External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-29 16:15:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024]

Browse Source
This commit is contained in:
github-actions[bot]
2024-12-21 00:30:30 +00:00
parent 034d133d1c
commit 79ac2edf7b
40 changed files with 2892 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
waf_patterns/caddy/attack.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_attack {
path_regexp attack "(?i)(@lt 1|@lt 1|@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d|@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w|@rx (?:bhttp/d|<(?:html|meta)b)|@rx [nr]|@rx [nr]|@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:|@rx [nr]|@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)|@rx ^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)|@rx unix:[^|]*||@lt 2|@lt 2|@rx [nr]|@rx ^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b|@lt 3|@lt 3|@gt 0|@rx .|@gt 1|@rx (][^]]+$|][^]]+[)|@lt 4|@lt 4|@rx [|!@eq 0|!@within %{tx.allowed_request_content_type_charset}|@rx ^content-types*:s*(.*)$|!@rx ^(?:(?:*|[^!|@rx content-transfer-encoding:(.*)|@rx [^x21-x7E][x21-x39x3B-x7E]*:)"
}
respond @block_attack 403

4
waf_patterns/caddy/correlation.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_correlation {
path_regexp correlation "(?i)(@eq 0|@ge 5|@eq 0|@ge %{tx.inbound_anomaly_score_threshold}|@ge %{tx.outbound_anomaly_score_threshold}|@lt 2|@ge %{tx.inbound_anomaly_score_threshold}|@ge %{tx.outbound_anomaly_score_threshold}|@lt 3|@gt 0|@lt 4|@lt 1|@lt 1|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_correlation 403

4
waf_patterns/caddy/detection.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_detection {
path_regexp detection "(?i)(@lt 1|@lt 1|@pmFromFile scanners-user-agents.data|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_detection 403

4
waf_patterns/caddy/enforcement.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_enforcement {
path_regexp enforcement "(?i)(@lt 1|@lt 1|!@within %{tx.allowed_methods}|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4|@lt 1|@lt 1|!@rx (?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$|!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^|!@rx ^d+$|@rx ^(?:GET|HEAD)$|!@rx ^0?$|@rx ^(?:GET|HEAD)$|!@eq 0|!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0|@streq POST|@eq 0|@eq 0|!@eq 0|!@eq 0|@rx (d+)-(d+)|@lt %{tx.1}|@rx b(?:keep-alive|close),s?(?:keep-alive|close)b|@rx x25|@rx ^(.*)/(?:[^?]+)?(?.*)?$|@validateUrlEncoding|!@rx ^.*%.*.[^sx0b.]+$|@validateUrlEncoding|@eq 1|@validateUtf8Encoding|@rx (?i)%uff[0-9a-f]{2}|@validateByteRange 1-255|@eq 0|@rx ^$|@rx ^$|!@rx ^OPTIONS$|!@pm AppleWebKit Android Business Enterprise Entreprise|@rx ^$|!@rx ^OPTIONS$|@eq 0|@rx ^$|!@rx ^0$|@eq 0|@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)|@eq 1|@gt %{tx.max_num_args}|@eq 1|@gt %{tx.arg_name_length}|@eq 1|@gt %{tx.arg_length}|@eq 1|@gt %{tx.total_arg_length}|@eq 1|@rx ^(?i)multipart/form-data|@gt %{tx.max_file_size}|@eq 1|@gt %{tx.combined_file_sizes}|!@rx ^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['|@rx ^[^;s]+|!@within %{tx.allowed_request_content_type}|@rx charsets*=s*[|!@within %{tx.allowed_request_content_type_charset}|@rx charset.*?charset|!@within %{tx.allowed_http_versions}|@rx .([^.]+)$|@within %{tx.restricted_extensions}|@rx .[^.~]+~(?:/.*|)$|@rx ^.*$|@within %{tx.restricted_headers_basic}|@gt 100|!@rx ^(?:(?:*|[^!|!@streq JSON|@rx (?i)x5cu[0-9a-f]{4}|@contains #|@gt 1|@lt 2|@lt 2|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|!@endsWith .pdf|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}|@rx %[0-9a-fA-F]{2}|@validateByteRange 9,10,13,32-126,128-255|@eq 0|@rx ['|!@rx ^0$|@eq 0|@rx ^.*$|@within %{tx.restricted_headers_extended}|@rx ^(?i)application/x-www-form-urlencoded|@rx x25|@validateUrlEncoding|@lt 3|@lt 3|@validateByteRange 32-36,38-126|@eq 0|!@rx ^(?:OPTIONS|CONNECT)$|!@pm AppleWebKit Android|@ge 1|@rx ^(?i)up|@gt 0|!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$|!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)|@lt 4|@lt 4|@endsWith .pdf|@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}|@validateByteRange 38,44-46,48-58,61,65-90,95,97-122|@validateByteRange 32,34,38,42-59,61,65-90,95,97-122|!@rx ^(?:?[01])?$|@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789])"
}
respond @block_enforcement 403

