WAF Core Rules Reference

Core Rule Set Reference

The following table presents the rules of the WAF Core Rule Set (CRS) as defined in the OWASP CRS:

Rule ID Rule Description
932160 Remote Command Execution: Unix Shell Code Found
942100 SQL Injection Attack Detected via libinjection
942250 Detects MATCH AGAINST MERGE and EXECUTE IMMEDIATE injections
942460 Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
910150 HTTP Blacklist match for search engine IP
913110 Found request header associated with security scanner
920190 Range: Invalid Last Byte Value.
921120 HTTP Response Splitting Attack
951120 Oracle SQL Information Leakage
953100 PHP Information Leakage
954100 Disclosure of IIS install location
941340 IE XSS Filters - Attack Detected.
942170 Detects SQL benchmark and sleep injection attempts including conditional queries
944300 Base64 encoded string matched suspicious keyword
910180 HTTP Blacklist match for harvester IP
920350 Host header is a numeric IP address
932100 Remote Command Execution: Unix Command Injection
941290 IE XSS Filters - Attack Detected.
920480 Request content type charset is not allowed by policy
930120 OS File Access Attempt
931120 Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
941150 XSS Filter - Category 5: Disallowed HTML Attributes
942400 SQL Injection Attack
954110 Application Availability Error
920201 Range: Too many fields for pdf request (63 or more)
931100 Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address
932170 Remote Command Execution: Shellshock (CVE-2014-6271)
933150 PHP Injection Attack: High-Risk PHP Function Name Found
920380 Too many arguments in request
933111 PHP Injection Attack: PHP Script File Upload Found
951230 mysql SQL Information Leakage
4295005 Enable Nextcloud specific CRS exclusions
953120 PHP source code leakage
954130 IIS Information Leakage
920440 URL file extension is restricted by policy
920450 HTTP header is restricted by policy (%{MATCHED_VAR})
932180 Restricted File Upload Attempt
941170 NoScript XSS InjectionChecker: Attribute Injection
920470 Illegal Content-Type header
920230 Multiple URL Encoding Detected
932190 Remote Command Execution: Wildcard bypass technique attempt
941300 IE XSS Filters - Attack Detected.
944250 Remote Command Execution: Suspicious Java method detected
910100 Client IP is from a HIGH Risk Country Location.
920273 Invalid character in request (outside of very strict set)
921151 HTTP Header Injection Attack via payload (CR/LF detected)
930100 Path Traversal Attack (/../)
941310 US-ASCII Malformed Encoding XSS Filter - Attack Detected.
942150 SQL Injection Attack
950130 Directory Listing
4295001 Enable Drupal specific CRS exclusions
932130 Remote Command Execution: Unix Shell Expression Found
933140 PHP Injection Attack: I/O Stream Found
941140 XSS Filter - Category 4: Javascript URI Vector
941260 IE XSS Filters - Attack Detected.
933130 PHP Injection Attack: Variables Found
942260 Detects basic SQL authentication bypass attempts 2/3
952100 Java Source Code Leakage
4295002 Enable Wordpress specific CRS exclusions
920210 Multiple/Conflicting Connection Header Data Found.
920272 Invalid character in request (outside of printable chars below ascii 127)
932110 Remote Command Execution: Windows Command Injection
932115 Remote Command Execution: Windows Command Injection
920430 HTTP protocol version is not allowed by policy
951220 mssql SQL Information Leakage
942120 SQL Injection Attack: SQL Operator Detected
942470 SQL Injection Attack
944240 Remote Command Execution: Java serialization (CVE-2015-5842)
910160 HTTP Blacklist match for spammer IP
920171 GET or HEAD Request with Transfer-Encoding.
920220 URL Encoding Abuse Attack Attempt
941130 XSS Filter - Category 3: Attribute Vector
944130 Suspicious Java class detected
953110 PHP source code leakage
913100 Found User-Agent associated with security scanner
941160 NoScript XSS InjectionChecker: HTML Injection
942140 SQL Injection Attack: Common DB Names Detected
942380 SQL Injection Attack
951200 interbase SQL Information Leakage
910000 Request from Known Malicious Client (Based on previous traffic violations).
920360 Argument name too long
941120 XSS Filter - Category 2: Event Handler Vector
942480 SQL Injection Attack
942450 SQL Hex Encoding Identified
943120 Possible Session Fixation Attack: SessionID Parameter Name with No Referer
951250 sqlite SQL Information Leakage
951260 Sybase SQL Information Leakage
920240 URL Encoding Abuse Attack Attempt
920410 Total uploaded files size too large
921110 HTTP Request Smuggling Attack
933120 PHP Injection Attack: Configuration Directive Found
942350 Detects MySQL UDF injection and other data/structure manipulation attempts
944210 Magic bytes Detected Base64 Encoded probable java serialization in use
952110 Java Errors
920271 Invalid character in request (non printable characters)
921140 HTTP Header Injection Attack via headers
932140 Remote Command Execution: Windows FOR/IF Command Found
941180 Node-Validator Blacklist Keywords
930130 Restricted File Access Attempt
931130 Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
