ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: opt / bitninja-waf3 / coreruleset / rules

# ------------------------------------------------------------------------
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
# The OWASP CRS is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#

# [ Unix command injection ]
#
# This rule detects Unix command injections.
# A command injection takes a form such as:
#
#   foo.jpg;uname -a
#   foo.jpg||uname -a
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in shell syntax, such as: ; | & $( ` <( >(
# Anatomy of the regexp with examples of patterns caught:
#
# 1. Starting tokens
#
# ;        ;ifconfig
# \{       {ifconfig}
# \|       |ifconfig
# \|\|     ||ifconfig
# &        &ifconfig
# &&       &&ifconfig
# \n       ;\nifconfig
# \r       ;\rifconfig
# \$$     $(ifconfig)
# \$\(\(   $((ifconfig))
# `        `ifconfig`
# \${      ${ifconfig}
# <\(      <( ifconfig )
# >\(      >( ifconfig )
# \(\s*$  a() ( ifconfig; ); a
#
# 2. Command prefixes
#
# {        { ifconfig }
# \s*$\s* ( ifconfig )
# \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+   VARNAME=xyz ifconfig
# !\s*     ! ifconfig
# \$       $ifconfig
#
# 3. Quoting
#
# '        'ifconfig'
# \"       "ifconfig"
#
# 4. Paths
#
# [\?\*\[\]\($\-\|+\w'\"\./\x5c]+/   /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc.
#
# An effort was made to combat evasions by shell quoting (e.g. 'ls',
# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
# transformation built-in to deal with this, but unfortunately, it
# replaces ';' characters and lowercases the payload, which is less
# useful for this case. However, emulating the transformation makes
# the regexp more complex.
#
# This is the base Rule to prevent Unix Command Injection
# for prefix + two and three characters.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932230.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932230
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z|h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|[ckz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\-\.0-9A-Z_a-z][\"'\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\*\-0-9\?@_a-\{]*)?\x5c?)+[\s\x0b&,<>\|]).*|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?g)|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:4|[\s\x0b&$,<>\|].*))|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|(?:e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?h)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n)|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?3[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)\b" \
    "id:932230,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# This is the base Rule to prevent Unix Command Injection
# for prefix + more than 4 characters.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932235.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932235
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&$<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|nsible|pt(?:-get|itude[\s\x0b&\)<>\|])|r(?:ch[\s\x0b&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\x0b&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab))|s(?:plit|vtool)|u(?:psfilter|rl[\s\x0b&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\x0b&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\x0b&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\x0b&\)<>\|]|grep|i(?:le(?:[\s\x0b&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\)<>\|])|o(?:ld[\s\x0b&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\x0b&\)<>\|]|core|e(?:ni(?:e[\s\x0b&\)<>\|]|soimage)|tfacl[\s\x0b&\)<>\|])|hci|i(?:mp[\s\x0b&\)<>\|]|nsh)|r(?:ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|dconfig|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\x0b&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ke[\s\x0b&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\x0b&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\x0b&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\x0b&\)<>\|]|map|o(?:de[\s\x0b&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\x0b&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\x0b&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\x0b&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\x0b]|3?versions))|r(?:ak(?:e[\s\x0b&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\x0b&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\)<>\|]|user)|nano|oute[\s\x0b&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\x0b&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\x0b&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\x0b&\)<>\|]|ndmail|t(?:arch|env|facl[\s\x0b&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\x0b&\)<>\|]|u(?:f|tdown[\s\x0b&\)<>\|]))|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\x0b&\)<>\|])|mux|ouch[\s\x0b&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\x0b&\)<>\|]|gr|mdiff|pw|rsh)|olatility[\s\x0b&\)<>\|])|w(?:a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
    "id:932235,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Windows PowerShell, cmdlets and options ]
#
# Detect some common PowerShell commands, cmdlets and options.
# These commands should be relatively uncommon in normal text, but
# potentially useful for code injection.
#
# If you are not running Windows, it is safe to disable this rule.
#
# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
    "id:932120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:cmdLine,\
    msg:'Remote Command Execution: Windows PowerShell Command Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'language-powershell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Windows Powershell cmdlet aliases ]
#
# Attempts to detect aliases of the common PowerShell cmdlets in windows-powershell-commands.data
# If you are not running Windows, it is safe to disable this rule.
#
# There are other aliases which are similar to Unix, but they are properly handled by rule 932105
#
# Regular expression generated from regex-assembly/932125.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932125
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
    "id:932125,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix shell expressions ]
#
# Detects the following patterns which are common in Unix shell scripts
# and one-liners:
#
# $(foo)    Command substitution
# ${foo}    Parameter expansion
# <(foo)    Process substitution
# >(foo)    Process substitution
# $((foo))  Arithmetic expansion
# /e[t]c    Shell glob expression to bypass wordlists
#
# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer
#
# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150)
#
# Regular expression generated from regex-assembly/932130.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932130
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:$(?:.*|\(.*$)\)|\{.*\})|[<>]$.*$|/[0-9A-Z_a-z]*\[!?.+\]" \
    "id:932130,\
    phase:2,\
    block,\
    capture,\
    t:none,t:cmdLine,\
    msg:'Remote Command Execution: Unix Shell Expression Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Windows FOR, IF commands ]
#
# This rule detects Windows command shell FOR and IF commands.
# If you are not running Windows, it is safe to disable this rule.
#
# Examples:
#
#   FOR              %a IN (set) DO
#   FOR /D           %a IN (dirs) DO
#   FOR /F "options" %a IN (text|"text") DO
#   FOR /L           %a IN (start,step,end) DO
#   FOR /R C:\dir    %A IN (set) DO
#
#   IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
#   IF [/I] [NOT] item1   [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
#   IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
#
# http://ss64.com/nt/if.html
# http://ss64.com/nt/for.html
#
# Regular expression generated from regex-assembly/932140.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932140
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in$.*$[\s\x0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \
    "id:932140,\
    phase:2,\
    block,\
    capture,\
    t:none,t:cmdLine,\
    msg:'Remote Command Execution: Windows FOR/IF Command Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix direct remote command execution ]
#
# Detects Unix commands at the start of a parameter (direct RCE).
# Example: foo=wget%20www.example.com
#
# In this rule we use a different check from command injection (rule 932230), where a
# command string is appended (injected) to a regular parameter, and then
# passed to a shell unescaped.
#
# Additionaly, we require a trailing space (denoting command parameters) or command
# separator character after the command.
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
#
# An effort was made to combat evasions by shell quoting (e.g. 'ls',
# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
# transformation built-in to deal with this, but unfortunately, it
# replaces ';' characters and lowercases the payload, which is less
# useful for this case. However, emulating the transformation makes
# the regexp more complex.
#
# This is the base Rule to prevent Direct Unix Command Injection
# without prefix match.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932250.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932250
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z|[ckz][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?4)?)|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p)?|s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n)|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?3[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m)[\s\x0b&$<>\|]" \
    "id:932250,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Direct Unix Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# This rule complements rule 932250 for commands of 4 characters and up.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932260.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932260
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|xel[\s\x0b&$<>\|])|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|ron[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
    "id:932260,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Direct Unix Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{TX.932260_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.932260_matched_var_name=%{matched_var_name}',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix shell history invocation ]
#
# Detects Unix shell history invocations in any context.
#
# Example:
#   GET /?rce=example.com
#   GET /?rce=curl%20
#   GET /?rce=!-1!-2
#
# Will execute `curl example.com`. We should be able to detect the '!-<digit>' sequence with a very low risk of false-positives since the sequence is very specific
# and does not allow for whitespaces in between.
#
# This rule has stricter siblings:
#   * 932331 (PL3)
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \
    "id:932330,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix shell history invocation',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix shell snippets ]
#
# Detect some common sequences found in shell commands and scripts.
#
# Some commands which were restricted in earlier rules due to FP,
# have been added here with their full path, in order to catch some
# cases where the full path is sent.
#
# Rule relations:
#
#  .932160 (base rule, PL1, unix shell commands with full path)
#  ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
#
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
#
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
    "id:932160,\
    phase:2,\
    block,\
    capture,\
    t:none,t:cmdLine,t:normalizePath,\
    msg:'Remote Command Execution: Unix Shell Code Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL', chain"
SecRule &TX:BN_CPANEL_CALL "@eq 0" \
    "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
#
# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability.
#
# Based on ModSecurity rules created by Red Hat.
# Permission for use was granted by Martin Prpic <secalert@redhat.com>
#
# https://access.redhat.com/articles/1212303
#
SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^$\s*$\s+{" \
    "id:932170,\
    phase:1,\
    block,\
    capture,\
    t:none,t:urlDecode,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^$\s*$\s+{" \
    "id:932171,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,\
    msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Unix shell alias detection ]
#
# Detects Unix shell alias invocations in any context.
#
# Example:
#   GET /?rce=alias%20a=b
#
# Shell aliasing can be performed to substitute anything in commands, escaping
#
# References: https://pubs.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_03_10 :
# "In the shell command language, a word consisting solely of underscores, digits, and alphabetics
# from the portable character set and any of the following characters: '!', '%', ',', '@'."
#
# Implementations may allow other characters within alias names as an extension.
#
# Regular expression generated from regex-assembly/932175.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932175
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s\b[\s\x0b]+[!\"%',0-9@-Z_a-z]+=[^\s\x0b]" \
    "id:932175,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix shell alias invocation',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# -=[ Restricted File Upload ]=-
#
# Detects attempts to upload a file with a forbidden filename.
#
# Many application contain Unrestricted File Upload vulnerabilities.
# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
#
# These might be abused to upload configuration files or other files
# that affect the behavior of the web server, possibly causing remote
# code execution.
#
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \
    "@pmFromFile restricted-upload.data" \
    "id:932180,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Restricted File Upload Attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

# [ Windows command injection ]
#
# This rule detects Windows shell command injections.
# If you are not running Windows, it is safe to disable this rule.
#
# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380.
# The new rules target specific Windows binaries to simplify future updates of the command list.
#
# A command injection takes a form such as:
#
#   foo.jpg&ver /r
#   foo.jpg|ver /r
#
# The vulnerability exists when an application executes a shell command
# without proper input escaping/validation.
#
# To prevent false positives, we look for a 'starting sequence' that
# precedes a command in CMD syntax, such as: ; | & `
#
# Anatomy of the regexp:
#
# 1. Starting tokens
#
# ;        ;cmd
# \{       {cmd
# \|       |cmd
# \|\|     ||cmd
# &        &cmd
# &&       &&cmd
# \n       \ncmd
# \r       \rcmd
# `        `cmd
#
# 2. Command prefixes
#
# (        (cmd)
# ,        ,cmd
# @        @cmd
# '        'cmd'
# "        "cmd"
# \s       spacing+cmd
#
# 3. Paths
#
# [\w'\"\./]+/                          /path/cmd
# [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c     C:\Program Files\cmd
# [\^\.\w '\"/\x5c]*\x5c)?[\"\^]*       \\net\share\dir\cmd
#
# 4. Quoting
#
# \"       "cmd"
# \^       ^cmd
#
# 5. Extension/switches
#
# \.[\"\^]*\w+      cmd.com, cmd.exe, etc.
# /b                cmd/h
#
# An effort is made to combat evasions by CMD syntax; for example,
# the following strings are valid: c^md, @cmd, "c"md. ModSecurity
# has a t:cmdLine transformation built-in to deal with some of these,
# but unfortunately, that transformation replaces ';' characters (so
# we cannot match on the start of a command) and '\' characters (so we
# have trouble matching paths). This makes the regexp more complex.
#
# This rule is case-insensitive.
#
# Regular expression generated from regex-assembly/932370.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932370
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\x0b,\./;<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\x0b,\./;<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\x0b,\./;<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\x0b,\./;<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
    "id:932370,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Windows Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

#
# This rule detects Windows shell command injections.
# If you are not running Windows, it is safe to disable this rule.
#
# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380.
