This is a list of rules from the OWASP ModSecurity Core Rule Set.
- Handling of false positives / false alarms / blocking of legitimate traffic is explained in this tutorial.
- This page covers the 3.x release(s). The rule IDs from the 2.x.x release(s) are not listed / covered. Look here for some information.
- Helper rules are omitted.
- Click on a rule's link to be taken to GitHub, where you land on the definition of the rule.
- The link to GitHub points to the 3.0 dev tree.
- The description / message is mostly taken from the msg action of the rule definition.
- Individual rules in this page can be reached via a shortcut. E.g., https://netnea.com/crs/942100.
- If you are lazy, then create a dynamic bookmark and call it with the rule ID as parameter in the address line of the browser: e.g., crs 942100.
- You like what you see? Why don’t you follow me on twitter @ChrFolini to learn about new ModSecurity stuff I publish.

| Rule ID | Paranoia Level | Severity | Description (msg) |
|---|---|---|---|
| 901001 | PL1 | none | Check if crs-set.conf was loaded |
| 901450 | PL1 | none | Sampling: Disable the rule engine based on sampling_percentage |
| 905100 | PL1 | none | Common Exceptions example rule |
| 905110 | PL1 | none | Common Exceptions example rule |
| 910000 | PL1 | critical | Request from Known Malicious Client (Based on previous traffic violations). |
| 910100 | PL1 | critical | Client IP is from a HIGH Risk Country Location. |
| 910150 | PL1 | critical | HTTP Blacklist match for search engine IP |
| 910160 | PL1 | critical | HTTP Blacklist match for spammer IP |
| 910170 | PL1 | critical | HTTP Blacklist match for suspicious IP |
| 910180 | PL1 | critical | HTTP Blacklist match for harvester IP |
| 911100 | PL1 | critical | Method is not allowed by policy |
| 912120 | PL1 | none | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert) |
| 912170 | PL1 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 912171 | PL2 | none | Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter} |
| 913100 | PL1 | critical | Found User-Agent associated with security scanner |
| 913101 | PL2 | critical | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | PL2 | critical | Found User-Agent associated with web crawler/bot |
| 913110 | PL1 | critical | Found request header associated with security scanner |
| 913120 | PL1 | critical | Found request filename/argument associated with security scanner |
| 920100 | PL1 | notice | Invalid HTTP Request Line |
| 920120 | PL1 | critical | Attempted multipart/form-data bypass |
| 920130 | PL1 | critical | Failed to parse request body. |
| 920140 | PL1 | critical | Multipart request body failed strict validation: |
| 920160 | PL1 | critical | Content-Length HTTP header is not numeric. |
| 920170 | PL1 | critical | GET or HEAD Request with Body Content. |
| 920180 | PL1 | notice | POST request missing Content-Length Header. |
| 920190 | PL1 | warning | Range: Invalid Last Byte Value. |
| 920200 | PL2 | warning | Range: Too many fields (6 or more) |
| 920201 | PL2 | warning | Range: Too many fields for pdf request (35 or more) |
| 920202 | PL4 | warning | Range: Too many fields for pdf request (6 or more) |
| 920210 | PL1 | warning | Multiple/Conflicting Connection Header Data Found. |
| 920220 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920230 | PL2 | warning | Multiple URL Encoding Detected |
| 920240 | PL1 | warning | URL Encoding Abuse Attack Attempt |
| 920250 | PL1 | warning | UTF8 Encoding Abuse Attack Attempt |
| 920260 | PL1 | warning | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | PL1 | error | Invalid character in request (null character) |
| 920271 | PL2 | critical | Invalid character in request (non printable characters) |
| 920272 | PL3 | critical | Invalid character in request (outside of printable chars below ascii 127) |
| 920273 | PL4 | critical | Invalid character in request (outside of very strict set) |
| 920274 | PL4 | critical | Invalid character in request headers (outside of very strict set) |
| 920280 | PL1 | warning | Request Missing a Host Header |
| 920290 | PL1 | warning | Empty Host Header |
| 920300 | PL2 | notice | Request Missing an Accept Header |
| 920310 | PL1 | notice | Request Has an Empty Accept Header |
| 920311 | PL1 | notice | Request Has an Empty Accept Header |
| 920320 | PL2 | notice | Missing User Agent Header |
| 920330 | PL1 | notice | Empty User Agent Header |
| 920340 | PL1 | notice | Request Containing Content, but Missing Content-Type header |
| 920350 | PL1 | warning | Host header is a numeric IP address |
| 920360 | PL1 | critical | Argument name too long |
| 920370 | PL1 | critical | Argument value too long |
| 920380 | PL1 | critical | Too many arguments in request |
| 920390 | PL1 | critical | Total arguments size exceeded |
| 920400 | PL1 | critical | Uploaded file size too large |
| 920410 | PL1 | critical | Total uploaded files size too large |
| 920420 | PL1 | critical | Request content type is not allowed by policy |
| 920430 | PL1 | critical | HTTP protocol version is not allowed by policy |
| 920440 | PL1 | critical | URL file extension is restricted by policy |
| 920450 | PL1 | critical | HTTP header is restricted by policy (%{MATCHED_VAR}) |
| 920460 | PL4 | critical | Abnormal character escape detected |
| 921100 | PL1 | critical | HTTP Request Smuggling Attack. |
| 921110 | PL1 | critical | HTTP Request Smuggling Attack |
| 921120 | PL1 | critical | HTTP Response Splitting Attack |
| 921130 | PL1 | critical | HTTP Response Splitting Attack |
| 921140 | PL1 | critical | HTTP Header Injection Attack via headers |
| 921150 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | PL2 | critical | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | PL1 | critical | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921180 | PL3 | critical | HTTP Parameter Pollution (%{TX.1}) |
| 930100 | PL1 | critical | Path Traversal Attack (/../) |
| 930110 | PL1 | critical | Path Traversal Attack (/../) |
| 930120 | PL1 | critical | OS File Access Attempt |
| 930130 | PL1 | critical | Restricted File Access Attempt |
| 931100 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | PL1 | critical | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | PL2 | critical | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 932100 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932105 | PL1 | critical | Remote Command Execution: Unix Command Injection |
| 932110 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932115 | PL1 | critical | Remote Command Execution: Windows Command Injection |
| 932120 | PL1 | critical | Remote Command Execution: Windows PowerShell Command Found |
| 932130 | PL1 | critical | Remote Command Execution: Unix Shell Expression Found |
| 932140 | PL1 | critical | Remote Command Execution: Windows FOR/IF Command Found |
| 932150 | PL1 | critical | Remote Command Execution: Direct Unix Command Execution |
| 932160 | PL1 | critical | Remote Command Execution: Unix Shell Code Found |
| 932170 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | PL1 | critical | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 933100 | PL1 | critical | PHP Injection Attack: Opening/Closing Tag Found |
| 933110 | PL1 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933111 | PL3 | critical | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PL1 | critical | PHP Injection Attack: Configuration Directive Found |
| 933130 | PL1 | critical | PHP Injection Attack: Variables Found |
| 933131 | PL3 | critical | PHP Injection Attack: Variables Found |
| 933140 | PL1 | critical | PHP Injection Attack: I/O Stream Found |
| 933150 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933151 | PL2 | critical | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | PL1 | critical | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933161 | PL3 | critical | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933170 | PL1 | critical | PHP Injection Attack: Serialized Object Injection |
| 933180 | PL1 | critical | PHP Injection Attack: Variable Function Call Found |
| 941100 | PL1 | critical | XSS Attack Detected via libinjection |
| 941110 | PL1 | critical | XSS Filter - Category 1: Script Tag Vector |
| 941120 | PL1 | critical | XSS Filter - Category 2: Event Handler Vector |
| 941130 | PL1 | critical | XSS Filter - Category 3: Attribute Vector |
| 941140 | PL1 | critical | XSS Filter - Category 4: Javascript URI Vector |
| 941150 | PL1 | critical | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941160 | PL1 | critical | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | PL1 | critical | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | PL1 | critical | Node-Validator Blacklist Keywords |
| 941190 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941200 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941210 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941220 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941230 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941240 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941250 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941260 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941270 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941280 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941290 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941300 | PL1 | critical | IE XSS Filters - Attack Detected. |
| 941310 | PL1 | critical | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| 941320 | PL2 | critical | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941340 | PL2 | critical | IE XSS Filters - Attack Detected. |
| 941350 | PL1 | critical | UTF-7 Encoding IE XSS - Attack Detected. |
| 942100 | PL1 | critical | SQL Injection Attack Detected via libinjection |
| 942110 | PL2 | warning | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | PL2 | critical | SQL Injection Attack: SQL Operator Detected |
| 942130 | PL2 | critical | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | PL1 | critical | SQL Injection Attack: Common DB Names Detected |
| 942150 | PL2 | critical | SQL Injection Attack |
| 942160 | PL1 | critical | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | PL1 | critical | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | PL2 | critical | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | PL1 | critical | Detects MSSQL code execution and information gathering attempts |
| 942200 | PL2 | critical | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | PL2 | critical | Detects chained SQL injection attempts 1/2 |
| 942220 | PL1 | critical | Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash |
| 942230 | PL1 | critical | Detects conditional SQL injection attempts |
| 942240 | PL1 | critical | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | PL1 | critical | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942251 | PL3 | critical | Detects HAVING injections |
| 942260 | PL2 | critical | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | PL1 | critical | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
| 942280 | PL1 | critical | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | PL1 | critical | Finds basic MongoDB SQL injection attempts |
| 942300 | PL2 | critical | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | PL2 | critical | Detects chained SQL injection attempts 2/2 |
| 942320 | PL1 | critical | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | PL2 | critical | Detects classic SQL injection probings 1/2 |
| 942340 | PL2 | critical | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | PL1 | critical | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | PL1 | critical | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | PL2 | critical | Detects classic SQL injection probings 2/2 |
| 942380 | PL2 | critical | SQL Injection Attack |
| 942390 | PL2 | critical | SQL Injection Attack |
| 942400 | PL2 | critical | SQL Injection Attack |
| 942410 | PL2 | critical | SQL Injection Attack |
| 942420 | PL3 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942421 | PL4 | warning | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| 942430 | PL2 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942431 | PL3 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942432 | PL4 | warning | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| 942440 | PL2 | critical | SQL Comment Sequence Detected. |
| 942450 | PL2 | critical | SQL Hex Encoding Identified |
| 942460 | PL3 | warning | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 943100 | PL1 | critical | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | PL1 | critical | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
| 949100 | PL1 | none | Request Denied by IP Reputation Enforcement. |
| 949110 | PL1 | none | Check of inbound anomaly score |
| 950100 | PL2 | error | The Application Returned a 500-Level Status Code |
| 950130 | PL1 | error | Directory Listing |
| 951110 | PL1 | critical | Microsoft Access SQL Information Leakage |
| 951120 | PL1 | critical | Oracle SQL Information Leakage |
| 951130 | PL1 | critical | DB2 SQL Information Leakage |
| 951140 | PL1 | critical | EMC SQL Information Leakage |
| 951150 | PL1 | critical | firebird SQL Information Leakage |
| 951160 | PL1 | critical | Frontbase SQL Information Leakage |
| 951170 | PL1 | critical | hsqldb SQL Information Leakage |
| 951180 | PL1 | critical | informix SQL Information Leakage |
| 951190 | PL1 | critical | ingres SQL Information Leakage |
| 951200 | PL1 | critical | interbase SQL Information Leakage |
| 951210 | PL1 | critical | maxDB SQL Information Leakage |
| 951220 | PL1 | critical | mssql SQL Information Leakage |
| 951230 | PL1 | critical | mysql SQL Information Leakage |
| 951240 | PL1 | critical | postgres SQL Information Leakage |
| 951250 | PL1 | critical | sqlite SQL Information Leakage |
| 951260 | PL1 | critical | Sybase SQL Information Leakage |
| 952100 | PL1 | error | Java Source Code Leakage |
| 952110 | PL1 | error | Java Errors |
| 953100 | PL1 | error | PHP Information Leakage |
| 953110 | PL1 | error | PHP source code leakage |
| 953120 | PL1 | error | PHP source code leakage |
| 954100 | PL1 | error | Disclosure of IIS install location |
| 954110 | PL1 | error | Application Availability Error |
| 954120 | PL1 | error | IIS Information Leakage |
| 954130 | PL1 | error | IIS Information Leakage |
| 959100 | PL1 | none | Check of outbound anomaly score |
| 980100 | PL1 | none | Anomaly score correlation rule |
| 980110 | PL1 | none | Anomaly score correlation rule |
| 980120 | PL1 | none | Anomaly score correlation rule |
| 980130 | PL1 | none | Anomaly score correlation rule |
| 980140 | PL1 | none | Anomaly score correlation rule |
| 9001000 | PL1 | none | Drupal rule exception |
| 9001110 | PL1 | none | Drupal rule exception |
| 9001112 | PL1 | none | Drupal rule exception |
| 9001114 | PL1 | none | Drupal rule exception |
| 9001116 | PL1 | none | Drupal rule exception |
| 9001120 | PL1 | none | Drupal rule exception |
| 9001122 | PL1 | none | Drupal rule exception |
| 9001124 | PL1 | none | Drupal rule exception |
| 9001126 | PL1 | none | Drupal rule exception |
| 9001128 | PL1 | none | Drupal rule exception |
| 9001140 | PL1 | none | Drupal rule exception |
| 9001150 | PL1 | none | Drupal rule exception |
| 9001170 | PL1 | none | Drupal rule exception |
| 9001180 | PL1 | none | Drupal rule exception |
| 9001182 | PL1 | none | Drupal rule exception |
| 9001184 | PL1 | none | Drupal rule exception |
| 9001200 | PL1 | none | Drupal rule exception |
| 9001202 | PL1 | none | Drupal rule exception |
| 9001204 | PL1 | none | Drupal rule exception |
| 9001206 | PL1 | none | Drupal rule exception |
| 9001208 | PL1 | none | Drupal rule exception |
| 9001210 | PL1 | none | Drupal rule exception |
| 9001212 | PL1 | none | Drupal rule exception |
| 9001214 | PL1 | none | Drupal rule exception |
| 9001216 | PL1 | none | Drupal rule exception |
| 9002000 | PL1 | none | WordPress rule exception |
| 9002001 | PL1 | none | WordPress rule exception |
| 9002100 | PL1 | none | WordPress rule exception |
| 9002120 | PL1 | none | WordPress rule exception |
| 9002130 | PL1 | none | WordPress rule exception |
| 9002150 | PL1 | none | WordPress rule exception |
| 9002160 | PL1 | none | WordPress rule exception |
| 9002200 | PL1 | none | WordPress rule exception |
| 9002400 | PL1 | none | WordPress rule exception |
| 9002401 | PL1 | none | WordPress rule exception |
| 9002410 | PL1 | none | WordPress rule exception |
| 9002420 | PL1 | none | WordPress rule exception |
| 9002520 | PL1 | none | WordPress rule exception |
| 9002530 | PL1 | none | WordPress rule exception |
| 9002540 | PL1 | none | WordPress rule exception |
| 9002700 | PL1 | none | WordPress rule exception |
| 9002710 | PL1 | none | WordPress rule exception |
| 9002720 | PL1 | none | WordPress rule exception |
| 9002730 | PL1 | none | WordPress rule exception |
| 9002740 | PL1 | none | WordPress rule exception |
| 9002750 | PL1 | none | WordPress rule exception |
| 9002800 | PL1 | none | WordPress rule exception |
| 9002810 | PL1 | none | WordPress rule exception |
| 9002820 | PL1 | none | WordPress rule exception |
| 9002900 | PL1 | none | WordPress rule exception |
