mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
Update: [Sun Dec 29 23:20:18 UTC 2024]
This commit is contained in:
github-actions[bot]
parent
36f08db3eb
commit
3760d3dcde
220
owasp_rules.json
220
owasp_rules.json
File diff suppressed because one or more lines are too long
@ -28,7 +28,7 @@ SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack att
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@rx [" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "!@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -13,7 +13,7 @@ SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'enforcemen
|
||||
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^d+$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^0?$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
@ -29,13 +29,13 @@ SecRule REQUEST_URI "@rx (d+)-(d+)" "id:1000,phase:1,deny,status:403,log,msg:'en
|
||||
SecRule REQUEST_URI "@lt %{tx.1}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(.*)/(?:[^?]+)?(?.*)?$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^.*%.*.[^sv.]+$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)%uff[0-9a-f]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx %u[fF]{2}[0-9a-fA-F]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange 1-255" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
@ -62,10 +62,10 @@ SecRule REQUEST_URI "@rx ^(?i)multipart/form-data" "id:1000,phase:1,deny,status:
|
||||
SecRule REQUEST_URI "@gt %{tx.max_file_size}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt %{tx.combined_file_sizes}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^[^;s]+" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx charsets*=s*[" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx charsets*=s*["']?([^;"'s]+)" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx charset.*?charset" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@within %{tx.allowed_http_versions}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
@ -75,7 +75,7 @@ SecRule REQUEST_URI "@rx .[^.~]+~(?:/.*|)$" "id:1000,phase:1,deny,status:403,log
|
||||
SecRule REQUEST_URI "@rx ^.*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within %{tx.restricted_headers_basic}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt 50" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@streq JSON" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)x5cu[0-9a-f]{4}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@contains #" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
@ -89,14 +89,11 @@ SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" "id:1000,phase:1,
|
||||
SecRule REQUEST_URI "@rx %[0-9a-fA-F]{2}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange 9,10,13,32-126,128-255" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ['" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ['";=]" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^0$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq 0" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^.*$" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within %{tx.restricted_headers_extended}" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@rx x25" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange 32-36,38-126" "id:1000,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
|
||||
@ -3,16 +3,17 @@ SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@pmFromFile ssrf.data" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx Process[sv]*.[sv]*spawn[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx [s*constructors*]" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@rx @{.*}" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
|
||||
@ -29,6 +29,5 @@ SecRule REQUEST_URI "@eq 1" "id:1000,phase:1,deny,status:403,log,msg:'initializa
|
||||
SecRule REQUEST_URI "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq 100" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^[a-f]*([0-9])[a-f]*([0-9])" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "nolog" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "!@lt %{tx.sampling_percentage}" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@lt %{tx.blocking_paranoia_level}" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
|
||||
@ -11,10 +11,10 @@ SecRule REQUEST_URI "@pmFromFile php-variables.data" "id:1000,phase:1,deny,statu
|
||||
SecRule REQUEST_URI "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pmFromFile php-function-names-933150.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx [oOcC]:d+:" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx [oOcC]:d+:".+?":d+:{.*}" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
@ -25,7 +25,7 @@ SecRule REQUEST_URI "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAG
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx .*.(?:phpd*|phtml)..*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pm ?>" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:((?:.+)(?:[" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -18,10 +18,10 @@ SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web She
|
||||
SecRule REQUEST_URI "@rx <title>lama's'hell v. [0-9.]+</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align=" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell -" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv=" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains <title>punkholicshell</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
@ -30,7 +30,7 @@ SecRule REQUEST_URI "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" "i
|
||||
SecRule REQUEST_URI "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains <h1 style=" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
|
||||
@ -8,72 +8,69 @@ SecRule REQUEST_URI "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:informatio
