External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update: [Fri Jan 10 00:27:14 UTC 2025]

Browse Source
This commit is contained in:
github-actions[bot] 2025-01-10 00:27:14 +00:00
parent 0c41e95847
commit c68f9937e8
40 changed files with 3401 additions and 3401 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3092
owasp_rules.json
View File

File diff suppressed because one or more lines are too long

34
waf_patterns/apache/attack.conf
View File

@ -1,20 +1,20 @@
# Apache ModSecurity rules for ATTACK # Apache ModSecurity rules for ATTACK
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\[nr\]" "id:1258,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "@gt\ 0" "id:1075,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1249,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1069,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1255,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1066,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1260,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\." "id:1076,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1262,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1078,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1261,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[nr\]" "id:1070,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1125,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[nr\]" "id:1067,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1256,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1072,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1124,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[nr\]" "id:1073,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1253,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1071,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1263,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "@gt\ 1" "id:1077,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1250,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1064,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1251,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1065,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1254,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1197,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1257,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1196,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1259,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1074,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1252,phase:1,deny,status:403,log,msg:'attack attack detected'" SecRule REQUEST_URI "\[nr\]" "id:1068,phase:1,deny,status:403,log,msg:'attack attack detected'"

16
waf_patterns/apache/correlation.conf
View File

@ -1,11 +1,11 @@
# Apache ModSecurity rules for CORRELATION # Apache ModSecurity rules for CORRELATION
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1039,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1339,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1040,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1343,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1036,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1041,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1341,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1035,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1345,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1038,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@gt\ 0" "id:1346,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1042,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1342,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1037,phase:1,deny,status:403,log,msg:'correlation attack detected'" SecRule REQUEST_URI "@ge\ 5" "id:1340,phase:1,deny,status:403,log,msg:'correlation attack detected'"

158
waf_patterns/apache/enforcement.conf
View File

@ -1,82 +1,82 @@
# Apache ModSecurity rules for ENFORCEMENT # Apache ModSecurity rules for ENFORCEMENT
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1304,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "x25" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1329,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\$" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1311,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1327,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateUrlEncoding" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1286,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\.\*\$" "id:1144,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\['";=\]" "id:1326,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1271,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "x25" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1281,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1290,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@contains\ \#" "id:1132,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1296,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1274,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@streq\ JSON" "id:1315,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ 1" "id:1133,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1335,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1148,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1292,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1156,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 50" "id:1314,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1278,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1153,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1276,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1124,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1264,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ 0" "id:1151,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1319,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1320,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1336,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\$" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1337,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1283,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1137,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1277,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1131,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1269,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1310,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1145,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1333,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1138,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1331,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1143,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1313,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1265,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1155,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@streq\ POST" "id:1268,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1312,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1134,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1323,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1300,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\.\*\$" "id:1127,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1298,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1330,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1267,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateUtf8Encoding" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1309,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\$" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1328,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^0\$" "id:1142,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1279,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ 50" "id:1129,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1334,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1272,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1306,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1338,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1293,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\$" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1289,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1136,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1322,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1128,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1266,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1149,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1324,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1339,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1140,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1295,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1282,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "charset\.\*\?charset" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "charset\.\*\?charset" "id:1308,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1297,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@streq\ POST" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1307,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@contains\ \#" "id:1317,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1157,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "x25" "id:1273,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1287,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1318,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\['";=\]" "id:1141,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1299,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1152,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1291,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1139,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "x25" "id:1275,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1294,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1341,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1301,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1154,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1342,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^0\$" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1285,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1135,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1321,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1332,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1305,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1316,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1146,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1303,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1150,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1302,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1340,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@validateUrlEncoding" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1280,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1125,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1284,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1325,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "!@streq\ JSON" "id:1130,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1270,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1288,phase:1,deny,status:403,log,msg:'enforcement attack detected'" SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1126,phase:1,deny,status:403,log,msg:'enforcement attack detected'"