932106 Remote Command Execution: Unix Command Injection
941230 IE XSS Filters - Attack Detected.
911100 Method is not allowed by policy
912120 Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)
920202 Range: Too many fields for pdf request (6 or more)
921130 HTTP Response Splitting Attack
941270 IE XSS Filters - Attack Detected.
941280 IE XSS Filters - Attack Detected.
943110 Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
951210 maxDB SQL Information Leakage
4295003 Enable Cpanel specific CRS exclusions
913102 Found User-Agent associated with web crawler/bot
920400 Uploaded file size too large
942290 Finds basic MongoDB SQL injection attempts
942490 Detects classic SQL injection probings 3/3
941110 XSS Filter - Category 1: Script Tag Vector
941101 XSS Attack Detected via libinjection
942330 Detects classic SQL injection probings 1/3
942410 SQL Injection Attack
920130 Failed to parse request body.
920420 Request content type is not allowed by policy
921160 HTTP Header Injection Attack via payload (CR/LF and header-name detected)
933131 PHP Injection Attack: Variables Found
944110 Remote Command Execution: Java process spawn (CVE-2017-9805)
944200 Magic bytes Detected probable java serialization in use
4295006 Enable Xenforo specific CRS exclusions
920120 Attempted multipart/form-data bypass
920460 Abnormal character escapes in request
941320 Possible XSS Attack Detected - HTML Tag Handler
942361 Detects basic SQL injection based on keyword alter or union
910170 HTTP Blacklist match for suspicious IP
932150 Remote Command Execution: Direct Unix Command Execution
941240 IE XSS Filters - Attack Detected.
942310 Detects chained SQL injection attempts 2/2
941350 UTF-7 Encoding IE XSS - Attack Detected.
951170 hsqldb SQL Information Leakage
920170 GET or HEAD Request with Body Content.
920370 Argument value too long
920390 Total arguments size exceeded
941100 XSS Attack Detected via libinjection
4295004 Enable Dokuwiki specific CRS exclusions
920140 Multipart request body failed strict validation:PE %{REQBODY_PROCESSOR_ERROR},BQ %{MULTIPART_BOUNDARY_QUOTED},BW %{MULTIPART_BOUNDARY_WHITESPACE},DB %{MULTIPART_DATA_BEFORE},DA %{MULTIPART_DATA_AFTER},HF %{MULTIPART_HEADER_FOLDING},LF %{MULTIPART_LF_LINE},SM %{MULTIPART_MISSING_SEMICOLON},IQ %{MULTIPART_INVALID_QUOTING},IH %{MULTIPART_INVALID_HEADER_FOLDING},FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}
942160 Detects blind sqli tests using sleep() or benchmark().
942130 SQL Injection Attack: SQL Tautology Detected.
942200 Detects MySQL comment-/space-obfuscated injections and backtick termination
942270 Looking for basic sql injection. Common attack string for mysql oracle and others.
933100 PHP Injection Attack: PHP Open Tag Found
933190 PHP Injection Attack: PHP Closing Tag Found
942220 Looking for integer overflow attacks these are taken from skipfish except 3.0.00738585072007e-308 is the \
942240 Detects MySQL charset switch and MSSQL DoS attempts
951110 Microsoft Access SQL Information Leakage
920250 UTF8 Encoding Abuse Attack Attempt
933110 PHP Injection Attack: PHP Script File Upload Found
933170 PHP Injection Attack: Serialized Object Injection
942190 Detects MSSQL code execution and information gathering attempts
944120 Remote Command Execution: Java serialization (CVE-2015-5842)
951160 Frontbase SQL Information Leakage
930110 Path Traversal Attack (/../)
931110 Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
932171 Remote Command Execution: Shellshock (CVE-2014-6271)
942110 SQL Injection Attack: Common Injection Testing Detected
920270 Invalid character in request (null character)
921150 HTTP Header Injection Attack via payload (CR/LF detected)
932120 Remote Command Execution: Windows PowerShell Command Found
941330 IE XSS Filters - Attack Detected.
942360 Detects concatenated basic SQL injection and SQLLFI attempts
951190 ingres SQL Information Leakage
913120 Found request filename/argument associated with security scanner
920160 Content-Length HTTP header is not numeric.
920180 POST without Content-Length or Transfer-Encoding headers.
920121 Attempted multipart/form-data bypass
951240 postgres SQL Information Leakage
920200 Range: Too many fields (6 or more)
920341 Request Containing Content Requires Content-Type header
932105 Remote Command Execution: Unix Command Injection
951150 firebird SQL Information Leakage
951130 DB2 SQL Information Leakage
951180 informix SQL Information Leakage
920260 Unicode Full/Half Width Abuse Attack Attempt
942390 SQL Injection Attack
943100 Possible Session Fixation Attack: Setting Cookie Values in HTML
944100 Remote Command Execution: Suspicious Java class detected
920274 Invalid character in request headers (outside of very strict set)
942230 Detects conditional SQL injection attempts
950100 The Application Returned a 500-Level Status Code
951140 EMC SQL Information Leakage
954120 IIS Information Leakage
913101 Found User-Agent associated with scripting/generic HTTP client
933151 PHP Injection Attack: Medium-Risk PHP Function Name Found
941200 IE XSS Filters - Attack Detected.
942251 Detects HAVING injections