Advertisement
Guest User

httpd.xml

a guest
Oct 17th, 2013
128
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 23.75 KB | None | 0 0
  1. <?xml version='1.0' encoding='UTF-8'?>
  2. <patterndb version='3' pub_date='2013-09-12'>
  3. <ruleset id='511daaa7-1c02-11e3-919d-ca66d2f45ab4' name='domain-httpd-error-log'>
  4. <pattern>httpd</pattern>
  5. <rules>
  6.  
  7. <rule id='2e6e96c7-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  8. <patterns>
  9. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@:@NUMBER:client_port@] @ESTRING:httpd.err_code::@ @ESTRING:httpd_log_msg:,@ referer @ANYSTRING:httpd.referer@</pattern>
  10. </patterns>
  11. <examples>
  12. <example>
  13. <test_message program='httpd'>[2013-09-04 03:29:40.270315] [proxy_http:error] [pid 10256:tid 139776264361728] [client 186.220.148.246:46498] AH01114: HTTP: failed to make connection to backend: 108.179.254.183, referer http://www.domain.com.br/wp/wp-content/themes/musicpro/style.css</test_message>
  14. <test_values>
  15. <test_value name="httpd.req.year">2013</test_value>
  16. <test_value name="httpd.req.month">09</test_value>
  17. <test_value name="httpd.req.day">04</test_value>
  18. <test_value name="httpd.req.hour">03</test_value>
  19. <test_value name="httpd.req.min">29</test_value>
  20. <test_value name="httpd.req.sec">40</test_value>
  21. <test_value name="httpd.req.microsec">270315</test_value>
  22. <test_value name="httpd.module">proxy_http</test_value>
  23. <test_value name="httpd_log_level">error</test_value>
  24. <test_value name="httpd.pid">10256</test_value>
  25. <test_value name="httpd.tid">139776264361728</test_value>
  26. <test_value name="client_ip">186.220.148.246</test_value>
  27. <test_value name="client_port">46498</test_value>
  28. <test_value name="httpd.err_code">AH01114</test_value>
  29. <test_value name="httpd_log_msg">HTTP: failed to make connection to backend: 108.179.254.183</test_value>
  30. <test_value name="httpd.referer">http://www.domain.com.br/wp/wp-content/themes/musicpro/style.css</test_value>
  31. </test_values>
  32. </example>
  33. </examples>
  34. </rule>
  35.  
  36. <rule id='4a54e811-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  37. <patterns>
  38. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@:@NUMBER:client_port@] @ESTRING:httpd.err_code::@ @ANYSTRING:httpd_log_msg@</pattern>
  39. </patterns>
  40. <examples>
  41. <example>
  42. <test_message program='httpd'>[2013-08-30 22:42:14.522911] [core:error] [pid 6031:tid 140122016151296] [client 127.0.0.1:15149] AH00082: an unknown filter was not added: DEFLATE</test_message>
  43. <test_values>
  44. <test_value name="httpd.req.year">2013</test_value>
  45. <test_value name="httpd.req.month">08</test_value>
  46. <test_value name="httpd.req.day">30</test_value>
  47. <test_value name="httpd.req.hour">22</test_value>
  48. <test_value name="httpd.req.min">42</test_value>
  49. <test_value name="httpd.req.sec">14</test_value>
  50. <test_value name="httpd.req.microsec">522911</test_value>
  51. <test_value name="httpd.module">core</test_value>
  52. <test_value name="httpd_log_level">error</test_value>
  53. <test_value name="httpd.pid">6031</test_value>
  54. <test_value name="httpd.tid">140122016151296</test_value>
  55. <test_value name="client_ip">127.0.0.1</test_value>
  56. <test_value name="client_port">15149</test_value>
  57. <test_value name="httpd.err_code">AH00082</test_value>
  58. <test_value name="httpd_log_msg">an unknown filter was not added: DEFLATE</test_value>
  59. </test_values>
  60. </example>
  61. </examples>
  62. </rule>
  63.  
