Changelog
- 🐧Linux Changelog
- 🪟Windows Changelog
- 🧱WAF Rule Changelog
bitninja (3.10.8) Wed, 13 Mar 2024 12:25
- Malware Detection
- Fixed an issue where a crash could happen when the AI Scan did not get the upload permission from the API.
- Fixed an issue with validating malware signature types in the AI Scan where the signature state could be missing, so a quarantine or clean action could happen instead of the log-only action.
- Config Parser
- Changed the new config check interval from 60 minutes to 1 minute.
- SQL Scanner
- Added two new SQL malware signatures to the ruleset.
- SslTerminating
- Added the maxconn HAProxy config option to Cloud Config. Default value: 4000
- Spam Detection
- Fixed an issue where the sendmail_bitninja wrapper file permissions and group were not set to the same as the original sendmail permissions and group.
- Added fallback logic to the module in case there is an active CageFS service present on the server.
- Added the use_wrapper config option to the Cloud Config, which will force the module to use the sendmail wrapper if there is no active CageFS service present.
- Changed the sendmail wrapper setup script to reload the webservers instead of restarting them.
bitninja (3.10.7) Fri, 08 Mar 2024 12:25
- Fixed an issue regarding a dependency version which could have caused the IpFilter module to get stuck and stop communication.
bitninja (3.10.6) Thu, 29 Feb 2024 09:45
- The Patcher (Vulnerability Patcher) module has been renewed, which is now able to fix various vulnerabilities.
- Two new CLI commands have been added regarding the Patcher module:
bitninjacli --module=Patcher --patch=CVE_EXAMPLE_2024_0101 --domainPath=/path/to/dir
bitninjacli --module=Patcher --restorePatch=/var/lib/bitninja/Patcher/backups/2024/01/01/example.php
- UI release is scheduled for a later date.
bitninja (3.10.5) Wed, 14 Feb 2024 10:30
- Fixed an issue regarding the Captcha HTTP where a wrong parameter type could throw a Request Exception in the module.
- Fixed an issue regarding the Malware Detection AI Scanner where the unknown file upload could cause out-of-memory crashes.
- Fixed an issue regarding the Malware Detection quarantine mechanism where, during the quarantine process, unlinking the original file failed and a warning was logged that the malicious file could not be renamed.
bitninja (3.10.4) Wed, 06 Feb 2024 13:50
- Fixed an issue regarding the SpamDetection module where a combination of settings and software could lead to the temporary disruption of mailing services.
- The issue could only occur where CloudLinux and CageFS were present, and ea-php was used instead of alt-php.
- Fixed an issue regarding the self-update mechanism on RPM-based systems where BitNinja would not auto-start after an update in some cases.
bitninja (3.10.3) Thu, 01 Feb 2024 15:25
- Fixed an issue regarding the MalwareDetection scan command when it would not scan the path if it was a single file.
- Fixed some custom log and certificate collection issues regarding the Config Parser module.
- Increased the MalwareDetection cache cleanup percentage from 1% to 2%.
- Added a mechanism to the MalwareDetection module which forces the module to scan the /var/spool/cron directory every 24 hours.
- Added a new positive incident type to the Captcha which will indicate the result of a BIC or Captcha.
- Extended the SpamDetection detector in a way that it will work with every SMTP solution that uses sendmail.
bitninja (3.10.2) Fri, 19 Jan 2024 12:55
- Fixed the issues regarding the increased messaging error logs and stack traces introduced by the 3.10.1 version.
- Minor changes in our logging system.
bitninja (3.10.1) Tue, 16 Jan 2024 11:45
- Fixed an issue regarding the SslTerminating module where the 60414 and 60415 ports were open after starting BitNinja despite the Close Direct Access config option being turned on.
- Fixed an issue regarding the MalwareDetection module where the AI scanner did not send the files to the AI for further analysis.
- Fixed an issue regarding the WafManager module where some ModSecurity log files were not deleted after 1 day.
- Fixed an issue regarding the WafManager module where it could run out of memory because of oversized request logs.
- Fixed an issue regarding the SqlScanner module where if there were some errors during the scan it could crash.
- Fixed an issue regarding the SqlScanner module where it could crash if there were multiple webservers present on the server.
- Minor fixes regarding the error logging.
- Finetuned the log detection patterns and extended the log detection paths in the SenseLog module.
- Finetuned the PHP cache file detection pattern in the Malware Detection module.
bitninja (3.10.0) Thu, 14 Dec 2023 12:50
- Added RHEL 9 support (Alma Linux 9, Rocky Linux 9, and CentOS Stream 9 are now officially supported).
- Added tar as a dependency. (There were some cases where tar was missing.)
- Changed the old BitNinja Site Protection logo to the BitNinja Server Security logo on the captcha page.
- Fixed an issue regarding the Defense Robot module where the cleanup of the correlations could cause overload on the /tmp folder.
- Moved the WordPress integrity check from Site Protection to the Data Provider module.
bitninja (3.9.2) Mon, 22 Nov 2023 15:02
- Extended the resource limitation with cgroup v2 support.
- Fixed an issue regarding the Malware Detection module's filesystem cache cleaner where it could clean the database more often than it should.
- Fixed an issue regarding the Malware Detection module where the incident queue could not be flushed if bitninja-mq was restarted.
bitninja (3.9.1) Tue, 05 Dec 2023 10:35
- Added an automatic cleanup for correlations to the Defense Robot module. This cleanup solution ensures that only the last 7 days of correlations are being kept.
- Fixed an issue regarding the SystemD service file, where the Type=fork could cause problems starting the BitNinja Agent automatically.
- Fixed the user page redirection and the display of the logo in the DirectAdmin plugin.
bitninja (3.9.0) Mon, 30 Nov 2023 12:35
- Fixed an issue where we used apt-key and it caused a deprecated GPG key location warning.
- Changed the service manager from init.d to systemd.
bitninja (3.8.9) Mon, 22 Nov 2023 15:12
- Extended the resource limitation with cgroup v2 support.
- Fixed an issue regarding the Malware Detection module's filesystem cache cleaner where it could clean the database more often than it should.
- Fixed an issue regarding the Malware Detection module where the incident queue could not be flushed if bitninja-mq was restarted.
bitninja (3.8.8) Mon, 20 Nov 2023 14:50
- Added the WP Integrity Check command option to the SiteProtection module.
bitninja (3.8.7) Mon, 20 Nov 2023 12:10
- The Malware Detection module now invalidates the Log Only results if the Log Only mode is turned off.
- Fixed an issue where the redirections were wrong if a custom interface was added in Cloud Config.