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'`](?:[sv]*![sv]*["'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?["'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:merge.*?usings*?(|executes*?immediates*?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+["'`]|;.*?:[sv]*?goto)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:merge.*?usings*?(|executes*?immediates*?["'`]|matchs*?[w(),+-]+s*?againsts*?()" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)union.*?select.*?from" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)/*[sv]*?[!+](?:[sv(-)-0-9=A-Z_a-z]+)?*/" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?:[^']*'|[^" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|["'0-9A-Z_-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?:[^']*'|[^"]*"|[^`]*`)[sv]*;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)1.e[(-),]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx [" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ["'`][[{].*[]}]["'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)["'`][[{].*[]}]["'`]|json_extract.*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[sv" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:^s*["'`;]+|["'`]+s*$)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?["'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|"[^"]*")[sv]+and[sv]+(?:'[^']*'|"[^"]*"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@streq %{TX.2}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[sv" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@streq %{TX.2}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:/*)+[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i),.*?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:/*)+["'`]+[sv]?(?:--|[#{]|/*)?|["'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*["'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?["'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)["'`])|[0-9]["'`][sv]+["'`][sv]+[0-9]|^admin[sv]*?["'`]|[sv"'-(`][sv]*?glob[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i),.*?["')0-9`-f]["'`](?:["'`].*?["'`]|(?:r?n)?z|[^"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?["'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|["'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z]["'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+["'`][0-9A-Z_a-z]|["'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?["'`]$|["'x5c`]*?(?:["'0-9`]+|[^"'`]+["'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?["'`]|[0-9=]+x)|["'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+["'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?["'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)["'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:^[Wd]+s*?(?:alter|union)b)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?["'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?["'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^["'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+["'`][^,]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|["'][^=]{1,10}[ "'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!ARGS:foo" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx [a-zA-Z0-9_-]{61,61}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx [a-zA-Z0-9_-]{91,91}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){12})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:b0x[a-fd]{3,})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^"]*?(?:"[^"]*?"[^"]*?)*?"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^(?:and|or)$" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^.*?x5c['" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ^.*?x5c['"`](?:.*?['"`])?s*(?:and|or)b" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@detectSQLi" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx [" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!REQUEST_COOKIES:foo_id" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ["'`][sd]*?[^ws]W*?dW*?.*?["'`d]" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){8})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){6})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx W{4}" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ';" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){3})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){2})" "id:1000,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
|
||||
@ -8,16 +8,16 @@ SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss a
|
||||
SecRule REQUEST_URI "@rx (?i)<script[^>]*>[sS]*?" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|["'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:["']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)(?:v|&#(?:0*8|x0*5)[36];)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*6[26]|x0*(?:98|42));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)<EMBED[s/+].*?(?:src|type).*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx <[?]?import[s/+S]*?implementation[s/+]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*["'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:<META[s/+].*?charset[s/+]*=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)<LINK[s/+].*?href[s/+]*=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)<BASE[s/+].*?href[s/+]*=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
@ -28,17 +28,17 @@ SecRule REQUEST_URI "@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)" "id:10
|
||||
SecRule REQUEST_URI "@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx ![!+ ][]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa)[sv]*(" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@detectXSS" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[s" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@contains -->" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)[" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i:["'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx (?i)["'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@rx {{.*?}}" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'xss attack detected'"
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
@block_attack {
|
||||