  64. <rule id='52a31c61-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  65. <patterns>
  66. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] @ESTRING:httpd.err_code::@ @ANYSTRING:httpd_log_msg@</pattern>
  67. </patterns>
  68. <examples>
  69. <example>
  70. <test_message program='httpd'>[2013-08-31 03:22:03.344224] [mpm_event:notice] [pid 17230:tid 139776559662848] AH00493: SIGUSR1 received. Doing graceful restart</test_message>
  71. <test_values>
  72. <test_value name="httpd.req.year">2013</test_value>
  73. <test_value name="httpd.req.month">08</test_value>
  74. <test_value name="httpd.req.day">31</test_value>
  75. <test_value name="httpd.req.hour">03</test_value>
  76. <test_value name="httpd.req.min">22</test_value>
  77. <test_value name="httpd.req.sec">03</test_value>
  78. <test_value name="httpd.req.microsec">344224</test_value>
  79. <test_value name="httpd.module">mpm_event</test_value>
  80. <test_value name="httpd_log_level">notice</test_value>
  81. <test_value name="httpd.pid">17230</test_value>
  82. <test_value name="httpd.tid">139776559662848</test_value>
  83. <test_value name="httpd.err_code">AH00493</test_value>
  84. <test_value name="httpd_log_msg">SIGUSR1 received. Doing graceful restart</test_value>
  85. </test_values>
  86. </example>
  87. </examples>
  88. </rule>
  89.  
  90. <rule id='6556ebb2-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  91. <patterns>
  92. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [@ESTRING:httpd.pagespeed_ver:]@ @ANYSTRING:httpd_log_msg@</pattern>
  93. </patterns>
  94. <examples>
  95. <example>
  96. <test_message program='httpd'>[2013-08-30 22:03:24.430828] [pagespeed:warn] [pid 6031:tid 140121869293312] [mod_pagespeed 1.3.25.4-2941 @6031] 300x75xlogo-sort-300x75.png:0: Resource based on http://www.psyzone.org/wp-content/uploads/2011/10/logo-sort-300x75.png but cannot access the original</test_message>
  97. <test_values>
  98. <test_value name="httpd.req.year">2013</test_value>
  99. <test_value name="httpd.req.month">08</test_value>
  100. <test_value name="httpd.req.day">30</test_value>
  101. <test_value name="httpd.req.hour">22</test_value>
  102. <test_value name="httpd.req.min">03</test_value>
  103. <test_value name="httpd.req.sec">24</test_value>
  104. <test_value name="httpd.req.microsec">430828</test_value>
  105. <test_value name="httpd.module">pagespeed</test_value>
  106. <test_value name="httpd_log_level">warn</test_value>
  107. <test_value name="httpd.pid">6031</test_value>
  108. <test_value name="httpd.tid">140121869293312</test_value>
  109. <test_value name="httpd.pagespeed_ver">mod_pagespeed 1.3.25.4-2941 @6031</test_value>
  110. <test_value name="httpd_log_msg">300x75xlogo-sort-300x75.png:0: Resource based on http://www.psyzone.org/wp-content/uploads/2011/10/logo-sort-300x75.png but cannot access the original</test_value>
  111. </test_values>
  112. </example>
  113. </examples>
  114. </rule>
  115.  
  116. <rule id='6bcd01cd-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  117. <patterns>
  118. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@] ModSecurity: @ESTRING:httpd.mod_sec.error_type:.@ @ESTRING:httpd.mod_sec.err:.@ [file @QSTRING:httpd.mod_sec.rule_file:"@] [line @QSTRING:httpd.mod_sec.rule_file_line:"@] [id @QSTRING:httpd.mod_sec.rule_id:"@] [msg @QSTRING:httpd_mod_sec_msg:"@] [hostname @QSTRING:httpd.req.domain:"@] [uri @QSTRING:httpd.req.uri:"@] [unique_id @QSTRING:httpd.req.unique_id:"@]</pattern>
  119. </patterns>
  120. <examples>
  121. <example>
  122. <test_message program='httpd'>[2013-09-07 21:37:15.927194] [-:error] [pid 29919:tid 139776111916800] [client 186.220.148.246] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "www.domain.com.br"] [uri "/wp/wp-content/plugins/facebook/style/style.css"] [unique_id "Uiuci8CoALkAAHTftroAAACH"]</test_message>
  123. <test_values>
  124. <test_value name="httpd.req.year">2013</test_value>
  125. <test_value name="httpd.req.month">09</test_value>
  126. <test_value name="httpd.req.day">07</test_value>
  127. <test_value name="httpd.req.hour">21</test_value>
  128. <test_value name="httpd.req.min">37</test_value>
  129. <test_value name="httpd.req.sec">15</test_value>
  130. <test_value name="httpd.req.microsec">927194</test_value>
  131. <test_value name="httpd.module">-</test_value>
  132. <test_value name="httpd_log_level">error</test_value>
  133. <test_value name="httpd.pid">29919</test_value>
  134. <test_value name="httpd.tid">139776111916800</test_value>
  135. <test_value name="client_ip">186.220.148.246</test_value>
  136. <test_value name="httpd.mod_sec.error_type">Warning</test_value>
  137. <test_value name="httpd.mod_sec.err">Operator GE matched 4 at TX:outbound_anomaly_score</test_value>
  138. <test_value name="httpd.mod_sec.rule_file">/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf</test_value>
  139. <test_value name="httpd.mod_sec.rule_file_line">40</test_value>
  140. <test_value name="httpd.mod_sec.rule_id">981205</test_value>
  141. <test_value name="httpd_mod_sec_msg">Outbound Anomaly Score Exceeded (score 4): The application is not available</test_value>
  142. <test_value name="httpd.req.domain">www.domain.com.br</test_value>
  143. <test_value name="httpd.req.uri">/wp/wp-content/plugins/facebook/style/style.css</test_value>
  144. <test_value name="httpd.req.unique_id">Uiuci8CoALkAAHTftroAAACH</test_value>
  145. </test_values>
  146. </example>
  147. </examples>
  148. </rule>
  149.  