76
waf_patterns/apache/evaluation.conf
View File

@ -1,41 +1,41 @@
# Apache ModSecurity rules for EVALUATION # Apache ModSecurity rules for EVALUATION
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "@ge\ 4" "id:1168,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1042,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1153,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1051,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1171,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1295,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1157,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1313,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1134,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1059,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1166,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1045,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1162,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1304,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1137,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1046,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1146,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1312,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1155,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1048,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1164,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1055,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1131,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1299,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1149,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1057,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1135,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1298,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1167,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1301,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1170,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1308,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1140,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1310,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1144,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1050,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1133,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1303,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1142,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1044,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1161,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1053,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1165,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1058,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1148,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1297,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1145,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1054,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1163,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1306,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1160,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1056,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1139,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1307,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1143,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1309,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1169,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1043,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1154,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1311,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1158,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 1" "id:1296,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1138,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1047,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1141,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1052,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1156,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1049,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1159,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1060,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1132,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 3" "id:1300,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1136,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 2" "id:1305,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1147,phase:1,deny,status:403,log,msg:'evaluation attack detected'" SecRule REQUEST_URI "@ge\ 4" "id:1302,phase:1,deny,status:403,log,msg:'evaluation attack detected'"

10
waf_patterns/apache/exceptions.conf
View File

@ -1,8 +1,8 @@
# Apache ModSecurity rules for EXCEPTIONS # Apache ModSecurity rules for EXCEPTIONS
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1130,phase:1,deny,status:403,log,msg:'exceptions attack detected'" SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1010,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@streq\ GET\ /" "id:1126,phase:1,deny,status:403,log,msg:'exceptions attack detected'" SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1013,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1128,phase:1,deny,status:403,log,msg:'exceptions attack detected'" SecRule REQUEST_URI "@streq\ GET\ /" "id:1009,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1127,phase:1,deny,status:403,log,msg:'exceptions attack detected'" SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1012,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1129,phase:1,deny,status:403,log,msg:'exceptions attack detected'" SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1011,phase:1,deny,status:403,log,msg:'exceptions attack detected'"

12
waf_patterns/apache/fixation.conf
View File

@ -1,9 +1,9 @@
# Apache ModSecurity rules for FIXATION # Apache ModSecurity rules for FIXATION
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1227,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1160,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1232,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1161,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1230,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1158,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1228,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1159,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1229,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1162,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1231,phase:1,deny,status:403,log,msg:'fixation attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1163,phase:1,deny,status:403,log,msg:'fixation attack detected'"

6
waf_patterns/apache/generic.conf
View File

@ -1,6 +1,6 @@
# Apache ModSecurity rules for GENERIC # Apache ModSecurity rules for GENERIC
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "@\{\.\*\}" "id:1152,phase:1,deny,status:403,log,msg:'generic attack detected'" SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1194,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1151,phase:1,deny,status:403,log,msg:'generic attack detected'" SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1193,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1150,phase:1,deny,status:403,log,msg:'generic attack detected'" SecRule REQUEST_URI "@\{\.\*\}" "id:1195,phase:1,deny,status:403,log,msg:'generic attack detected'"

8
waf_patterns/apache/iis.conf
View File

@ -1,7 +1,7 @@
# Apache ModSecurity rules for IIS # Apache ModSecurity rules for IIS
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1346,phase:1,deny,status:403,log,msg:'iis attack detected'" SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "!@rx\ \^404\$" "id:1345,phase:1,deny,status:403,log,msg:'iis attack detected'" SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1344,phase:1,deny,status:403,log,msg:'iis attack detected'" SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1343,phase:1,deny,status:403,log,msg:'iis attack detected'" SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"

56
waf_patterns/apache/initialization.conf
View File

@ -1,31 +1,31 @@
# Apache ModSecurity rules for INITIALIZATION # Apache ModSecurity rules for INITIALIZATION
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "@eq\ 0" "id:1050,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1038,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1056,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1064,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1067,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1059,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1039,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1068,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1062,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1031,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1070,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1028,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1046,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1034,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1043,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1015,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1049,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1052,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1058,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1055,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1061,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1033,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 100" "id:1069,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1030,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1065,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1041,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1048,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "\^\.\*\$" "id:1036,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1045,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 100" "id:1040,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1051,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1014,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1054,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1060,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1020,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1066,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1057,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1037,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1063,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1044,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1029,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1047,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 0" "id:1032,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1053,phase:1,deny,status:403,log,msg:'initialization attack detected'" SecRule REQUEST_URI "@eq\ 1" "id:1035,phase:1,deny,status:403,log,msg:'initialization attack detected'"

30
waf_patterns/apache/java.conf
View File

@ -1,18 +1,18 @@
# Apache ModSecurity rules for JAVA # Apache ModSecurity rules for JAVA
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "xacxedx00x05" "id:1081,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1223,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1078,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1222,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1083,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1212,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1075,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1216,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1074,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1215,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1073,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1213,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1077,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1211,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1076,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1218,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1080,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1217,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1082,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1221,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1079,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1220,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1086,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1214,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1084,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1225,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1087,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1224,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1085,phase:1,deny,status:403,log,msg:'java attack detected'" SecRule REQUEST_URI "xacxedx00x05" "id:1219,phase:1,deny,status:403,log,msg:'java attack detected'"

6
waf_patterns/apache/leakages.conf
View File

@ -1,6 +1,6 @@
# Apache ModSecurity rules for LEAKAGES # Apache ModSecurity rules for LEAKAGES
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\^\#!s\?/" "id:1225,phase:1,deny,status:403,log,msg:'leakages attack detected'" SecRule REQUEST_URI "\^5d\{2\}\$" "id:1192,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1224,phase:1,deny,status:403,log,msg:'leakages attack detected'" SecRule REQUEST_URI "\^\#!s\?/" "id:1191,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "\^5d\{2\}\$" "id:1226,phase:1,deny,status:403,log,msg:'leakages attack detected'" SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1190,phase:1,deny,status:403,log,msg:'leakages attack detected'"

2
waf_patterns/apache/lfi.conf
View File

@ -1,4 +1,4 @@
# Apache ModSecurity rules for LFI # Apache ModSecurity rules for LFI
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1223,phase:1,deny,status:403,log,msg:'lfi attack detected'" SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1226,phase:1,deny,status:403,log,msg:'lfi attack detected'"

22
waf_patterns/apache/php.conf
View File

@ -1,14 +1,14 @@
# Apache ModSecurity rules for PHP # Apache ModSecurity rules for PHP
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1032,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1004,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1026,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1001,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1030,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1289,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1029,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1027,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1007,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm\ =" "id:1028,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "@pm\ \?>" "id:1008,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1072,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1003,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1033,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "@pm\ =" "id:1002,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1031,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1006,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1071,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1290,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm\ \?>" "id:1034,phase:1,deny,status:403,log,msg:'php attack detected'" SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1005,phase:1,deny,status:403,log,msg:'php attack detected'"

52
waf_patterns/apache/rce.conf
View File

@ -1,29 +1,29 @@
# Apache ModSecurity rules for RCE # Apache ModSecurity rules for RCE
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1022,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1263,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "s" "id:1016,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1285,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1006,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1281,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1004,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1269,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1011,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1288,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1014,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1271,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1024,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1268,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1007,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1286,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1023,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1277,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1002,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1284,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1017,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1270,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1020,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "/" "id:1272,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1018,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "/" "id:1278,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1008,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "/" "id:1275,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "/" "id:1009,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1267,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "/" "id:1015,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "!\-d" "id:1266,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "/" "id:1012,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "s" "id:1273,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1001,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "s" "id:1279,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1025,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1274,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1000,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1282,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1021,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "s" "id:1276,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1019,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1287,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1005,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1265,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "!\-d" "id:1003,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1280,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "s" "id:1010,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1264,phase:1,deny,status:403,log,msg:'rce attack detected'"
SecRule REQUEST_URI "s" "id:1013,phase:1,deny,status:403,log,msg:'rce attack detected'" SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1283,phase:1,deny,status:403,log,msg:'rce attack detected'"

6
waf_patterns/apache/rfi.conf
View File

@ -1,6 +1,6 @@
# Apache ModSecurity rules for RFI # Apache ModSecurity rules for RFI
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1235,phase:1,deny,status:403,log,msg:'rfi attack detected'" SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1062,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1233,phase:1,deny,status:403,log,msg:'rfi attack detected'" SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1061,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1234,phase:1,deny,status:403,log,msg:'rfi attack detected'" SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1063,phase:1,deny,status:403,log,msg:'rfi attack detected'"

50
waf_patterns/apache/shells.conf
View File

@ -1,28 +1,28 @@
# Apache ModSecurity rules for SHELLS # Apache ModSecurity rules for SHELLS
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1203,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1331,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1221,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1326,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1199,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1327,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1210,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1316,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1212,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1335,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1213,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1338,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1204,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1325,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1205,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1200,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1321,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1209,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1318,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1219,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1330,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1217,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1329,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1214,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1324,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1215,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1333,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1207,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1319,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1206,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1332,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1198,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1317,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1222,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1328,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1202,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1218,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1334,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1201,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1323,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1211,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1337,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1216,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1322,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1220,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1320,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1208,phase:1,deny,status:403,log,msg:'shells attack detected'" SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1336,phase:1,deny,status:403,log,msg:'shells attack detected'"

