Tags used by OWASP CRS ModSecurity rules

I couldn’t find a definitive list of the tags used by the OWASP CRS ModSecurity rules, so after a bit of faffing around, here’s what I’ve come up with for the “base” rules in OWASP CRS version 2.2.9 (current at the time of writing).

I’ve tried to group them together as best I can:

Web Attack:

OWASP_CRS/WEB_ATTACK/XSS
OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL
OWASP_CRS/WEB_ATTACK/RFI
OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
OWASP_CRS/WEB_ATTACK/CF_INJECTION
OWASP_CRS/WEB_ATTACK/SQL_INJECTION
OWASP_CRS/WEB_ATTACK/FILE_INJECTION
OWASP_CRS/WEB_ATTACK/PHP_INJECTION
OWASP_CRS/WEB_ATTACK/LDAP_INJECTION
OWASP_CRS/WEB_ATTACK/SSI_INJECTION
OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING
OWASP_CRS/WEB_ATTACK/SESSION_FIXATION

Protocol Violation:

OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST
OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ
OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA
OWASP_CRS/PROTOCOL_VIOLATION/EVASION
OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS

Policy:

OWASP_CRS/POLICY/SIZE_LIMIT
OWASP_CRS/POLICY/EXT_RESTRICTED
OWASP_CRS/POLICY/FILES_NOT_ALLOWED
OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED
OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED
OWASP_CRS/POLICY/METHOD_NOT_ALLOWED

Leekage:

OWASP_CRS/LEAKAGE/INFO_STATISTICS
OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING
OWASP_CRS/LEAKAGE/INFO_FILE
OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP
OWASP_CRS/LEAKAGE/SOURCE_CODE_CF
OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP
OWASP_CRS/LEAKAGE/ERRORS_IIS
OWASP_CRS/LEAKAGE/ERRORS_CF
OWASP_CRS/LEAKAGE/ERRORS_PHP
OWASP_CRS/LEAKAGE/ERRORS_ZOPE
OWASP_CRS/LEAKAGE/ERRORS_SQL

Malicious:

OWASP_CRS/MALICIOUS_CODE
OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN
OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME (not sure why this one has “OWASP_CRS” in it twice)

Automation:

OWASP_CRS/AUTOMATION/MALICIOUS
OWASP_CRS/AUTOMATION/SECURITY_SCANNER

Miscellaneous:

OWASP_TOP_10/A6
PCI/6.5.6
WASCTC/WASC-13
CAPEC-272

Share