patterns/waf_patterns/apache/rce.conf

# Apache ModSecurity rules for RCE
SecRuleEngine On

SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@pmFromFile windows-powershell-commands.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ~(?:[+-](?:$|[sx0b0-9]+)|[0-9]+)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx !-d" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ba[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@pmFromFile restricted-upload.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ^[^#]+" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i).|(?:[sx0b]*|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)[-0-9_a-z]+(?:[sx0b]*[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "!@rx [0-9]s*'s*[0-9]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx ;[sx0b]*.[sx0b]*[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx rn.*?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [-.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} (?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}=|[+/-9A-Z_a-zx17fx212a]{3}))?=|STARTTLSb|NOOPb(?: .{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sx0b&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[sx0b&)<>|]|pt(?:(?:itude)?[sx0b&)<>|]|-get)|r(?:[sx0b&)<>j|]|(?:p|ch)[sx0b&)<>|]|ia2c)|s(?:h?[sx0b&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sx0b&)<>|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[sx0b&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&)<>|]|c))|h[sx0b&)<>|])|tch[sx0b&)<>|])|lkid|pftrace|r(?:eaksw|idge[sx0b&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[sx0b&)<>|]|mp|p(?:[sx0b&)<>|]|io|ulimit)|s(?:h|cli[sx0b&)<>|]|plit|vtool)|u(?:t[sx0b&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sx0b&)<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&)-<>|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sx0b&)<>|]|++)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&)<>|]|w(?:say|think))|r(?:ash[sx0b&)<>|]|on(?:[sx0b&)<>|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sx0b&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sx0b&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sx0b&)<>|]|n(?:v(?:[sx0b&)<>|]|-update)|d(?:if|sw))|qn|s(?:[sx0b&)<>h|]|ac)|x(?:(?:ec)?[sx0b&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sx0b&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sx0b&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sx0b&)<>|]|le(?:[sx0b&)<>|]|test))|mt|tp(?:[sx0b&)<>|]|stats|who)|acter|o(?:ld[sx0b&)<>|]|reach)|ping)|g(?:c(?:c[^sx0b]|ore)|db|e(?:(?:m|tfacl)[sx0b&)<>|]|ni(?:e[sx0b&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sx0b&)<>|]|nsh)|(?:o|awk)[sx0b&)<>|]|pg|r(?:c|ep[sx0b&)<>|]|oup(?:[sx0b&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&)<>|]|e(?:ad[sx0b&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sx0b&)<>|]|onice|spell)|j(?:js|q|ava[sx0b&)<>|]|exec|o(?:(?:bs|in)[sx0b&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sx0b&)<>|]|all)|nife[sx0b&)<>|])|l(?:d(?:d?[sx0b&)<>|]|config)|(?:[np]|ynx)[sx0b&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sx0b&)<>|]|(?:la)?tex)|z(?:[sx0b&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sx0b&)<>|]|comm|log(?:in)?)|tex[sx0b&)<>|])|ess(?:[sx0b&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sx0b&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sx0b&)<>|]|il(?:[sx0b&)<>q|]|x[sx0b&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sx0b&)<>|]|k(?:dir[sx0b&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sx0b&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sx0b&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sx0b&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sx0b&)<>|]|m(?:[sx0b&)<>|]|ap)|p(?:m[sx0b&)<>|]|ing)|a(?:no[sx0b&)<>|]|sm|wk)|o(?:de[sx0b&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sx0b&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&)<>|]|s(?:swd|te[sx0b&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sx0b&)<>|]|tp)|g(?:[sx0b&)<>|]|rep)|hp(?:[sx0b&)57<>|]|-cgi)|i(?:(?:co?|ng)[sx0b&)<>|]|p[^sx0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sx0b&)<>|]|int(?:env|f[sx0b&)<>|]))|s(?:[sx0b&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:(?:f|ms)[sx0b&)<>|]|l(?:[sx0b&)5<>|]|sh))|opd|u(?:ppet[sx0b&)<>|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[sx0b&)<>|]|k(?:e[sx0b&)<>|]|u))|c(?:p[sx0b&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sx0b&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&)<>|]|user)|pm(?:[sx0b&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sx0b&)<>|]|sync|u(?:by[^sx0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[sx0b&)<>|])|e(?:(?:d|lf|rvice)[sx0b&)<>|]|t(?:(?:facl)?[sx0b&)<>|]|arch|env|sid)|ndmail)|(?:g|ash)[sx0b&)<>|]|h(?:(?:adow|ells)?[sx0b&)<>|]|.distrib|u(?:f|tdown[sx0b&)<>|]))|s(?:[sx0b&)<>|]|h(?:[sx0b&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sx0b&)<>|]|do)|vn|diff|ftp|l(?:eep[sx0b&
SecRule REQUEST_URI "@rx (?i)(?:^|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@rx !(?:d|!)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for RCE`
			`SecRuleEngine On`

			`SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@pmFromFile windows-powershell-commands.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			`SecRule REQUEST_URI "@rx $(?:((?:.\|(.)))\|{.}\|[.])\|[<>](.)\|/[0-9A-Z_a-z][!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx b(?:for(?:/[dflr].)? %+[^ ]+ in(.)[sx0b]?do\|if(?:/i)?(?: not)?(?: (?:e(?:xist\|rrorlevel)\|defined\|cmdextversion)b\|[ (].*(?:b(?:g(?:eq\|tr)\|equ\|neq\|l(?:eq\|ss))b\|==)))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ~(?:[+-](?:$\|[sx0b0-9]+)\|[0-9]+)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:^\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:^\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx !-d" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ^(s*)s+{" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ba[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@pmFromFile restricted-upload.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			SecRule REQUEST_URI "@rx (?i)(?:[nr;`{]\|\|\|?\|&&?)[sx0b]*[sx0b" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			`SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx $(?:((?:.\|(.)))\|{.}\|[.])\|[<>](.)\|/[0-9A-Z_a-z][!?.+]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx ['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(*-0-9?-[_a-{]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			`SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ^[^#]+" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx ^[^.]+.[^;?]+[;?](.(['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(-0-9?-[_a-{]))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			`SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx ^[^.]?(?:['?x5c`][^n/]+/\|/[^/]+?['?x5c`]\|$[!#$(-0-9?-[_a-{])" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"
