Web application firewall CRS rule groups and rules

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. It does this through rules that are defined based on the OWASP core rule sets (CRS) 3.0 or 2.2.9. These rules can be disabled on a rule-by-rule basis. This article lists the rule sets and rules currently offered.

The following rule groups and rules are available when using Application Gateway with web application firewall.

Rule sets

General

RuleId  Description
200004  Possible Multipart Unmatched Boundary.

REQUEST-911-METHOD-ENFORCEMENT

RuleId  Description
911100  Method is not allowed by policy

REQUEST-913-SCANNER-DETECTION

RuleId  Description
913100  Found User-Agent associated with security scanner
913110  Found request header associated with security scanner
913120  Found request filename/argument associated with security scanner
913101  Found User-Agent associated with scripting/generic HTTP client
913102  Found User-Agent associated with web crawler/bot

REQUEST-920-PROTOCOL-ENFORCEMENT

RuleId  Description
920100  Invalid HTTP Request Line
920130  Failed to parse request body.
920140  Multipart request body failed strict validation
920160  Content-Length HTTP header is not numeric.
920170  GET or HEAD Request with Body Content.
920180  POST request missing Content-Length Header.
920190  Range = Invalid Last Byte Value.
920210  Multiple/Conflicting Connection Header Data Found.
920220  URL Encoding Abuse Attack Attempt
920240  URL Encoding Abuse Attack Attempt
920250  UTF8 Encoding Abuse Attack Attempt
920260  Unicode Full/Half Width Abuse Attack Attempt
920270  Invalid character in request (null character)
920280  Request Missing a Host Header
920290  Empty Host Header
920310  Request Has an Empty Accept Header
920311  Request Has an Empty Accept Header
920330  Empty User Agent Header
920340  Request Containing Content but Missing Content-Type header
920350  Host header is a numeric IP address
920380  Too many arguments in request
920360  Argument name too long
920370  Argument value too long
920390  Total arguments size exceeded
920400  Uploaded file size too large
920410  Total uploaded files size too large
920420  Request content type is not allowed by policy
920430  HTTP protocol version is not allowed by policy
920440  URL file extension is restricted by policy
920450  HTTP header is restricted by policy (%@{MATCHED_VAR})
920200  Range = Too many fields (6 or more)
920201  Range = Too many fields for pdf request (35 or more)
920230  Multiple URL Encoding Detected
920300  Request Missing an Accept Header
920271  Invalid character in request (non printable characters)
920320  Missing User Agent Header
920272  Invalid character in request (outside of printable chars below ascii 127)
920202  Range = Too many fields for pdf request (6 or more)
920273  Invalid character in request (outside of very strict set)
920274  Invalid character in request headers (outside of very strict set)
920460  Abnormal escape characters

REQUEST-921-PROTOCOL-ATTACK

RuleId  Description
921100  HTTP Request Smuggling Attack.
921110  HTTP Request Smuggling Attack
921120  HTTP Response Splitting Attack
921130  HTTP Response Splitting Attack
921140  HTTP Header Injection Attack via headers
921150  HTTP Header Injection Attack via payload (CR/LF detected)
921160  HTTP Header Injection Attack via payload (CR/LF and header-name detected)
921151  HTTP Header Injection Attack via payload (CR/LF detected)
921170  HTTP Parameter Pollution
921180  HTTP Parameter Pollution (%@{TX.1})

REQUEST-930-APPLICATION-ATTACK-LFI

RuleId  Description
930100  Path Traversal Attack (/../)
930110  Path Traversal Attack (/../)
930120  OS File Access Attempt
930130  Restricted File Access Attempt

REQUEST-931-APPLICATION-ATTACK-RFI

RuleId  Description
931100  Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address
931110  Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload
931120  Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?)
931130  Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link