  150. <rule id='74c17b58-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  151. <patterns>
  152. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@] ModSecurity: @ESTRING:httpd.mod_sec.error_type:.@ @ESTRING:httpd.mod_sec.err:. @[file @QSTRING:httpd.mod_sec.rule_file:"@] [line @QSTRING:httpd.mod_sec.rule_file_line:"@] [id @QSTRING:httpd.mod_sec.rule_id:"@] [msg @QSTRING:httpd_mod_sec_msg:"@] [data @QSTRING:httpd_mod_sec_msg_data:"@] [hostname @QSTRING:httpd.req.domain:"@] [uri @QSTRING:httpd.req.uri:"@] [unique_id @QSTRING:httpd.req.unique_id:"@]</pattern>
  153. </patterns>
  154. <examples>
  155. <example>
  156. <test_message program='httpd'>[2013-09-08 23:58:54.708926] [-:error] [pid 23103:tid 139776069957376] [client 177.148.201.194] ModSecurity: Warning. Pattern match (.*) at TX:950901-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:s. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25, SQLi=5, XSS=20): Last Matched Message: IE XSS Filters - Attack Detected."] [data "Last Matched Data: script> corinthians"] [hostname "www.domain.com.br"] [uri "/wp/"] [unique_id "Ui0PPsCoALkAAFo-HwwAAADK"]</test_message>
  157. <test_values>
  158. <test_value name="httpd.req.year">2013</test_value>
  159. <test_value name="httpd.req.month">09</test_value>
  160. <test_value name="httpd.req.day">08</test_value>
  161. <test_value name="httpd.req.hour">23</test_value>
  162. <test_value name="httpd.req.min">58</test_value>
  163. <test_value name="httpd.req.sec">54</test_value>
  164. <test_value name="httpd.req.microsec">708926</test_value>
  165. <test_value name="httpd.module">-</test_value>
  166. <test_value name="httpd_log_level">error</test_value>
  167. <test_value name="httpd.pid">23103</test_value>
  168. <test_value name="httpd.tid">139776069957376</test_value>
  169. <test_value name="client_ip">177.148.201.194</test_value>
  170. <test_value name="httpd.mod_sec.error_type">Warning</test_value>
  171. <test_value name="httpd.mod_sec.err">Pattern match (.*) at TX:950901-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:s</test_value>
  172. <test_value name="httpd.mod_sec.rule_file">/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf</test_value>
  173. <test_value name="httpd.mod_sec.rule_file_line">26</test_value>
  174. <test_value name="httpd.mod_sec.rule_id">981176</test_value>
  175. <test_value name="httpd_mod_sec_msg">Inbound Anomaly Score Exceeded (Total Score: 25, SQLi=5, XSS=20): Last Matched Message: IE XSS Filters - Attack Detected.</test_value>
  176. <test_value name="httpd_mod_sec_msg_data">Last Matched Data: script> corinthians</test_value>
  177. <test_value name="httpd.req.domain">www.domain.com.br</test_value>
  178. <test_value name="httpd.req.uri">/wp/</test_value>
  179. <test_value name="httpd.req.unique_id">Ui0PPsCoALkAAFo-HwwAAADK</test_value>
  180. </test_values>
  181. </example>
  182. </examples>
  183. </rule>
  184.  