26
waf_patterns/apache/sql.conf
View File

@ -1,16 +1,16 @@
# Apache ModSecurity rules for SQL # Apache ModSecurity rules for SQL
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1237,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1199,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1238,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1207,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1243,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1204,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1247,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1209,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1246,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1210,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1236,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1208,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1244,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1198,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1240,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1201,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1242,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1200,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1239,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1206,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1245,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1203,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1248,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1202,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1241,phase:1,deny,status:403,log,msg:'sql attack detected'" SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1205,phase:1,deny,status:403,log,msg:'sql attack detected'"

72
waf_patterns/apache/sqli.conf
View File

@ -1,39 +1,39 @@
# Apache ModSecurity rules for SQLI # Apache ModSecurity rules for SQLI
SecRuleEngine On SecRuleEngine On
SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1089,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1239,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{3\}\)" "id:1122,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1234,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1112,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1245,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{8\}\)" "id:1118,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{2\}\)" "id:1262,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1090,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "@detectSQLi" "id:1227,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1111,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1240,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1088,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1243,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1104,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1236,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1092,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1246,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1116,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1232,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{2\}\)" "id:1123,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1251,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1091,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1249,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1115,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1256,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1094,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1252,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1109,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "@detectSQLi" "id:1254,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1103,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1255,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1095,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1235,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1105,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1233,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1097,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1244,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1106,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1248,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1114,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1241,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1100,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1242,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1110,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{6\}\)" "id:1258,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{6\}\)" "id:1119,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1228,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{12\}\)" "id:1108,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1237,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1101,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "W\{4\}" "id:1259,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1099,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1229,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1113,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{12\}\)" "id:1247,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1098,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{3\}\)" "id:1261,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1093,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1231,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1107,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1253,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "W\{4\}" "id:1120,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1230,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "';" "id:1121,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1238,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1096,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "';" "id:1260,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1117,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{8\}\)" "id:1257,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1102,phase:1,deny,status:403,log,msg:'sqli attack detected'" SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1250,phase:1,deny,status:403,log,msg:'sqli attack detected'"