path_regexp attack "(?i)(@lt 1|@lt 1|@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d|@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w|@rx (?:bhttp/d|<(?:html|meta)b)|@rx [nr]|@rx [nr]|@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:|@rx [nr]|@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)|@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)|@rx unix:[^|]*||@lt 2|@lt 2|@rx [nr]|@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b|@lt 3|@lt 3|@gt 0|@rx .|@gt 1|@rx TX:paramcounter_(.*)|@rx (][^]]+$|][^]]+[)|@lt 4|@lt 4|@rx [|!@eq 0|!@within %{tx.allowed_request_content_type_charset}|@rx ^content-types*:s*(.*)$|!@rx ^(?:(?:*|[^!-|@rx content-transfer-encoding:(.*))"
|
||||
path_regexp attack "(?i)(@lt 1|@lt 1|@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d|@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w|@rx (?:bhttp/d|<(?:html|meta)b)|@rx [nr]|@rx [nr]|@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:|@rx [nr]|@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)|@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)|@rx unix:[^|]*||@lt 2|@lt 2|@rx [nr]|@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b|@lt 3|@lt 3|@gt 0|@rx .|@gt 1|@rx TX:paramcounter_(.*)|@rx (][^]]+$|][^]]+[)|@lt 4|@lt 4|@rx [|!@eq 0|!@within |%{tx.allowed_request_content_type_charset}||@rx ^content-types*:s*(.*)$|!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$|@rx content-transfer-encoding:(.*))"
|
||||
}
|
||||
respond @block_attack 403
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -1,4 +1,4 @@
|
||||
@block_enforcement {
|
||||
path_regexp enforcement "(?i)(@lt 1|@lt 1|!@within %{tx.allowed_methods}|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4|@lt 1|@lt 1|!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$|!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^|!@rx ^d+$|@rx ^(?:GET|HEAD)$|!@rx ^0?$|@rx ^(?:GET|HEAD)$|!@eq 0|!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0|@streq POST|@eq 0|@eq 0|!@eq 0|!@eq 0|@rx (d+)-(d+)|@lt %{tx.1}|@rx b(?:keep-alive|close),s?(?:keep-alive|close)b|@rx x25|@rx ^(.*)/(?:[^?]+)?(?.*)?$|@validateUrlEncoding|!@rx ^.*%.*.[^sv.]+$|@validateUrlEncoding|@eq 1|@validateUtf8Encoding|@rx (?i)%uff[0-9a-f]{2}|@validateByteRange 1-255|@eq 0|@rx ^$|@rx ^$|!@rx ^OPTIONS$|!@pm AppleWebKit Android Business Enterprise Entreprise|@rx ^$|!@rx ^OPTIONS$|@eq 0|@rx ^$|!@rx ^0$|@eq 0|@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)|@eq 1|@gt %{tx.max_num_args}|@eq 1|@gt %{tx.arg_name_length}|@eq 1|@gt %{tx.arg_length}|@eq 1|@gt %{tx.total_arg_length}|@eq 1|@rx ^(?i)multipart/form-data|@gt %{tx.max_file_size}|@eq 1|@gt %{tx.combined_file_sizes}|!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['|@rx ^[^;s]+|!@within %{tx.allowed_request_content_type}|@rx charsets*=s*[|!@within %{tx.allowed_request_content_type_charset}|@rx charset.*?charset|!@within %{tx.allowed_http_versions}|@rx .([^.]+)$|@within %{tx.restricted_extensions}|@rx .[^.~]+~(?:/.*|)$|@rx ^.*$|@within %{tx.restricted_headers_basic}|@gt 50|!@rx ^(?:(?:*|[^!-|!@streq JSON|@rx (?i)x5cu[0-9a-f]{4}|@contains #|@gt 1|@lt 2|@lt 2|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|!@endsWith .pdf|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}|@rx %[0-9a-fA-F]{2}|@validateByteRange 9,10,13,32-126,128-255|@eq 0|@rx ['|!@rx ^0$|@eq 0|@rx ^.*$|@within %{tx.restricted_headers_extended}|@rx ^(?i)application/x-www-form-urlencoded|@rx x25|@validateUrlEncoding|@lt 3|@lt 3|@validateByteRange 32-36,38-126|@eq 0|!@rx ^(?:OPTIONS|CONNECT)$|!@pm AppleWebKit Android|@ge 1|@rx ^(?i)up|@gt 0|!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$|!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)|@lt 4|@lt 4|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|@validateByteRange 38,44-46,48-58,61,65-90,95,97-122|@validateByteRange 32,34,38,42-59,61,65-90,95,97-122|!@rx ^(?:?[01])?$|@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789])"
|
||||
path_regexp enforcement "(?i)(@lt 1|@lt 1|!@within %{tx.allowed_methods}|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4|@lt 1|@lt 1|!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$|!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$|!@rx ^d+$|@rx ^(?:GET|HEAD)$|!@rx ^0?$|@rx ^(?:GET|HEAD)$|!@eq 0|!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0|@streq POST|@eq 0|@eq 0|!@eq 0|!@eq 0|@rx (d+)-(d+)|@lt %{tx.1}|@rx b(?:keep-alive|close),s?(?:keep-alive|close)b|@rx x25|@validateUrlEncoding|@rx ^(?i)application/x-www-form-urlencoded|@rx x25|@validateUrlEncoding|@eq 1|@validateUtf8Encoding|@rx %u[fF]{2}[0-9a-fA-F]{2}|@validateByteRange 1-255|@eq 0|@rx ^$|@rx ^$|!@rx ^OPTIONS$|!@pm AppleWebKit Android Business Enterprise Entreprise|@rx ^$|!@rx ^OPTIONS$|@eq 0|@rx ^$|!@rx ^0$|@eq 0|@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)|@eq 1|@gt %{tx.max_num_args}|@eq 1|@gt %{tx.arg_name_length}|@eq 1|@gt %{tx.arg_length}|@eq 1|@gt %{tx.total_arg_length}|@eq 1|@rx ^(?i)multipart/form-data|@gt %{tx.max_file_size}|@eq 1|@gt %{tx.combined_file_sizes}|!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$|@rx ^[^;s]+|!@within %{tx.allowed_request_content_type}|@rx charsets*=s*["']?([^;"'s]+)|!@within %{tx.allowed_request_content_type_charset}|@rx charset.*?charset|!@within %{tx.allowed_http_versions}|@rx .([^.]+)$|@within %{tx.restricted_extensions}|@rx .[^.~]+~(?:/.*|)$|@rx ^.*$|@within %{tx.restricted_headers_basic}|@gt 50|!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$|!@streq JSON|@rx (?i)x5cu[0-9a-f]{4}|@contains #|@gt 1|@lt 2|@lt 2|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|!@endsWith .pdf|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}|@rx %[0-9a-fA-F]{2}|@validateByteRange 9,10,13,32-126,128-255|@eq 0|@rx ['";=]|!@rx ^0$|@eq 0|@rx ^.*$|@within %{tx.restricted_headers_extended}|@lt 3|@lt 3|@validateByteRange 32-36,38-126|@eq 0|!@rx ^(?:OPTIONS|CONNECT)$|!@pm AppleWebKit Android|@ge 1|@rx ^(?i)up|@gt 0|!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$|!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)|@lt 4|@lt 4|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|@validateByteRange 38,44-46,48-58,61,65-90,95,97-122|@validateByteRange 32,34,38,42-59,61,65-90,95,97-122|!@rx ^(?:?[01])?$|@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789])"
|
||||
}
|
||||