4
waf_patterns/caddy/evaluation.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_evaluation {
path_regexp evaluation "(?i)(@ge 1|@ge 1|@ge 2|@ge 2|@ge 3|@ge 3|@ge 4|@ge 4|@ge 1|@ge 1|@ge 2|@ge 2|@ge 3|@ge 3|@ge 4|@ge 4|@ge %{tx.inbound_anomaly_score_threshold}|@eq 1|@ge %{tx.inbound_anomaly_score_threshold}|@lt 1|@lt 1|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4|@ge 1|@ge 1|@ge 2|@ge 2|@ge 3|@ge 3|@ge 4|@ge 4|@ge 1|@ge 1|@ge 2|@ge 2|@ge 3|@ge 3|@ge 4|@ge 4|@ge %{tx.outbound_anomaly_score_threshold}|@eq 1|@ge %{tx.outbound_anomaly_score_threshold}|@lt 1|@lt 1|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_evaluation 403

4
waf_patterns/caddy/exceptions.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_exceptions {
path_regexp exceptions "(?i)(@streq GET /|@ipMatch 127.0.0.1,::1|@ipMatch 127.0.0.1,::1|@endsWith (internal dummy connection)|@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$)"
}
respond @block_exceptions 403

4
waf_patterns/caddy/fixation.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_fixation {
path_regexp fixation "(?i)(@lt 1|@lt 1|@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)|@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$|@rx ^(?:ht|f)tps?://(.*?)/|!@endsWith %{request_headers.host}|@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$|@eq 0|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_fixation 403

4
waf_patterns/caddy/generic.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_generic {
path_regexp generic "(?i)(@lt 1|@lt 1|@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sx0b]+Function[sx0b]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sx0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sx0b]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[|@pmFromFile ssrf.data|@rx (?:__proto__|constructors*(?:.|[)s*prototype)|@rx Process[sx0b]*.[sx0b]*spawn[sx0b]*(|@rx while[sx0b]*([sx0b(]*(?:!+(?:false|null|undefined|NaN|[+-]?0||@rx ^data:(?:(?:*|[^!|@lt 2|@lt 2|@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sx0b]*(|@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][-.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sx0b]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][-.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+)|@rx ^(?:[^@]|@[^{])*@+{.*}|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_generic 403

4
waf_patterns/caddy/iis.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_iis {
path_regexp iis "(?i)(@pm gzip compress deflate br zstd|@lt 1|@lt 1|@rx [a-z]:x5cinetpubb|@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)|@pmFromFile iis-errors.data|!@rx ^404$|@rx bServer Error in.{0,50}?bApplicationb|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_iis 403

4
waf_patterns/caddy/initialization.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_initialization {
path_regexp initialization "(?i)(@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 0|@eq 1|@unconditionalMatch|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 1|!@rx (?:URLENCODED|MULTIPART|XML|JSON)|@eq 100|@rx ^[a-f]*([0-9])[a-f]*([0-9])|nolog|!@lt %{tx.sampling_percentage}|@lt %{tx.blocking_paranoia_level})"
}
respond @block_initialization 403

4
waf_patterns/caddy/java.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_java {
path_regexp java "(?i)(@lt 1|@lt 1|@rx java.lang.(?:runtime|processbuilder)|@rx (?:runtime|processbuilder)|@rx (?i)(?:unmarshaller|base64data|java.)|@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)|@rx (?:runtime|processbuilder)|@pmFromFile java-classes.data|@rx .*.(?:jsp|jspx).*$|@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)|@lt 2|@lt 2|@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)|@rx xacxedx00x05|@rx (?:rO0ABQ|KztAAU|Cs7QAF)|@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)|@rx javab.+(?:runtime|processbuilder)|@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)|@lt 3|@lt 3|@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)|@lt 4|@lt 4|@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|@pm gzip compress deflate br zstd|@lt 1|@lt 1|@pmFromFile java-code-leakages.data|@pmFromFile java-errors.data|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_java 403

4
waf_patterns/caddy/leakages.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_leakages {
path_regexp leakages "(?i)(@eq 1|@pm gzip compress deflate br zstd|@lt 1|@lt 1|@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)|@rx ^#!s?/|@lt 2|@lt 2|@rx ^5d{2}$|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_leakages 403

4
waf_patterns/caddy/lfi.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_lfi {
path_regexp lfi "(?i)(@lt 1|@lt 1|@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))|@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))|@pmFromFile lfi-os-files.data|@pmFromFile restricted-files.data|@lt 2|@lt 2|@pmFromFile lfi-os-files.data|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_lfi 403

4
waf_patterns/caddy/php.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_php {
path_regexp php "(?i)(@lt 1|@lt 1|@rx (?i)<?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^sx0b]|[sx0b]+[^a-z]|$)))|$|php)|[[/x5c]?php]|@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$|@pmFromFile php-config-directives.data|@rx b([^s]+)s*=[^=]|@pmFromFile php-config-directives.data|@pmFromFile php-variables.data|@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)|@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://|@pmFromFile php-function-names-933150.data|@rx (?i)b(?[|@rx [oOcC]:d+:|@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)|@rx (?:((?:.+)(?:[|@lt 2|@lt 2|@pmFromFile php-function-names-933151.data|@rx b([^s]+)s*[(]|@pmFromFile php-function-names-933151.data|@lt 3|@lt 3|@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI|@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sx0b]|/*.**/|(?:#|//).*)*(.*)|@rx .*.(?:phpd*|phtml)..*$|@pm ?>|@rx (?:((?:.+)(?:[|@lt 4|@lt 4|@pm gzip compress deflate br zstd|@lt 1|@lt 1|@pmFromFile php-errors.data|@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b|@rx (?i)<?(?:=|php)?s+|@lt 2|@lt 2|@pmFromFile php-errors-pl2.data|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_php 403

4
waf_patterns/caddy/rce.conf Normal file
View File

File diff suppressed because one or more lines are too long

4
waf_patterns/caddy/rfi.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_rfi {
path_regexp rfi "(?i)(@lt 1|@lt 1|@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})|@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://|@rx ^(?i:file|ftps?|https?).*??+$|@lt 2|@lt 2|@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)|!@endsWith .%{request_headers.host}|@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)|!@endsWith .%{request_headers.host}|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_rfi 403

4
waf_patterns/caddy/shells.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_shells {
path_regexp shells "(?i)(@pm gzip compress deflate br zstd|@lt 1|@lt 1|@pmFromFile web-shells-php.data|@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>|@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>|@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>|@rx <title>Mini Shell</title>.*Developed By LameHacker|@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>|@rx <title>Symlink_Sa [0-9.]+</title>|@rx <title>CasuS [0-9.]+ by MafiABoY</title>|@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+|@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$|@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -|@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>|@rx <title>lama's'hell v. [0-9.]+</title>|@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -|@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->|@rx ^<html>n<head>n<div align=|@rx ^<html>n<head>n<title>Ru24PostWebShell|@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>|@rx ^<html>rn<head>rn<meta http-equiv=|@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+|@contains <title>punkholicshell</title>|@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>|@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=|@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>|@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>|@lt 2|@lt 2|@contains <h1 style=|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_shells 403

