
# ...) and crawlers — promoting those would block ordinary API/integration
# traffic. Confirm which 913 IDs the bundled CRS ships and at what paranoia
# level before keeping the whole range; narrowing to 913100 may be the
# safer v1.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930120 — LFI: explicit traversal to sensitive system files
# (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
# Unambiguous probe pattern; no legitimate site path leads here.
# Note: 930xxx as a whole includes broader traversal patterns that can FP
# on legitimate relative-path file browsers — keep those detect-only.
# NOTE(review): as far as I recall, 930120 inspects argument values and
# cookies, not only the path, so customer-authored content that quotes a
# system path (a support post pasting "/etc/passwd") would also trip it.
# Acceptable for v1, but worth watching in the detect-only logs first.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930120 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 932100-932160 — RCE: Unix shell command injection
# Patterns like `; cat /etc/passwd`, `|whoami`, backtick `\`uname\``,
# $(...) substitution, &&/|| chaining with shell builtins.
# Don't appear in normal POST bodies, URL params, or headers. Targeting
# these is unambiguous attempted command execution.
# NOTE(review): the label undersells the range. In CRS 3.x, as I recall,
# it also covers the Windows command / PowerShell rules (932110, 932115,
# 932120, 932140) and the data-file driven 932160 (Unix shell code found),
# and CRS 4.x reportedly reorganised this family. Check the bundled CRS for
# the exact IDs and list them here so the rationale matches what is
# enforced. This is also the family most likely to hit customer-authored
# content (shell snippets in blog posts, support tickets) — review the
# detect-only hits before promotion.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 932100-932160 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 933170-933200 — PHP Webshell access patterns
# Direct requests to known webshell paths: c99.php, r57.php, b374k.php,
# wso.php, alfa.php, mini.php, etc. Almost universally reconnaissance
# scanning for post-exploitation. Even legitimate WordPress installs
# never serve these paths.
# NOTE(review): this description does not match the IDs as I know them.
# In CRS 3.x/4.x, 933170-933200 are the PHP *injection* rules (serialized
# object injection, variable function calls, PHP closing tag, wrapper
# scheme), not webshell filename checks; CRS 4.x's web-shell detection
# lives in the response-phase 955xxx family instead. Of the IDs actually
# in range, 933170 (serialized object) is a plausible FP source on
# WordPress, since plugins and WooCommerce submit PHP-serialized values in
# form posts. Verify the IDs against the bundled CRS and either fix this
# rationale or change the range before this stays enforced.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 944100-944300 — Log4Shell / JNDI injection
# `${jndi:ldap://}`, `${jndi:rmi://}`, and obfuscated variants thereof
# in headers, query strings, or bodies. Even though our PHP/Node stack
# isn't vulnerable, blocking at the edge keeps logs clean and protects
# any future Java workloads.
# NOTE(review): as I recall, only 944150-944152 are the Log4j/JNDI rules
# (CRS 3.3+); the rest of 944100-944300 are the generic Java attack rules
# (suspicious Java class names, serialized Java objects / magic bytes,
# base64-encoded class data). Low FP risk on a PHP/Node host, but the
# class-name rules can key on strings that appear in technical blog
# content. Confirm the full range is intended, or narrow it to the JNDI
# rule IDs so the comment and the directive agree.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi) — WP admin queries reflected in params
# 920xxx (Protocol) — Cloudflare-in-front sometimes injects odd headers
# 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
#
# NOTE(review): "detect-only" is per-transaction, not absolute — in
# anomaly-scoring mode these families still add to the score of a request
# in which a promoted rule above has already flipped the engine to On.
# ---------------------------------------------------------------------------