🛡️ OWASP CRS v4
CloFix (CRS) Guide
Complete OWASP CRS v4 protection with CloFixRule custom directives, intelligent bypass management, and comprehensive coverage of OWASP Top 10 vulnerabilities.
25 CRS Rule Files
SQLi / XSS / LFI / RFI
Command Injection
SSRF Protection
NoSQL Injection
Bot Detection
Paranoia Levels 1-4
Anomaly Scoring
CloFixRule Directive
Intelligent Bypass
01 Introduction
The CloFix OWASP Core Rule Set (CRS) is a complete implementation of the OWASP CRS v4 — the industry standard for web application firewall rules. It provides comprehensive protection against the OWASP Top 10 vulnerabilities and countless other attack vectors.
🎯 What is OWASP CRS?
The OWASP Core Rule Set is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. CloFix CRS brings this industry-standard protection to your infrastructure with additional CloFixRule custom directives.
| Feature | Description |
|---|---|
| 25 Rule Files | Complete OWASP CRS v4 rule set covering all attack categories |
| 4 Paranoia Levels | Adjustable protection from low (1) to maximum (4) |
| Anomaly Scoring | Threshold-based blocking with configurable scores |
| CloFixRule Directive | CRS-style custom rules with CloFix branding |
| Intelligent Bypass | Bypass specific rules, tags, phases, paths, or IPs |
02 Architecture
The CloFix CRS engine processes every HTTP request through multiple phases, applying rules in sequence.
pipeline
HTTP Request
│
▼
┌─────────────────────────────────────────────┐
│ Phase 1: Request Headers │
│ - Method enforcement, protocol validation │
│ - IP reputation, bot detection │
└───────────────────┬─────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Phase 2: Request Body │
│ - SQL injection detection │
│ - XSS detection, LFI/RFI detection │
│ - Command injection, NoSQL injection │
└───────────────────┬─────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Phase 3: Response Headers │
│ - Data leakage detection │
│ - Security header validation │
└───────────────────┬─────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Phase 4: Response Body │
│ - Information disclosure detection │
│ - Error message sanitization │
└───────────────────┬─────────────────────────┘
│
▼
Backend / Proxy
📁 Rule File Loading Order
Rules are loaded in OWASP CRS order: initialization → exceptions → IP reputation → protocol enforcement → application attacks → blocking evaluation → response rules.
03 Rule Files
CloFix CRS loads all 25 standard OWASP CRS rule files in the correct order.
| File | Purpose |
|---|---|
| REQUEST-901-INITIALIZATION.conf | Initial setup, paranoia level, anomaly thresholds |
| REQUEST-905-COMMON-EXCEPTIONS.conf | Common false positive exceptions |
| REQUEST-910-IP-REPUTATION.conf | IP reputation and blacklist detection |
| REQUEST-911-METHOD-ENFORCEMENT.conf | HTTP method restrictions |
| REQUEST-912-DOS-PROTECTION.conf | DoS attack detection |
| REQUEST-913-SCANNER-DETECTION.conf | Security scanner detection |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf | HTTP protocol validation |
| REQUEST-921-PROTOCOL-ATTACK.conf | Protocol-level attacks |
| REQUEST-930-APPLICATION-ATTACK-LFI.conf | Local File Inclusion attacks |
| REQUEST-931-APPLICATION-ATTACK-RFI.conf | Remote File Inclusion attacks |
| REQUEST-932-APPLICATION-ATTACK-RCE.conf | Remote Command Execution |
| REQUEST-933-APPLICATION-ATTACK-PHP.conf | PHP injection attacks |
| REQUEST-934-APPLICATION-ATTACK-GENERIC.conf | Generic application attacks |
| REQUEST-941-APPLICATION-ATTACK-XSS.conf | Cross-Site Scripting (XSS) |
| REQUEST-942-APPLICATION-ATTACK-SQLI.conf | SQL Injection (SQLi) |
| REQUEST-943-APPLICATION-ATTACK-JAVA.conf | Java injection attacks |
| REQUEST-949-BLOCKING-EVALUATION.conf | Blocking decision based on anomaly score |
| RESPONSE-950-DATA-LEAKAGES.conf | Data leakage detection |
| RESPONSE-951-DATA-LEAKAGES-SQL.conf | SQL data leakage detection |
| RESPONSE-959-BLOCKING-EVALUATION.conf | Response blocking evaluation |
| RESPONSE-980-CORRELATION.conf | Correlation of multiple rules |
04 CloFixRule Syntax
CloFix CRS supports both standard CloFixRule directives and custom CloFixRule directives with the same powerful syntax.
