WAF Core Rules Reference
On This Page:
Core Rule Set Reference
The following table presents the rules of the WAF Core Rule Set (CRS) as defined in the OWASP CRS:
| Rule ID | Rule Description |
|---|---|
| 910000 | Request from Known Malicious Client (Based on previous traffic violations). |
| 910100 | Client IP is from a HIGH Risk Country Location. |
| 910150 | HTTP Blacklist match for search engine IP |
| 910160 | HTTP Blacklist match for spammer IP |
| 910170 | HTTP Blacklist match for suspicious IP |
| 910180 | HTTP Blacklist match for harvester IP |
| 911100 | Method is not allowed by policy |
| 912120 | Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert) |
| 913100 | Found User-Agent associated with security scanner |
| 913101 | Found User-Agent associated with scripting/generic HTTP client |
| 913102 | Found User-Agent associated with web crawler/bot |
| 913110 | Found request header associated with security scanner |
| 913120 | Found request filename/argument associated with security scanner |
| 920100 | Invalid HTTP Request Line |
| 920120 | Attempted multipart/form-data bypass |
| 920121 | Attempted multipart/form-data bypass |
| 920130 | Failed to parse request body. |
| 920140 | Multipart request body failed strict validation:PE %{REQBODY_PROCESSOR_ERROR},BQ %{MULTIPART_BOUNDARY_QUOTED},BW %{MULTIPART_BOUNDARY_WHITESPACE},DB %{MULTIPART_DATA_BEFORE},DA %{MULTIPART_DATA_AFTER},HF %{MULTIPART_HEADER_FOLDING},LF %{MULTIPART_LF_LINE},SM %{MULTIPART_MISSING_SEMICOLON},IQ %{MULTIPART_INVALID_QUOTING},IH %{MULTIPART_INVALID_HEADER_FOLDING},FLE %{MULTIPART_FILE_LIMIT_EXCEEDED} |
| 920160 | Content-Length HTTP header is not numeric. |
| 920170 | GET or HEAD Request with Body Content. |
| 920171 | GET or HEAD Request with Transfer-Encoding. |
| 920180 | POST without Content-Length or Transfer-Encoding headers. |
| 920190 | Range: Invalid Last Byte Value. |
| 920200 | Range: Too many fields (6 or more) |
| 920201 | Range: Too many fields for pdf request (63 or more) |
| 920202 | Range: Too many fields for pdf request (6 or more) |
| 920210 | Multiple/Conflicting Connection Header Data Found. |
| 920220 | URL Encoding Abuse Attack Attempt |
| 920230 | Multiple URL Encoding Detected |
| 920240 | URL Encoding Abuse Attack Attempt |
| 920250 | UTF8 Encoding Abuse Attack Attempt |
| 920260 | Unicode Full/Half Width Abuse Attack Attempt |
| 920270 | Invalid character in request (null character) |
| 920271 | Invalid character in request (non printable characters) |
| 920272 | Invalid character in request (outside of printable chars below ascii 127) |
| 920273 | Invalid character in request (outside of very strict set) |
| 920274 | Invalid character in request headers (outside of very strict set) |
| 920341 | Request Containing Content Requires Content-Type header |
| 920350 | Host header is a numeric IP address |
| 920360 | Argument name too long |
| 920370 | Argument value too long |
| 920380 | Too many arguments in request |
| 920390 | Total arguments size exceeded |
| 920400 | Uploaded file size too large |
| 920410 | Total uploaded files size too large |
| 920420 | Request content type is not allowed by policy |
| 920430 | HTTP protocol version is not allowed by policy |
| 920440 | URL file extension is restricted by policy |
| 920450 | HTTP header is restricted by policy (%{MATCHED_VAR}) |
| 920460 | Abnormal character escapes in request |
| 920470 | Illegal Content-Type header |
| 920480 | Request content type charset is not allowed by policy |
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 930100 | Path Traversal Attack (/../) |
| 930110 | Path Traversal Attack (/../) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |
| 931100 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 932100 | Remote Command Execution: Unix Command Injection |
| 932105 | Remote Command Execution: Unix Command Injection |
| 932106 | Remote Command Execution: Unix Command Injection |
| 932110 | Remote Command Execution: Windows Command Injection |
| 932115 | Remote Command Execution: Windows Command Injection |
| 932120 | Remote Command Execution: Windows PowerShell Command Found |
| 932130 | Remote Command Execution: Unix Shell Expression Found |
| 932140 | Remote Command Execution: Windows FOR/IF Command Found |
| 932150 | Remote Command Execution: Direct Unix Command Execution |
| 932160 | Remote Command Execution: Unix Shell Code Found |
| 932170 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932180 | Restricted File Upload Attempt |
| 932190 | Remote Command Execution: Wildcard bypass technique attempt |
| 933100 | PHP Injection Attack: PHP Open Tag Found |
| 933110 | PHP Injection Attack: PHP Script File Upload Found |
| 933111 | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PHP Injection Attack: Configuration Directive Found |
| 933130 | PHP Injection Attack: Variables Found |
| 933131 | PHP Injection Attack: Variables Found |
| 933140 | PHP Injection Attack: I/O Stream Found |
| 933150 | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933151 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933161 | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933170 | PHP Injection Attack: Serialized Object Injection |
| 933180 | PHP Injection Attack: Variable Function Call Found |
| 933190 | PHP Injection Attack: PHP Closing Tag Found |