# The new rules target specific Windows binaries to simplify future updates of the command list.
#
# See rule 932370 above for further explanation.
#
# This rule is case-insensitive.
#
# Regular expression generated from regex-assembly/932380.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932380
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
    "id:932380,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Windows Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-windows',\
    tag:'attack-rce',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#

# [ Unix command injection ]
#
# This rule targets pefix + the source command (dot character) at PL2.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932231.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932231
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
    "id:932231,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# This is a stricter sibling of rule 932130.
#
# It applies the same regular expression to the
# User-Agent and Referer HTTP headers.
#
# Unlike the sibling rule, this rule runs in phase 1.
#
# Regular expression generated from regex-assembly/932131.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932131
#
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:$(?:.*|\(.*$)\)|\{.*\})|[<>]$.*$|/[0-9A-Z_a-z]*\[!?.+\]" \
    "id:932131,\
    phase:1,\
    block,\
    capture,\
    t:none,t:cmdLine,\
    msg:'Remote Command Execution: Unix Shell Expression Found',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# -=[ Rule 932200 ]=-
#
# Block RCE Bypass using different techniques:
# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/)
# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8)
#
# Examples:
# - foo;cat$u+/etc$u/passwd
# - bar;cd+/etc;/bin$u/ca*+passwd
# - foo;ca\t+/et\c/pa\s\swd
# - foo;c'at'+/etc/pa's'swd
# - foo;c$@at+/et$@c/pas$@swd
# - foo;c$!at+/et$!c/pas$!swd
# - foo;c$*at+/et$*c/pas$*swd
# - foo;c$?at+/et$?c/pas$?swd
# - foo;c$-at+/et$-c/pas$-swd
# - foo;c$_at+/et$_c/pas$_swd
# - foo;c$$at+/et$$c/pas$$swd
#
# Regex notes: https://regex101.com/r/V6wrCO/1
#
# Regular expression generated from regex-assembly/932200.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932200
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]" \
    "id:932200,\
    phase:2,\
    block,\
    capture,\
    t:none,t:lowercase,t:urlDecodeUni,\
    msg:'RCE Bypass Technique',\
    logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule MATCHED_VAR "@rx /" \
        "t:none,t:urlDecodeUni,\
        chain"
        SecRule MATCHED_VAR "@rx \s" \
            "t:none,t:urlDecodeUni,\
            setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# -=[ Rule 932205 ]=-
#
# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200
# and must be handled with additional checks.
#
# The last chain prevents FPs against the "Scroll to text fragment" browser feature
# (https://wicg.github.io/scroll-to-text-fragment/).
#
# Regular expression generated from regex-assembly/932205.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932205
#
SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
    "id:932205,\
    phase:1,\
    block,\
    capture,\
    t:none,t:lowercase,t:urlDecodeUni,\
    msg:'RCE Bypass Technique',\
    logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule TX:0 "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]))" \
        "capture,\
        t:none,t:urlDecodeUni,\
        chain"
        SecRule TX:1 "@rx /" \
            "t:none,t:urlDecodeUni,\
            chain"
            SecRule TX:1 "@rx \s" \
                "t:none,t:urlDecodeUni,\
                setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
                setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

#
# -=[ Rule 932206 ]=-
#
# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200
# and must be handled with additional checks.
#
# Regular expression generated from regex-assembly/932206.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932206
#
SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{])" \
    "id:932206,\
    phase:1,\
    block,\
    capture,\
    t:none,t:lowercase,t:urlDecodeUni,\
    msg:'RCE Bypass Technique',\
    logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule MATCHED_VAR "@rx /" \
        "t:none,t:urlDecodeUni,\
        chain"
        SecRule MATCHED_VAR "@rx \s" \
            "t:none,t:urlDecodeUni,\
            setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
            setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# Regular expression generated from regex-assembly/932220.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932220
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|G[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?E[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?T|a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[gr])|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[bdx]|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[dp]|r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b|f|(?:k[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?g|h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[cp]|r(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[ghu]|s(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h)?|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|l)|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m)|z[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
    "id:932220,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection with pipe',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# -=[ Rule 932240 ]=-