- Fixed an issue where an already established connection was not interrupted when the given IP was added to the greylist or to the blacklist.
- Changed the SiteProtection plugin to open the login page and the dashboard on another page.
- Fixed an issue regarding the SiteProtection plugin where our login response handling was incorrect.
bitninja (3.8.6) Wed, 15 Nov 2023 07:10
- Fixed an issue where the Malware Detection Active Scan could not start without the AI Scan enabled.
bitninja (3.8.5) Wed, 08 Nov 2023 16:10
- Added Active AI scan.
- Fixed several 400 Bad Request issues regarding the AI Scan.
- Fixed an issue where there was an error regarding our UFW handling during the stopping of the IpFilter module.
- Changed the minimum value of the resource limitation from 20 to 40 in Cloud Config.
bitninja (3.8.4) Tue, 17 Oct 2023 13:30
- Fixed an issue regarding the Shogun when it lost connection to the message queue, which caused incidents not to be sent to the API.
bitninja (3.8.3) Fri, 06 Oct 2023 07:06
- Fixed an issue regarding the Shogun optimization which caused some messages to get stuck in the message queue.
bitninja (3.8.2) Tue, 04 Oct 2023 14:34
- Optimized incident processing and sending.
- Fixed an issue regarding the Malware Detection module where some files were scanned multiple times.
bitninja (3.8.1) Tue, 03 Oct 2023 14:34
- Fixed an issue regarding the locally saved module status file creation.
- Fixed an issue with the AI Scan API communication error codes.
bitninja (3.8.0) Thu, 28 Sept 2023 15:26
- Phase 2 (Deep Scan) has been added to the AI scan.
- Excluded directories in the Malware Detection module which caused inotify to use up a lot of resources.
- Changed rule 80_1_023 (SpamBots) to be turned off by default in SenseLog due to false positives.
bitninja (3.7.8) Wed, 21 Sept 2023 15:06
- Added .discord.com to the reverse DNS whitelist.
- Fixed an issue regarding the LiteSpeed config parsing where config files were not parsed correctly in the case of Enhance.
bitninja (3.7.7) Wed, 06 Sept 2023 14:12
- Fixed an issue regarding the AI Scan where there were cases when empty files were uploaded for scan.
- Fixed an issue where the Config Parser module did not parse the LiteSpeed configurations properly in the case of the Enhance Control Panel which caused invalid SSL Certificate errors.
- Reintroduced the certMapping feature. From now on it can be used while the Cloud Config is enabled.
- Cert mapping can be set in the /etc/bitninja/SslTerminating/certMappings.json manually as well as with the two new commands that have been added to the SslTerminating module.
- bitninjacli --module=SslTerminating --add-cert --domain=<domain> --certFile=<certFile> --keyFile=<keyFile> | optional --chainFile=<chainFile>
- bitninjacli --module=SslTerminating --del-cert --domain=<domain>
- After modifying the cert mapping (even after using the add-cert and del-cert commands) a force-recollect will be needed.
- Known Issues:
- The certMapping feature does not support wildcard domains (*.example.com) for now.
bitninja (3.7.6) Fri, 01 Sept 2023 20:44
- Fixed Captcha showing server's IP address in certain server environments.
bitninja (3.7.5) Thu, 31 Aug 2023 10:47
- Fixed an issue regarding the module restart command which caused the module to stop and not start again.
- Fixed the issue which caused the DirectAdmin plugin not to install.
- Added exclusion for Docker IPs during private IP auto-configuration.
- Added a configuration option to the IPFilter module (enableIpsetMode) for turning CSF into IPSet mode during integration. This option is ON by default.
- The csf config location can also be set with a new config option called csf.conf. By default it is set to the default csf config path: /etc/csf/csf.conf.
bitninja (3.7.4) Wed, 23 Aug 2023 15:02
- Fixed an issue where delisting blocklisted IPs did not work.
- Fixed an issue regarding the Shogun where it was crashing when there were many incidents.
- Fixed an issue where the Shogun could not keep up with incidents from Malware Detection.
- Fixed an issue where Malware Detection could not add a signature and caused errors.
- Added a new command, remove-cache, to the Malware Detection module which adds the ability to remove a file or directory from the filesystem cache. Usage: bitninjacli --module=MalwareDetection --remove-cache=<path> --file | --dir
bitninja (3.7.3) Wed, 16 Aug 2023 09:36:44
- Our service ports are now automatically opened in UFW if it is enabled on the server.
- Private IP ranges are now automatically added to the Trusted Proxy.
- Private IPs are now auto-configured for WAF.
- Fixed an issue where the WAFHoneypot could not turn off properly because the honeypot files were not removed.
- Fixed an issue that caused redirect loops with WordPress sites behind Cloudflare.
- Fixed an issue regarding the disappearing WAF and Trusted Proxy redirections.
- Fixed an issue that caused changes to the WAF redirection mode not to apply immediately.
bitninja (3.7.2) Wed, 09 Aug 2023 14:22:22
- Fixed an issue regarding the first startup sync to the cloud-config.
- Fixed a Config Parser issue where the SSL certification was set in the main nginx configuration.
- Fixed an issue that prevented the IpFilter module from applying changes to allowed ports when set from Cloud Config.
- Fixed an issue that prevented the SslTerminating module from applying Cloud Config changes to the HAProxy configs.
bitninja (3.7.1) Wed, 02 Aug 2023 09:30:22
- Extended the filesystem cache cleaning mechanism, ensuring the database size is kept within limits.
- The filesystem cache is now re-enabled if the size is below the filesystem cache size limit.
- Fixed an issue regarding the filesystem cache when the database file was not found.
- Fixed an issue regarding the WAF when HEAD requests were hanging. (Also solves the Enhance file management issues.)
- Added .wordpress.org to the reverse DNS whitelist.
bitninja (3.7.0) Mon, 19 Jul 2023 14:53:23
- Added a config option called cpuUsageLimit in the System module, under the resources section.
- Fixed an issue regarding the crash report uploading.
- Fixed an issue regarding the SslTerminating cert mining when no certs were found.
- The Nginx process and its configuration are now reloaded in case of Cloud Config changes.
- Startup error logs are now more verbose instead of "Failed to access the API server" log.
bitninja (3.6.3) Mon, 10 Jul 2023 12:53:39
- Removed HTTP fallback from the agent.
bitninja (3.6.2) Tue, 4 Jul 2023 14:20:10
- Fixed the issue where users could not delist themselves if there was more than one IP address present in the X-Forwarded-For header.
- Fixed the issue where sometimes the file sizes were not saved properly in the filesystem cache during the AI scan.