  185. <rule id='7e95e8ca-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  186. <patterns>
  187. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@] ModSecurity: @ESTRING:httpd.mod_sec.error_type:.@ @ESTRING:httpd.mod_sec.err:. @[file @QSTRING:httpd.mod_sec.rule_file:"@] [line @QSTRING:httpd.mod_sec.rule_file_line:"@] [id @QSTRING:httpd.mod_sec.rule_id:"@] [msg @QSTRING:httpd_mod_sec_msg:"@] [severity @QSTRING:httpd.mod_sec.severity:"@] [hostname @QSTRING:httpd.req.domain:"@] [uri @QSTRING:httpd.req.uri:"@] [unique_id @QSTRING:httpd.req.unique_id:"@]</pattern>
  188. </patterns>
  189. <examples>
  190. <example>
  191. <test_message program='httpd'>[2013-09-09 00:21:12.894361] [-:error] [pid 24738:tid 140121907083008] [client 177.148.201.194] ModSecurity: Warning. Operator GE matched 1 at TX. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "29"] [id "981202"] [msg "Correlated Attack Attempt Identified: (Total Score: 7, SQLi=1, XSS=) Inbound Attack (Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded Inbound Anomaly Score: 3) + Outbound Application Error (The application is not available - Outbound Anomaly Score: 4)"] [severity "ALERT"] [hostname "www.domain.com.br"] [uri "/wp/"] [unique_id "Ui0UeMbHU0UAAGCi-RoAAADQ"]</test_message>
  192. <test_values>
  193. <test_value name="httpd.req.year">2013</test_value>
  194. <test_value name="httpd.req.month">09</test_value>
  195. <test_value name="httpd.req.day">09</test_value>
  196. <test_value name="httpd.req.hour">00</test_value>
  197. <test_value name="httpd.req.min">21</test_value>
  198. <test_value name="httpd.req.sec">12</test_value>
  199. <test_value name="httpd.req.microsec">894361</test_value>
  200. <test_value name="httpd.module">-</test_value>
  201. <test_value name="httpd_log_level">error</test_value>
  202. <test_value name="httpd.pid">24738</test_value>
  203. <test_value name="httpd.tid">140121907083008</test_value>
  204. <test_value name="client_ip">177.148.201.194</test_value>
  205. <test_value name="httpd.mod_sec.error_type">Warning</test_value>
  206. <test_value name="httpd.mod_sec.err">Operator GE matched 1 at TX</test_value>
  207. <test_value name="httpd.mod_sec.rule_file">/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf</test_value>
  208. <test_value name="httpd.mod_sec.rule_file_line">29</test_value>
  209. <test_value name="httpd.mod_sec.rule_id">981202</test_value>
  210. <test_value name="httpd_mod_sec_msg">Correlated Attack Attempt Identified: (Total Score: 7, SQLi=1, XSS=) Inbound Attack (Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded Inbound Anomaly Score: 3) + Outbound Application Error (The application is not available - Outbound Anomaly Score: 4)</test_value>
  211. <test_value name="httpd.mod_sec.severity">ALERT</test_value>
  212. <test_value name="httpd.req.domain">www.domain.com.br</test_value>
  213. <test_value name="httpd.req.uri">/wp/</test_value>
  214. <test_value name="httpd.req.unique_id">Ui0UeMbHU0UAAGCi-RoAAADQ</test_value>
  215. </test_values>
  216. </example>
  217. </examples>
  218. </rule>
  219.  
