cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f1bc1837e62543f4316e6cbdc4b2721d3c8a7b8
haproxy-manager-base/coraza-spoa/overrides.conf
Josh Knapp 753743de20
All checks were successful
Build and push coraza-spoa / Build-and-Push (push) Successful in 40s
Details
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 54s
Details
coraza: drop 913xxx scanner-UA from enforce list (FP on Mastodon + SiteLock) 
25h whp01 burn-in (2026-05-13) found ~11% FP rate on rule 913100:
ActivityPub federation pulls (Mastodon UA "...Bot" on hackerpublicradio.org
and blog.anti-social.online) and SiteLockSpider scans (a customer-paid
security service hitting greggfranklin.com + suchascream.net). The other
six promoted rule families (930120, 932100-160, 933170-200, 944100-300,
920440, 930130) showed zero FPs across the same window and stay enforced.

Detection-only still feeds the anomaly score, so we lose ~no real
blocking value by demoting this family.
2026-05-13 19:13:22 -07:00

97 lines
5.5 KiB
Plaintext
Raw Blame History

# WHP day-one enforce overrides for coraza-spoa.
#
# Global mode in config.yaml is SecRuleEngine DetectionOnly. The rule ID
# ranges below are promoted to enforcement individually, chosen for very
# low false-positive rate on the kinds of customer traffic seen on WHP
# (WordPress, WooCommerce, Divi page builders).
#
# When bumping the upstream coraza-spoa pin (and thus the bundled CRS):
# 1. Skim the CRS CHANGELOG for new/changed rules in these ID ranges.
# 2. Verify they're still high-confidence before promoting the new image.
# 3. Smoke-test in staging detect-only mode for 24h before flipping enforce.
#
# Per-customer false-positive tuning lives in a future per-customer
# override mechanism; v1 is server-wide.
# ---------------------------------------------------------------------------
# 930120 — LFI: explicit traversal to sensitive system files
# (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
# Unambiguous probe pattern; no legitimate site path leads here.
# Note: 930xxx as a whole includes broader traversal patterns that can FP
# on legitimate relative-path file browsers — keep those detect-only.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930120 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 932100-932160 — RCE: Unix shell command injection
# Patterns like `; cat /etc/passwd`, `|whoami`, backtick `\`uname\``,
# $(...) substitution, &&/|| chaining with shell builtins.
# Don't appear in normal POST bodies, URL params, or headers. Targeting
# these is unambiguous attempted command execution.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 932100-932160 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 933170-933200 — PHP Webshell access patterns
# Direct requests to known webshell paths: c99.php, r57.php, b374k.php,
# wso.php, alfa.php, mini.php, etc. Almost universally reconnaissance
# scanning for post-exploitation. Even legitimate WordPress installs
# never serve these paths.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 933170-933200 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 944100-944300 — Log4Shell / JNDI injection
# `${jndi:ldap://}`, `${jndi:rmi://}`, and obfuscated variants thereof
# in headers, query strings, or bodies. Even our PHP/Node stack isn't
# vulnerable, but blocking at the edge keeps logs clean and protects
# any future Java workloads.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 944100-944300 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 920440 — URL file extension restricted by policy
# Catches probes for backup / config / dump files: .bak, .old, .save,
# .swp, .sql, .dist, .backup. Promoted to enforce after empirical
# observation on whp01 (2026-05-12, first ~30 min of detect-only):
# 124 events, all backup-file recon — `/wp-config.php.old`,
# `/db_backup.sql`, `/.env.save`, `/releases.sql`, etc. — from a
# single GCP-hosted scanner. Zero false positives observed; standard
# WP/WooCommerce/Divi/HPR URLs do not end in these extensions.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 920440 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930130 — Restricted File Access Attempt
# Catches dotfile / VCS / config-disclosure probes: .env (and .env.local /
# .env.bak / .env.save variants), .git/config, config.php at root or under
# /admin /backend, etc. Distinct from 930120 (system file paths like
# /etc/passwd); this targets application secret files.
#
# Promoted to enforce on the same observation pass that justified 920440:
# 117 events split across joshuaknapp.net (136), cgdannyb.com (51),
# onlinesupplements.net (23) — all `.env`-class disclosure probes.
# Zero false positives observed. Notably, HPR's `/ccdn.php?filename=...`
# audio delivery path does NOT trigger this rule — verified empirically.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation
# (Mastodon's "...Bot" UA) and SiteLockSpider (a
# paid customer-security service some sites use).
# Observed on whp01 burn-in 2026-05-13:
# 20/185 hits = ~11% FP rate on HPR + greggfranklin
# + suchascream. Detection adds anomaly score
# either way; enforce upside is low.
# 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi) — WP admin queries reflected in params
# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
# 933150 — PHP injection FP on WooCommerce checkout
# (`session_start` literal appearing in billing form data)
# 950xxx-953xxx — Data leakage / backup-file disclosure (mixed FP)
# ---------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink