mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-29 16:15:12 +00:00
Update: [Thu Jan 16 13:07:47 UTC 2025]
This commit is contained in:
github-actions[bot]
@@ -1,19 +1,20 @@
|
||||
# Apache ModSecurity rules for ATTACK
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1151,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1148,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 1" "id:1158,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1154,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1150,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1155,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1147,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1156,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\." "id:1157,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1152,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1149,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1146,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1153,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1159,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1037,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1038,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1035,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1052,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1032,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1039,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1029,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 1" "id:1041,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1030,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1031,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1053,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\[nr\]" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1036,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "\." "id:1040,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'"
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
# Apache ModSecurity rules for CORRELATION
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "@ge\ 5" "id:1343,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1347,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1344,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1349,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1345,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1348,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1342,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1327,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1326,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 5" "id:1321,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1320,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1323,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1324,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1322,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1325,phase:1,deny,status:403,log,msg:'correlation attack detected'"
|
||||
|
||||
@@ -1,86 +1,82 @@
|
||||
# Apache ModSecurity rules for ENFORCEMENT
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 1" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \(\?i\)\^\(\?:\&\(\?:\(\?:\[acegiln\-or\-suz\]acut\|\[aeiou\]grav\|\[ain\-o\]tild\)e\|\[c\-elnr\-tz\]caron\|\(\?:\[cgk\-lnr\-t\]cedi\|\[aeiouy\]um\)l\|\[aceg\-josuwy\]circ\|\[au\]ring\|a\(\?:mp\|pos\)\|nbsp\|oslash\);\|\[\^"';=\]\)\*\$" "id:1035,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1042,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1037,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1044,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1052,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1049,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1039,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "x25" "id:1048,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i\)application/x\-www\-form\-urlencoded" "id:1047,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1050,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\['";=\]" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1043,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1036,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1046,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1041,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@contains\ \#" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i\)up" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ POST" "id:1040,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "x25" "id:1045,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i\)multipart/form\-data" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1038,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1051,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "charset\.\*\?charset" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 50" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@streq\ JSON" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "x25" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1128,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "x25" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@streq\ JSON" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1132,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ POST" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 1" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1131,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 50" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "charset\.\*\?charset" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1130,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1127,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\$" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1125,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1129,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ 0" "id:1126,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1124,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@contains\ \#" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
SecRule REQUEST_URI "\['";=\]" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
|
||||
|
||||
@@ -1,41 +1,41 @@
|
||||
# Apache ModSecurity rules for EVALUATION
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1195,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1190,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1193,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1202,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1191,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1200,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1188,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1189,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1186,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1198,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1323,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1201,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1199,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1187,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1192,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1196,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1185,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1197,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1194,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1203,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1148,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1150,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1343,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1345,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1152,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1151,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1149,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 1" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 2" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 4" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@ge\ 3" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
# Apache ModSecurity rules for EXCEPTIONS
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1004,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ GET\ /" "id:1000,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1002,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1001,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1003,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1046,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1047,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1044,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ GET\ /" "id:1043,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1045,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
# Apache ModSecurity rules for FIXATION
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1144,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1145,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1140,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1142,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1143,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1141,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1145,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1142,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1143,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1146,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1144,phase:1,deny,status:403,log,msg:'fixation attack detected'"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Apache ModSecurity rules for GENERIC
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1119,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1120,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@\{\.\*\}" "id:1121,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1180,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "@\{\.\*\}" "id:1182,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1181,phase:1,deny,status:403,log,msg:'generic attack detected'"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Apache ModSecurity rules for IIS
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1297,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^404\$" "id:1296,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1295,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'"
|
||||
|
||||
@@ -1,31 +1,31 @@
|
||||
# Apache ModSecurity rules for INITIALIZATION
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1006,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1012,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1003,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1015,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1012,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1030,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1005,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\$" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 100" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1002,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1008,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1005,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1011,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1014,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1020,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1001,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1004,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1007,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1013,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1032,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1028,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 100" "id:1031,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 0" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
SecRule REQUEST_URI "@eq\ 1" "id:1029,phase:1,deny,status:403,log,msg:'initialization attack detected'"
|
||||
|
||||
@@ -1,18 +1,18 @@
|
||||
# Apache ModSecurity rules for JAVA
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1131,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1126,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1125,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1129,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1132,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1136,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "xacxedx00x05" "id:1133,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1134,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1130,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1135,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1138,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1127,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1128,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1137,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1139,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1199,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1187,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1198,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1190,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "xacxedx00x05" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1195,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1196,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1197,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1189,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1200,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1188,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1186,phase:1,deny,status:403,log,msg:'java attack detected'"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Apache ModSecurity rules for LEAKAGES
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1182,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
SecRule REQUEST_URI "\^5d\{2\}\$" "id:1184,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
SecRule REQUEST_URI "\^\#!s\?/" "id:1183,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
SecRule REQUEST_URI "\^\#!s\?/" "id:1184,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
SecRule REQUEST_URI "\^5d\{2\}\$" "id:1185,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1183,phase:1,deny,status:403,log,msg:'leakages attack detected'"
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Apache ModSecurity rules for LFI
