External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Sun Dec 22 00:28:28 UTC 2024]

Browse Source
This commit is contained in:
github-actions[bot]
2024-12-22 00:28:28 +00:00
parent b05a7d87c2
commit 1e4bb70b5d
50 changed files with 428 additions and 577 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
waf_patterns/apache/php.conf
View File

@@ -3,11 +3,10 @@ SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)<?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^sx0b]|[sx0b]+[^a-z]|$)))|$|php)|[[/x5c]?php]" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-config-directives.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx b([^s]+)s*=[^=]" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-config-directives.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm =" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-variables.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
@@ -19,18 +18,16 @@ SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,ms
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx b([^s]+)s*[(]" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm (" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sx0b]|/*.**/|(?:#|//).*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.(?:phpd*|phtml)..*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm ?>" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm gzip compress deflate br zstd" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-errors.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"