Update: [Tue Feb 25 00:26:42 UTC 2025]

github-actions[bot] 2025-02-25 00:26:42 +00:00
parent 9554870ec8
commit 9f8a891fd8
5 changed files with 2123 additions and 2123 deletions


@ -9,108 +9,6 @@ http-request deny if block_initialization
acl block_initialization hdr_sub(User-Agent) -i ^[a-f]*([0-9])[a-f]*([0-9])
http-request deny if block_initialization
acl block_exceptions hdr_sub(User-Agent) -i @streq GET /
http-request deny if block_exceptions
acl block_exceptions hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1
http-request deny if block_exceptions
acl block_exceptions hdr_sub(User-Agent) -i @endsWith (internal dummy connection)
http-request deny if block_exceptions
acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$
http-request deny if block_exceptions
acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
http-request deny if block_rfi
acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host}
http-request deny if block_rfi
acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^#!s?/
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$
http-request deny if block_leakages
acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i xacxedx00x05
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)
http-request deny if block_java
acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*)
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i [rn]W*?(content-(type|length)|set-cookie|location):s*w
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i (bhttp/d|<(html|meta)b)
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i [nr]
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i [nr]+(s|location|refresh|(set-)?cookie|(x-)?(forwarded-(for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?(application/(\.++)?json|(application/(soap+)?|text/)xml)
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i unix:[^|]*|
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?b(((tex|multipar)t|application)|((audi|vide)o|image|cs[sv]|(vn|relate)d|p(df|lain)|json|(soa|cs)p|x(ml|-www-form-urlencoded)|form-data|x-amf|(octe|repor)t|stream)|([+/]))b
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i \.
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i TX:paramcounter_(\.*)
http-request deny if block_attack
acl block_fixation hdr_sub(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb)
http-request deny if block_fixation
@ -123,12 +21,6 @@ http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i !@endsWith %{request_headers.host}
http-request deny if block_fixation
acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b
http-request deny if block_php
acl block_php hdr_sub(User-Agent) -i <?(=|php)?s+
http-request deny if block_php
acl block_sql hdr_sub(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
http-request deny if block_sql
@ -168,17 +60,155 @@ http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (Sybase message:|Warning\.{2,20}sybase|Sybase\.*Server message\.*)
http-request deny if block_sql
acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*)
http-request deny if block_attack
acl block_lfi hdr_sub(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|$))
http-request deny if block_lfi
acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
http-request deny if block_generic
acl block_exceptions hdr_sub(User-Agent) -i @streq GET /
http-request deny if block_exceptions
acl block_generic hdr_sub(User-Agent) -i [s*constructors*]
http-request deny if block_generic
acl block_exceptions hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1
http-request deny if block_exceptions
acl block_generic hdr_sub(User-Agent) -i @{\.*}
http-request deny if block_generic
acl block_exceptions hdr_sub(User-Agent) -i @endsWith (internal dummy connection)
http-request deny if block_exceptions
acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$
http-request deny if block_exceptions
acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i xacxedx00x05
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)
http-request deny if block_java
acl block_xss hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @detectXSS
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <script[^>]*>[sS]*?
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i \.(b(x(link:href|html|mlns)|data:text/html|formaction|patternb\.*?=)|!ENTITY[sv]+(%[sv]+)?[^sv]+[sv]+(SYSTEM|PUBLIC)|@import|;base64)b
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[^0-9<>A-Z_a-z]*([^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(s[^0-9A-Z_a-z]*?(c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(<[0-9A-Z_a-z]\.*[sv/]|["'](\.*[sv/])?)(background|formaction|lowsrc|on(a(bort|ctivate|d(apteradded|dtrack)|fter(print|(scriptexecu|upda)te)|lerting|n(imation(cancel|end|iteration|start)|tennastatechange)|ppcommand|u(dio(end|process|start)|xclick))|b(e(fore((((de)?activa|scriptexecu)t|toggl)e|c(opy|ut)|editfocus|input|p(aste|rint)|u(nload|pdate))|gin(Event)?)|l(ocked|ur)|oun(ce|dary)|roadcast|usy)|c(a((ch|llschang)ed|nplay(through)?|rdstatechange)|(ell|fstate)change|h(a(rging(time)?cha)?nge|ecking)|l(ick|ose)|o(m(mand(update)?|p(lete|osition(end|start|update)))|n(nect(ed|ing)|t(extmenu|rolselect))|py)|u(echange|t
))|d(ata((availabl|chang)e|error|setc(hanged|omplete))|blclick|e(activate|livery(error|success)|vice(found|light|(mo|orienta)tion|proximity))|i(aling|s(abled|c(hargingtimechange|onnect(ed|ing))))|o(m(a(ctivate|ttrmodified)|(characterdata|subtree)modified|focus(in|out)|mousescroll|node(inserted(intodocument)?|removed(fromdocument)?))|wnloading)|r(ag(drop|e(n(d|ter)|xit)|(gestur|leav)e|over|start)|op)|urationchange)|e(mptied|n(abled|d(ed|Event)?|ter)|rror(update)?|xit)|f(ailed|i(lterchange|nish)|o(cus(in|out)?|rm(change|input))|ullscreenchange)|g(amepad(axismove|button(down|up)|(dis)?connected)|et)|h(ashchange|e(adphoneschange|l[dp])|olding)|i(cc(cardlockerror|infochange)|n(coming|put|valid))|key(down|press|up)|l(evelchange|o(ad(e(d(meta)?data|nd)|start)?|secapture)|y)|m(ark|essage|o(use(down|enter|(lea|mo)ve|o(ut|ver)|up|wheel)|ve(end|start)?|z(a(fterpaint|udioavailable)|(beforeresiz|orientationchang|t(apgestur|imechang))e|(edgeui(c(ancel|omplet)|start)e|network(down|up)loa)d|fullscreen(change|error)|m(agnifygesture(start|update)?|ouse(hittest|pixelscroll))|p(ointerlock(change|error)|resstapgesture)|rotategesture(start|update)?|s(crolledareachanged|wipegesture(end|start|update)?))))|no(match|update)|o((bsolet|(ff|n)lin)e|pen|verflow(changed)?)|p(a(ge(hide|show)|int|(st|us)e)|lay(ing)?|o(inter(down|enter|((lea|mo)v|rawupdat)e|o(ut|ver)|up)|p(state|up(hid(den|ing)|show(ing|n))))|ro(gress|pertychange))|r(atechange|e(adystatechange|ceived|movetrack|peat(Event)?|quest|s(et|ize|u(lt|m(e|ing)))|trieving)|ow(e(nter|xit)|s(delete|inserted)))|s(croll(end)?|e(arch|ek(complete|ed|ing)|lect(ionchange|start)?|n(ding|t)|t)|how|(ound|peech)(end|start)|t(a(lled|rt|t(echange|uschanged))|k(comma|sessione)nd|op)|u(bmit|ccess|spend)|vg(abort|error|(un)?load|resize|scroll|zoom))|t(ext|ime(out|update)|o(ggle|uch(cancel|en(d|ter)|(lea|mo)ve|start))|ransition(cancel|end|run|start))|u(n(derflow|handledrejection|load)|p(dateready|gradeneeded)|s(erproximity|sdreceived))|v(ersion|o(ic|lum)e)chan
ge|w(a(it|rn)ing|ebkit(animation(end|iteration|start)|transitionend)|heel)|zoom)|ping|s(rc|tyle))[x08-nf-r ]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<style\.*?>\.*?(@[ix5c]|([:=]|&#x?0*(58|3A|61|3D);?)\.*?([(x5c]|&#x?0*(40|28|92|5C);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<\.*[:]?vmlframe\.*?[s/+]*?src[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <EMBED[s/+]\.*?(src|type)\.*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[?]?import[s/+S]*?implementation[s/+]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?http-equiv[s/+]*=[s/+]*["'`]?((c|&#x?0*(67|43|99|63);?)|(r|&#x?0*(82|52|114|72);?)|(s|&#x?0*(83|53|115|73);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?charset[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <LINK[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <BASE[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <APPLET[s/+>]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <OBJECT[s/+]\.*?(type|codetype|classid|code|data)[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i xbc[^xbe>]*[xbe>]|<[^xbe]*xbe
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (xbcs*/s*[^xbe>]*[xbe>])|(<s*/s*[^xbe]*xbe)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (([[^]]*][^\.]*\.)|Reflect[^\.]*\.)\.*(map|sort|apply)[^\.]*\.\.*call[^`]*`\.*`
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i [s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i b(s(tyle|rc)|href)b[sS]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @contains -->
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:["'][ ]*([^a-z0-9~_:' ]|in)\.*?((l|x5cu006C)(o|x5cu006F)(c|x5cu0063)(a|x5cu0061)(t|x5cu0074)(i|x5cu0069)(o|x5cu006F)(n|x5cu006E)|(n|x5cu006E)(a|x5cu0061)(m|x5cu006D)(e|x5cu0065)|(o|x5cu006F)(n|x5cu006E)(e|x5cu0065)(r|x5cu0072)(r|x5cu0072)(o|x5cu006F)(r|x5cu0072)|(v|x5cu0076)(a|x5cu0061)(l|x5cu006C)(u|x5cu0075)(e|x5cu0065)(O|x5cu004F)(f|x5cu0066))\.*?=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i ["'][ ]*([^a-z0-9~_:' ]|in)\.+?[\.]\.+?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i {{\.*?}}
http-request deny if block_xss
acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
http-request deny if block_rfi
acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host}
http-request deny if block_rfi
acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^#!s?/
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$
http-request deny if block_leakages
acl block_php hdr_sub(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(/|x5c)?php])
http-request deny if block_php
@ -348,167 +378,44 @@ http-request deny if block_enforcement
acl block_enforcement hdr_sub(User-Agent) -i (^|[^x5c])x5c[cdeghijklmpqwxyz123456789]
http-request deny if block_enforcement
acl block_xss hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122
http-request deny if block_xss
acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
http-request deny if block_generic
acl block_xss hdr_sub(User-Agent) -i @detectXSS
http-request deny if block_xss
acl block_generic hdr_sub(User-Agent) -i [s*constructors*]
http-request deny if block_generic
acl block_xss hdr_sub(User-Agent) -i <script[^>]*>[sS]*?
http-request deny if block_xss
acl block_generic hdr_sub(User-Agent) -i @{\.*}
http-request deny if block_generic
acl block_xss hdr_sub(User-Agent) -i \.(b(x(link:href|html|mlns)|data:text/html|formaction|patternb\.*?=)|!ENTITY[sv]+(%[sv]+)?[^sv]+[sv]+(SYSTEM|PUBLIC)|@import|;base64)b
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i <[^0-9<>A-Z_a-z]*([^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(s[^0-9A-Z_a-z]*?(c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(<[0-9A-Z_a-z]\.*[sv/]|["'](\.*[sv/])?)(background|formaction|lowsrc|on(a(bort|ctivate|d(apteradded|dtrack)|fter(print|(scriptexecu|upda)te)|lerting|n(imation(cancel|end|iteration|start)|tennastatechange)|ppcommand|u(dio(end|process|start)|xclick))|b(e(fore((((de)?activa|scriptexecu)t|toggl)e|c(opy|ut)|editfocus|input|p(aste|rint)|u(nload|pdate))|gin(Event)?)|l(ocked|ur)|oun(ce|dary)|roadcast|usy)|c(a((ch|llschang)ed|nplay(through)?|rdstatechange)|(ell|fstate)change|h(a(rging(time)?cha)?nge|ecking)|l(ick|ose)|o(m(mand(update)?|p(lete|osition(end|start|update)))|n(nect(ed|ing)|t(extmenu|rolselect))|py)|u(echange|t
))|d(ata((availabl|chang)e|error|setc(hanged|omplete))|blclick|e(activate|livery(error|success)|vice(found|light|(mo|orienta)tion|proximity))|i(aling|s(abled|c(hargingtimechange|onnect(ed|ing))))|o(m(a(ctivate|ttrmodified)|(characterdata|subtree)modified|focus(in|out)|mousescroll|node(inserted(intodocument)?|removed(fromdocument)?))|wnloading)|r(ag(drop|e(n(d|ter)|xit)|(gestur|leav)e|over|start)|op)|urationchange)|e(mptied|n(abled|d(ed|Event)?|ter)|rror(update)?|xit)|f(ailed|i(lterchange|nish)|o(cus(in|out)?|rm(change|input))|ullscreenchange)|g(amepad(axismove|button(down|up)|(dis)?connected)|et)|h(ashchange|e(adphoneschange|l[dp])|olding)|i(cc(cardlockerror|infochange)|n(coming|put|valid))|key(down|press|up)|l(evelchange|o(ad(e(d(meta)?data|nd)|start)?|secapture)|y)|m(ark|essage|o(use(down|enter|(lea|mo)ve|o(ut|ver)|up|wheel)|ve(end|start)?|z(a(fterpaint|udioavailable)|(beforeresiz|orientationchang|t(apgestur|imechang))e|(edgeui(c(ancel|omplet)|start)e|network(down|up)loa)d|fullscreen(change|error)|m(agnifygesture(start|update)?|ouse(hittest|pixelscroll))|p(ointerlock(change|error)|resstapgesture)|rotategesture(start|update)?|s(crolledareachanged|wipegesture(end|start|update)?))))|no(match|update)|o((bsolet|(ff|n)lin)e|pen|verflow(changed)?)|p(a(ge(hide|show)|int|(st|us)e)|lay(ing)?|o(inter(down|enter|((lea|mo)v|rawupdat)e|o(ut|ver)|up)|p(state|up(hid(den|ing)|show(ing|n))))|ro(gress|pertychange))|r(atechange|e(adystatechange|ceived|movetrack|peat(Event)?|quest|s(et|ize|u(lt|m(e|ing)))|trieving)|ow(e(nter|xit)|s(delete|inserted)))|s(croll(end)?|e(arch|ek(complete|ed|ing)|lect(ionchange|start)?|n(ding|t)|t)|how|(ound|peech)(end|start)|t(a(lled|rt|t(echange|uschanged))|k(comma|sessione)nd|op)|u(bmit|ccess|spend)|vg(abort|error|(un)?load|resize|scroll|zoom))|t(ext|ime(out|update)|o(ggle|uch(cancel|en(d|ter)|(lea|mo)ve|start))|ransition(cancel|end|run|start))|u(n(derflow|handledrejection|load)|p(dateready|gradeneeded)|s(erproximity|sdreceived))|v(ersion|o(ic|lum)e)chan
ge|w(a(it|rn)ing|ebkit(animation(end|iteration|start)|transitionend)|heel)|zoom)|ping|s(rc|tyle))[x08-nf-r ]*?=
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i [rn]W*?(content-(type|length)|set-cookie|location):s*w
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i (?i:<style\.*?>\.*?(@[ix5c]|([:=]|&#x?0*(58|3A|61|3D);?)\.*?([(x5c]|&#x?0*(40|28|92|5C);?)))
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i (bhttp/d|<(html|meta)b)
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i (?i:<\.*[:]?vmlframe\.*?[s/+]*?src[s/+]*=)
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i [nr]
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i <EMBED[s/+]\.*?(src|type)\.*?=
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i [nr]+(s|location|refresh|(set-)?cookie|(x-)?(forwarded-(for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i <[?]?import[s/+S]*?implementation[s/+]*?=
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?(application/(\.++)?json|(application/(soap+)?|text/)xml)
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?http-equiv[s/+]*=[s/+]*["'`]?((c|&#x?0*(67|43|99|63);?)|(r|&#x?0*(82|52|114|72);?)|(s|&#x?0*(83|53|115|73);?)))
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i unix:[^|]*|
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?charset[s/+]*=)
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i ^[^sv,;]+[sv,;]\.*?b(((tex|multipar)t|application)|((audi|vide)o|image|cs[sv]|(vn|relate)d|p(df|lain)|json|(soa|cs)p|x(ml|-www-form-urlencoded)|form-data|x-amf|(octe|repor)t|stream)|([+/]))b
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i <LINK[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_attack hdr_sub(User-Agent) -i \.
http-request deny if block_attack
acl block_xss hdr_sub(User-Agent) -i <BASE[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <APPLET[s/+>]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <OBJECT[s/+]\.*?(type|codetype|classid|code|data)[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i xbc[^xbe>]*[xbe>]|<[^xbe]*xbe
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (xbcs*/s*[^xbe>]*[xbe>])|(<s*/s*[^xbe]*xbe)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (([[^]]*][^\.]*\.)|Reflect[^\.]*\.)\.*(map|sort|apply)[^\.]*\.\.*call[^`]*`\.*`
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i [s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i b(s(tyle|rc)|href)b[sS]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @contains -->
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:["'][ ]*([^a-z0-9~_:' ]|in)\.*?((l|x5cu006C)(o|x5cu006F)(c|x5cu0063)(a|x5cu0061)(t|x5cu0074)(i|x5cu0069)(o|x5cu006F)(n|x5cu006E)|(n|x5cu006E)(a|x5cu0061)(m|x5cu006D)(e|x5cu0065)|(o|x5cu006F)(n|x5cu006E)(e|x5cu0065)(r|x5cu0072)(r|x5cu0072)(o|x5cu006F)(r|x5cu0072)|(v|x5cu0076)(a|x5cu0061)(l|x5cu006C)(u|x5cu0075)(e|x5cu0065)(O|x5cu004F)(f|x5cu0066))\.*?=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i ["'][ ]*([^a-z0-9~_:' ]|in)\.+?[\.]\.+?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i {{\.*?}}
http-request deny if block_xss
acl block_iis hdr_sub(User-Agent) -i [a-z]:x5cinetpubb
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i (Microsoft OLE DB Provider for SQL Server(</font>\.{1,20}?error '800(04005|40e31)'\.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>\.*?<h2>part of the server has crashed or it has a configuration error\.</h2>|cannot connect to the server: timed out)
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i !^404$
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i bServer Error in\.{0,50}?bApplicationb
http-request deny if block_iis
acl block_shells hdr_sub(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>\.*? - WSO [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i B4TM4N SH3LL</title>\.*<meta name='author' content='k4mpr3t'/>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Mini Shell</title>\.*Developed By LameHacker
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>\.:: \.* ~ Ashiyane V [0-9\.]+ ::\.</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Symlink_Sa [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>CasuS [0-9\.]+ by MafiABoY</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<title>GRP WebShell [0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <small>NGHshell [0-9\.]+ by Cr4sh</body></html>n$
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>SimAttacker - (Version|Vrsion) : [0-9\.]+ -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<!DOCTYPE html>n<html>n<!-- By Artyum \.*<title>Web Shell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>lama's'hell v\. [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<title>Ru24PostWebShell -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>s72 Shell v[0-9\.]+ Codinf by Cr@zy_King</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html>nn<head>nn<title>g00nshell v[0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <title>punkholicshell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n <head>n <title>azrail [0-9\.]+ by C-W-M</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<title>\.*? ~ Shell I</title>n<head>n<style>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html><head><title>:: b374k m1n1 [0-9\.]+ ::</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <h1 style="margin-bottom: 0">webadmin.php</h1>
http-request deny if block_shells
acl block_attack hdr_sub(User-Agent) -i TX:paramcounter_(\.*)
http-request deny if block_attack
acl block_sqli hdr_sub(User-Agent) -i @detectSQLi
http-request deny if block_sqli
@ -675,3 +582,96 @@ http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i !(d|!)
http-request deny if block_rce
acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b
http-request deny if block_php
acl block_php hdr_sub(User-Agent) -i <?(=|php)?s+
http-request deny if block_php
acl block_iis hdr_sub(User-Agent) -i [a-z]:x5cinetpubb
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i (Microsoft OLE DB Provider for SQL Server(</font>\.{1,20}?error '800(04005|40e31)'\.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>\.*?<h2>part of the server has crashed or it has a configuration error\.</h2>|cannot connect to the server: timed out)
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i !^404$
http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i bServer Error in\.{0,50}?bApplicationb
http-request deny if block_iis
acl block_shells hdr_sub(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>\.*? - WSO [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i B4TM4N SH3LL</title>\.*<meta name='author' content='k4mpr3t'/>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Mini Shell</title>\.*Developed By LameHacker
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>\.:: \.* ~ Ashiyane V [0-9\.]+ ::\.</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Symlink_Sa [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>CasuS [0-9\.]+ by MafiABoY</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<title>GRP WebShell [0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <small>NGHshell [0-9\.]+ by Cr4sh</body></html>n$
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>SimAttacker - (Version|Vrsion) : [0-9\.]+ -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<!DOCTYPE html>n<html>n<!-- By Artyum \.*<title>Web Shell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>lama's'hell v\. [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<title>Ru24PostWebShell -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>s72 Shell v[0-9\.]+ Codinf by Cr@zy_King</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html>nn<head>nn<title>g00nshell v[0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <title>punkholicshell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n <head>n <title>azrail [0-9\.]+ by C-W-M</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<title>\.*? ~ Shell I</title>n<head>n<style>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html><head><title>:: b374k m1n1 [0-9\.]+ ::</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <h1 style="margin-bottom: 0">webadmin.php</h1>
http-request deny if block_shells
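Review bot: The `hdr_sub(User-Agent)` ACLs in this hunk do literal substring matching and, as far as HAProxy's ACL syntax goes, take every whitespace-separated word as a separate OR-ed pattern, so the regex text and the ModSecurity operators (`@contains`, `!^404$`) are never interpreted as such. The effect is over-blocking rather than detection: in the `block_iis` line containing `has a configuration error` the lone `a` becomes a pattern of its own, and the `block_shells` lines contribute `Shell` and `by`, which would deny most ordinary User-Agent strings. The signatures also read like response-body content (web-shell page titles, IIS error text) with their backslashes lost (`[a-z]:x5cinetpubb`), so they would not find anything in a request header even if they were evaluated as regexes. I would have the generator skip response-phase rules and emit the remainder quoted through a regex matcher, e.g. `acl block_php hdr_reg(User-Agent) -i '<converted pattern>'`. This file section begins before the visible lines, so the earlier ACLs are not covered by this note.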

File diff suppressed because one or more lines are too long


@ -9,12 +9,54 @@
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_fixation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_evaluation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_sql) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_lfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_exceptions) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_java) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_xss) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rfi) {
return 403;
# Log the blocked request (optional)
@ -27,73 +69,19 @@
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_java) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_fixation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_php) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_sql) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_lfi) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_generic) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_evaluation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_enforcement) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_xss) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_iis) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_shells) {
if ($waf_block_generic) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
@ -105,15 +93,27 @@
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_correlation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_rce) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_iis) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_correlation) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
if ($waf_block_shells) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
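Review bot: Every category in this section ends in a bare `return 403;` with the `access_log` line left commented out, so a denied request leaves no record of which rule family matched and false positives cannot be traced back to a category. I would record the category before returning, for example `set $waf_reason "shells";` ahead of `return 403;` (the variable name is only an illustration), and reference that variable in the log format of the enclosing server; the log format is defined outside this section, so that part needs confirming. Separately, the same `if` blocks reappear in a different order across the three hunks with no visible change in content, which suggests the generator emits categories in an unstable order. Sorting the categories before writing the file would keep these automated commits small enough to review for real rule changes.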

File diff suppressed because one or more lines are too long