From cd68091a6d331ff9163726f5af3651d07e609888 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?=
Date: Thu, 14 Sep 2017 15:12:00 -0300
Subject: [PATCH 1/2] fix issue 882
---
 rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index a7993504d..88fe861e2 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -125,8 +125,9 @@ SecRule ARGS "^(?i)(?:file|ftps?|https?)://(.*)$" \
 tag:'platform-multi',\
 tag:'attack-rfi',\
 tag:'OWASP_CRS/WEB_ATTACK/RFI',\
- tag:'paranoia-level/2'"
- SecRule TX:1 "!@beginsWith %{request_headers.host}" \
+ tag:'paranoia-level/2'\
+ setvar:tx.rfi_parameter_%{matched_var_name}=%{tx.1}"
+ SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
 "setvar:'tx.msg=%{rule.msg}',\
 setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
From 7b63197f4dcd19a668f8d83b171d1f01f541dd26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?=
Date: Thu, 14 Sep 2017 15:14:09 -0300
Subject: [PATCH 2/2] forgot the comma
---
 rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 88fe861e2..dda28109d 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -125,7 +125,7 @@ SecRule ARGS "^(?i)(?:file|ftps?|https?)://(.*)$" \
 tag:'platform-multi',\
 tag:'attack-rfi',\
 tag:'OWASP_CRS/WEB_ATTACK/RFI',\
- tag:'paranoia-level/2'\
+ tag:'paranoia-level/2',\
 setvar:tx.rfi_parameter_%{matched_var_name}=%{tx.1}"
 SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
 "setvar:'tx.msg=%{rule.msg}',\
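Review bot: The chained `SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}"` still decides "on-domain" by a prefix comparison against everything captured after `://`, so a URL whose authority merely starts with the Host value (a longer hostname, or the host placed in the userinfo part) is treated as local and skips the rule. Storing one capture per parameter addresses the multi-argument case, but it carries that comparison over unchanged. Consider capturing only the authority with `([^/]*)`, storing it as `setvar:'tx.rfi_parameter_%{matched_var_name}=.%{tx.1}'` and testing `"!@endsWith .%{request_headers.host}"`; Host is client-supplied either way, so the check remains a heuristic. The opening `SecRule ARGS` line appears only in the hunk header and the chained rule's action list runs past the hunk, so `capture`/`chain` and the logged variable name were not checked here.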