Web Application Firewall CRS rule groups and rules

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.1, 3.0, or 2.2.9. These rules can be disabled on a rule-by-rule basis. This article contains the current rules and rule sets offered.

Core rule sets

The Application Gateway WAF comes pre-configured with CRS 3.0 by default, but you can choose to use CRS 3.1 or CRS 2.2.9 instead. CRS 3.1 offers new rule sets defending against Java infections, an initial set of file upload checks, fixed false positives, and more. CRS 3.0 offers reduced false positives compared with CRS 2.2.9. You can also customize rules to suit your needs.

Managed rules

The WAF protects against the following web vulnerabilities:

  • SQL-injection attacks
  • Cross-site scripting attacks
  • Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • HTTP protocol violations
  • HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
  • Bots, crawlers, and scanners
  • Common application misconfigurations (for example, Apache and IIS)

OWASP CRS 3.1

CRS 3.1 includes 13 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

Note

CRS 3.1 is only available on the WAF_v2 SKU.

| Rule group | Description |
| --- | --- |
| General | General group |
| REQUEST-911-METHOD-ENFORCEMENT | Lock-down methods (PUT, PATCH) |
| REQUEST-913-SCANNER-DETECTION | Protect against port and environment scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT | Protect against protocol and encoding issues |
| REQUEST-921-PROTOCOL-ATTACK | Protect against header injection, request smuggling, and response splitting |
| REQUEST-930-APPLICATION-ATTACK-LFI | Protect against file and path attacks |
| REQUEST-931-APPLICATION-ATTACK-RFI | Protect against remote file inclusion (RFI) attacks |
| REQUEST-932-APPLICATION-ATTACK-RCE | Protect against remote code execution attacks |
| REQUEST-933-APPLICATION-ATTACK-PHP | Protect against PHP-injection attacks |
| REQUEST-941-APPLICATION-ATTACK-XSS | Protect against cross-site scripting attacks |
| REQUEST-942-APPLICATION-ATTACK-SQLI | Protect against SQL-injection attacks |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Protect against session-fixation attacks |
| REQUEST-944-APPLICATION-ATTACK-SESSION-JAVA | Protect against JAVA attacks |

OWASP CRS 3.0

CRS 3.0 includes 12 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

| Rule group | Description |
| --- | --- |
| General | General group |
| REQUEST-911-METHOD-ENFORCEMENT | Lock-down methods (PUT, PATCH) |
| REQUEST-913-SCANNER-DETECTION | Protect against port and environment scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT | Protect against protocol and encoding issues |
| REQUEST-921-PROTOCOL-ATTACK | Protect against header injection, request smuggling, and response splitting |
| REQUEST-930-APPLICATION-ATTACK-LFI | Protect against file and path attacks |
| REQUEST-931-APPLICATION-ATTACK-RFI | Protect against remote file inclusion (RFI) attacks |
| REQUEST-932-APPLICATION-ATTACK-RCE | Protect against remote code execution attacks |
| REQUEST-933-APPLICATION-ATTACK-PHP | Protect against PHP-injection attacks |
| REQUEST-941-APPLICATION-ATTACK-XSS | Protect against cross-site scripting attacks |
| REQUEST-942-APPLICATION-ATTACK-SQLI | Protect against SQL-injection attacks |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION | Protect against session-fixation attacks |

OWASP CRS 2.2.9

CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.

| Rule group | Description |
| --- | --- |
| crs_20_protocol_violations | Protect against protocol violations (such as invalid characters or a GET with a request body) |
| crs_21_protocol_anomalies | Protect against incorrect header information |
| crs_23_request_limits | Protect against arguments or files that exceed limitations |
| crs_30_http_policy | Protect against restricted methods, headers, and file types |
| crs_35_bad_robots | Protect against web crawlers and scanners |
| crs_40_generic_attacks | Protect against generic attacks (such as session fixation, remote file inclusion, and PHP injection) |
| crs_41_sql_injection_attacks | Protect against SQL-injection attacks |
| crs_41_xss_attacks | Protect against cross-site scripting attacks |
| crs_42_tight_security | Protect against path-traversal attacks |
| crs_45_trojans | Protect against backdoor trojans |

The following rule groups and rules are available when using Web Application Firewall on Application Gateway.