52
waf_patterns/apache/xss.conf
View File

File diff suppressed because one or more lines are too long

888
waf_patterns/haproxy/waf.acl
View File

@ -1,65 +1,5 @@
# HAProxy WAF ACL rules # HAProxy WAF ACL rules
acl block_rce hdr_sub(User-Agent) -i $(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i b(for(/[dflr]\.*)? %+[^ ]+ in(\.*)[sv]?do|if(/i)?( not)?( (e(xist|rrorlevel)|defined|cmdextversion)b|[ (]\.*(b(g(eq|tr)|equ|neq|l(eq|ss))b|==)))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ![0-9]s*'s*[0-9]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i !-d
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^(s*)s+{
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ba["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ($((((\.*)|\.*))|{\.*})|[<>](\.*)|[!?\.+])
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i /
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i s
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^[^\.]+\.[^;?]+[;?](\.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^[^\.]*?(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ;[sv]*\.[sv]*["']?(a(rchive|uth)|b(a(ckup|il)|inary)|c(d|h(anges|eck)|lone|onnection)|d(atabases|b(config|info)|ump)|e(cho|qp|x(cel|it|p(ert|lain)))|f(ilectrl|ullschema)|he(aders|lp)|i(mpo(rt|ster)|ndexes|otrace)|l(i(mi|n)t|o(ad|g))|(mod|n(onc|ullvalu)|unmodul)e|o(nce|pen|utput)|p(arameter|r(int|o(gress|mpt)))|quit|re(ad|cover|store)|s(ave|c(anstats|hema)|e(lftest|parator|ssion)|h(a3sum|ell|ow)?|tats|ystem)|t(ables|estc(ase|trl)|ime(out|r)|race)|vfs(info|list|name)|width)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((?i:E)(HLO [--.A-Za-zx17fx212a]{1,255}|XPN \.{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:R)(CPT TO:((?i:<)\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i: ))?(?i:<)\.{1,64}(?i:>)|SETb)|VRFY \.{1,64}( <\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:@)\.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(([+/-9A-Z_a-zx17fx212a]{4})*([+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb((?i: )\.{1,255})?)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i (?is)rn\.*?b((LIST|TOP [0-9]+)( [0-9]+)?|U(SER \.+?|IDL( [0-9]+)?)|PASS \.+?|(RETR|DELE) [0-9]+?|A(POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (([+/-9A-Z_a-z]{4})*([+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i /([?*]+[a-z/]+|[a-z/]+[?*]+)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b(DATA|QUIT|HELP( \.{1,255})?)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i (?is)rn[0-9A-Z_a-z]{1,50}b (C((REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(IN [--.0-9@_a-z]{1,40} \.*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(E(LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH( CHARSET [--.0-9A-Z_a-z]{1,40})? ((KEYWORD x5c)?(A(LL|NSWERED)|BCC|D(ELETED|RAFT)|(FLAGGE|OL)D|RECENT|SEEN|UN((ANSWER|FLAGG)ED|D(ELETED|RAFT)|SEEN)|NEW)|(BODY|CC|FROM|HEADER \.{1,100}|NOT|OR \.{1,255}|T(EXT|O)) \.{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(BEFORE|ON|S(ENT((BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(MALLER [0-9]{1,20}|UBJECT \.{1,255})|U(ID [*,0-:]+?|NKEYWORD x5c(Seen|(Answer|Flagg)ed|D(eleted|raft)|Recent))))|T(ORE [*,0-:]+? [+-]?FLAGS(.SILENT)? ((x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((QUI|STA|RSE)(?i:T)|NOOP|CAPA)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i !(d|!)
http-request deny if block_rce
acl block_php hdr_sub(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(/|x5c)?php]) acl block_php hdr_sub(User-Agent) -i (<?([^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(/|x5c)?php])
http-request deny if block_php http-request deny if block_php
@ -87,171 +27,6 @@ http-request deny if block_php
acl block_php hdr_sub(User-Agent) -i @pm ?> acl block_php hdr_sub(User-Agent) -i @pm ?>
http-request deny if block_php http-request deny if block_php
acl block_initialization hdr_sub(User-Agent) -i ^\.*$
http-request deny if block_initialization
acl block_initialization hdr_sub(User-Agent) -i !(URLENCODED|MULTIPART|XML|JSON)
http-request deny if block_initialization
acl block_initialization hdr_sub(User-Agent) -i ^[a-f]*([0-9])[a-f]*([0-9])
http-request deny if block_initialization
acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b
http-request deny if block_php
acl block_php hdr_sub(User-Agent) -i <?(=|php)?s+
http-request deny if block_php
acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i xacxedx00x05
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)
http-request deny if block_java
acl block_sqli hdr_sub(User-Agent) -i @detectSQLi
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?))
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i alter[sv]*?[0-9A-Z_a-z]+\.*?char(acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](;*?[sv]*?waitfor[sv]+(time|delay)[sv]+["'`]|;\.*?:[sv]*?goto)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i union\.*?select\.*?from
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?([#;{]|/*|--)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i create[sv]+function[sv]\.+[sv]returns|;[sv]*?(alter|((cre|trunc|upd)at|renam)e|d(e(lete|sc)|rop)|(inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^([^']*'|[^"]*"|[^`]*`)[sv]*;
