1[
2  {
3    "enabled":1,
4    "version_min":300000,
5    "title":"Testing ctl:ruleRemoveById - issue 2099",
6    "expected":{
7      "http_code":200
8    },
9    "client":{
10      "ip":"200.249.12.31",
11      "port":123
12    },
13    "request":{
14      "headers":{
15        "Host":"localhost",
16        "User-Agent":"curl/7.38.0",
17        "Accept":"*/*"
18      },
19      "uri":"/remote.php/webdav?bar=foo",
20      "method":"GET",
21      "body": ""
22    },
23    "server":{
24      "ip":"200.249.12.31",
25      "port":80
26    },
27    "rules":[
28        "SecRuleEngine On",
29        "SecRequestBodyAccess On",
30        "SecRule REQUEST_FILENAME \"@contains /remote.php/webdav\" \"id:9003100,phase:2,pass,t:none,nolog,ctl:ruleRemoveByTag=attack-injection-php,ctl:ruleRemoveById=941000-942999,ctl:ruleRemoveById=951000-951999,ctl:ruleRemoveById=953100-953130,ctl:ruleRemoveById=920420,ctl:ruleRemoveById=920440\"",
31        "SecRule ARGS \"@contains foo\" \"id:951001,phase:2,t:none,drop\""
32    ]
33  },
34  {
35    "enabled":1,
36    "version_min":300000,
37    "title":"Testing ctl:ruleRemoveById against - issue 2099",
38    "expected":{
39      "http_code":403
40    },
41    "client":{
42      "ip":"200.249.12.31",
43      "port":123
44    },
45    "request":{
46      "headers":{
47        "Host":"localhost",
48        "User-Agent":"curl/7.38.0",
49        "Accept":"*/*"
50      },
51      "uri":"/remote.php?bar=foo",
52      "method":"GET",
53      "body": ""
54    },
55    "server":{
56      "ip":"200.249.12.31",
57      "port":80
58    },
59    "rules":[
60        "SecRuleEngine On",
61        "SecRequestBodyAccess On",
62        "SecRule REQUEST_FILENAME \"@contains /remote.php/webdav\" \"id:9003100,phase:2,pass,t:none,nolog,ctl:ruleRemoveByTag=attack-injection-php,ctl:ruleRemoveById=941000-942999,ctl:ruleRemoveById=951000-951999,ctl:ruleRemoveById=953100-953130,ctl:ruleRemoveById=920420,ctl:ruleRemoveById=920440\"",
63        "SecRule ARGS \"@contains foo\" \"id:951001,phase:2,t:none,drop\""
64    ]
65  },
66  {
67    "enabled":1,
68    "version_min":300000,
69    "title":"Testing ctl:ruleRemoveByTag - issue 2099",
70    "expected":{
71      "http_code":200
72    },
73    "client":{
74      "ip":"200.249.12.31",
75      "port":123
76    },
77    "request":{
78      "headers":{
79        "Host":"localhost",
80        "User-Agent":"curl/7.38.0",
81        "Accept":"*/*"
82      },
83      "uri":"/remote.php/webdav?bar=foo",
84      "method":"GET",
85      "body": ""
86    },
87    "server":{
88      "ip":"200.249.12.31",
89      "port":80
90    },
91    "rules":[
92        "SecRuleEngine On",
93        "SecRequestBodyAccess On",
94        "SecRule REQUEST_FILENAME \"@contains /remote.php/webdav\" \"id:1000001,phase:2,pass,t:none,nolog,ctl:ruleRemoveByTag=attack-injection-php,ctl:ruleRemoveById=1100000-2100000,ctl:ruleRemoveById=9990000\"",
95        "SecRule ARGS \"@contains foo\" \"id:4400000,tag:'attack-injection-php',phase:2,t:none,msg:'test rule',drop\""
96    ]
97  },
98  {
99    "enabled":1,
100    "version_min":300000,
101    "title":"Testing ctl:ruleRemoveByTag against - issue 2099",
102    "expected":{
103      "http_code":403
104    },
105    "client":{
106      "ip":"200.249.12.31",
107      "port":123
108    },
109    "request":{
110      "headers":{
111        "Host":"localhost",
112        "User-Agent":"curl/7.38.0",
113        "Accept":"*/*"
114      },
115      "uri":"/remote.php?bar=foo",
116      "method":"GET",
117      "body": ""
118    },
119    "server":{
120      "ip":"200.249.12.31",
121      "port":80
122    },
123    "rules":[
124        "SecRuleEngine On",
125        "SecRequestBodyAccess On",
126        "SecRule REQUEST_FILENAME \"@contains /remote.php/webdav\" \"id:1000001,phase:2,pass,t:none,nolog,ctl:ruleRemoveByTag=attack-injection-php,ctl:ruleRemoveById=1100000-2100000,ctl:ruleRemoveById=9990000\"",
127        "SecRule ARGS \"@contains foo\" \"id:4400000,tag:'attack-injection-php',phase:2,t:none,msg:'test rule',drop\""
128    ]
129  },
130  {
131    "enabled":1,
132    "version_min":300000,
133    "title":"Testing ctl:ruleRemoveTargetByTag - issue 2099",
134    "expected":{
135      "http_code":200
136    },
137    "client":{
138      "ip":"1.2.3.4",
139      "port":123
140    },
141    "request":{
142      "headers":{
143        "Host":"localhost",
144        "User-Agent":"curl/7.38.0",
145        "Accept":"*/*"
146      },
147      "uri":"/test.php?a=a",
148      "method":"GET",
149      "body": ""
150    },
151    "server":{
152      "ip":"200.249.12.31",
153      "port":80
154    },
155    "rules":[
156        "SecRuleEngine On",
157        "SecRequestBodyAccess On",
158        "SecRule REQUEST_URI \"@contains /test.php\" \"id:100,phase:1,nolog,pass,ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:a,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:a\"",
159        "SecRule ARGS \"@contains a\" \"id:4400000,tag:'attack-injection-php',phase:2,t:none,msg:'test rule',drop\""
160    ]
161  },
162  {
163    "enabled":1,
164    "version_min":300000,
165    "title":"Testing ctl:ruleRemoveTargetByTag against - issue 2099",
166    "expected":{
167      "http_code":403
168    },
169    "client":{
170      "ip":"1.2.3.4",
171      "port":123
172    },
173    "request":{
174      "headers":{
175        "Host":"localhost",
176        "User-Agent":"curl/7.38.0",
177        "Accept":"*/*"
178      },
179      "uri":"/index.php?a=a",
180      "method":"GET",
181      "body": ""
182    },
183    "server":{
184      "ip":"200.249.12.31",
185      "port":80
186    },
187    "rules":[
188        "SecRuleEngine On",
189        "SecRequestBodyAccess On",
190        "SecRule REQUEST_URI \"@contains /test.php\" \"id:100,phase:1,nolog,pass,ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:a,ctl:ruleRemoveTargetByTag=attack-rce;ARGS:a\"",
191        "SecRule ARGS \"@contains a\" \"id:4400000,tag:'attack-injection-php',phase:2,t:none,msg:'test rule',drop\""
192    ]
193  }
194]
195
196