@@ -64,6 +64,7 @@ SecRule REQUEST_HEADERS:Referer "!@rx (?i)^(?:[a-z][a-z0-9+-.]*://|/|about:blank
6464 ver:'referer-hardening-plugin/1.0.0',\
6565 severity:'CRITICAL',\
6666 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
67+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
6768 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
6869
6970# Fragment component check.
@@ -83,6 +84,7 @@ SecRule REQUEST_HEADERS:Referer "@contains #" \
8384 ver:'referer-hardening-plugin/1.0.0',\
8485 severity:'CRITICAL',\
8586 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
87+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
8688 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
8789
8890# Userinfo component check.
@@ -102,6 +104,7 @@ SecRule REQUEST_HEADERS:Referer "@rx (?i)^[a-z][a-z0-9+-.]*://[^/]*@" \
102104 ver:'referer-hardening-plugin/1.0.0',\
103105 severity:'CRITICAL',\
104106 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
107+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
105108 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
106109
107110# Parse URL components (only for non-empty, non-relative referers).
@@ -141,6 +144,7 @@ SecRule REQUEST_HEADERS:Referer "@rx (?i)^data:" \
141144 ver:'referer-hardening-plugin/1.0.0',\
142145 severity:'CRITICAL',\
143146 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
147+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
144148 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
145149
146150SecRule TX:referer-hardening-plugin_domain_name "@gt 253" \
@@ -160,6 +164,7 @@ SecRule TX:referer-hardening-plugin_domain_name "@gt 253" \
160164 ver:'referer-hardening-plugin/1.0.0',\
161165 severity:'CRITICAL',\
162166 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
167+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
163168 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
164169
165170SecRule TX:referer-hardening-plugin_domain_name "!@rx (?i)^[a-z0-9\-.]+$" \
@@ -179,6 +184,7 @@ SecRule TX:referer-hardening-plugin_domain_name "!@rx (?i)^[a-z0-9\-.]+$" \
179184 ver:'referer-hardening-plugin/1.0.0',\
180185 severity:'CRITICAL',\
181186 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
187+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
182188 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
183189
184190SecRule TX:referer-hardening-plugin_port "!@rx ^$" \
@@ -200,6 +206,7 @@ SecRule TX:referer-hardening-plugin_port "!@rx ^$" \
200206 chain"
201207 SecRule TX:referer-hardening-plugin_port "!@rx ^[0-9]+$" \
202208 "setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
209+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
203210 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
204211
205212SecRule TX:referer-hardening-plugin_port "@gt 65535" \
@@ -219,6 +226,7 @@ SecRule TX:referer-hardening-plugin_port "@gt 65535" \
219226 ver:'referer-hardening-plugin/1.0.0',\
220227 severity:'CRITICAL',\
221228 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
229+ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
222230 setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
223231
224232SecMarker "END-REFERER-HARDENING-PLUGIN-PL1"
@@ -249,7 +257,8 @@ SecRule REQUEST_HEADERS:Referer "@rx ^$" \
249257 ver:'referer-hardening-plugin/1.0.0',\
250258 severity:'CRITICAL',\
251259 setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
252- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
260+ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
261+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
253262
254263
255264
0 commit comments