respond @block_enforcement 403
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
@block_generic {
|
||||
path_regexp generic "(?i)(@lt 1|@lt 1|@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[|@pmFromFile ssrf.data|@rx (?:__proto__|constructors*(?:.|[)s*prototype)|@rx Process[sv]*.[sv]*spawn[sv]*(|@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0||@rx ^data:(?:(?:*|[^!-|@lt 2|@lt 2|@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(|@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))|@rx @{.*}|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
path_regexp generic "(?i)(@lt 1|@lt 1|@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])|@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(|@pmFromFile ssrf.data|@rx (?:__proto__|constructors*(?:.|[)s*prototype)|@rx Process[sv]*.[sv]*spawn[sv]*(|@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)|@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*|@lt 2|@lt 2|@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))|@rx [s*constructors*]|@rx @{.*}|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
}
|
||||
respond @block_generic 403
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
@block_initialization {
|
||||
path_regexp initialization "(?i)(@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 1|@rx ^.*$|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 1|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 100|@rx ^[a-f]*([0-9])[a-f]*([0-9])|nolog|!@lt %{tx.sampling_percentage}|@lt %{tx.blocking_paranoia_level})"
|
||||
path_regexp initialization "(?i)(@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 1|@rx ^.*$|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 1|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 100|@rx ^[a-f]*([0-9])[a-f]*([0-9])|!@lt %{tx.sampling_percentage}|@lt %{tx.blocking_paranoia_level})"
|
||||
}
|
||||
respond @block_initialization 403
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
@block_php {
|
||||
path_regexp php "(?i)(@lt 1|@lt 1|@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])|@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$|@pmFromFile php-config-directives.data|@pm =|@pmFromFile php-variables.data|@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)|@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://|@pmFromFile php-function-names-933150.data|@rx (?i)b(?[|@rx [oOcC]:d+:|@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)|@rx (?:((?:.+)(?:[|@lt 2|@lt 2|@pmFromFile php-function-names-933151.data|@pm (|@lt 3|@lt 3|@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI|@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)|@rx .*.(?:phpd*|phtml)..*$|@pm ?>|@rx (?:((?:.+)(?:[|@lt 4|@lt 4|@lt 1|@lt 1|@pmFromFile php-errors.data|@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b|@rx (?i)<?(?:=|php)?s+|@lt 2|@lt 2|@pmFromFile php-errors-pl2.data|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
path_regexp php "(?i)(@lt 1|@lt 1|@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])|@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$|@pmFromFile php-config-directives.data|@pm =|@pmFromFile php-variables.data|@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)|@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://|@pmFromFile php-function-names-933150.data|@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)|@rx [oOcC]:d+:".+?":d+:{.*}|@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)|@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));|@lt 2|@lt 2|@pmFromFile php-function-names-933151.data|@pm (|@lt 3|@lt 3|@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI|@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)|@rx .*.(?:phpd*|phtml)..*$|@pm ?>|@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?|@lt 4|@lt 4|@lt 1|@lt 1|@pmFromFile php-errors.data|@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b|@rx (?i)<?(?:=|php)?s+|@lt 2|@lt 2|@pmFromFile php-errors-pl2.data|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
}
|
||||
respond @block_php 403
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -1,4 +1,4 @@
|
||||
@block_shells {
|
||||
path_regexp shells "(?i)(@lt 1|@lt 1|@pmFromFile web-shells-php.data|@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)|@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>|@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>|@rx <title>Mini Shell</title>.*Developed By LameHacker|@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>|@rx <title>Symlink_Sa [0-9.]+</title>|@rx <title>CasuS [0-9.]+ by MafiABoY</title>|@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+|@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$|@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -|@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>|@rx <title>lama's'hell v. [0-9.]+</title>|@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -|@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->|@rx ^<html>n<head>n<div align=|@rx ^<html>n<head>n<title>Ru24PostWebShell -|@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>|@rx ^<html>rn<head>rn<meta http-equiv=|@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+|@contains <title>punkholicshell</title>|@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>|@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=|@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>|@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>|@lt 2|@lt 2|@contains <h1 style=|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