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i 1.e[(-),]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (^s*["'`;]+|["'`]+s*$)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(=|<=>|(sounds[sv]+)?like|glob|r(like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i @streq %{TX.2}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(like|r(like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i !@streq %{TX.2}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((and|n(and|ot)|(xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?b(x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(2[37]|3d)|^(\.?["'`]$|["'x5c`]*?(["'0-9`]+|[^"'`]+["'`])[sv]*?b(and|n(and|ot)|(xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-\.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@([0-9A-Z_a-z]+[sv]+(and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`]\.|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:^[Wd]+s*?(alter|union)b)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i b(orb([sv]?([0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|xorb[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|'[sv]+x?or[sv]+\.{1,20}[!+-<->]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i bandb([sv]+([0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?([0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i autonomous_transaction|(current_use|n?varcha|tbcreato)r|db(a_users|ms_java)|open(owa_util|query|rowset)|s(p_((addextendedpro|sqlexe)c|execute(sql)?|help|is_srvrolemember|makewebtask|oacreate|p(assword|repare)|replwritetovarbin)|ql_(longvarchar|variant))|utl_(file|http)|xp_(availablemedia|(cmdshel|servicecontro)l|dirtree|e(numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(_enumdomains)?|reg(addmultistring|delete(key|value)|enum(key|value)s|re(ad|movemultistring)|write)|terminate(_process)?)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){12})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i !^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+\.[-0-9A-Z_a-z]+$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:b0x[a-fd]{3,})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((is[sv]+not|not[sv]+(like|glob|(betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^([^']*?('[^']*?'[^']*?)*?'|[^"]*?("[^"]*?"[^"]*?)*?"|[^`]*?(`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^(and|or)$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^\.*?x5c['"`](\.*?['"`])?s*(and|or)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i W+d*?s*?bhavingbs*?[^s-]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sd]*?[^ws]W*?dW*?\.*?["'`d]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){8})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){6})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i W{4}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ';
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){3})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){2})
http-request deny if block_sqli
acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*)
http-request deny if block_attack
acl block_exceptions hdr_sub(User-Agent) -i @streq GET / acl block_exceptions hdr_sub(User-Agent) -i @streq GET /
http-request deny if block_exceptions http-request deny if block_exceptions
@ -264,188 +39,14 @@ http-request deny if block_exceptions
acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$ acl block_exceptions hdr_sub(User-Agent) -i ^(GET /|OPTIONS *) HTTP/[12]\.[01]$
http-request deny if block_exceptions http-request deny if block_exceptions
acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*) acl block_initialization hdr_sub(User-Agent) -i ^\.*$
http-request deny if block_generic http-request deny if block_initialization
acl block_generic hdr_sub(User-Agent) -i [s*constructors*] acl block_initialization hdr_sub(User-Agent) -i !(URLENCODED|MULTIPART|XML|JSON)
http-request deny if block_generic http-request deny if block_initialization
acl block_generic hdr_sub(User-Agent) -i @{\.*} acl block_initialization hdr_sub(User-Agent) -i ^[a-f]*([0-9])[a-f]*([0-9])
http-request deny if block_generic http-request deny if block_initialization
acl block_xss hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @detectXSS
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <script[^>]*>[sS]*?
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i \.(b(x(link:href|html|mlns)|data:text/html|formaction|patternb\.*?=)|!ENTITY[sv]+(%[sv]+)?[^sv]+[sv]+(SYSTEM|PUBLIC)|@import|;base64)b
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[^0-9<>A-Z_a-z]*([^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(s[^0-9A-Z_a-z]*?(c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(<[0-9A-Z_a-z]\.*[sv/]|["'](\.*[sv/])?)(background|formaction|lowsrc|on(a(bort|ctivate|d(apteradded|dtrack)|fter(print|(scriptexecu|upda)te)|lerting|n(imation(cancel|end|iteration|start)|tennastatechange)|ppcommand|u(dio(end|process|start)|xclick))|b(e(fore((((de)?activa|scriptexecu)t|toggl)e|c(opy|ut)|editfocus|input|p(aste|rint)|u(nload|pdate))|gin(Event)?)|l(ocked|ur)|oun(ce|dary)|roadcast|usy)|c(a((ch|llschang)ed|nplay(through)?|rdstatechange)|(ell|fstate)change|h(a(rging(time)?cha)?nge|ecking)|l(ick|ose)|o(m(mand(update)?|p(lete|osition(end|start|update)))|n(nect(ed|ing)|t(extmenu|rolselect))|py)|u(echange|t))|d(ata((availabl|chang)e|error|setc(hanged|omplete))|blclick|e(activate|livery(error|success)|vice(found|light|(mo|orienta)tion|proximity))|i(aling|s(abled|c(hargingtimechange|onnect(ed|ing))))|o(m(a(ctivate|ttrmodified)|(characterdata|subtree)modified|focus(in|out)|mousescroll|node(inserted(intodocument)?|removed(fromdocument)?))|wnloading)|r(ag(drop|e(n(d|ter)|xit)|(gestur|leav)e|over|start)|op)|urationchange)|e(mptied|n(abled|d(ed|Event)?|ter)|rror(update)?|xit)|f(ailed|i(lterchange|nish)|o(cus(in|out)?|rm(change|input))|ullscreenchange)|g(amepad(axismove|button(down|up)|(dis)?connected)|et)|h(ashchange|e(adphoneschange|l[dp])|olding)|i(cc(cardlockerror|infochange)|n(coming|put|valid))|key(down|press|up)|l(evelchange|o(ad(e(d(meta)?data|nd)|start)?|secapture)|y)|m(ark|essage|o(use(down|enter|(lea|mo)ve|o(ut|ver)|up|wheel)|ve(end|start)?|z(a(fterpaint|udioavailable)|(beforeresiz|orientationchang|t(apgestur|imechang))e|(edgeui(c(ancel|omplet)|start)e|network(down|up)loa)d|fullscreen(change|error)|m(agnifygesture(start|update)?|ouse(hittest|pixelscroll))|p(ointerlock(change|error)|resstapgesture)|rotategesture(start|update)?|s(crolledareachanged|wipegesture(end|start|update)?))))|no(match|update)|o((bsolet|(ff|n)lin)e|pen|verflow(changed)?)|p(a(ge(hide|show)|int|(st|us)e)|lay(ing)?|o(inter(down|enter|((lea|mo)v|rawupdat)e|o(ut|ver)|up)|p(state|up(hid(den|ing)|show(ing|n))))|ro(gress|pertychange))|r(atechange|e(adystatechange|ceived|movetrack|peat(Event)?|quest|s(et|ize|u(lt|m(e|ing)))|trieving)|ow(e(nter|xit)|s(delete|inserted)))|s(croll(end)?|e(arch|ek(complete|ed|ing)|lect(ionchange|start)?|n(ding|t)|t)|how|(ound|peech)(end|start)|t(a(lled|rt|t(echange|uschanged))|k(comma|sessione)nd|op)|u(bmit|ccess|spend)|vg(abort|error|(un)?load|resize|scroll|zoom))|t(ext|ime(out|update)|o(ggle|uch(cancel|en(d|ter)|(lea|mo)ve|start))|ransition(cancel|end|run|start))|u(n(derflow|handledrejection|load)|p(dateready|gradeneeded)|s(erproximity|sdreceived))|v(ersion|o(ic|lum)e)change|w(a(it|rn)ing|ebkit(animation(end|iteration|start)|transitionend)|heel)|zoom)|ping|s(rc|tyle))[x08-nf-r ]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<style\.*?>\.*?(@[ix5c]|([:=]|&#x?0*(58|3A|61|3D);?)\.*?([(x5c]|&#x?0*(40|28|92|5C);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<\.*[:]?vmlframe\.*?[s/+]*?src[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <EMBED[s/+]\.*?(src|type)\.*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[?]?import[s/+S]*?implementation[s/+]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?http-equiv[s/+]*=[s/+]*["'`]?((c|&#x?0*(67|43|99|63);?)|(r|&#x?0*(82|52|114|72);?)|(s|&#x?0*(83|53|115|73);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?charset[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <LINK[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <BASE[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <APPLET[s/+>]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <OBJECT[s/+]\.*?(type|codetype|classid|code|data)[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i xbc[^xbe>]*[xbe>]|<[^xbe]*xbe
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (xbcs*/s*[^xbe>]*[xbe>])|(<s*/s*[^xbe]*xbe)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (([[^]]*][^\.]*\.)|Reflect[^\.]*\.)\.*(map|sort|apply)[^\.]*\.\.*call[^`]*`\.*`
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i [s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i b(s(tyle|rc)|href)b[sS]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @contains -->
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:["'][ ]*([^a-z0-9~_:' ]|in)\.*?((l|x5cu006C)(o|x5cu006F)(c|x5cu0063)(a|x5cu0061)(t|x5cu0074)(i|x5cu0069)(o|x5cu006F)(n|x5cu006E)|(n|x5cu006E)(a|x5cu0061)(m|x5cu006D)(e|x5cu0065)|(o|x5cu006F)(n|x5cu006E)(e|x5cu0065)(r|x5cu0072)(r|x5cu0072)(o|x5cu006F)(r|x5cu0072)|(v|x5cu0076)(a|x5cu0061)(l|x5cu006C)(u|x5cu0075)(e|x5cu0065)(O|x5cu004F)(f|x5cu0066))\.*?=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i ["'][ ]*([^a-z0-9~_:' ]|in)\.+?[\.]\.+?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i {{\.*?}}
http-request deny if block_xss
acl block_shells hdr_sub(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>\.*? - WSO [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i B4TM4N SH3LL</title>\.*<meta name='author' content='k4mpr3t'/>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Mini Shell</title>\.*Developed By LameHacker
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>\.:: \.* ~ Ashiyane V [0-9\.]+ ::\.</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Symlink_Sa [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>CasuS [0-9\.]+ by MafiABoY</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<title>GRP WebShell [0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <small>NGHshell [0-9\.]+ by Cr4sh</body></html>n$