- The CaptchaHttp page should now properly show the client IP.
- Added worker_connections as a config option to the WAFManager module which sets the worker_connections config option for Nginx.
- If this option has already been overridden in the local Nginx configs, the agent will automatically migrate it to the WAFManager config.
bitninja (3.6.1) Thu, 29 Jun 2023 14:25:10
- Fixed an issue regarding the Malware Detection scans which caused the scans to start multiple times with AI scan.
bitninja (3.6.0) Wed, 28 Jun 2023 15:22:10
- MalwareDetection
- Added the AI scan feature. It can be enabled via the enable_ai_scan option in the config. Disabled by default.
- Fixed a bug which caused AuditD to find files but the agent did not quarantine them.
- ProxyFilter
- Fixed the bug which caused some firewall rules to get duplicated.
bitninja (3.5.4) Tue, 20 Jun 2023 13:28:56
- Fixed the issue which caused user level trusted proxies to get ignored by the WAF.
- Fixed the issue which prevented blocking and challenging IPs coming from user level trusted proxies.
- The MalwareDetection module now shows if scans are running in its process title.
- Added CLI command for force recollect: bitninjacli --module=SslTerminating --force-recollect.
bitninja (3.5.3) Wed, 14 Jun 2023 11:43:56
- General
- Added a CLI switch to the DataProvider module called send-diagnostics which sends performance-related diagnostics to the cloud.
- Enhance control panel is now detected correctly on secondary servers in the cluster.
- Fixed some configuration issues related to logging.
- MalwareDetection
- PostDetection scripts now receive the state and list of the signature which triggered them.
bitninja (3.5.2) Not Available
- MalwareDetection
- Fixed an issue which caused scans to scan excluded directories during a full scan.
- The honeypotify config option works properly now.
- Fixed an issue which caused the file system monitor to start when the module reloads even though the module is disabled.
- WAF
- Updated Nginx from 1.15.6 to 1.23.3.
- IPFilter
- Fixed an issue regarding the IP set hierarchy, where the user-level blocklist was stronger than the global whitelist.
bitninja (3.5.1) Tue, 31 May 2023 16:21:56
- Reloading the ConfigParser module on an Enhance server caused the module to not parse configurations properly; this has been fixed.
- Post Detection scripts received the quarantined file path instead of the real file path if the MalwareDetection module was not in log only mode; this has been fixed.
- Fixed memory issues with the ConfigParser module.
- Fixed a minor issue in SiteProtection.
- Hotfix in ProxyFilter: iptables rules were created more than once.
bitninja (3.5.0) Tue, 25 May 2023 11:48:29
- IpFilter
- Fixed firewall-related issues when CSF is present on the server.
- Reworked CSF integration.
- ProxyFilter
- The --status command now reports the status of the redirections.
- If redirection creation fails, the module retries multiple times.
- Added health check which runs every 5 minutes. This includes checking the redirections. They are recreated if missing.
- Health check logs the status of the redirections.
- The module can now process commands even during its setup.
- SiteProtection
- Fixed an issue where the login failed on some WordPress sites.
- Added the ability to update/reinstall all SiteProtection related plugins.
- MalwareDetection
- Added the --force-clean switch to the scan command. If this is passed to the command, the module will clean malware even if it is in log only mode. This option can be passed when called from the API as well.
- SslTerminating
- Added tune.maxrewrite, tune.bufsize, and tune.h2.initial-window-size to the Cloud Config. These settings can be fine-tuned if you encounter any issues with upload speeds.
- General
- Fixed numerous firewall issues which caused the server to be unavailable for a short time.
- Removed the error "Could not find executable for command docker" which was thrown around randomly by all modules. This did not cause any specific issues but it cluttered the logs.
- Fixed a bug that caused some modules to crash when sending error logs to the API.
- Fixed a bug that caused the agent to revert to HTTP on startup even if it was set to HTTPS.
bitninja (3.4.5) Wed, 10 May 2023 14:55:26
- Fixed the issue which caused the agent to report that it is running even if it was not.
- Added support for the auditd module.
- Fixed an issue which caused the module to consume a lot of CPU.
- Fixed an issue where the Ssh module was not respecting the config's setting for max password failures.
- Fixed an issue which caused the process to crash when too many IPs were blocked.
- Fixed the issue where the Shogun module consumed too much CPU when there were many incidents.
bitninja (3.4.4) Wed, 03 May 2023 16:44:56
- Fixed an issue which caused the ConfigParser to not save the files, which resulted in the inability to fetch the configurations.
- Fixed an issue which caused the Network module to use a lot of CPU.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to not log all requests.
- Fixed an issue which caused the DirectAdmin to crash during the cleanup phase.
- Fixed an issue which caused the WAF to sometimes not block IPs.
- The CaptchaHttp page now includes the client IP.
- Fixed an issue which caused the IPFilter to not reload properly.
- Fixed an issue which caused the SslTerminating to not reload properly.
- Fixed an issue which caused the SslTerminating to not respect the correct SSL files.
bitninja (3.4.3) Tue, 25 Apr 2023 16:21:56
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
- Fixed an issue which caused the SslTerminating to not reload properly.
bitninja (3.4.2) Wed, 19 Apr 2023 15:10:22
- Added the config option cert.cglSishedDomains to the SslTerminating module, which allows defining multiple domains for a single cert. Each domain should be separated by a comma.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
bitninja (3.4.1) Tue, 11 Apr 2023 10:35:22
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the SslTerminating to not reload properly.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
bitninja (3.4.0) Tue, 04 Apr 2023 16:21:56
- Added the logs of the PostDetection scripts to the audit logs.
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
bitninja (3.3.5) Tue, 28 Mar 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.3.4) Tue, 21 Mar 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.3.3) Tue, 14 Mar 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.3.2) Tue, 07 Mar 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.3.1) Wed, 01 Mar 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.3.0) Tue, 21 Feb 2023 16:21:56
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.2.6) Wed, 15 Feb 2023 16:21:56
- Fixed an issue which caused the agent to sometimes restart when applying Cloud Config.
- Fixed an issue which caused the ConfigParser to sometimes fail when reading configurations from the cloud.
- Fixed an issue which caused the WAF to block some CDN IPs.
- Fixed an issue which caused the WAF to sometimes not log all requests.
- Fixed an issue which caused the Network module to crash during startup if the server had a lot of network interfaces.
- Fixed an issue which caused the Ssh module to use a lot of CPU when there were many IPs blocked.
- Fixed an issue which caused the Shogun to use a lot of CPU when there were many incidents.
bitninja (3.2.4) Wed, 29 Mar 2023 11:37:10 +0100
- Fixed numerous errors related to messaging.
- The message queue and the Dispatcher should be properly restarted now if they are not running.
- Fixed a bug where the SiteProtection did not get the WordPress path correctly.
- Fixed a bug where the SiteProtection WordPress plugin could not be uninstalled correctly.
- Added more whitelisted files to the SpamProtection config.
bitninja (3.2.3) Thu, 16 Mar 2023 16:38:23 +0100
- MalwareDetection
- Added a command to create a validating signature from a file (can be called from the API).
- Name: CreateValidatingSignatureFromFileCommand. Accepts a single argument, which is the file path.
- SslTerminating
- Added tune.maxrewrite, tune.bufsize, and tune.h2.initial-window-size to the config in the haproxyGlobalSettings section. These settings can be fine-tuned if you encounter any issues with upload speeds.
- IpFilter
- Added a CLI command to test an IP against the ipsets for convenience: bitninjacli --checkip=ip
bitninja (3.2.2) Wed, 08 Mar 2023 18:37:08 +0100
- Fixed a bug in the messaging system config management while using remote config.
bitninja (3.2.1) Thu, 02 Mar 2023 17:15:08 +0100
- There was a bug in SpamDetection that did not always set the whitelists.
bitninja (3.2.0) Thu, 02 Mar 2023 16:15:08 +0100
- MalwareDetection module
- Added a new signature type: md5-clean.
- md5-clean signatures will clean malware efficiently during scan phase 1.
- Currently, user-level md5-clean signatures only.
- Real-time malware detection can be disabled with the enable_active_scan option.
- The create_signatures_during_phase2 option enables the agent to create md5 and md5-clean signatures during the phase 2 scan.
- By default, the option is disabled.
- Added support for inotify versions newer than 3.14.
- A proxy_read_timeout option is now added to the WAFManager module.
- This is a timeout threshold in the Nginx proxy.
- If the option was overridden initially in the local Nginx configs, then the agent migrates the overridden value to this option.
- Added whitelist to SpamDetection for sender scripts.
- There is an option to add scripts by path or by file name.
- Whitelisted files will not be flagged as sender scripts.
- bitninja dispatcher 1.0.1
- Now can restore API connection if it fails.
- Logs are now moved under the /var/log/bitninja-dispatcher/ directory.
- Log rotation is separate. It depends on the log size.
- The current log is always indicated by current.log.
bitninja (3.1.1) Wed, 22 Feb 2023 16:06:36 +0100
- The --create-signature CLI command sometimes did not work; this has been fixed.
bitninja (3.1.0) Wed, 22 Feb 2023 11:55:49 +0100
- Reworked cert watching in the SslTerminating module.
- This should fix most cert detection issues.
- Increased default timeout in HAProxy to 5 minutes.
- Added config option for manual cert mapping.
- HAProxy should no longer crash if we pick up bad certificates.
- Logs will indicate if a certificate is bad.
- SiteProtection extensions are now properly installed for every web server on the users' server.
- Added ability to toggle Malware Source Sending remotely.
- Reworked config parsing.
- Include directives under virtual hosts are properly handled.
- Added support for LiteSpeed XML.
- Fixed some crashes in the SpamDetection module.
bitninja (3.0.1) Thu, 16 Feb 2023 08:55:19 +0100
- Fixed a messaging error that caused the Shogun module to sometimes crash upon an incident.
bitninja (1.0.2) Mon, 06 Nov 2023 12:32
- Added the Malware Detection feature, which includes the following:
- AI Scan
- Parallel malware scans (manual and scheduled)
- Windows Defender compatibility (quarantine folder added to excluded folders)
- Dashboard compatibility. Scans can be started and canceled through the dashboard.
- Changed error handling. If there is an unknown error, there will be a stack trace in the logs which will help to solve the issue.
- Installer changes:
- Uninstall optimization
bitninja (1.0.0.1) Mon, 11 Sep 2023 14:33
- Numerous stability and performance improvements and fixes.
- Improved HTTP packet handling.
bitninja (0.0.1) Tue, 29 Aug 2023 12:15
- Initial Release.
BitNinja WAF Rules 2.0.0 Wed, 14 Feb 2024 10:30
Virtual Honeypot
Rule ID: 400112
This rule will trigger on any request to a file with the POST method. You can use this rule to create virtual honeypot locations. Example usage: Your WordPress site has been compromised. There is a malicious file at example.com/wp-uploads/evil-malware/web-shell.php. Add the //evil-malware/*.php location pattern with this rule enabled. It will block every POST request on the server which tries to reach any PHP file under any domain located in any URI containing evil-malware.
Rule ID: 400113
This rule will trigger on any request to a file with the GET method. You can use this rule to create virtual honeypot locations. Example usage: Your WordPress site has been compromised. There is a malicious file at example.com/wp-uploads/evil-malware/web-shell.php. Add the //evil-malware/*.php location pattern with this rule enabled. It will block every GET request on the server which tries to reach any PHP file under any domain located in any URI containing evil-malware.
Rule ID: 400114
Prevents PHP file uploads on this location. This rule is not allowed to be used on the [/] location.
Rule ID:
400115
WP admin page 200 (SecRule id changed because of honeypot id conflict - 2023-08-14)
Rule ID:
400116
positive WAF rule to check a valid xmlrpc call (SecRule id changed because of honeypot id conflict - 2023-08-14)
Wordpress Backdoor Protection
Rule ID:
401001
Themes General Backdoor Access Protection. Blocks HTTP POST method php calls for the themes directory (/themes/.php)
Rule ID:
401002
Wp-includes General Backdoor Access Protection. Blocks HTTP POST method php calls for the wp-includes directory (/wp-includes/.php)
Rule ID:
401003
Uploads General Backdoor Access Protection. Blocks HTTP POST method php calls for the uploads directory (/wp-content/uploads/.php)
Rule ID:
401004
Wordpress Backdoor Protection. Arbitrary file upload in Fancy Product Designer. CVE-2021-24370
Rule ID:
401005
Wordpress Backdoor Protection. Arbitrary file upload in Fancy Product Designer. CVE-2021-24370
Rule ID:
401006
Blocks HTTP POST method php calls to wp-login.php if a Referer header is present and differs from the domain. Use this rule with caution: it can cause incidents if the WordPress site uses multiple domains and a user tries to log in from a domain that is not the default one.
Drupal Remote Execution Protection
Rule ID:
402001
Drupal Remote Code Execution - SA-CORE-2018-002. Block specific #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters.
Reference: https://www.drupal.org/sa-core-2018-002
Rule ID:
402002
Drupal Remote Code Execution - SA-CORE-2018-002. Block all parameters starting with #.