			`SecRule REQUEST_URI "@rx /" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx s" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i).\|(?:[sx0b]*\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)[-0-9_a-z]+(?:[sx0b]*[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "!@rx [0-9]s's[0-9]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx ;[sx0b].[sx0b][" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx rn.?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}\|XPN .{1,64})\|HELO [-.A-Za-zx17fx212a]{1,255}\|MAIL FROM:<.{1,64}@.{1,255}>\|R(?:CPT TO:(?:<.{1,64}@.{1,255}>\| )?<.{1,64}>\|SETb)\|VRFY .{1,64}(?: <.{1,64}@.{1,255}>\|@.{1,255})\|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} (?:(?:[+/-9A-Z_a-zx17fx212a]{4})(?:[+/-9A-Z_a-zx17fx212a]{2}=\|[+/-9A-Z_a-zx17fx212a]{3}))?=\|STARTTLSb\|NOOPb(?: .{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?is)rn.?b(?:(?:LIST\|TOP [0-9]+)(?: [0-9]+)?\|U(?:SER .+?\|IDL(?: [0-9]+)?)\|PASS .+?\|(?:RETR\|DELE) [0-9]+?\|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}\|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})(?:[+/-9A-Z_a-z]{2}=\|[+/-9A-Z_a-z]{3}))?=))" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:^\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?i)(?:^\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@pmFromFile unix-shell.data" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?:b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			SecRule REQUEST_URI "@rx (?i)b(?:7z[arx]?\|(?:(?:GE\|POS)T\|HEAD)[sx0b&)<>\|]\|a(?:(?:b\|w[ks]\|l(?:ias\|pine)\|xel)[sx0b&)<>\|]\|pt(?:(?:itude)?[sx0b&)<>\|]\|-get)\|r(?:[sx0b&)<>j\|]\|(?:p\|ch)[sx0b&)<>\|]\|ia2c)\|s(?:h?[sx0b&)<>\|]\|cii(?:-xfr\|85)\|pell)\|t(?:[sx0b&)<>\|]\|obm)\|dd(?:group\|user)\|getty\|nsible)\|b(?:z(?:z[sx0b&)<>\|]\|c(?:at\|mp)\|diff\|e(?:grep\|xe)\|f?grep\|ip2(?:recover)?\|less\|more)\|a(?:s(?:e(?:32\|64\|n(?:ame[sx0b&)<>\|]\|c))\|h[sx0b&)<>\|])\|tch[sx0b&)<>\|])\|lkid\|pftrace\|r(?:eaksw\|idge[sx0b&)<>\|])\|sd(?:cat\|iff\|tar)\|u(?:iltin\|n(?:dler[sx0b&)<>\|]\|zip2)\|s(?:ctl\|ybox))\|y(?:ebug\|obu))\|c(?:[89]9\|(?:a(?:t\|ncel\|psh)\|c)[sx0b&)<>\|]\|mp\|p(?:[sx0b&)<>\|]\|io\|ulimit)\|s(?:h\|cli[sx0b&)<>\|]\|plit\|vtool)\|u(?:t[sx0b&)<>\|]\|psfilter)\|ertbot\|h(?:attr\|(?:dir\|root)[sx0b&)<>\|]\|e(?:ck_(?:by_ssh\|cups\|log\|memory\|raid\|s(?:sl_cert\|tatusfile))\|f[sx0b&)-<>\|])\|(?:flag\|pas)s\|g(?:passwd\|rp)\|mod\|o(?:om\|wn)\|sh)\|lang(?:[sx0b&)<>\|]\|++)\|o(?:(?:b\|pro)c\|(?:lumn\|m(?:m(?:and)?\|p(?:oser\|ress)))[sx0b&)<>\|]\|w(?:say\|think))\|r(?:ash[sx0b&)<>\|]\|on(?:[sx0b&)<>\|]\|tab)))\|d(?:(?:[du]\|i(?:(?:alo)?g\|r\|ff)\|a(?:sh\|te))[sx0b&)<>\|]\|n?f\|hclient\|m(?:esg\|idecode\|setup)\|o(?:as\|(?:cker\|ne)[sx0b&)<>\|]\|sbox)\|pkg\|vips)\|e(?:(?:[bd]\|cho)[sx0b&)<>\|]\|n(?:v(?:[sx0b&)<>\|]\|-update)\|d(?:if\|sw))\|qn\|s(?:[sx0b&)<>h\|]\|ac)\|x(?:(?:ec)?[sx0b&)<>\|]\|iftool\|p(?:(?:and\|(?:ec\|or)t)[sx0b&)<>\|]\|r))\|2fsck\|(?:asy_instal\|va)l\|fax\|grep\|macs)\|f(?:(?:c\|etch\|lock\|unction)[sx0b&)<>\|]\|d\|g(?:rep)?\|i(?:(?:n(?:d\|ger)\|sh)?[sx0b&)<>\|]\|le(?:[sx0b&)<>\|]\|test))\|mt\|tp(?:[sx0b&)<>\|]\|stats\|who)\|acter\|o(?:ld[sx0b&)<>\|]\|reach)\|ping)\|g(?:c(?:c[^sx0b]\|ore)\|db\|e(?:(?:m\|tfacl)[sx0b&)<>\|]\|ni(?:e[sx0b&)<>\|]\|soimage))\|hci?