External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Sun Dec 22 00:28:28 UTC 2024]

Browse Source
This commit is contained in:
github-actions[bot]
2024-12-22 00:28:28 +00:00
parent b05a7d87c2
commit 1e4bb70b5d
50 changed files with 428 additions and 577 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
waf_patterns/apache/shells.conf
View File

@@ -1,12 +1,11 @@
# Apache ModSecurity rules for SHELLS
SecRuleEngine On
SecRule REQUEST_URI "@pm gzip compress deflate br zstd" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Mini Shell</title>.*Developed By LameHacker" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
@@ -20,7 +19,7 @@ SecRule REQUEST_URI "@rx <title>lama's'hell v. [0-9.]+</title>" "id:1000,phase:1
SecRule REQUEST_URI "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align=" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv=" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"