CloFixRule — Custom Directive
CloFixRule [VARIABLES] "[OPERATOR] [PATTERN]" \
"id:[RULE_ID],\
phase:[1-4],\
t:[TRANSFORMATIONS],\
name:'[RULE_NAME]',\
msg:'[MESSAGE]',\
severity:'[CRITICAL|ERROR|WARNING|NOTICE|INFO]',\
tag:'[TAGS]',\
status:[HTTP_STATUS],\
[ACTION]"
Variables
ARGS, REQUEST_HEADERS, REQUEST_URI, REQUEST_METHOD, REQUEST_COOKIES, BODY, RESPONSE_HEADERS
Operators
@rx, @contains, @streq, @pm, @beginsWith, @endsWith
Transformations
t:lowercase, t:urlDecode, t:htmlEntityDecode, t:removeNulls, t:compressWhitespace
Actions
block, pass, allow, log, chain, deny
Example — SQL Injection Protection
# CloFixRule custom rule
CloFixRule ARGS|BODY "@rx (union.*select|insert.*into|drop.*table)" \
"id:1000001,\
phase:2,\
t:lowercase,\
t:urlDecode,\
name:'SQL Injection Protection',\
msg:'SQL injection attempt blocked',\
severity:'CRITICAL',\
tag:'clofix',\
tag:'attack-sqli',\
status:403,\
block"
# Standard OWASP CloFixRule (also supported)
CloFixRule ARGS|BODY "@rx
05 Attack Protection
SQL Injection (A03:2021) — Rule 942100-942999
sql_injection.conf
# SQL Injection - Union Based Attack
CloFixRule ARGS|BODY "@rx (union.*select|select.*from|insert.*into|update.*set|delete.*from)" \
"id:942100,\
phase:2,\
t:lowercase,\
t:urlDecode,\
msg:'SQL Injection Attack Detected via libinjection',\
severity:'CRITICAL',\
tag:'attack-sqli',\
tag:'paranoia-level/1',\
status:403,\
block"
# SQL Injection - Time Based Blind Attack
CloFixRule ARGS|BODY "@rx (sleep\(|benchmark\(|waitfor\s+delay|pg_sleep)" \
"id:942200,\
phase:2,\
t:lowercase,\
msg:'Time-Based SQL Injection Attack Detected',\
severity:'CRITICAL',\
tag:'attack-sqli',\
status:403,\
block"
# SQL Injection - Boolean Based Blind Attack
CloFixRule ARGS|BODY "@rx (or\s+1=1|and\s+1=1|or\s+1=2|and\s+1=2|or\s+true)" \
"id:942300,\
phase:2,\
t:lowercase,\
msg:'Boolean-Based SQL Injection Attack Detected',\
severity:'CRITICAL',\
tag:'attack-sqli',\
status:403,\
block"
Cross-Site Scripting (XSS) (A03:2021) — Rule 941100-941999
xss_detection.conf
# XSS - Script Tag Injection
CloFixRule ARGS|BODY|REQUEST_HEADERS "@rx (<script|</script|javascript:|vbscript:|onerror=|onload=|onclick=)" \
"id:941100,\
phase:2,\
t:lowercase,\
t:urlDecode,\
msg:'XSS Attack Detected',\
severity:'CRITICAL',\
tag:'attack-xss',\
status:403,\
block"
# XSS - Event Handler Injection
CloFixRule ARGS|BODY "@rx (onload=|onerror=|onclick=|onmouseover=|onfocus=|onblur=)" \
"id:941200,\
phase:2,\
t:lowercase,\
msg:'XSS Attack - Event Handler',\
severity:'CRITICAL',\
tag:'attack-xss',\
status:403,\
block"
# XSS - JavaScript Protocol
CloFixRule ARGS|BODY|REQUEST_URI "@rx (javascript:|vbscript:|data:text/html)" \
"id:941300,\
phase:2,\
t:lowercase,\
msg:'XSS Attack - JavaScript Protocol',\
severity:'CRITICAL',\
tag:'attack-xss',\
status:403,\
block"
Local/Remote File Inclusion (A01:2021) — Rule 930100-931999
lfi_rfi.conf
# LFI - Path Traversal
CloFixRule ARGS|REQUEST_URI "@rx (\.\./|\.\.\\|\.\.%2f|\.\.%5c|%2e%2e%2f|%2e%2e%5c)" \
"id:930100,\
phase:2,\
t:lowercase,\
t:urlDecode,\
msg:'Path Traversal Attack Detected',\
severity:'CRITICAL',\
tag:'attack-lfi',\
status:403,\
block"
# LFI - Sensitive File Access
CloFixRule ARGS "@rx (/etc/passwd|/etc/shadow|/etc/hosts|/proc/self/environ|/windows/win.ini)" \
"id:930200,\
phase:2,\
t:lowercase,\
msg:'Sensitive File Access Attempt',\
severity:'CRITICAL',\
tag:'attack-lfi',\
status:403,\
block"
# RFI - Remote File Inclusion
CloFixRule ARGS "@rx (https?://|ftp://|php://|file://|expect://|data://)" \
"id:931100,\
phase:2,\
t:lowercase,\
msg:'Remote File Inclusion Attempt',\
severity:'CRITICAL',\
tag:'attack-rfi',\
status:403,\
block"
Command Injection (A03:2021) — Rule 932100-932999
cmd_injection.conf
# Unix Command Injection
CloFixRule ARGS|BODY "@rx (;|\||\&\&|`|cmd|bash|sh|nc|wget|curl|ping|nslookup|whoami|id|uname|cat|ls|rm)" \
"id:932100,\
phase:2,\
t:lowercase,\
t:urlDecode,\
msg:'Unix Command Injection Attack',\
severity:'CRITICAL',\
tag:'attack-rce',\
status:403,\
block"
# Windows Command Injection
CloFixRule ARGS|BODY "@rx (cmd\.exe|powershell|regsvr32|wmic|rundll32|net\s+user)" \
"id:932200,\
phase:2,\
t:lowercase,\
msg:'Windows Command Injection Attack',\
severity:'CRITICAL',\
tag:'attack-rce',\
status:403,\
block"
Server-Side Request Forgery (SSRF) (A10:2021)
ssrf_protection.conf
# SSRF - Internal IP Access
CloFixRule ARGS "@rx (127\.0\.0\.1|localhost|169\.254\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)" \
"id:933100,\
phase:2,\
t:lowercase,\
msg:'SSRF - Internal IP Access Attempt',\
severity:'CRITICAL',\
tag:'attack-ssrf',\
status:403,\
block"
# SSRF - Cloud Metadata Service
CloFixRule ARGS "@rx (169\.254\.169\.254|metadata\.google\.internal|metadata\.aws\.internal)" \
"id:933200,\
phase:2,\
t:lowercase,\
msg:'SSRF - Cloud Metadata Service Access',\
severity:'CRITICAL',\
tag:'attack-ssrf',\
status:403,\
block"
NoSQL Injection Protection
nosql_injection.conf
# NoSQL Injection - MongoDB Operators
CloFixRule ARGS|BODY "@rx (\$ne|\$gt|\$lt|\$or|\$and|\$where|\$regex|\$exists)" \
"id:970100,\
phase:2,\
t:lowercase,\
msg:'NoSQL Injection Attack Detected',\
severity:'CRITICAL',\
tag:'attack-nosql',\
status:403,\
block"
# NoSQL Injection - JavaScript Injection
CloFixRule ARGS|BODY "@rx (function\(|return\s+this|db\.|collection\.|find\(|update\()" \
"id:970200,\
phase:2,\
t:lowercase,\
msg:'NoSQL Injection - JavaScript Injection',\
severity:'CRITICAL',\
tag:'attack-nosql',\
status:403,\
block"
Bot Detection — Rule 910100-910999
bot_detection.conf
# Malicious User Agents
CloFixRule REQUEST_HEADERS:User-Agent "@rx (sqlmap|nikto|nmap|wpscan|dirbuster|gobuster|burpsuite|acunetix)" \
"id:910100,\
phase:1,\
t:lowercase,\
msg:'Malicious Bot Detected',\
severity:'WARNING',\
tag:'attack-bot',\
status:403,\
block"
# Headless Browser Detection
CloFixRule REQUEST_HEADERS:User-Agent "@rx (headless|phantom|puppeteer|playwright|selenium)" \
"id:910200,\
phase:1,\
t:lowercase,\
msg:'Headless Browser Detected',\
severity:'MEDIUM',\
tag:'attack-bot',\
status:403,\
block"
06 Intelligent Bypass System
CloFix CRS provides flexible bypass options to handle false positives and legitimate exceptions.
Rule ID Bypass
bypass_rules.txt
# Bypass specific rule IDs # Lines starting with # are comments # SQL Injection Rules (false positives on search) 942100 942110 # XSS Rules (legitimate HTML content) 941100 941110 # LFI Rules (legitimate file access) 930100
Tag Bypass
go config — tag bypass
config.BypassTags = []string{
"attack-sqli", // Bypass all SQL injection rules
"paranoia-level/3", // Bypass paranoia level 3 rules
"attack-xss", // Bypass all XSS rules
}
Phase Bypass
phase bypass
config.BypassPhases = []int{
3, // Bypass response headers phase
4, // Bypass response body phase (for binary data)
}
Path Bypass
path bypass
config.BypassPaths = []string{
"/health", // Health check endpoint
"/metrics", // Prometheus metrics
"/api/public/*", // All public API endpoints
"/static/*", // Static files
"/webhook/*", // Webhook receivers
}
IP Bypass
ip bypass
config.BypassIPs = []string{
"127.0.0.1", // Localhost
"192.168.1.*", // Internal network
"10.0.0.*", // Private network
"172.16.*.*", // Private network
}
📋 Bypass Best Practices
• Document every bypass with reason
• Use specific rule ID bypass over tag bypass
• Test bypass thoroughly before production
• Monitor bypassed endpoints for abuse
• Review bypasses regularly
• Never bypass critical security rules without justification
• Use specific rule ID bypass over tag bypass
• Test bypass thoroughly before production
• Monitor bypassed endpoints for abuse
• Review bypasses regularly
• Never bypass critical security rules without justification
07 Configuration Reference
Paranoia Levels (1-4)
| Level | Description | Use Case |
|---|---|---|
| 1 | Minimal false positives | Production with high traffic, low risk |
| 2 | Moderate protection (default) | General production use |
| 3 | High security | High-risk applications, financial services |
| 4 | Maximum security | Maximum protection, may have false positives |
Anomaly Scoring
anomaly scoring
# Anomaly score thresholds
SecAction "id:900100,\
phase:1,\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
# Severity scoring:
# CRITICAL = 5 points
# ERROR = 4 points
# WARNING = 3 points
# NOTICE = 2 points
# INFO = 1 point
Transformations
| Transformation | Description | Example |
|---|---|---|
| t:lowercase | Convert to lowercase | "SCRIPT" → "script" |
| t:urlDecode | Decode URL-encoded strings | "%3C" → "<" |
| t:htmlEntityDecode | Decode HTML entities | "<" → "<" |
| t:removeNulls | Remove null bytes | "\x00script" → "script" |
| t:compressWhitespace | Compress multiple spaces | "a b" → "a b" |
08 Testing
test commands
# Test normal request
curl https://your-domain.com/
# Test SQL injection (should be blocked)
curl "https://your-domain.com/?id=1' OR '1'='1"
# Test XSS (should be blocked)
curl "https://your-domain.com/?q=%3Cscript%3Ealert('xss')%3C/script%3E"
# Test LFI (should be blocked)
curl "https://your-domain.com/?file=../../../etc/passwd"
# Test command injection (should be blocked)
curl "https://your-domain.com/?cmd=; cat /etc/passwd"
# Test with malicious user agent (should be blocked)
curl -A "sqlmap/1.7" https://your-domain.com/
# Watch WAF logs
sudo tail -f /var/log/clofix/waf.log | grep -i '\[CRS\]'
09 Best Practices
- Start with Paranoia Level 1 — Monitor false positives before increasing protection
- Use Bypass for False Positives — Target specific rules, not entire categories
- Monitor Anomaly Scores — Track scores to identify attack patterns
- Test with Attack Payloads — Regularly validate protection with known attack vectors
- Update CRS Rules — Keep OWASP CRS rules updated for emerging threats
- Document Bypasses — Record why each bypass was implemented
- Review Bypasses Quarterly — Remove bypasses that are no longer needed
- Enable Structured Logging — Use JSON logs for SIEM integration
🎯 Pro Tip
When creating custom CloFixRule directives, always use multiple transformations (t:lowercase, t:urlDecode) to defeat evasion techniques. Order matters — apply transformations in sequence for best results.
10 Troubleshooting
| Issue | Common Cause | Solution |
|---|---|---|
| Legitimate traffic blocked | False positive rule match | Add rule ID to bypass list; check paranoia level |
| Attack not blocked | Rule missing or disabled | Verify rule is loaded; check paranoia level includes rule |
| High latency | Too many rules or transformations | Reduce paranoia level; optimize patterns |
| Rules not loading | Incorrect file path or syntax | Check file permissions; validate CRS path |
| Bypass not working | Incorrect bypass configuration | Verify rule ID exists; check bypass order |
🆘 Need Help?
For CloFix CRS support, configuration questions, or to report issues, visit the Support section or contact us.