Reference: https://www.drupal.org/sa-core-2018-002
Rule ID:
402003
Drupal Remote Code Execution - SA-CORE-2018-004. Block all destination q[#.
Reference: https://www.drupal.org/sa-core-2018-004
Modx Revolution Remote Execution Protection
Rule ID:
403001
Modx Revolution < 2.6.4 - Remote Code Execution - CVE-2018-1000207
Scanner Detection
Rule ID:
404001
Scanner protection based on the Hello Peppa botnet.
Reference: https://dshield.org/forums/diary/Well+Hello+Again+Peppa/23860/
Rule ID:
404002
Scanner protection based on the Hello Peppa botnet.
Reference: https://dshield.org/forums/diary/Well+Hello+Again+Peppa/23860/
Rule ID:
404003
Scripting user agent protection.
Reference: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/scripting-user-agents.data
Rule ID:
404004
WAF Rule against Bytespider User-Agent (not malicious, but you can block them with this rule if you want)
Magento Remote Execution Protection
Rule ID:
405001
Magento Shoplift Remote Code Execution
Rule ID:
405002
Multiple XSS vulnerabilities in the Magento Mass Importer (CVE-2015-2068)
Rule ID:
405003
Directory traversal vulnerability in Magento Mass Importer (CVE-2015-2067)
Rule ID:
405004
SQL Injection vulnerability in Magento (PRODSECBUG-2198)
Rule ID:
405005
Magento Webforms Arbitrary File Upload
Rule ID:
405006
Magento Webforms Upload Vulnerability
Rule ID:
405007
SQLi in Adobe Commerce and Magento Open Source before 2.4.3-p1
Rule ID:
405008
Improper input validation in Adobe Commerce and Magento Open Source before 2.4.3
Wordpress Plugin Vulnerability Protection
Rule ID:
406001
Duplicator <= 1.2.40 - Arbitrary Code Execution
Reference: https://wpvulndb.com/vulnerabilities/9123
Rule ID:
406002
OptinMonster plugin <= 2.6.4 - Authentication vulnerability protection.
Reference:
Rule ID:
406003
Rank Math SEO Plugin <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11514
Rule ID:
406004
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11738
Rule ID:
406005
The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-16283
Rule ID:
406006
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0992
Rule ID:
406007
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0992
Rule ID:
406008
Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1657
Rule ID:
406009
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user by just knowing their email address.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-3477
Rule ID:
406010
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user by just knowing their email address.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-3477
Rule ID:
406011
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24280
Rule ID:
406012
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1020
Rule ID:
406013
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24175
Rule ID:
406014
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24175
Rule ID:
406015
An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user (with the Subscriber role) to permanently delete arbitrary posts and pages, create new posts with arbitrary subjects, and modify the subjects of existing posts and pages (via create_dynamic_page and delete_dynamic_page).
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9514
Rule ID:
406016
The plugin does not escape the 'code' parameter in the /pmpro/v1/order REST route before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability.
Reference: https://www.tenable.com/security/research/tra-2023-2
Rule ID:
406017
The plugin does not escape the 's' parameter in the 'edd_download_search' action before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability. The vulnerable part of the code corresponds to the 'edd_ajax_download_search()' function of the './includes/ajax-functions.php' file.
Reference: https://www.tenable.com/security/research/tra-2023-2
Rule ID:
406018
The plugin does not escape the 'surveys_ids' parameter in the 'ays_surveys_export_json' action before using it in a SQL statement, leading to an authenticated SQL injection vulnerability. The vulnerability requires the attacker to be authenticated but does not require administrator privileges.
Reference: https://www.tenable.com/security/research/tra-2023-2
Rule ID:
406019
The Quick Restaurant Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to update menu items via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-0554
Rule ID:
406020
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the 'Record Exclusions' option to be enabled on the vulnerable site.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0513
Rule ID:
406021
Privilege escalation in WPGateway WordPress plugin <= 3.5 (CVE-2022-3180)
Reference: https://securityonline.info/actively-exploited-zero-day-cve-2022-3180-found-in-popular-wordpress-plugin/
Rule ID:
406022
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45359
Rule ID:
406023
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45359
Rule ID:
406024
Elementor Pro, a popular page builder plugin for WordPress, has a broken access control vulnerability affecting versions <= 3.11.6 that could allow full site takeover.
Reference: https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/
Rule ID:
406025
Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-32243
Rule ID:
406026
Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-32243
Rule ID:
406027
The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-0992
Rule ID:
406028
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-1895
Rule ID:
406029
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2833
Rule ID:
406030
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1903
Rule ID:
406031
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.
Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/payment-gateway-stripe-and-woocommerce-integration/stripe-payment-plugin-for-woocommerce-377-authentication-bypass
Rule ID:
406032
The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter.
Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wedevs-project-manager/wp-project-manager-264-arbitrary-usermeta-update-to-authenticated-subscriber-privilege-escalation
Rule ID:
406033
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-4634
Rule ID:
406034
The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-4404
Rule ID:
406035
WordPress Slimstat Analytics plugin versions 5.0.9 and below suffer from cross-site scripting and remote SQL injection vulnerabilities.
Rule ID:
406036
Arbitrary File Deletion in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5212)
Rule ID:
406037
SQL Injection in AI ChatBot Plugin < 4.9.1 for WordPress (CVE-2023-5204)
Rule ID:
406038
Unauthenticated Stored XSS in tagDiv Composer < 4.2 Wordpress plugin (CVE-2023-3169)
Rule ID:
406039
Unauthenticated File Upload Vulnerability in Royal Elementor Addons and Templates <= 1.3.78 Plugin For WordPress (CVE-2023-5360)
Rule ID:
406040
Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)
Rule ID:
406041
Possible Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)
Rule ID:
406042
Arbitrary File Upload Vulnerability in User Registration WordPress Plugin (CVE-2023-3342)
Rule ID:
406043
Unauthenticated Insecure Deserialization in BuddyForms Plugin < 2.7.8 for WordPress (CVE-2023-26326)
Rule ID:
406044
Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)
Rule ID:
406045
Authentication Bypass in WooCommerce Payments before 4.8.0-5.6.1 plugin for WordPress (CVE-2023-28121)
Rule ID:
406046
Possible Authentication Bypass in WooCommerce Payments plugin for WordPress before 4.8.0-5.6.1 (CVE-2023-28121)
Rule ID:
406047
Possible Authentication Bypass in WooCommerce Payments plugin for WordPress before 4.8.0-5.6.1 (CVE-2023-28121)
Rule ID:
406048
Possible Authentication Bypass in WooCommerce Payments plugin for WordPress before 4.8.0-5.6.1 (CVE-2023-28121)
Botnet Protection
Rule ID:
407001
Protection against HEXA botnet attacks
Rule ID:
407002
Apache Log4J vulnerability Rule, for jndi pattern.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Rule ID:
407003
Apache Log4J vulnerability Rule, for jndi pattern.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Symfony Protection
Rule ID:
408001
You can block access to some Symfony debug paths with this rule (_preview_error, /_wdt, /_profiler*), which should never be deployed in production. PrestaShop debug mode can also trigger this WAF rule.