#
# Generic RCE Bypass blocking using different techniques: see https://github.com/coreruleset/coreruleset/issues/2632
#
# This rule complements rule 932230 with generic evasion detection.
# Anything that uses a well-known evasion technique should be blocked at this level.
# The chained rule will exclude false positives due to german thousands separators (e.g., 10'000).
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932240.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932240
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\s\x0b]*[\"'][^\s\x0b\"']+[\"']|(?:[\"'][\"']+|[\[-\]]+|\$+[!#\*\-0-9\?@\x5c_a-\{]+|``|[\$<>])[\s\x0b]*)[\-0-9_a-z]+" \
    "id:932240,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\
    logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
    chain"
    SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
        "t:none,\
        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# [ Sqlite System Command Execution ]
#
# This rule prevents execution of SQLite CLI commands like .system and .shell
#
# You can find a vulnerable script and a sample payload here:
# https://github.com/qxxxb/ctf/tree/master/2021/zer0pts_ctf/baby_sqli
#
# List of sqlite3 CLI commands:
# https://sqlite.org/cli.html
#
# Regular expression generated from regex-assembly/932210.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932210
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\x0b]*\.[\s\x0b]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \
    "id:932210,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,t:compressWhitespace,\
    msg:'Remote Command Execution: SQLite System Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# -=[ SMTP/IMAP/POP3 Command Execution ]=-
#
# Rationale
# =========
#
# The rules for email command execution are based on the RFCs for each protocol.
# Some of the commands have optional and/or additional parameters, so we tried to be
# precise to avoid as many FP in PL2 rules.
# For those commands that resemble common English words, and may pose a higher risk of false positives,
# they have been split off to a sibling rule in PL3.

# =[ SMTP Command Execution ]=
#
# This rule prevents execution of SMTP related system commands.
#
# List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321)
#
# Regular expression generated from regex-assembly/932300.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932300
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:E(?:HLO [\-\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\-\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20} (?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}=|[\+/-9A-Z_a-z\x17f\x212a]{3}))?=|STARTTLS\b|NOOP\b(?: .{1,255})?)" \
    "id:932300,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: SMTP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# =[ IMAP Command Execution ]=
#
# This rule prevents execution of IMAP4 related system commands.
#
# List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9)
#
# Note: Mailbox International Naming Convention uses UTF-7, so it was left out explicitly.
#
# Regular expression generated from regex-assembly/932310.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932310
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"#%&\*\--9A-Z\x5c_a-z]+)?(?: $[ \x5ca-z]+$)?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"#\*\.-9A-Z_a-z~]+)? (?:[\"%&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%&\*\--9A-Z\x5c_a-z]+)? $(?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+$|ETACL (?:[\"%&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eiklpr-twx]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)" \
    "id:932310,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: IMAP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# =[ POP3 Command Execution ]=
#
# This rule prevents execution of POP3 related system commands.
#
# List of POP3 commands:
# - from rfc 1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B)
# - extensions from rfc 2449 (https://www.rfc-editor.org/rfc/rfc2449)
#
# These commands all have some kind of parameter that makes them a good PL2 target.
#
# Regular expression generated from regex-assembly/932320.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932320
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \
    "id:932320,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: POP3 Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# This is a stricter sibling of rules 932230, 932235, 932250, 932260.
# This stricter sibling detects Unix RCE with and without prefix and words of any length.
# It uses the same regex.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932236.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932236
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&$<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
    "id:932236,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# This is a sibling of rule 932236.