path_regexp shells "(?i)(@lt 1|@lt 1|@pmFromFile web-shells-php.data|@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)|@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>|@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>|@rx <title>Mini Shell</title>.*Developed By LameHacker|@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>|@rx <title>Symlink_Sa [0-9.]+</title>|@rx <title>CasuS [0-9.]+ by MafiABoY</title>|@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+|@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$|@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -|@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>|@rx <title>lama's'hell v. [0-9.]+</title>|@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -|@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->|@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">|@rx ^<html>n<head>n<title>Ru24PostWebShell -|@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>|@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>|@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+|@contains <title>punkholicshell</title>|@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>|@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=|@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>|@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>|@lt 2|@lt 2|@contains <h1 style="margin-bottom: 0">webadmin.php</h1>|@lt 3|@lt 3|@lt 4|@lt 4)"
|
||||
}
|
||||
respond @block_shells 403
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -110,7 +110,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
|
||||
if ($request_uri ~* "!@within |%{tx.allowed_request_content_type_charset}|") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -118,7 +118,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-") {
|
||||
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -50,7 +50,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^") {
|
||||
if ($request_uri ~* "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -114,15 +114,15 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^(.*)/(?:[^?]+)?(?.*)?$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateUrlEncoding") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^.*%.*.[^sv.]+$") {
|
||||
if ($request_uri ~* "@rx ^(?i)application/x-www-form-urlencoded") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx x25") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -138,7 +138,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)%uff[0-9a-f]{2}") {
|
||||
if ($request_uri ~* "@rx %u[fF]{2}[0-9a-fA-F]{2}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -246,7 +246,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['") {
|
||||
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -258,7 +258,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx charsets*=s*[") {
|
||||
if ($request_uri ~* "@rx charsets*=s*["']?([^;"'s]+)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -298,7 +298,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-") {
|
||||
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -354,7 +354,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ['") {
|
||||
if ($request_uri ~* "@rx ['";=]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -374,18 +374,6 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^(?i)application/x-www-form-urlencoded") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx x25") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@validateUrlEncoding") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 3") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -10,7 +10,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[") {
|
||||
if ($request_uri ~* "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -26,11 +30,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|") {
|
||||
if ($request_uri ~* "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^data:(?:(?:*|[^!-") {
|
||||
if ($request_uri ~* "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -42,14 +46,14 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [s*constructors*]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx @{.*}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -114,10 +114,6 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "nolog") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@lt %{tx.sampling_percentage}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -42,11 +42,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)b(?[") {
|
||||
if ($request_uri ~* "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [oOcC]:d+:") {
|
||||
if ($request_uri ~* "@rx [oOcC]:d+:".+?":d+:{.*}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -54,7 +54,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:((?:.+)(?:[") {
|
||||
if ($request_uri ~* "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -98,7 +98,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:((?:.+)(?:[") {
|
||||
if ($request_uri ~* "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -70,7 +70,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^<html>n<head>n<div align=") {
|
||||
if ($request_uri ~* "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -82,7 +82,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^<html>rn<head>rn<meta http-equiv=") {
|
||||
if ($request_uri ~* "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -118,7 +118,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@contains <h1 style=") {
|
||||
if ($request_uri ~* "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'`](?:[sv]*![sv]*["'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?["'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -42,11 +42,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[") {
|
||||
if ($request_uri ~* "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+["'`]|;.*?:[sv]*?goto)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i:merge.*?usings*?(|executes*?immediates*?[") {
|
||||
if ($request_uri ~* "@rx (?i:merge.*?usings*?(|executes*?immediates*?["'`]|matchs*?[w(),+-]+s*?againsts*?()") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -54,7 +54,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[") {
|
||||
if ($request_uri ~* "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -70,15 +70,15 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|[") {
|
||||
if ($request_uri ~* "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|["'0-9A-Z_-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)/*[sv]*?[!+](?:[sv(-)-0-9=A-Z_a-z]+)?*/") {
|
||||
if ($request_uri ~* "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^(?:[^']*'|[^") {
|
||||