AntiMalware Protection
Rule ID:
409001
Rule against PHP RCE malware (63bd2f7a8302fd1dfe373344)
Rule ID:
409002
Hidden and default_enabled helper WAF rule that initializes SecRule values and checks payload values hinting at malicious activity, for use by the blocking WAF rules. EDIT WITH CAUTION!
Rule ID:
409003
Rule against PHP RCE malware. Payload: COOKIE contains 'str_rot13' in two parts AND 'perngr_shapgvba' (rot13-rotated create_function) in two parts AND 'onfr64_qrpbqr' (rot13-rotated base64_decode) in two parts.
Rule ID:
409004
Rule against PHP RCE malware (63b301bc5205bf358a4caa0c). Payload: COOKIE contains 'base64_decode' in two parts AND 'YmFzZTY0X2RlY29kZQ==' (which base64-decodes to 'base64_decode') in two parts.
Rule ID:
409005
Rule against PHP RCE malware (63048c774603e53b7a7f78b5). Payload: POST contains the 'fuckyou4321' key.
Rule ID:
409006
Rule against PHP RCE malware (6284da8fef85056b327414fc). REQUEST_HEADERS contains both 'create_function' and 'base64_decode' values.
Rule ID:
409007
Rule against PHP RCE malware (644b8c53ff5eec21f06b36d2). GET is empty and POST has only one request_option value, which is an encrypted PHP script.
Rule ID:
409008
Rule against PHP RCE malware (644b680f1173f831663f5255)
Rule ID:
409009
Rule against PHP WebShell malware (64632ac5ff5eec21f06b3768)
Rule ID:
409010
Rule against PHP RCE malware (644b680f1173f831663f5255)
Rule ID:
409011
Rule against PHP RCE malware (60e3365f6dca960e3365f6dc)
Rule ID:
409012
Rule against PHP RCE malware (wp_ajx)
Rule ID:
409013
Rule against PHP Uploader malware (xcWD23)
Rule ID:
409014
Rule against PHP RCE malware (cdshell)
Rule ID:
409015
Rule against PHP malware (6548af1f7eef18d697055726) actmet1 & actmet2
Rule ID:
409016
Rule against ALFA TEaM Shell load
Rule ID:
409017
Rule against ALFA TEaM Shell cookie
Rule ID:
409018
Rule against PHP RCE malware (coco,login,cmd)
Other Rules
Rule ID:
410001
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-35914
Rule ID:
410002
PrestaShop is an open-source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-39526
Rule ID:
410003
RCE vulnerability in Laravel < 8.4.2 ignition module (CVE-2021-3129)
Rule ID:
410004
SQL injection vulnerability in Solidres 2.5.1 component for Joomla (CVE-2018-5980)
Rule ID:
410005
SQL injection vulnerability in Zh YandexMap 6.2.1.0, Zh BaiduMap 3.0.0.1 and Zh GoogleMap 8.4.0.0 for Joomla (CVE-2018-6582, CVE-2018-6604, CVE-2018-6605)
Rule ID:
410006
SQL injection vulnerability in the Gallery WD 1.3.6 component for Joomla! (CVE-2018-5981)
Rule ID:
410007
SQL injection vulnerability in DT Register 3.2.7 component for Joomla (CVE-2018-6584)
Rule ID:
410008
SQL injection vulnerability in JomEstate PRO through 3.7 component for Joomla (CVE-2018-6368)
Rule ID:
410009
SQL injection vulnerability in Fastball 2.5 component for Joomla (CVE-2018-6373)
Rule ID:
410010
SQL injection vulnerability in OS Property Real Estate 3.12.7 component for Joomla (CVE-2018-7319)
Rule ID:
410011
SQL injection vulnerability in Swap Factory 2.2.1, Raffle Factory 3.5.2 and Penny Auction Factory 2.0.4 components for Joomla! (CVE-2018-17379, CVE-2018-17378, CVE-2018-17384)
Rule ID:
410012
SQL injection vulnerability in Zap Calendar Lite 4.3.4 component for Joomla
Rule ID:
410013
SQL injection vulnerability in Pinterest Clone Social Pinboard 2.0 component for Joomla (CVE-2018-5987)
Rule ID:
410014
SQL Injection vulnerability in ccNewsletter 2.x component for Joomla (CVE-2018-5989)
Rule ID:
410015
SQL Injection vulnerability in AllVideos Reloaded 1.2.x component for Joomla (CVE-2018-5990)
Rule ID:
410016
SQL injection vulnerability in the iJoomla com_adagency plugin 6.0.9 for Joomla! (CVE-2018-5696)
Rule ID:
410017
XSS vulnerability in Joomla! before 3.8.12 (CVE-2018-15880)
Rule ID:
410018
Arbitrary File Download vulnerability in Jtag Members Directory 5.3.7 component for Joomla (CVE-2018-6008)
Rule ID:
410019
Directory traversal vulnerability in K2 component 2.8.0 for Joomla (CVE-2018-7482)
Rule ID:
410020
SQLi vulnerability in J2Store plugin 3.x before 3.3.7 for Joomla! (CVE-2019-9184)
Rule ID:
410021
Directory Traversal vulnerability in Joomla before 3.9.5 (CVE-2019-10945)
Rule ID:
410022
Missing input validation within the template manager in Joomla! v3.2.0-v3.9.24 (CVE-2021-23131)
Rule ID:
410023
Improper access check in webservice endpoints in Joomla! (CVE-2023-23752)
Rule ID:
410024
SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-51210
Typo3 and Magento Exclusions
Rule ID:
1040001
Remove HTML injection false-positives for TYPO3 backend edit requests
Rule ID:
1040002
Remove HTML injection false-positives for Magento backend edit requests
OWASP WAF Rules 2.0.0 Wed, 14 Feb 2024 10:30
Scanner Detection
Rule ID:
913101
Scripting/Generic User-Agents
This rule detects user-agents associated with various HTTP client libraries and scripting languages. Detection suggests attempted access by some automated tool.
This rule is a sibling of rule 913100.