# This sibling detects Unix RCE in request headers Referer and User-Agent.
# It uses the same regex but excludes known user-agents to avoid false positives.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
#
# Regular expression generated from regex-assembly/932239.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932239
#
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&$<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
    "id:932239,\
    phase:1,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# [ Unix shell snippets ]
#
# Detect some common sequences found in shell commands and scripts.
#
# Some commands which were restricted in earlier rules due to FP,
# have been added here with their full path, in order to catch some
# cases where the full path is sent.
#
# Rule relations:
#
#  .932160 (base rule, PL1, unix shell commands with full path)
#  ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
#
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \
    "id:932161,\
    phase:1,\
    block,\
    capture,\
    t:none,t:cmdLine,t:normalizePath,\
    msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#

# [ Unix command injection ]
#
# This rule targets pefix + commans that are prone to false positive detection at PL3.
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932232.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932232
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?2[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&$,<>\|].*))\b" \
    "id:932232,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Remote Command Execution: Unix Command Injection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932237.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932237
#
SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:(?:itude)?[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h?[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\)<>\|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\x0b&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:(?:out)?[\s\x0b&\)<>\|]|datectl))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|diff)|gr|pw|rsh)|algrind|olatility[\s\x0b&\)<>\|])|w(?:[\s\x0b&\)<>c\|]|h(?:o(?:[\s\x0b&\)<>\|]|ami|is)?|iptail[\s\x0b&\)<>\|])|a(?:ll|tch)[\s\x0b&\)<>\|]|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \
    "id:932237,\
    phase:1,\
    block,\
    capture,\
    t:none,t:cmdLine,t:normalizePath,\
    msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# [ Unix command injection ]
#
# Rule relations:
#
#  .932230 (base rule, PL1, targets prefix + two and three character commands)
#  ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
#  ..932232 (stricter sibling, PL3, targets prefix + additional command words)
#  .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
#
#  .932250 (base rule, PL1, targets two and three character commands)
#  .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
#
#  .932240 (generic detection, PL2, targets generic evasion attempts)
#  .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
#       - with and without prefix
#       - words of any length)
#  ..932239 (sibling of 932236, PL2,
#       - with and without prefix
#       - words of any length
#       - targets request headers user-agent and referer only
#       - excluded words: known user-agents)
#  ..932238 (stricter sibling of 932236, PL3,
#       - no excluded words)
#  .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
#       - targets request headers user-agent and referer only
#       - without prefix
#       - with word boundaries
#       - words of any length
#       - excluded words: known user-agents)
#
#
# Regular expression generated from regex-assembly/932238.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932238
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?s[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?y[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?b[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?r[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*$)[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*$|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?2[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?d[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?c[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?m[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?a[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?n[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&$,<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'$\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#$\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&$,<>\|].*))" \
    "id:932238,\
    phase:2,\
    block,\
    capture,\
    t:none,t:cmdLine,t:normalizePath,\
    msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

#
# -=[ Bypass Rule 930120 (wildcard) ]=-
#
# When Paranoia Level is set to 1 and 2, a Remote Command Execution
# could be exploited bypassing rule 930120 (OS File Access Attempt)
# by using wildcard characters.
#
# In some other cases, it could be bypassed even if the Paranoia Level is set to 3.
# Please, keep in mind that this rule could lead to many false positives.
#
# The following two blog posts explain the evasions this rule is designed to detect:
# - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
# - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0

SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
    "id:932190,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
    msg:'Remote Command Execution: Wildcard bypass technique attempt',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# -=[ SMTP commands ]=-
#
# This rule prevents execution of SMTP related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932300.
#
# Rule 932301 is a stricter sibling of rule 932300.
#
# Regular expression generated from regex-assembly/932301.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932301
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \
    "id:932301,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: SMTP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ IMAP4 Command Execution ]=
#
# This rule prevents execution of IMAP4 related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932310.
#
# Rule 932311 is a stricter sibling of rule 932310.
#
# Regular expression generated from regex-assembly/932311.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932311
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"#%&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"#\*\--9A-Z\x5c_a-z~]+? [\"#%&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\-\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"#%&\*\--9A-Z\x5c_a-z]+? [\"#%&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"#%&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\-\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? (?:$\x5c[a-z]{1,20}$)?|ARTTLS)|UBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \
    "id:932311,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: IMAP Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ POP3 Command Execution ]=