| 941100 | XSS Attack Detected via libinjection |
| 941101 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter - Category 1: Script Tag Vector |
| 941120 | XSS Filter - Category 2: Event Handler Vector |
| 941130 | XSS Filter - Category 3: Attribute Vector |
| 941140 | XSS Filter - Category 4: Javascript URI Vector |
| 941150 | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941160 | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | Node-Validator Blacklist Keywords |
| 941190 | IE XSS Filters - Attack Detected. |
| 941200 | IE XSS Filters - Attack Detected. |
| 941210 | IE XSS Filters - Attack Detected. |
| 941220 | IE XSS Filters - Attack Detected. |
| 941230 | IE XSS Filters - Attack Detected. |
| 941240 | IE XSS Filters - Attack Detected. |
| 941250 | IE XSS Filters - Attack Detected. |
| 941260 | IE XSS Filters - Attack Detected. |
| 941270 | IE XSS Filters - Attack Detected. |
| 941280 | IE XSS Filters - Attack Detected. |
| 941290 | IE XSS Filters - Attack Detected. |
| 941300 | IE XSS Filters - Attack Detected. |
| 941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected. |
| 941320 | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | IE XSS Filters - Attack Detected. |
| 941340 | IE XSS Filters - Attack Detected. |
| 941350 | UTF-7 Encoding IE XSS - Attack Detected. |
| 942100 | SQL Injection Attack Detected via libinjection |
| 942110 | SQL Injection Attack: Common Injection Testing Detected |
| 942120 | SQL Injection Attack: SQL Operator Detected |
| 942130 | SQL Injection Attack: SQL Tautology Detected. |
| 942140 | SQL Injection Attack: Common DB Names Detected |
| 942150 | SQL Injection Attack |
| 942160 | Detects blind sqli tests using sleep() or benchmark(). |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942180 | Detects basic SQL authentication bypass attempts 1/3 |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | Detects chained SQL injection attempts 1/2 |
| 942220 | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \ |
| 942230 | Detects conditional SQL injection attempts |
| 942240 | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942251 | Detects HAVING injections |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942270 | Looking for basic sql injection. Common attack string for mysql, oracle and others. |
| 942280 | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942330 | Detects classic SQL injection probings 1/3 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942361 | Detects basic SQL injection based on keyword alter or union |
| 942370 | Detects classic SQL injection probings 2/3 |
| 942380 | SQL Injection Attack |
| 942390 | SQL Injection Attack |
| 942400 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942420 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942421 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942431 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942432 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2) |
| 942440 | SQL Comment Sequence Detected. |
| 942450 | SQL Hex Encoding Identified |
| 942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 942470 | SQL Injection Attack |
| 942480 | SQL Injection Attack |
| 942490 | Detects classic SQL injection probings 3/3 |
| 943100 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
| 944100 | Remote Command Execution: Suspicious Java class detected |
| 944110 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| 944120 | Remote Command Execution: Java serialization (CVE-2015-5842) |
| 944130 | Suspicious Java class detected |
| 944200 | Magic bytes Detected, probable java serialization in use |
| 944210 | Magic bytes Detected Base64 Encoded, probable java serialization in use |
| 944240 | Remote Command Execution: Java serialization (CVE-2015-5842) |
| 944250 | Remote Command Execution: Suspicious Java method detected |
| 944300 | Base64 encoded string matched suspicious keyword |
| 950100 | The Application Returned a 500-Level Status Code |
| 950130 | Directory Listing |
| 951110 | Microsoft Access SQL Information Leakage |
| 951120 | Oracle SQL Information Leakage |
| 951130 | DB2 SQL Information Leakage |
| 951140 | EMC SQL Information Leakage |
| 951150 | firebird SQL Information Leakage |
| 951160 | Frontbase SQL Information Leakage |
| 951170 | hsqldb SQL Information Leakage |
| 951180 | informix SQL Information Leakage |
| 951190 | ingres SQL Information Leakage |
| 951200 | interbase SQL Information Leakage |
| 951210 | maxDB SQL Information Leakage |
| 951220 | mssql SQL Information Leakage |
| 951230 | mysql SQL Information Leakage |
| 951240 | postgres SQL Information Leakage |
| 951250 | sqlite SQL Information Leakage |
| 951260 | Sybase SQL Information Leakage |
| 952100 | Java Source Code Leakage |
| 952110 | Java Errors |
| 953100 | PHP Information Leakage |
| 953110 | PHP source code leakage |
| 953120 | PHP source code leakage |
| 954100 | Disclosure of IIS install location |
| 954110 | Application Availability Error |
| 954120 | IIS Information Leakage |
| 954130 | IIS Information Leakage |
| 4295001 | Enable Drupal specific CRS exclusions |
| 4295002 | Enable Wordpress specific CRS exclusions |
| 4295003 | Enable Cpanel specific CRS exclusions |
| 4295004 | Enable Dokuwiki specific CRS exclusions |
| 4295005 | Enable Nextcloud specific CRS exclusions |
| 4295006 | Enable Xenforo specific CRS exclusions |