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1118,phase:1,deny,status:403,log,msg:'lfi attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1051,phase:1,deny,status:403,log,msg:'lfi attack detected'"
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
# Apache ModSecurity rules for PHP
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1292,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1177,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pm\ =" "id:1175,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1176,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1179,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1180,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1174,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1173,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1178,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pm\ \?>" "id:1181,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1293,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pm\ \?>" "id:1141,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1138,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1140,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1254,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1137,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1136,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1139,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1134,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1133,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1253,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
SecRule REQUEST_URI "@pm\ =" "id:1135,phase:1,deny,status:403,log,msg:'php attack detected'"
|
||||
|
||||
@@ -1,29 +1,29 @@
|
||||
# Apache ModSecurity rules for RCE
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1273,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1271,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1275,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1281,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1278,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1288,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1286,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1274,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1290,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1285,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1277,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1289,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1268,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1270,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1283,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1266,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1284,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1287,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1267,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1280,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1276,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1279,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1272,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1282,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1291,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!\-d" "id:1269,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1244,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1227,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1235,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1249,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1246,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1239,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1236,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/" "id:1242,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!\-d" "id:1230,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1250,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1251,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1248,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1238,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1232,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1245,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1247,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1240,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1237,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "s" "id:1243,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1234,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1231,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1229,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1252,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1241,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1233,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1228,phase:1,deny,status:403,log,msg:'rce attack detected'"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Apache ModSecurity rules for RFI
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1123,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1124,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1122,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1049,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1050,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1048,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
||||
|
||||
@@ -1,28 +1,28 @@
|
||||
# Apache ModSecurity rules for SHELLS
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1322,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1319,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1311,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1302,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1316,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1313,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1320,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1308,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1304,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1307,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1301,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1306,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1305,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1299,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1309,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1303,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1300,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1312,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1318,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1310,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1317,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1321,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1298,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1301,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1305,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1296,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1302,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1310,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1309,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1317,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1312,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1298,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1319,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1297,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1295,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1308,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1316,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1299,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1303,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1313,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1318,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1300,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1306,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1304,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1311,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1307,phase:1,deny,status:403,log,msg:'shells attack detected'"
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
# Apache ModSecurity rules for SQL
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1161,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1170,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1164,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1165,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1167,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1172,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1169,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1171,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1168,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1163,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1160,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1162,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1166,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1167,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1169,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1171,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1176,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1179,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1168,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1174,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1170,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1177,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1178,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1172,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1175,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1173,phase:1,deny,status:403,log,msg:'sql attack detected'"
|
||||
|
||||
@@ -1,39 +1,39 @@
|
||||
# Apache ModSecurity rules for SQLI
|
||||
SecRuleEngine On
|
||||
|
||||
SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1246,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1232,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1256,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@detectSQLi" "id:1257,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{12\}\)" "id:1250,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1259,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1242,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "';" "id:1263,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1241,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1237,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1258,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "W\{4\}" "id:1262,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1235,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1244,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1247,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1253,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1254,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{2\}\)" "id:1265,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1236,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1251,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1243,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1238,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1255,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1231,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{6\}\)" "id:1261,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1252,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1234,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{3\}\)" "id:1264,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1233,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1248,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1249,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@detectSQLi" "id:1230,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1240,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1245,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1239,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{8\}\)" "id:1260,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1269,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1261,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@detectSQLi" "id:1255,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1277,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "';" "id:1288,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{6\}\)" "id:1286,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1271,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1283,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1266,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1279,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1267,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "@detectSQLi" "id:1282,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{12\}\)" "id:1275,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1270,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1256,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1265,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1257,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1259,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1281,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1268,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1276,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1280,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1284,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1278,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{8\}\)" "id:1285,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{2\}\)" "id:1290,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1258,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1260,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1264,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1262,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1272,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1274,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1273,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "W\{4\}" "id:1287,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´’‘`<>\]\*\?\)\{3\}\)" "id:1289,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1263,phase:1,deny,status:403,log,msg:'sqli attack detected'"
|
||||
|
||||
File diff suppressed because one or more lines are too long
Reference in New Issue
Block a user