4
waf_patterns/caddy/sql.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_sql {
path_regexp sql "(?i)(@pm gzip compress deflate br zstd|@lt 1|@lt 1|!@pmFromFile sql-errors.data|@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])|@rx (?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})|@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()|@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)|@rx (?i)Dynamic SQL Error|@rx (?i)Exception (?:condition )?d+. Transaction rollback.|@rx (?i)org.hsqldb.jdbc|@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)|@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)|@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)|@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)|@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)|@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):|@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er|@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)|@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)|@lt 2|@lt 2|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_sql 403

4
waf_patterns/caddy/sqli.conf Normal file
View File

File diff suppressed because one or more lines are too long

4
waf_patterns/caddy/xss.conf Normal file
View File

@@ -0,0 +1,4 @@
@block_xss {
path_regexp xss "(?i)(@lt 1|@lt 1|!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122|@detectXSS|@rx (?i)<script[^>]*>[sS]*?|@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b|@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript|@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b|@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[|@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[|@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))|@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)|@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).|@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).|@rx (?i)<EMBED[s/+].*?(?:src|type).*?=|@rx <[?]?import[s/+S]*?implementation[s/+]*?=|@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[|@rx (?i:<META[s/+].*?charset[s/+]*=)|@rx (?i)<LINK[s/+].*?href[s/+]*=|@rx (?i)<BASE[s/+].*?href[s/+]*=|@rx (?i)<APPLET[s/+>]|@rx (?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=|@rx xbc[^xbe>]*[xbe>]|<[^xbe]*xbe|@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)|@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-|@rx ![!+ ][]|@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)|@rx (?i)b(?:eval|set(?:timeout|interval)|new[sx0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sx0b]*(|@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`|@lt 2|@lt 2|@detectXSS|@rx (?i)[s|@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=|@contains -->|@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W|@rx (?i:[|@rx (?i)[|@rx {{.*?}}|@lt 3|@lt 3|@lt 4|@lt 4)"
}
respond @block_xss 403

132
waf_patterns/nginx/attack.conf Normal file
View File

@@ -0,0 +1,132 @@
# Nginx WAF rules for ATTACK
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx unix:[^|]*|") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (][^]]+$|][^]]+[)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [^x21-x7E][x21-x39x3B-x7E]*:") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

84
waf_patterns/nginx/correlation.conf Normal file
View File

@@ -0,0 +1,84 @@
# Nginx WAF rules for CORRELATION
location / {
set $attack_detected 0;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 5") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

44
waf_patterns/nginx/detection.conf Normal file
View File

@@ -0,0 +1,44 @@
# Nginx WAF rules for DETECTION
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile scanners-user-agents.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

468
waf_patterns/nginx/enforcement.conf Normal file
View File

@@ -0,0 +1,468 @@
# Nginx WAF rules for ENFORCEMENT
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_methods}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (d+)-(d+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt %{tx.1}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(.*)/(?:[^?]+)?(?.*)?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^.*%.*.[^sx0b.]+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)%uff[0-9a-f]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)multipart/form-data") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charsets*=s*[") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_http_versions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 100") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx %[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ['") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)application/x-www-form-urlencoded") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)up") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:?[01])?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

224
waf_patterns/nginx/evaluation.conf Normal file
View File

@@ -0,0 +1,224 @@
# Nginx WAF rules for EVALUATION
location / {
set $attack_detected 0;
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

28
waf_patterns/nginx/exceptions.conf Normal file
View File

@@ -0,0 +1,28 @@
# Nginx WAF rules for EXCEPTIONS
location / {
set $attack_detected 0;
if ($request_uri ~* "@streq GET /") {
set $attack_detected 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith (internal dummy connection)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