if ($request_uri ~* "@rx ^(?:[^']*'|[^"]*"|[^`]*`)[sv]*;") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -86,7 +86,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [") {
|
||||
if ($request_uri ~* "@rx ["'`][[{].*[]}]["'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)["'`][[{].*[]}]["'`]|json_extract.*(.*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -98,11 +98,15 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[") {
|
||||
if ($request_uri ~* "@rx (?:^s*["'`;]+|["'`]+s*$)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[sv") {
|
||||
if ($request_uri ~* "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?["'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|"[^"]*")[sv]+and[sv]+(?:'[^']*'|"[^"]*"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -110,7 +114,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[sv") {
|
||||
if ($request_uri ~* "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -122,35 +126,35 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:/*)+[") {
|
||||
if ($request_uri ~* "@rx (?i)(?:/*)+["'`]+[sv]?(?:--|[#{]|/*)?|["'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*["'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?["'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)["'`])|[0-9]["'`][sv]+["'`][sv]+[0-9]|^admin[sv]*?["'`]|[sv"'-(`][sv]*?glob[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i),.*?[") {
|
||||
if ($request_uri ~* "@rx (?i),.*?["')0-9`-f]["'`](?:["'`].*?["'`]|(?:r?n)?z|[^"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?[") {
|
||||
if ($request_uri ~* "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?["'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|[") {
|
||||
if ($request_uri ~* "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|["'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z][") {
|
||||
if ($request_uri ~* "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z]["'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+["'`][0-9A-Z_a-z]|["'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?["'`]$|["'x5c`]*?(?:["'0-9`]+|[^"'`]+["'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?[") {
|
||||
if ($request_uri ~* "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?["'`]|[0-9=]+x)|["'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+["'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?["'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)["'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -158,23 +162,23 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|[") {
|
||||
if ($request_uri ~* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?["'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?["'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^["'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+["'`][^,]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[") {
|
||||
if ($request_uri ~* "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|["'][^=]{1,10}[ "'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[") {
|
||||
if ($request_uri ~* "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[") {
|
||||
if ($request_uri ~* "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -190,19 +194,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!ARGS:foo") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [a-zA-Z0-9_-]{61,61}") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [a-zA-Z0-9_-]{91,91}") {
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){12})") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -222,11 +214,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^") {
|
||||
if ($request_uri ~* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^"]*?(?:"[^"]*?"[^"]*?)*?"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -234,7 +226,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^.*?x5c['") {
|
||||
if ($request_uri ~* "@rx ^.*?x5c['"`](?:.*?['"`])?s*(?:and|or)b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -262,19 +254,15 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [") {
|
||||
if ($request_uri ~* "@rx ["'`][sd]*?[^ws]W*?dW*?.*?["'`d]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!REQUEST_COOKIES:foo_id") {
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){8})") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){6})") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -298,11 +286,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){3})") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
|
||||
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´’‘`<>][^~!@#$%^&*()-+={}[]|:;"'´’‘`<>]*?){2})") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
@ -30,11 +30,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv") {
|
||||
if ($request_uri ~* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|["'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[") {
|
||||
if ($request_uri ~* "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:["']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -54,7 +54,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
|
||||
if ($request_uri ~* "@rx (?i)(?:v|&#(?:0*8|x0*5)[36];)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*6[26]|x0*(?:98|42));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -66,7 +66,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[") {
|
||||
if ($request_uri ~* "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*["'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -110,7 +110,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sv]*(") {
|
||||
if ($request_uri ~* "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa)[sv]*(") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -130,7 +130,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[s") {
|
||||
if ($request_uri ~* "@rx (?i)[s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@ -146,11 +146,11 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i:[") {
|
||||
if ($request_uri ~* "@rx (?i:["'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?i)[") {
|
||||
if ($request_uri ~* "@rx (?i)["'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
Loading…
x
Reference in New Issue
Block a user