Skip to content

Core Ruleset: 932xxx

Rules with the 931xxx prefix protect web applications from command injection attacks.

Paranoia Level 1 (default)

Rule: 932100

This is compound rule (101, 105, 106) based on paranoia level and will protect the web server and prevent the request from including anything that appears as a unix command. This ensures that weak applications cannot be tricked into executing unix commands directly.

This rule matches against incoming cookies, parameters and URL strings.

Message: Remote Command Execution: Unix Command Injection

Example:

curl --request GET \
--url http://localhost:8088/test.jpg \
--header 'Cookie: a=uname -i'
Rule: 932120

Protects against commonly used PowerShell commands, cmdlets and options which can be exploited to grant an attacker elevated access to a system.

Message: Remote Command Execution: Windows PowerShell Command Found

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=Add-Computer -WorkgroupName WORKGROUP-A'
Rule: 932130

Protects against common command expressions used by Unix systems.

Applies: Cookies, cookie names, parameters and parameter names

Message: Remote Command Execution: Unix Shell Expression Found

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=$(foo)'
Rule: 932140

Protects against FOR, IF commands for Windows systems.

Message: Remote Command Execution: Windows FOR/IF Command Found

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2'
Rule: 932160

Prevents common unix command sequences.

Message: Remote Command Execution: Unix Shell Code Found

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=bin/bunzip2'
Rule: 932170

Detects and prevents exploitation of the “Shellshock” GNU Bash RCE vulnerability.

Click here for more information on the Shellshock exploit

Message: Remote Command Execution: Shellshock (CVE-2014-6271)

Example:

curl --request GET \
--url 'http://localhost:8088/?a=env%20x%3D'\''()%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable'\''%20bash%20-c%20%22echo%20this%20is%20a%20test%22'
Rule: 932180

Prevents uploading of suspicious files, this protects from attackers using a file upload form to upload configuration files or other files that might change the behaviour of the web server possibly causing remote code execution.

Message: Restricted File Upload Attempt

Example:

curl --request POST \
--url http://localhost:8088/ \
--header 'X-Filename: .htaccess'
Rule: 932330

Detects attempts made to traverse unix shell history and invoke previously issued commands. This command has a stricter rule set which matches on more fields of the request when running at paranoia level 3.

Message: Remote Command Execution: Unix shell history invocation

Example:

curl --request GET \
--url 'http://localhost:8088/?rce=!-1!-2'

Paranoia Level 2

Rule: 932200

Blocks RCE bypass using various techniques including; unititialised variables, string concatenations and globbing patterns.

Message: RCE Bypass Technique

Example:

curl --request POST \
--url http://localhost:8088/ \
--header 'X-Filename: .htaccess'
Rule: 932210

Prevent SQLite CLI commands from being sent to the server.

Message: RCE Bypass Technique

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=system id'
Rule: 932300

Prevent SMTP command execution based on the RFCs for the SMTP protocol. List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321)

Message: Remote Command Execution: SMTP Command Execution

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=MAIL FROM:test@test.com \r\n'
Rule: 932310

Prevent IMAP4 command execution based on the RFCs for the IMAP4 protocol. List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9)

Message: Remote Command Execution: IMAP Command Execution

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=fetch 1:* all'
Rule: 932320

Prevent POP3 command execution based on the RFCs for the POP3 protocol. List of POP3 commands: from rfc rfc1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B)

Message: Remote Command Execution: POP3 Command Execution

Example:

curl --request GET \
--url http://localhost:8088/ \
--header 'Cookie: a=\r\nAUTH asdf'

Paranoia Level 3

This module does not define checks for paranoia level 3.

Paranoia Level 4

This module does not define checks for paranoia level 4.