64
waf_patterns/nginx/fixation.conf Normal file
View File

@@ -0,0 +1,64 @@
# Nginx WAF rules for FIXATION
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:ht|f)tps?://(.*?)/") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith %{request_headers.host}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

76
waf_patterns/nginx/generic.conf Normal file
View File

@@ -0,0 +1,76 @@
# Nginx WAF rules for GENERIC
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sx0b]+Function[sx0b]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sx0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sx0b]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile ssrf.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:__proto__|constructors*(?:.|[)s*prototype)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx Process[sx0b]*.[sx0b]*spawn[sx0b]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx while[sx0b]*([sx0b(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^data:(?:(?:*|[^!") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sx0b]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][-.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sx0b]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][-.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:[^@]|@[^{])*@+{.*}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

64
waf_patterns/nginx/iis.conf Normal file
View File

@@ -0,0 +1,64 @@
# Nginx WAF rules for IIS
location / {
set $attack_detected 0;
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [a-z]:x5cinetpubb") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile iis-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^404$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx bServer Error in.{0,50}?bApplicationb") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

136
waf_patterns/nginx/initialization.conf Normal file
View File

@@ -0,0 +1,136 @@
# Nginx WAF rules for INITIALIZATION
location / {
set $attack_detected 0;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@unconditionalMatch") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?:URLENCODED|MULTIPART|XML|JSON)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?:URLENCODED|MULTIPART|XML|JSON)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 100") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[a-f]*([0-9])[a-f]*([0-9])") {
set $attack_detected 1;
}
if ($request_uri ~* "nolog") {
set $attack_detected 1;
}
if ($request_uri ~* "!@lt %{tx.sampling_percentage}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt %{tx.blocking_paranoia_level}") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

148
waf_patterns/nginx/java.conf Normal file
View File

@@ -0,0 +1,148 @@
# Nginx WAF rules for JAVA
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx java.lang.(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:unmarshaller|base64data|java.)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-classes.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.(?:jsp|jspx).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx xacxedx00x05") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:rO0ABQ|KztAAU|Cs7QAF)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-code-leakages.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

60
waf_patterns/nginx/leakages.conf Normal file
View File

@@ -0,0 +1,60 @@
# Nginx WAF rules for LEAKAGES
location / {
set $attack_detected 0;
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^#!s?/") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^5d{2}$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

60
waf_patterns/nginx/lfi.conf Normal file
View File

@@ -0,0 +1,60 @@
# Nginx WAF rules for LFI
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile lfi-os-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile restricted-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile lfi-os-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

176
waf_patterns/nginx/php.conf Normal file
View File

@@ -0,0 +1,176 @@
# Nginx WAF rules for PHP
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^sx0b]|[sx0b]+[^a-z]|$)))|$|php)|[[/x5c]?php]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-config-directives.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx b([^s]+)s*=[^=]") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-config-directives.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-variables.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-function-names-933150.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [oOcC]:d+:") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:((?:.+)(?:[") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-function-names-933151.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx b([^s]+)s*[(]") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-function-names-933151.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sx0b]|/*.**/|(?:#|//).*)*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.(?:phpd*|phtml)..*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm ?>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:((?:.+)(?:[") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<?(?:=|php)?s+") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-errors-pl2.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

228
waf_patterns/nginx/rce.conf Normal file
View File

File diff suppressed because one or more lines are too long

68
waf_patterns/nginx/rfi.conf Normal file
View File

@@ -0,0 +1,68 @@
# Nginx WAF rules for RFI
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:file|ftps?|https?).*??+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

148
waf_patterns/nginx/shells.conf Normal file
View File

@@ -0,0 +1,148 @@
# Nginx WAF rules for SHELLS
location / {
set $attack_detected 0;
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile web-shells-php.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<div align=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<title>Ru24PostWebShell") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<meta http-equiv=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <title>punkholicshell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