  220. <rule id='854da8bd-1bff-11e3-919d-ca66d2f45ab4' provider='domain' class='error'>
  221. <patterns>
  222. <pattern>[@NUMBER:httpd.req.year@-@NUMBER:httpd.req.month@-@NUMBER:httpd.req.day@ @NUMBER:httpd.req.hour@:@NUMBER:httpd.req.min@:@NUMBER:httpd.req.sec@.@NUMBER:httpd.req.microsec@] [@ESTRING:httpd.module::@@ESTRING:httpd_log_level:]@ [pid @NUMBER:httpd.pid@:tid @NUMBER:httpd.tid@] [client @IPv4:client_ip@] ModSecurity: @ESTRING:httpd.mod_sec.error_type:.@ @ESTRING:httpd.mod_sec.err:. @[file @QSTRING:httpd.mod_sec.rule_file:"@] [line @QSTRING:httpd.mod_sec.rule_file_line:"@] [id @QSTRING:httpd.mod_sec.rule_id:"@] [rev "@NUMBER@"] [msg @QSTRING:httpd_mod_sec_msg:"@] [data @QSTRING:httpd_mod_sec_msg_data:"@] [severity @QSTRING:httpd_mod_sec_severity:"@] [ver @QSTRING:httpd.mod_sec.owasp_ver:"@] [maturity @QSTRING:httpd.mod_sec.maturity:"@] [accuracy @QSTRING:httpd.mod_sec.accuracy:"@] [tag @QSTRING:httpd.mod_sec.attack_type:"@] [tag @QSTRING:httpd.mod_sec.attack_class1:"@] [tag @QSTRING:httpd.mod_sec.attack_class2:"@] [tag @QSTRING:httpd.mod_sec.attack_rank:"@] [tag @QSTRING::"@] [tag @QSTRING::"@] [hostname @QSTRING:httpd.req.domain:"@] [uri @QSTRING:httpd.req.uri:"@] [unique_id @QSTRING:httpd.req.unique_id:"@]</pattern>
  223. </patterns>
  224. <examples>
  225. <example>
  226. <test_message program='httpd'>[2013-09-08 23:58:54.707369] [-:error] [pid 23103:tid 139776069957376] [client 177.148.201.194] ModSecurity: Warning. Pattern match "(?i)(*?)" at ARGS:s. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "14"] [id "973336"] [rev "1"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: script> found within ARGS:s: script> corinthians"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "1"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "www.domain.com.br"] [uri "/wp/"] [unique_id "Ui0PPsCoALkAAFo-HwwAAADK"]</test_message>
  227. <test_values>
  228. <test_value name="httpd.req.year">2013</test_value>
  229. <test_value name="httpd.req.month">09</test_value>
  230. <test_value name="httpd.req.day">08</test_value>
  231. <test_value name="httpd.req.hour">23</test_value>
  232. <test_value name="httpd.req.min">58</test_value>
  233. <test_value name="httpd.req.sec">54</test_value>
  234. <test_value name="httpd.req.microsec">707369</test_value>
  235. <test_value name="httpd.module">-</test_value>
  236. <test_value name="httpd_log_level">error</test_value>
  237. <test_value name="httpd.pid">23103</test_value>
  238. <test_value name="httpd.tid">139776069957376</test_value>
  239. <test_value name="client_ip">177.148.201.194</test_value>
  240. <test_value name="httpd.mod_sec.error_type">Warning</test_value>
  241. <test_value name="httpd.mod_sec.err">Pattern match "(?i)(*?)" at ARGS:s</test_value>
  242. <test_value name="httpd.mod_sec.rule_file">/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf</test_value>
  243. <test_value name="httpd.mod_sec.rule_file_line">14</test_value>
  244. <test_value name="httpd.mod_sec.rule_id">973336</test_value>
  245. <test_value name="httpd_mod_sec_msg">XSS Filter - Category 1: Script Tag Vector</test_value>
  246. <test_value name="httpd_mod_sec_msg_data">Matched Data: script> found within ARGS:s: script> corinthians</test_value>
  247. <test_value name="httpd.mod_sec.severity">CRITICAL</test_value>
  248. <test_value name="httpd.mod_sec.owasp_ver">OWASP_CRS/2.2.7</test_value>
  249. <test_value name="httpd.mod_sec.maturity">1</test_value>
  250. <test_value name="httpd.mod_sec.accuracy">8</test_value>
  251. <test_value name="httpd.mod_sec.attack_type">OWASP_CRS/WEB_ATTACK/XSS</test_value>
  252. <test_value name="httpd.mod_sec.attack_class1">WASCTC/WASC-8</test_value>
  253. <test_value name="httpd.mod_sec.attack_class2">WASCTC/WASC-22</test_value>
  254. <test_value name="httpd.mod_sec.attack_rank">OWASP_TOP_10/A2</test_value>
  255. <test_value name="httpd.req.domain">www.domain.com.br</test_value>
  256. <test_value name="httpd.req.uri">/wp/</test_value>
  257. <test_value name="httpd.req.unique_id">Ui0PPsCoALkAAFo-HwwAAADK</test_value>
  258. </test_values>
  259. </example>
  260. </examples>
  261. </rule>
  262.  
  263. </rules>
  264. </ruleset>
  265. </patterndb>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement