# WHP day-one enforce overrides for coraza-spoa.
#
# Global mode in config.yaml is SecRuleEngine DetectionOnly. The rule ID
# ranges below are promoted to enforcement individually, chosen for very
# low false-positive rate on the kinds of customer traffic seen on WHP
# (WordPress, WooCommerce, Divi page builders).
#
# When bumping the upstream coraza-spoa pin (and thus the bundled CRS):
# 1. Skim the CRS CHANGELOG for new/changed rules in these ID ranges.
# 2. Verify they're still high-confidence before promoting the new image.
# 3. Smoke-test in staging detect-only mode for 24h before flipping enforce.
#
# Per-customer false-positive tuning lives in a future per-customer
# override mechanism; v1 is server-wide.
# ---------------------------------------------------------------------------
# 930120 — LFI: explicit traversal to sensitive system files
# (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
# Unambiguous probe pattern; no legitimate site path leads here.
# Note: 930xxx as a whole includes broader traversal patterns that can FP
# on legitimate relative-path file browsers — keep those detect-only.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930120 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 932100-932160 — RCE: Unix shell command injection
# Patterns like `; cat /etc/passwd`, `|whoami`, backtick `uname`,
# $(...) substitution, &&/|| chaining with shell builtins.
# These don't appear in normal POST bodies, URL params, or headers; any
# hit on them is unambiguous attempted command execution.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 932100-932160 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 933170-933200 — PHP Webshell access patterns
# Direct requests to known webshell paths: c99.php, r57.php, b374k.php,
# wso.php, alfa.php, mini.php, etc. Almost universally reconnaissance
# scanning for post-exploitation. Even legitimate WordPress installs
# never serve these paths.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 944100-944300 — Log4Shell / JNDI injection
# `${jndi:ldap://}`, `${jndi:rmi://}`, and obfuscated variants thereof
# in headers, query strings, or bodies. Our PHP/Node stack isn't
# vulnerable itself, but blocking at the edge keeps logs clean and
# protects any future Java workloads.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 920440 — URL file extension restricted by policy
# Catches probes for backup / config / dump files: .bak, .old, .save,
# .swp, .sql, .dist, .backup. Promoted to enforce after empirical
# observation on whp01 (2026-05-12, first ~30 min of detect-only):
# 124 events, all backup-file recon — `/wp-config.php.old`,
# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a
# single GCP-hosted scanner. Zero false positives observed; standard
# WP/WooCommerce/Divi/HPR URLs do not end in these extensions.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930130 — Restricted File Access Attempt
# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local /
# .env.bak / .env.save variants), .git/config, config.php at root or under
# /admin /backend, etc. Distinct from 930120 (system file paths like
# /etc/passwd); this targets application secret files.
#
# Promoted to enforce on the same observation pass that justified 920440:
# 117 events split across joshuaknapp.net (136), cgdannyb.com (51),
# onlinesupplements.net (23) — all `.env`-class disclosure probes.
# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...`
# audio delivery path does NOT trigger this rule — verified empirically.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 913xxx (Scanner UAs) — matches legitimate ActivityPub federation
#                        (Mastodon's "...Bot" UA) and SiteLockSpider (a
#                        paid customer-security service some sites use).
#                        Observed on whp01 burn-in 2026-05-13:
#                        20/185 hits = ~11% FP rate on HPR + greggfranklin
#                        + suchascream. Detection adds anomaly score
#                        either way; enforce upside is low.
# 941xxx (XSS)         — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi)        — WP admin queries reflected in params
# 920xxx (other)       — most 920xxx rules; 920440 specifically promoted above
# 933150               — PHP injection FP on WooCommerce checkout
#                        (`session_start` literal appearing in billing form data)
# 950xxx-953xxx        — Data leakage / backup-file disclosure (mixed FP)
# ---------------------------------------------------------------------------
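The two chores this file describes, checking a pin bump against the "promote individually, keep these families detect-only" policy and turning an observation pass into per-rule hit and FP counts, are easier to do from a script than by eye. The following review helper is an added example written for this note; it is not part of coraza-spoa, the OWASP CRS, or the WHP deployment. It parses `SecRuleUpdateActionById` lines in the `id` and `lo-hi` forms this file uses, expands the ranges, and flags any promoted ID that lands inside a family the file keeps detect-only (920440 is treated as the declared exception). It then tallies reviewed detect-only events per rule ID with a per-host split, the same shape of evidence the 920440 and 930130 promotions cite. The event shape (`rule_id`, `host`, analyst `false_positive` verdict) and the sample events are constructed here and are not coraza-spoa's audit log format; the family ranges are taken from the list above.

```python
"""Review helper for a coraza-spoa SecLang override file (added example).

Not part of coraza-spoa, the OWASP CRS, or the WHP config. It:
  1. parses every `SecRuleUpdateActionById <id|lo-hi> "..."` directive,
     expands ranges, and flags promoted IDs inside a detect-only family;
  2. tallies reviewed detect-only audit events per rule ID (hits, FP rate,
     per-host split) and lists rules that clear a zero-FP, minimum-hits bar.
The event dict shape used here is an assumption, not the real audit format.
"""
import re
from collections import Counter, defaultdict

DIRECTIVE = re.compile(
    r'^\s*SecRuleUpdateActionById\s+(\d+)(?:-(\d+))?\s+"([^"]*)"\s*$'
)

# Families the override file keeps at DetectionOnly for v1 (inclusive ranges).
DETECT_ONLY = {
    "913xxx scanner UAs": (913000, 913999),
    "920xxx protocol enforcement": (920000, 920999),
    "933150 PHP injection": (933150, 933150),
    "941xxx XSS": (941000, 941999),
    "942xxx SQLi": (942000, 942999),
    "950xxx-953xxx data leakage": (950000, 953999),
}
DETECT_ONLY_EXCEPTIONS = {920440}  # promoted individually after observation


def parse_promotions(text):
    """Map every rule ID promoted by an override directive to its action string."""
    promoted = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comment lines and trailing comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if hi < lo:
            raise ValueError(f"inverted rule ID range {lo}-{hi}: {raw.strip()}")
        for rule_id in range(lo, hi + 1):
            promoted[rule_id] = m.group(3)
    return promoted


def policy_violations(promoted):
    """(rule_id, family) pairs where an enforce override hits a detect-only family."""
    violations = []
    for rule_id in sorted(promoted):
        if rule_id in DETECT_ONLY_EXCEPTIONS:
            continue
        for family, (lo, hi) in DETECT_ONLY.items():
            if lo <= rule_id <= hi:
                violations.append((rule_id, family))
    return violations


def fp_summary(events):
    """Per rule ID: (hits, false-positive rate, {host: hits}) from reviewed events."""
    hits, fps, hosts = Counter(), Counter(), defaultdict(Counter)
    for ev in events:
        rule_id = ev["rule_id"]
        hits[rule_id] += 1
        hosts[rule_id][ev["host"]] += 1
        if ev["false_positive"]:
            fps[rule_id] += 1
    return {r: (hits[r], fps[r] / hits[r], dict(hosts[r])) for r in hits}


def promotion_candidates(summary, promoted, min_hits=20, max_fp_rate=0.0):
    """Not-yet-promoted rule IDs with enough reviewed hits and FP rate at or below the bar."""
    return sorted(
        rule_id
        for rule_id, (hits, fp_rate, _) in summary.items()
        if rule_id not in promoted and hits >= min_hits and fp_rate <= max_fp_rate
    )


# Constructed excerpt: the enforce directives from the override file, comments omitted.
SAMPLE_OVERRIDES = """\
# day-one enforce overrides (excerpt)
SecRuleUpdateActionById 930120 "ctl:ruleEngine=On"
SecRuleUpdateActionById 932100-932160 "ctl:ruleEngine=On"
SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
"""

# Constructed review results (hypothetical hosts), not real whp01 data.
SAMPLE_EVENTS = (
    [{"rule_id": 930130, "host": "site-a.example", "false_positive": False}] * 15
    + [{"rule_id": 930130, "host": "site-b.example", "false_positive": False}] * 10
    + [{"rule_id": 913100, "host": "site-c.example", "false_positive": False}] * 8
    + [{"rule_id": 913100, "host": "site-c.example", "false_positive": True}] * 2
    + [{"rule_id": 941100, "host": "site-a.example", "false_positive": True}] * 3
)

if __name__ == "__main__":
    promoted = parse_promotions(SAMPLE_OVERRIDES)
    print(f"{len(promoted)} rule IDs promoted; violations: {policy_violations(promoted)}")
    summary = fp_summary(SAMPLE_EVENTS)
    for rule_id, (hits, fp_rate, hosts) in sorted(summary.items()):
        print(f"{rule_id}: {hits} hits, {fp_rate:.0%} FP, hosts={hosts}")
    print("promotion candidates:", promotion_candidates(summary, promoted))
```

Run it against the real override file and a reviewed export of detect-only events before a pin bump; a non-empty `policy_violations` result means a promoted range has drifted into a family this file says to keep detect-only, and `promotion_candidates` gives the rules that have earned the same zero-FP evidence 920440 and 930130 were promoted on.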