\|i(?:(?:t\|mp)[sx0b&)<>\|]\|nsh)\|(?:o\|awk)[sx0b&)<>\|]\|pg\|r(?:c\|ep[sx0b&)<>\|]\|oup(?:[sx0b&)<>\|]\|mod))\|tester\|unzip\|z(?:cat\|exe\|ip))\|h(?:(?:d\|up\|ash\|i(?:ghlight\|story))[sx0b&)<>\|]\|e(?:ad[sx0b&)<>\|]\|xdump)\|ost(?:id\|name)\|ping3\|t(?:digest\|op\|passwd))\|i(?:d\|p(?:6?tables\|config)?\|rb\|conv\|f(?:config\|top)\|nstall[sx0b&)<>\|]\|onice\|spell)\|j(?:js\|q\|ava[sx0b&)<>\|]\|exec\|o(?:(?:bs\|in)[sx0b&)<>\|]\|urnalctl)\|runscript)\|k(?:s(?:h\|shell)\|ill(?:[sx0b&)<>\|]\|all)\|nife[sx0b&)<>\|])\|l(?:d(?:d?[sx0b&)<>\|]\|config)\|(?:[np]\|ynx)[sx0b&)<>\|]\|s(?:-F\|b_release\|cpu\|hw\|mod\|of\|pci\|usb)?\|ua(?:[sx0b&)<>\|]\|(?:la)?tex)\|z(?:[sx0b&)4<>\|]\|4c(?:at)?\|c(?:at\|mp)\|diff\|[ef]?grep\|less\|m(?:a(?:dec\|info)?\|ore))\|a(?:st(?:[sx0b&)<>\|]\|comm\|log(?:in)?)\|tex[sx0b&)<>\|])\|ess(?:[sx0b&)<>\|]\|echo\|(?:fil\|pip)e)\|ftp(?:get)?\|o(?:(?:ca(?:l\|te)\|ok)[sx0b&)<>\|]\|g(?:inctl\|(?:nam\|sav)e)\|setup)\|trace\|wp-(?:d(?:ownload\|ump)\|mirror\|request))\|m(?:a(?:(?:n\|ke)[sx0b&)<>\|]\|il(?:[sx0b&)<>q\|]\|x[sx0b&)<>\|])\|ster.passwd\|wk)\|tr\|(?:v\|utt)[sx0b&)<>\|]\|k(?:dir[sx0b&)<>\|]\|fifo\|nod\|temp)\|locate\|o(?:(?:re\|unt)[sx0b&)<>\|]\|squitto)\|sg(?:attrib\|c(?:at\|onv)\|filter\|merge\|uniq)\|ysql(?:admin\|dump(?:slow)?\|hotcopy\|show)?)\|n(?:c(?:[sx0b&)<>\|]\|.(?:openbsd\|traditional)\|at)\|e(?:t(?:[sx0b&)<>\|]\|(?:c\|st)at\|kit-ftp\|plan)\|ofetch)\|(?:(?:ul)?l\|ice)[sx0b&)<>\|]\|m(?:[sx0b&)<>\|]\|ap)\|p(?:m[sx0b&)<>\|]\|ing)\|a(?:no[sx0b&)<>\|]\|sm\|wk)\|o(?:de[sx0b&)<>\|]\|hup)\|roff\|s(?:enter\|lookup\|tat))\|o(?:(?:d\|ctave)[sx0b&)<>\|]\|nintr\|p(?:en(?:ssl\|v(?:pn\|t))\|kg))\|p(?:a(?:(?:x\|cman\|rted\|tch)[sx0b&)<>\|]\|s(?:swd\|te[sx0b&)<>\|]))\|d(?:b\|f(?:la)?tex\|ksh)\|f(?:[sx0b&)<>\|]\|tp)\|g(?:[sx0b&)<>\|]\|rep)\|hp(?:[sx0b&)57<>\|]\|-cgi)\|i(?:(?:co?\|ng)[sx0b&)<>\|]\|p[^sx0b]\|dstat\|gz)\|k(?:g(?:_?info)?\|exec\|ill)\|r(?:y?[sx0b&)<>\|]\|int(?:env\|f[sx0b&)<>\|]))\|s(?:[sx0b&)<>\|]\|ed\|ftp\|ql)?\|t(?:x\|ar(?:diff\|grep)?)\|wd(?:.db)?\|xz\|er(?:(?:f\|ms)[sx0b&)<>\|]\|l(?:[sx0b&)5<>\|]\|sh))\|opd\|u(?:ppet[sx0b&)<>\|]\|shd)\|y(?:thon[23]\|3?versions))\|r(?:a(?:r[sx0b&)<>\|]\|k(?:e[sx0b&)<>\|]\|u))\|c(?:p[sx0b&)<>\|])?\|e(?:(?:d(?:carpet)?\|v\|name\|p(?:eat\|lace))[sx0b&)<>\|]\|a(?:delf\|lpath)\|stic)\|m(?:(?:dir)?[sx0b&)<>\|]\|user)\|pm(?:[sx0b&)<>\|]\|db\|(?:quer\|verif)y)\|bash\|l(?:ogin\|wrap)\|nano\|oute[sx0b&)<>\|]\|sync\|u(?:by[^sx0b]\|n-(?:mailcap\|parts))\|vi(?:ew\|m))\|s(?:c(?:p\|(?:hed\|r(?:een\|ipt))[sx0b&)<>\|])\|e(?:(?:d\|lf\|rvice)[sx0b&)<>\|]\|t(?:(?:facl)?[sx0b&)<>\|]\|arch\|env\|sid)\|ndmail)\|(?:g\|ash)[sx0b&)<>\|]\|h(?:(?:adow\|ells)?[sx0b&)<>\|]\|.distrib\|u(?:f\|tdown[sx0b&)<>\|]))\|s(?:[sx0b&)<>\|]\|h(?:[sx0b&)<>\|]\|-key(?:ge\|sca)n\|pass))\|u(?:[sx0b&)<>\|]\|do)\|vn\|diff\|ftp\|l(?:eep[sx0b&
			`SecRule REQUEST_URI "@rx (?i)(?:^\|b[" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx /(?:[?]+[a-z/]+\|[a-z/]+[?]+)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx rn.*?b(?:DATA\|QUIT\|HELP(?: .{1,255})?)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE\|OPY [*,0-:]+) [" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx rn.*?b(?:(?:QUI\|STA\|RSE)T\|NOOP\|CAPA)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@rx !(?:d\|!)" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`
			`SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'"`