Rule ID:
913102
Crawler User-Agents
This rule detects user-agents associated with various crawlers, SEO tools, and bots, which have been reported to potentially misbehave.
These crawlers can have legitimate uses when used with authorization.
This rule is a sibling of rule 913100.
Rule ID:
913110
Found request header associated with security scanner
Rule ID:
913120
Found request filename/argument associated with security scanner
Protocol Attack
Rule ID:
921110
HTTP Request Smuggling
Rule Logic
This rule looks for a CR/LF character in combination with an HTTP/WebDAV method name.
This points to an attempt to inject a second request into the request, thus bypassing the checks carried out on the primary request.
References
http://projects.webappsec.org/HTTP-Request-Smuggling
Rule ID:
921120
HTTP Response Splitting
Rule Logic
These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
These characters may cause problems if the data is returned in a response header and may be interpreted by an intermediary proxy server and treated as two separate responses.
References
http://projects.webappsec.org/HTTP-Response-Splitting
Rule ID:
921130
HTTP Response Splitting Attack
Rule ID:
921140
HTTP Header Injection
Rule Logic
These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, on their own or in combination with header field names.
These characters may cause problems if the data is returned in a response header and interpreted by the client.
These rules are similar to those defending against HTTP Request Splitting and Request Smuggling.
References
https://en.wikipedia.org/wiki/HTTP_header_injection
Rule ID:
921150
Checking for GET arguments has been moved to paranoia level 2 (921151) in order to mitigate possible false positives.
Rule ID:
921151
Detect newlines in GET argument values.
These may point to a HTTP header injection attack, but can also sometimes occur in benign query parameters.
See also: rule 921140, 921150
Rule ID:
921160
HTTP Header Injection Attack via payload (CR/LF and header-name detected)
Rule ID:
921170
HTTP Parameter Pollution
Rule Logic
These rules look for multiple parameters with the same name.
921170 counts the occurrences of the individual parameters.
921180 checks if any counter is > 1.
One HPP attack vector is to try to evade signature filters by distributing the attack payload across multiple parameters with the same name.
This works because many security devices only apply signatures to individual parameter payloads; the back-end web application, however, may (as in the case of ASP.NET) consolidate all of the payloads into one, thus making the attack payload active.
References
http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
https://capec.mitre.org/data/definitions/460.html
Rule ID:
921180
HTTP Parameter Pollution (%{TX.1})
Local File Inclusion
Rule ID:
930100
Directory Traversal Attacks
Ref: https://github.com/wireghoul/dotdotpwn
Encoded /../ Payloads
Rule ID:
930110
Decoded /../ Payloads
Rule ID:
930120
OS File Access
Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
Rule ID:
930130
Restricted File Access
Detects attempts to retrieve application source code, metadata, credentials and version control history possibly reachable in a web root.
Remote File Inclusion
Rule ID:
931100
Rule Logic
These rules look for common types of Remote File Inclusion (RFI) attack methods.
- URL Contains an IP Address
- The PHP "include()" Function
- RFI Data Ends with Question Mark(s) (?)
- RFI Host Doesn't Match Local Host
References
http://projects.webappsec.org/Remote-File-Inclusion
http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
Rule ID:
931110
Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload
Rule ID:
931120
Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)
Rule ID:
931130
-= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
Remote Code Execution
Rule ID:
932100
Unix command injection
This rule detects Unix command injections. A command injection takes a form such as:
foo.jpg;uname -a
foo.jpg||uname -a
The vulnerability exists when an application executes a shell command without proper input escaping/validation. To prevent false positives, we look for a 'starting sequence' that precedes a command in shell syntax, such as: ; | & $( ` <( >(
Rule ID:
932105
Some remaining commands have been split off into this separate rule. For an explanation of this rule, see rule 932100.
Rule ID:
932110
This rule detects Windows shell command injections. If you are not running Windows, it is safe to disable this rule. A command injection takes a form such as:
foo.jpg&ver /r
foo.jpg|ver /r
The vulnerability exists when an application executes a shell command without proper input escaping/validation. To prevent false positives, we look for a 'starting sequence' that precedes a command in CMD syntax, such as: ; | & `
Rule ID:
932115
Some remaining commands have been split off into this separate rule. For an explanation of this rule, see rule 932110.
Rule ID:
932120
Detect some common PowerShell commands, cmdlets and options. These commands should be relatively uncommon in normal text, but potentially useful for code injection. If you are not running Windows, it is safe to disable this rule.
https://technet.microsoft.com/en-us/magazine/ff714569.aspx
https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
Rule ID:
932130
Detects the following patterns which are common in Unix shell scripts and oneliners:
$(foo) Command substitution
${foo} Parameter expansion
<(foo) Process substitution
>(foo) Process substitution
$((foo)) Arithmetic expansion
Rule ID:
932140
This rule detects Windows command shell FOR and IF commands. If you are not running Windows, it is safe to disable this rule. Examples:
FOR %a IN (set) DO
FOR /D %a IN (dirs) DO
FOR /F "options" %a IN (text|"text") DO
FOR /L %a IN (start,step,end) DO
FOR /R C:\dir %A IN (set) DO
IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
http://ss64.com/nt/if.html
http://ss64.com/nt/for.html
Rule ID:
932150
Detects Unix commands at the start of a parameter (direct RCE). Example: foo=wget%20www.example.com
This case is different from command injection (rule 932100), where a command string is appended (injected) to a regular parameter, and then passed to a shell unescaped.
Rule ID:
932160
Detects some common sequences found in shell commands and scripts. Some commands that were restricted in earlier rules due to false positives have been added here with their full path, in order to catch cases where the full path is sent.
Rule ID:
932170
Detect exploitation of "Shellshock" GNU Bash RCE vulnerability. Based on ModSecurity rules created by Red Hat.
Rule ID:
932171
Remote Command Execution: Shellshock (CVE-2014-6271)
PHP General Attacks
Rule ID:
933100
PHP Open Tag Found
Detects PHP open tags "<?" and "<?php".
Rule ID:
933110
PHP Script Uploads
Blocks file uploads with PHP extensions (.php, .php5, .phtml etc).
Rule ID:
933111
PHP Script Uploads: Superfluous extension
Blocks file uploads with PHP extensions (.php, .php5, .phtml etc) anywhere in the name, followed by a dot.
Rule ID:
933120
PHP Configuration Directives
Detects potential attacks related to PHP configuration directives.
Rule ID:
933130
PHP Variables
Detects potential attacks related to PHP variables.
Rule ID:
933131
PHP Variables: Common Variable Indexes
Detects potential attacks related to common variable indexes in PHP.