Rule sets

General

| RuleId | Description |
| --- | --- |
| 200004 | Possible Multipart Unmatched Boundary. |

REQUEST-911-METHOD-ENFORCEMENT

| RuleId | Description |
| --- | --- |
| 911100 | Method is not allowed by policy |

REQUEST-913-SCANNER-DETECTION

| RuleId | Description |
| --- | --- |
| 913100 | Found User-Agent associated with security scanner |
| 913101 | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | Found User-Agent associated with web crawler/bot |
| 913110 | Found request header associated with security scanner |
| 913120 | Found request filename/argument associated with security scanner |

REQUEST-920-PROTOCOL-ENFORCEMENT

| RuleId | Description |
| --- | --- |
| 920100 | Invalid HTTP Request Line |
| 920120 | Attempted multipart/form-data bypass |
| 920121 | Attempted multipart/form-data bypass |
| 920130 | Failed to parse request body. |
| 920140 | Multipart request body failed strict validation |
| 920160 | Content-Length HTTP header is not numeric. |
| 920170 | GET or HEAD Request with Body Content. |
| 920171 | GET or HEAD Request with Transfer-Encoding. |
| 920180 | POST request missing Content-Length Header. |
| 920190 | Range = Invalid Last Byte Value. |
| 920200 | Range = Too many fields (6 or more) |
| 920201 | Range = Too many fields for pdf request (35 or more) |
| 920202 | Range = Too many fields for pdf request (6 or more) |
| 920210 | Multiple/Conflicting Connection Header Data Found. |
| 920220 | URL Encoding Abuse Attack Attempt |
| 920230 | Multiple URL Encoding Detected |
| 920240 | URL Encoding Abuse Attack Attempt |
| 920250 | UTF8 Encoding Abuse Attack Attempt |
| 920260 | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | Invalid character in request (null character) |
| 920271 | Invalid character in request (non printable characters) |
| 920272 | Invalid character in request (outside of printable chars below ascii 127) |
| 920273 | Invalid character in request (outside of very strict set) |
| 920274 | Invalid character in request headers (outside of very strict set) |
| 920280 | Request Missing a Host Header |
| 920290 | Empty Host Header |
| 920300 | Request Missing an Accept Header |
| 920310 | Request Has an Empty Accept Header |
| 920311 | Request Has an Empty Accept Header |
| 920320 | Missing User Agent Header |
| 920330 | Empty User Agent Header |
| 920340 | Request Containing Content but Missing Content-Type header |
| 920341 | Request containing content requires Content-Type header |
| 920350 | Host header is a numeric IP address |
| 920360 | Argument name too long |
| 920370 | Argument value too long |
| 920380 | Too many arguments in request |
| 920390 | Total arguments size exceeded |
| 920400 | Uploaded file size too large |
| 920410 | Total uploaded files size too large |
| 920420 | Request content type is not allowed by policy |
| 920430 | HTTP protocol version is not allowed by policy |
| 920440 | URL file extension is restricted by policy |
| 920450 | HTTP header is restricted by policy (%@{MATCHED_VAR}) |
| 920460 | Abnormal Escape Characters |
| 920470 | Illegal Content-Type header |
| 920480 | Restrict charset parameter within the content-type header |

REQUEST-921-PROTOCOL-ATTACK

| RuleId | Description |
| --- | --- |
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921170 | HTTP Parameter Pollution |
| 921180 | HTTP Parameter Pollution (%{TX.1}) |

REQUEST-930-APPLICATION-ATTACK-LFI

| RuleId | Description |
| --- | --- |
| 930100 | Path Traversal Attack (/../) |
| 930110 | Path Traversal Attack (/../) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |

REQUEST-931-APPLICATION-ATTACK-RFI

| RuleId | Description |
| --- | --- |
| 931100 | Possible Remote File Inclusion (RFI) Attack = URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack = Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack = URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Possible Remote File Inclusion (RFI) Attack = Off-Domain Reference/Link |

REQUEST-932-APPLICATION-ATTACK-RCE

| RuleId | Description |
| --- | --- |
| 932100 | Remote Command Execution: Unix Command Injection |
| 932105 | Remote Command Execution: Unix Command Injection |
| 932106 | Remote Command Execution: Unix Command Injection |
| 932110 | Remote Command Execution: Windows Command Injection |
| 932115 | Remote Command Execution: Windows Command Injection |
| 932120 | Remote Command Execution = Windows PowerShell Command Found |
| 932130 | Remote Command Execution = Unix Shell Expression Found |
| 932140 | Remote Command Execution = Windows FOR/IF Command Found |
| 932150 | Remote Command Execution: Direct Unix Command Execution |
| 932160 | Remote Command Execution = Unix Shell Code Found |
| 932170 | Remote Command Execution = Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution = Shellshock (CVE-2014-6271) |
| 932180 | Restricted File Upload Attempt |
| 932190 | Remote Command Execution: Wildcard bypass technique attempt |