#
# This rule prevents execution of POP3 related system commands.
#
# These commands may have a higher risk of false positives.
# For explanation of this rule, see above rule 932320.
#
# Rule 932321 is a stricter sibling of rule 932320.
#
# Regular expression generated from regex-assembly/932321.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
#   crs-toolchain regex update 932321
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)" \
    "id:932321,\
    phase:2,\
    block,\
    t:none,t:escapeSeqDecode,\
    msg:'Remote Command Execution: POP3 Command Execution',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/137/134',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

# =[ Unix shell history invocation ]=
#
# This rule is a stricter sibling of 932330.
# Shell history can also be invoked by providing an absolute position: '!1' or by repeating the last command '!!'.
# The latter might seem harmless as you would expect that it already requires a successful exploitation, but it is a threat in disguise.
#
# Imagine the following requests:
#   GET /?rce=c
#   GET /?rce=!!!!
# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932150.
#
# Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \
    "id:932331,\
    phase:2,\
    block,\
    t:none,\
    msg:'Remote Command Execution: Unix shell history invocation',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-shell',\
    tag:'platform-unix',\
    tag:'attack-rce',\
    tag:'paranoia-level/3',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/88',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/4.1.0',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"

[-] REQUEST-932-APPLICATION-ATTACK-RCE.conf [edit]
[-] REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf [edit]
[-] ssrf.data [edit]
[-] REQUEST-931-APPLICATION-ATTACK-RFI.conf [edit]
[+] ..
[-] REQUEST-941-APPLICATION-ATTACK-XSS.conf [edit]
[-] REQUEST-920-PROTOCOL-ENFORCEMENT.conf [edit]
[-] REQUEST-949-BLOCKING-EVALUATION.conf [edit]
[-] RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example [edit]
[-] REQUEST-922-MULTIPART-ATTACK.conf [edit]
[-] web-shells-php.data [edit]
[-] REQUEST-933-APPLICATION-ATTACK-PHP.conf [edit]
[-] RESPONSE-953-DATA-LEAKAGES-PHP.conf [edit]
[-] RESPONSE-950-DATA-LEAKAGES.conf [edit]
[-] REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example [edit]
[-] sql-errors.data [edit]
[-] restricted-files.data [edit]
[-] restricted-upload.data [edit]
[-] REQUEST-921-PROTOCOL-ATTACK.conf [edit]
[-] REQUEST-913-SCANNER-DETECTION.conf [edit]
[-] php-config-directives.data [edit]
[-] RESPONSE-951-DATA-LEAKAGES-SQL.conf [edit]
[-] php-variables.data [edit]
[-] RESPONSE-954-DATA-LEAKAGES-IIS.conf [edit]
[-] unix-shell.data [edit]
[-] REQUEST-901-INITIALIZATION.conf [edit]
[-] php-function-names-933151.data [edit]
[-] iis-errors.data [edit]
[-] REQUEST-911-METHOD-ENFORCEMENT.conf [edit]
[-] RESPONSE-952-DATA-LEAKAGES-JAVA.conf [edit]
[-] scanners-user-agents.data [edit]
[-] RESPONSE-980-CORRELATION.conf [edit]
[-] php-function-names-933150.data [edit]
[-] REQUEST-944-APPLICATION-ATTACK-JAVA.conf [edit]
[-] java-errors.data [edit]
[-] windows-powershell-commands.data [edit]
[-] REQUEST-942-APPLICATION-ATTACK-SQLI.conf [edit]
[-] java-classes.data [edit]
[-] php-errors-pl2.data [edit]
[-] php-errors.data [edit]
[-] REQUEST-905-COMMON-EXCEPTIONS.conf [edit]
[-] RESPONSE-959-BLOCKING-EVALUATION.conf [edit]
[-] REQUEST-930-APPLICATION-ATTACK-LFI.conf [edit]
[-] RESPONSE-955-WEB-SHELLS.conf [edit]
[-] java-code-leakages.data [edit]
[-] REQUEST-934-APPLICATION-ATTACK-GENERIC.conf [edit]
[-] lfi-os-files.data [edit]