Rule ID:
933140
PHP I/O Streams
Detects potential attacks related to PHP I/O streams.
Rule ID:
933150
PHP Functions: High-Risk PHP Function Names
Blocks high-risk PHP function names that are indicative of a PHP injection attack.
Rule ID:
933151
PHP Functions: Medium-Risk PHP Function Names
Blocks medium-risk PHP function names that may indicate a PHP injection attack.
Cross Site Scripting
Rule ID: 941100
Libinjection - XSS Detection
Detects XSS attacks using libinjection.
Rule ID: 941101
This is a stricter sibling of rule 941100.
Rule ID: 941110
XSS Filters - Category 1
Script tag based XSS vectors, e.g., <script>alert(1)</script>
Rule ID: 941120
XSS Filters - Category 2
XSS vectors making use of event handlers like onerror, onload, etc., e.g., <body onload="alert(1)">
Rule ID: 941140
XSS Filters - Category 4
XSS vectors making use of the javascript: URI and tags, e.g., <p style="background:url(javascript:alert(1))">
Rule ID: 941150
XSS Filters - Category 5
HTML attributes - src, style and href
Rule ID: 941160
NoScript XSS Filters
[NoScript InjectionChecker] HTML injection
Rule ID: 941170
[NoScript InjectionChecker] Attributes injection
Rule ID: 941180
[Blacklist Keywords from Node-Validator]
Blacklist keywords from Node.js validator.js
Rule ID: 941190
XSS Filters from IE
XSS filters based on the Internet Explorer XSS filter rules
Rule ID: 941310
XSS Filter Evasion Cheat Sheet
US-ASCII encoding bypass listed on the XSS filter evasion cheat sheet
Rule ID: 941350
UTF-7 encoding XSS filter evasion for IE.
Reported by Vladimir Ivanov
SQL Injection
Rule ID: 942100
LibInjection Check
Rule ID: 942110
String Termination/Statement Ending Injection Testing
Rule ID: 942120
SQL Operators
Rule ID: 942130
SQL Tautologies
Rule ID: 942140
Detect DB Names
Rule ID: 942150
SQL Function Names
Rule ID: 942160
PHPIDS - Converted SQLI Filters
Rule ID: 942170
Detects SQL benchmark and sleep injection attempts including conditional queries
Rule ID: 942180
Detects basic SQL authentication bypass attempts 1/3
Rule ID: 942190
Detects MSSQL code execution and information gathering attempts
Rule ID: 942200
Detects MySQL comment-/space-obfuscated injections and backtick termination
Rule ID: 942210
Detects chained SQL injection attempts 1/2
Rule ID: 942220
Looks for integer overflow attacks. These are taken from skipfish, except 3.0.00738585072007e-308, which is the "magic number" crash.
Rule ID: 942230
Detects conditional SQL injection attempts
Rule ID: 942240
Detects MySQL charset switch and MSSQL DoS attempts
Rule ID: 942250
Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections
Rule ID: 942251
SQL HAVING queries
Rule ID: 942260
Detects basic SQL authentication bypass attempts 2/3
Rule ID: 942270
Looks for basic SQL injection. Common attack strings for MySQL, Oracle and others.
Rule ID: 942280
Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts
Rule ID: 942290
Finds basic MongoDB SQL injection attempts
Rule ID: 942300
Detects MySQL comments, conditions and ch(a)r injections
Rule ID: 942310
Detects chained SQL injection attempts 2/2
Rule ID: 942320
Detects MySQL and PostgreSQL stored procedure/function injections
Rule ID: 942330
Detects classic SQL injection probings 1/2
Rule ID: 942340
Detects basic SQL authentication bypass attempts 3/3
Rule ID: 942350
Detects MySQL UDF injection and other data/structure manipulation attempts
Rule ID: 942360
Detects concatenated basic SQL injection and SQLLFI attempts
Rule ID: 942370
Detects classic SQL injection probings 2/2
Rule ID: 942380
SQL Injection Attack
Rule ID: 942390
SQL Injection Attack
Rule ID: 942400
SQL Injection Attack
Rule ID: 942410
SQL Injection Attack
Rule ID: 942420
SQL Injection Character Anomaly Usage
Rule ID: 942421
SQL Injection Character Anomaly Usage
Rule ID: 942430
SQL Injection Character Anomaly Usage
Rule ID: 942431
SQL Injection Character Anomaly Usage
Rule ID: 942432
SQL Injection Character Anomaly Usage
Rule ID: 942440
Detect SQL Comment Sequences
Rule ID: 942450
SQL Hex Evasion Methods
Rule ID: 942460
Repetitive Non-Word Characters
Session Fixation
Rule ID: 943100
Session fixation
Rule ID: 943110
Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer
Rule ID: 943120
Possible Session Fixation Attack: SessionID Parameter Name with No Referer
Data Leakages
Rule ID: 950130
Directory Listing
Data Leakages (SQL)
Rule ID: 951100
SQL Error Leakages
Rule ID: 951110
Microsoft Access SQL Information Leakage
Rule ID: 951120
Oracle SQL Information Leakage
Rule ID: 951130
DB2 SQL Information Leakage
Rule ID: 951140
EMC SQL Information Leakage
Rule ID: 951150
Firebird SQL Information Leakage
Rule ID: 951160
Frontbase SQL Information Leakage
Rule ID: 951170
HSQLDB SQL Information Leakage
Rule ID: 951180
Informix SQL Information Leakage
Rule ID: 951190
Ingres SQL Information Leakage
Rule ID: 951200
InterBase SQL Information Leakage
Rule ID: 951210
MaxDB SQL Information Leakage
Rule ID: 951220
MSSQL SQL Information Leakage
Rule ID: 951230
MySQL SQL Information Leakage
Rule ID: 951240
Postgres SQL Information Leakage
Rule ID: 951250
SQLite SQL Information Leakage
Rule ID: 951260
Sybase SQL Information Leakage
Data Leakages (Java)
Rule ID: 952100
Java Source Code Leakages
Rule ID: 952110
Java Errors
Data Leakages (PHP)
Rule ID: 953100
PHP Error Message Leakage
Rule ID: 953110
PHP source code leakage
Rule ID: 953120
To prevent false positives due to the short "<?" sequence, an attempt is made to stop alerts in binary output. This is done by detecting some common binary file format headers, such as gzip (\x1f\x8b\x08), png (IHDR), mp3 (ID3), movie formats et cetera.
Data Leakages (IIS)
Rule ID: 954100
IIS default location
Rule ID: 954110
Application Availability Error
Rule ID: 954120
IIS Errors leakage
Rule ID: 954130
IIS Information Leakage