112
waf_patterns/nginx/sql.conf Normal file
View File

@@ -0,0 +1,112 @@
# Nginx WAF rules for SQL
location / {
set $attack_detected 0;
if ($request_uri ~* "@pm gzip compress deflate br zstd") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pmFromFile sql-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)Dynamic SQL Error") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)Exception (?:condition )?d+. Transaction rollback.") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)org.hsqldb.jdbc") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

312
waf_patterns/nginx/sqli.conf Normal file
View File

@@ -0,0 +1,312 @@
# Nginx WAF rules for SQLI
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectSQLi") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:select|;)[sx0b]+(?:benchmark|if|sleep)[sx0b]*?([sx0b]*?(?[sx0b]*?[0-9A-Z_a-z]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sx0b()]case[sx0b]+when.*?then|)[sx0b]*?like[sx0b]*?(|select.*?having[sx0b]*?[^sx0b]+[sx0b]*?[^sx0b0-9A-Z_a-z]|if[sx0b]?([0-9A-Z_a-z]+[sx0b]*?[<->~]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)alter[sx0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sx0b]+set[sx0b]+[0-9A-Z_a-z]+|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:merge.*?usings*?(|executes*?immediates*?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)union.*?select.*?from") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)select[sx0b]*?pg_sleep|waitfor[sx0b]*?delay[sx0b]?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sx0b]+function[sx0b].+[sx0b]returns|;[sx0b]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sx0b]*?[([]?[0-9A-Z_a-z]{2,}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)b[sx0b]*(?|end[sx0b]*?);)|[sx0b(]load_file[sx0b]*?(|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)/*[sx0b]*?[!+](?:[sx0b()-0-9=A-Z_a-z]+)?*/") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:[^']*'|[^") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)1.e[(),]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[!=]=|&&||||->|>[=>]|<(?:[<=]|>(?:[sx0b]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sx0b") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sx0b") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:/*)+[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i),.*?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sx0b(]+[0-9A-Z_a-z]+[sx0b)]*?[!+=]+[sx0b0-9]*?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i))[sx0b]*?when[sx0b]*?[0-9]+[sx0b]*?then|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:([sx0b]*?select[sx0b]*?[0-9A-Z_a-z]+|coalesce|order[sx0b]+by[sx0b]+if[0-9A-Z_a-z]*?)[sx0b]*?(|*/from|+[sx0b]*?[0-9]+[sx0b]*?+[sx0b]*?@|[0-9A-Z_a-z][") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)in[sx0b]*?(+[sx0b]*?select|(?:(?:N?AND|X?X?OR|DIV|LIKE|BETWEEN|NOT)[sx0b]+|(?:|||&&)[sx0b]*)[sx0b+0-9A-Z_a-z]+(?:regexp[sx0b]*?(|sounds[sx0b]+like[sx0b]*?[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:^[Wd]+s*?(?:alter|union)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)[sx0b]?(?|end[sx0b]*?);|[sx0b(]load_file[sx0b]*?(|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:havingb(?:[sx0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[sx0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:orb(?:[sx0b]?(?:[0-9]{1,10}|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)bandb(?:[sx0b]+(?:[0-9]{1,10}[sx0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'") {
set $attack_detected 1;
}
if ($request_uri ~* "!ARGS:foo") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [a-zA-Z0-9_-]{61,61}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [a-zA-Z0-9_-]{91,91}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx /*!?|*/|[';]--|--(?:[sx0b]|[^-]*?-)|[^&-]#.*?[sx0b]|;?x00") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:b0x[a-fd]{3,})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:and|or)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*?x5c['") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectSQLi") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)W+d*?s*?bhavingbs*?[^s-]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [") {
set $attack_detected 1;
}
if ($request_uri ~* "!REQUEST_COOKIES:foo_id") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx W{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ';") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}

180
waf_patterns/nginx/xss.conf Normal file
View File

@@ -0,0 +1,180 @@
# Nginx WAF rules for XSS
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<script[^>]*>[sS]*?") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[tnr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ![!+ ][]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sx0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[sx0b]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[s") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains -->") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx {{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}