REQUEST-933-APPLICATION-ATTACK-PHP

| RuleId | Description |
| --- | --- |
| 933100 | PHP Injection Attack = Opening/Closing Tag Found |
| 933110 | PHP Injection Attack = PHP Script File Upload Found |
| 933111 | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PHP Injection Attack = Configuration Directive Found |
| 933130 | PHP Injection Attack = Variables Found |
| 933131 | PHP Injection Attack: Variables Found |
| 933140 | PHP Injection Attack: I/O Stream Found |
| 933150 | PHP Injection Attack = High-Risk PHP Function Name Found |
| 933151 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack = High-Risk PHP Function Call Found |
| 933161 | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933170 | PHP Injection Attack: Serialized Object Injection |
| 933180 | PHP Injection Attack = Variable Function Call Found |
| 933190 | PHP Injection Attack: PHP Closing Tag Found |

REQUEST-941-APPLICATION-ATTACK-XSS

| RuleId | Description |
| --- | --- |
| 941100 | XSS Attack Detected via libinjection |
| 941101 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter - Category 1 = Script Tag Vector |
| 941130 | XSS Filter - Category 3 = Attribute Vector |
| 941140 | XSS Filter - Category 4 = Javascript URI Vector |
| 941150 | XSS Filter - Category 5 = Disallowed HTML Attributes |
| 941160 | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | Node-Validator Blacklist Keywords |
| 941190 | XSS using style sheets |
| 941200 | XSS using VML frames |
| 941210 | XSS using obfuscated Javascript |
| 941220 | XSS using obfuscated VB Script |
| 941230 | XSS using 'embed' tag |
| 941240 | XSS using 'import' or 'implementation' attribute |
| 941250 | IE XSS Filters - Attack Detected |
| 941260 | XSS using 'meta' tag |
| 941270 | XSS using 'link' href |
| 941280 | XSS using 'base' tag |
| 941290 | XSS using 'applet' tag |
| 941300 | XSS using 'object' tag |
| 941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| 941320 | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | IE XSS Filters - Attack Detected. |
| 941340 | IE XSS Filters - Attack Detected. |
| 941350 | UTF-7 Encoding IE XSS - Attack Detected. |

REQUEST-942-APPLICATION-ATTACK-SQLI

| RuleId | Description |
| --- | --- |
| 942100 | SQL Injection Attack Detected via libinjection |
| 942110 | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | SQL Injection Attack: SQL Operator Detected |
| 942130 | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | SQL Injection Attack = Common DB Names Detected |
| 942150 | SQL Injection Attack |
| 942160 | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | Detects chained SQL injection attempts 1/2 |
| 942220 | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072 |
| 942230 | Detects conditional SQL injection attempts |
| 942240 | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942251 | Detects HAVING injections |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | Looking for basic sql injection. Common attack string for mysql oracle and others |
| 942280 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | Detects classic SQL injection probings 1/2 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942361 | Detects basic SQL injection based on keyword alter or union |
| 942370 | Detects classic SQL injection probings 2/2 |
| 942380 | SQL Injection Attack |
| 942390 | SQL Injection Attack |
| 942400 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942420 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942421 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942431 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942432 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| 942440 | SQL Comment Sequence Detected. |
| 942450 | SQL Hex Encoding Identified |
| 942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 942470 | SQL Injection Attack |
| 942480 | SQL Injection Attack |
| 942490 | Detects classic SQL injection probings 3/3 |

REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION

| RuleId | Description |
| --- | --- |
| 943100 | Possible Session Fixation Attack = Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack = SessionID Parameter Name with Off-Domain Referrer |
| 943120 | Possible Session Fixation Attack = SessionID Parameter Name with No Referrer |

REQUEST-944-APPLICATION-ATTACK-SESSION-JAVA

| RuleId | Description |
| --- | --- |
| 944120 | Possible payload execution and remote command execution |
| 944130 | Suspicious Java classes |
| 944200 | Exploitation of Java deserialization Apache Commons |

Next steps