REQUEST-932-APPLICATION-ATTACK-RCE

RuleId  Description
932120  Remote Command Execution = Windows PowerShell Command Found
932130  Remote Command Execution = Unix Shell Expression Found
932140  Remote Command Execution = Windows FOR/IF Command Found
932160  Remote Command Execution = Unix Shell Code Found
932170  Remote Command Execution = Shellshock (CVE-2014-6271)
932171  Remote Command Execution = Shellshock (CVE-2014-6271)

REQUEST-933-APPLICATION-ATTACK-PHP

RuleId  Description
933100  PHP Injection Attack = Opening/Closing Tag Found
933110  PHP Injection Attack = PHP Script File Upload Found
933120  PHP Injection Attack = Configuration Directive Found
933130  PHP Injection Attack = Variables Found
933150  PHP Injection Attack = High-Risk PHP Function Name Found
933160  PHP Injection Attack = High-Risk PHP Function Call Found
933180  PHP Injection Attack = Variable Function Call Found
933151  PHP Injection Attack = Medium-Risk PHP Function Name Found
933131  PHP Injection Attack = Variables Found
933161  PHP Injection Attack = Low-Value PHP Function Call Found
933111  PHP Injection Attack = PHP Script File Upload Found

REQUEST-941-APPLICATION-ATTACK-XSS

RuleId  Description
941100  XSS Attack Detected via libinjection
941110  XSS Filter - Category 1 = Script Tag Vector
941130  XSS Filter - Category 3 = Attribute Vector
941140  XSS Filter - Category 4 = Javascript URI Vector
941150  XSS Filter - Category 5 = Disallowed HTML Attributes
941180  Node-Validator Blacklist Keywords
941190  XSS using style sheets
941200  XSS using VML frames
941210  XSS using obfuscated Javascript
941220  XSS using obfuscated VB Script
941230  XSS using 'embed' tag
941240  XSS using 'import' or 'implementation' attribute
941260  XSS using 'meta' tag
941270  XSS using 'link' href
941280  XSS using 'base' tag
941290  XSS using 'applet' tag
941300  XSS using 'object' tag
941310  US-ASCII Malformed Encoding XSS Filter - Attack Detected.
941330  IE XSS Filters - Attack Detected.
941340  IE XSS Filters - Attack Detected.
941350  UTF-7 Encoding IE XSS - Attack Detected.
941320  Possible XSS Attack Detected - HTML Tag Handler

REQUEST-942-APPLICATION-ATTACK-SQLI

RuleId  Description
942100  SQL Injection Attack Detected via libinjection
942110  SQL Injection Attack: Common Injection Testing Detected
942130  SQL Injection Attack: SQL Tautology Detected.
942140  SQL Injection Attack = Common DB Names Detected
942160  Detects blind sqli tests using sleep() or benchmark().
942170  Detects SQL benchmark and sleep injection attempts including conditional queries
942190  Detects MSSQL code execution and information gathering attempts
942200  Detects MySQL comment-/space-obfuscated injections and backtick termination
942230  Detects conditional SQL injection attempts
942260  Detects basic SQL authentication bypass attempts 2/3
942270  Looking for basic sql injection. Common attack string for mysql oracle and others.
942290  Finds basic MongoDB SQL injection attempts
942300  Detects MySQL comments, conditions and ch(a)r injections
942310  Detects chained SQL injection attempts 2/2
942320  Detects MySQL and PostgreSQL stored procedure/function injections
942330  Detects classic SQL injection probings 1/2
942340  Detects basic SQL authentication bypass attempts 3/3
942350  Detects MySQL UDF injection and other data/structure manipulation attempts
942360  Detects concatenated basic SQL injection and SQLLFI attempts
942370  Detects classic SQL injection probings 2/2
942150  SQL Injection Attack
942410  SQL Injection Attack
942430  Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
942440  SQL Comment Sequence Detected.
942450  SQL Hex Encoding Identified
942251  Detects HAVING injections
942460  Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

RuleId  Description
943100  Possible Session Fixation Attack = Setting Cookie Values in HTML
943110  Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer
943120  Possible Session Fixation Attack = SessionID Parameter Name with No Referrer

Next steps

Learn how to disable WAF rules: Customize WAF rules