cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
haproxy-manager-base/coraza-spoa/overrides.conf

106 lines
6.0 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# WHP day-one enforce overrides for coraza-spoa.
#
# Global mode in config.yaml is SecRuleEngine DetectionOnly. The rule ID
# ranges below are promoted to enforcement individually, chosen for very
# low false-positive rate on the kinds of customer traffic seen on WHP
# (WordPress, WooCommerce, Divi page builders).
#
# When bumping the upstream coraza-spoa pin (and thus the bundled CRS):
# 1. Skim the CRS CHANGELOG for new/changed rules in these ID ranges.
# 2. Verify they're still high-confidence before promoting the new image.
# 3. Smoke-test in staging detect-only mode for 24h before flipping enforce.
#
# Per-customer false-positive tuning lives in a future per-customer
# override mechanism; v1 is server-wide.
# ---------------------------------------------------------------------------
# 930120 — LFI: explicit traversal to sensitive system files
# (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
# Unambiguous probe pattern; no legitimate site path leads here.
# Note: 930xxx as a whole includes broader traversal patterns that can FP
# on legitimate relative-path file browsers — keep those detect-only.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930120 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 932100-932160 — RCE: Unix shell command injection
# Patterns like `; cat /etc/passwd`, `|whoami`, backtick `\`uname\``,
# $(...) substitution, &&/|| chaining with shell builtins.
# Don't appear in normal POST bodies, URL params, or headers. Targeting
# these is unambiguous attempted command execution.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 932100-932160 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 933170-933200 — PHP Webshell access patterns
# Direct requests to known webshell paths: c99.php, r57.php, b374k.php,
# wso.php, alfa.php, mini.php, etc. Almost universally reconnaissance
# scanning for post-exploitation. Even legitimate WordPress installs
# never serve these paths.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 944100-944300 — Log4Shell / JNDI injection
# `${jndi:ldap://}`, `${jndi:rmi://}`, and obfuscated variants thereof
# in headers, query strings, or bodies. Even our PHP/Node stack isn't
# vulnerable, but blocking at the edge keeps logs clean and protects
# any future Java workloads.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 920440 — URL file extension restricted by policy
# Catches probes for backup / config / dump files: .bak, .old, .save,
# .swp, .sql, .dist, .backup. Promoted to enforce after empirical
# observation on whp01 (2026-05-12, first ~30 min of detect-only):
# 124 events, all backup-file recon — `/wp-config.php.old`,
# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a
# single GCP-hosted scanner. Zero false positives observed; standard
# WP/WooCommerce/Divi/HPR URLs do not end in these extensions.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930130 — Restricted File Access Attempt
# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local /
# .env.bak / .env.save variants), .git/config, config.php at root or under
# /admin /backend, etc. Distinct from 930120 (system file paths like
# /etc/passwd); this targets application secret files.
#
# Promoted to enforce on the same observation pass that justified 920440:
# 117 events split across joshuaknapp.net (136), cgdannyb.com (51),
# onlinesupplements.net (23) — all `.env`-class disclosure probes.
# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...`
# audio delivery path does NOT trigger this rule — verified empirically.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation
# (Mastodon's "...Bot" UA) and SiteLockSpider (a
# paid customer-security service some sites use).
# Observed on whp01 burn-in 2026-05-13:
# 20/185 hits = ~11% FP rate on HPR + greggfranklin
# + suchascream. Detection adds anomaly score
# either way; enforce upside is low.
# 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi) — WP admin queries reflected in params
# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
# 933150 — PHP injection FP on WooCommerce checkout
# (`session_start` literal appearing in billing form data)
# 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
# ---------------------------------------------------------------------------
# ---------------------------------------------------------------------------
# RESERVED RULE-ID RANGE: 990000000 990999999
# WHP's coraza_rule_manager generates per-host-exception rules in this range
# (rule ID = 990000000 + target_rule_id). Do NOT add new rules in this range
# from any other source. When bumping the coraza-spoa pin, check the CRS
# changelog for new rules with 9-digit IDs (rare but possible) and re-namespace
# if collision risk emerges.
# ---------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink