# SPECIFIC: Block #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters
SecRule REQUEST_METHOD "^(GET|POST|HEAD)$" "chain,id:402001,t:lowercase,t:none,t:utf8toUnicode,t:urlDecodeUni,t:urldecode,block,\
severity:CRITICAL,\
msg:'Drupal Remote Code Execution - SA-CORE-2018-002: Block specific #submit #validate #process #pre_render #post_render #element_validate #after_build #value_callback parameters',\
logdata:'Drupal RCE - SA-CORE-2018-002 Specific: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
        SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "^\#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process)$|\[(?:\'|\")?#(submit|validate|pre_render|post_render|element_validate|after_build|value_callback|process)" \
        "setvar:tx.bn_inbound_found=+1"
SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "destination" "chain,id:402003,\
  msg:'Drupal Remote Code Execution - SA-CORE-2018-004: Block all destination q[#',\
  severity:CRITICAL,\
  logdata:'Drupal RCE - SA-CORE-2018-004 Generic: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
  SecRule ARGS|REQUEST_COOKIES "(\?q\[(\#|(%(25)*23))|(&|%(25)*26)q\[(%(25)*23))" \
    setvar:tx.bn_inbound_found=+1"# GENERIC: Block all parameters starting with #
SecRule REQUEST_METHOD "^(GET|POST|HEAD)$" "chain,id:402002,t:lowercase,t:none,t:utf8toUnicode,t:urlDecodeUni,t:urldecode,block,\
severity:CRITICAL,\
msg:'Drupal Remote Code Execution - SA-CORE-2018-002: Block all parameters starting with #',\
logdata:'Drupal RCE - SA-CORE-2018-002 Generic: Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
        SecRule ARGS_NAMES|REQUEST_COOKIES_NAMES "^\#|\[(?:\'|\")?\#.*\]" \
        "setvar:tx.bn_inbound_found=+1"