File: //opt/bitninja-waf/etc/BitNinja/407-BOTNET-PROTECTION.conf
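# 407001 - "HEXA" botnet traffic profile. The chain only fires when every link
# matches: a request for an 8-lowercase-letter .php file, a form-urlencoded
# Content-Type, exactly one POST argument whose value is purely hexadecimal,
# and a request body larger than 2000 bytes. Disruptive action (block),
# logging and the logdata message live on the first link; the final link
# bumps tx.bn_inbound_found.
# `capture` is required for %{TX.0} in logdata to be populated - without it
# the "Matched Data" field is always empty in the audit log.
SecRule REQUEST_FILENAME "^.*\/[a-z]{8}\.php$" \
"chain,\
phase:2,\
id:407001,\
t:none,\
capture,\
auditlog,\
block,\
severity:CRITICAL,\
msg:'Protection against HEXA botnet',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Media type may be followed by a parameter (e.g. "; charset=UTF-8"); the
# previous exact-match anchor rejected such requests and let them pass the
# chain unexamined. Each link carries t:none so that engine default
# transformations do not silently alter the comparison.
SecRule REQUEST_HEADERS:Content-Type "^application/x-www-form-urlencoded(?:\s*;|$)" "t:none,t:lowercase,chain"
SecRule &ARGS_POST "@eq 1" "t:none,chain"
SecRule ARGS_POST "^[0-9a-fA-F]+$" "t:none,chain"
SecRule REQUEST_BODY_LENGTH "@gt 2000" \
"t:none,setvar:tx.bn_inbound_found=+1"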
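# 407002 (phase 1) - deny requests carrying a Log4Shell (CVE-2021-44228)
# "jndi:" lookup string. Phase 1 runs before the request body has been read,
# so only headers, request line, URI, query string and cookies are inspected
# here; the phase-2 copy (407003) re-checks once body data is available.
# The original rule used t:none only, making the regex case-sensitive and
# applied to raw (still percent-encoded) URI/query data. t:lowercase makes
# the match independent of letter case and t:urlDecodeUni normalises encoded
# input first; the pattern is written in lowercase to suit.
SecRule ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
"phase:1, \
id:407002, \
t:none,t:urlDecodeUni,t:lowercase, \
deny, \
status:403, \
log, \
auditlog, \
msg:'DVT: CVE-2021-44228 - deny known \"jndi:\" pattern', \
severity:'2', \
rev:2, \
tag:'no_ar',\
setvar:'tx.bn_inbound_found=+1'"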
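# 407003 (phase 2) - same Log4Shell (CVE-2021-44228) "jndi:" check as 407002,
# run again after the request body has been read so that REQUEST_BODY and
# POST arguments are covered.
# The original rule used t:none only, making the regex case-sensitive and
# applied to raw (still percent-encoded) data. t:lowercase makes the match
# independent of letter case and t:urlDecodeUni normalises encoded input
# first; the pattern is written in lowercase to suit.
SecRule ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:|jndi:dns:|jndi:rmi:|jndi:rni:|\${jndi:" \
"phase:2, \
id:407003, \
t:none,t:urlDecodeUni,t:lowercase, \
deny, \
status:403, \
log, \
auditlog, \
msg:'DVT: CVE-2021-44228 - deny known \"jndi:\" pattern', \
severity:'2', \
rev:2, \
tag:'no_ar',\
setvar:'tx.bn_inbound_found=+1'"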