mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-29 16:15:12 +00:00
Update: [Tue Jan 7 18:00:52 UTC 2025]
This commit is contained in:
github-actions[bot]
@@ -2,95 +2,35 @@
|
||||
location / {
|
||||
set $attack_detected 0;
|
||||
|
||||
if ($request_uri ~* "!@eq 0") {
|
||||
if ($request_uri ~* "content-transfer-encoding:(.*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@within |%{tx.allowed_request_content_type_charset}|") {
|
||||
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
|
||||
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
|
||||
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
|
||||
if ($request_uri ~* ".") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 1") {
|
||||
if ($request_uri ~* "[nr]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 1") {
|
||||
if ($request_uri ~* "TX:paramcounter_(.*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (?:bhttp/d|<(?:html|meta)b)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [nr]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [nr]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [nr]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx unix:[^|]*|") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 2") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 2") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [nr]") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 3") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 3") {
|
||||
if ($request_uri ~* "unix:[^|]*|") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@@ -98,7 +38,15 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx .") {
|
||||
if ($request_uri ~* "^content-types*:s*(.*)$") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
@@ -106,23 +54,7 @@ location / {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx TX:paramcounter_(.*)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx (][^]]+$|][^]]+[)") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 4") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@lt 4") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~* "@rx [") {
|
||||
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
|
||||
set $attack_detected 1;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user