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>SimAttacker - (Version|Vrsion) : [0-9\.]+ -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<!DOCTYPE html>n<html>n<!-- By Artyum \.*<title>Web Shell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>lama's'hell v\. [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<title>Ru24PostWebShell -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>s72 Shell v[0-9\.]+ Codinf by Cr@zy_King</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html>nn<head>nn<title>g00nshell v[0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <title>punkholicshell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n <head>n <title>azrail [0-9\.]+ by C-W-M</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<title>\.*? ~ Shell I</title>n<head>n<style>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html><head><title>:: b374k m1n1 [0-9\.]+ ::</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <h1 style="margin-bottom: 0">webadmin.php</h1>
http-request deny if block_shells
acl block_lfi hdr_sub(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|$))
http-request deny if block_lfi
acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^#!s?/
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$
http-request deny if block_leakages
acl block_fixation hdr_sub(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb)
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i ^(ht|f)tps?://(\.*?)/
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i !@endsWith %{request_headers.host}
http-request deny if block_fixation
acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3}) acl block_rfi hdr_sub(User-Agent) -i ^(?i:file|ftps?|https?)://(d{1,3}.d{1,3}.d{1,3}.d{1,3})
http-request deny if block_rfi http-request deny if block_rfi
@ -453,45 +54,6 @@ http-request deny if block_rfi
acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host} acl block_rfi hdr_sub(User-Agent) -i !@endsWith \.%{request_headers.host}
http-request deny if block_rfi http-request deny if block_rfi
acl block_sql hdr_sub(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle\.*Driver|Warning\.*oci_\.*|Warning\.*ora_\.*)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i Dynamic SQL Error
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i Exception (condition )?d+\. Transaction rollback\.
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i org.hsqldb.jdbc
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception\.*Informix)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:Warning\.*ingres_|Ingres SQLSTATE|IngresW\.*Driver)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:SQL error\.*POS[0-9]+\.*|Warning\.*maxdb\.*)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function \.* expects parameter|Unclosed quotation mark before the character string|Syntax error \.* in query expression|Data type mismatch in criteria expression\.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB\.*SQL Server|Warning\.*mssql_\.*|Driver\.*SQL[ _-]*Server|SQL Server\.*Driver|SQL Server\.*[0-9a-fA-F]{8}|Exception\.*WSystem.Data.SqlClient\.|Conversion failed when converting the varchar value \.*? to data type int\.)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (Warning\.*sqlite_\.*|Warning\.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (Sybase message:|Warning\.{2,20}sybase|Sybase\.*Server message\.*)
http-request deny if block_sql
acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d acl block_attack hdr_sub(User-Agent) -i (get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d
http-request deny if block_attack http-request deny if block_attack
@ -663,6 +225,369 @@ http-request deny if block_enforcement
acl block_enforcement hdr_sub(User-Agent) -i (^|[^x5c])x5c[cdeghijklmpqwxyz123456789] acl block_enforcement hdr_sub(User-Agent) -i (^|[^x5c])x5c[cdeghijklmpqwxyz123456789]
http-request deny if block_enforcement http-request deny if block_enforcement
acl block_fixation hdr_sub(User-Agent) -i (?i:.cookieb\.*?;W*?(expires|domain)W*?=|bhttp-equivW+set-cookieb)
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i ^(ht|f)tps?://(\.*?)/
http-request deny if block_fixation
acl block_fixation hdr_sub(User-Agent) -i !@endsWith %{request_headers.host}
http-request deny if block_fixation
acl block_xss hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @detectXSS
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <script[^>]*>[sS]*?
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i \.(b(x(link:href|html|mlns)|data:text/html|formaction|patternb\.*?=)|!ENTITY[sv]+(%[sv]+)?[^sv]+[sv]+(SYSTEM|PUBLIC)|@import|;base64)b
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[^0-9<>A-Z_a-z]*([^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(s[^0-9A-Z_a-z]*?(c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(<[0-9A-Z_a-z]\.*[sv/]|["'](\.*[sv/])?)(background|formaction|lowsrc|on(a(bort|ctivate|d(apteradded|dtrack)|fter(print|(scriptexecu|upda)te)|lerting|n(imation(cancel|end|iteration|start)|tennastatechange)|ppcommand|u(dio(end|process|start)|xclick))|b(e(fore((((de)?activa|scriptexecu)t|toggl)e|c(opy|ut)|editfocus|input|p(aste|rint)|u(nload|pdate))|gin(Event)?)|l(ocked|ur)|oun(ce|dary)|roadcast|usy)|c(a((ch|llschang)ed|nplay(through)?|rdstatechange)|(ell|fstate)change|h(a(rging(time)?cha)?nge|ecking)|l(ick|ose)|o(m(mand(update)?|p(lete|osition(end|start|update)))|n(nect(ed|ing)|t(extmenu|rolselect))|py)|u(echange|t))|d(ata((availabl|chang)e|error|setc(hanged|omplete))|blclick|e(activate|livery(error|success)|vice(found|light|(mo|orienta)tion|proximity))|i(aling|s(abled|c(hargingtimechange|onnect(ed|ing))))|o(m(a(ctivate|ttrmodified)|(characterdata|subtree)modified|focus(in|out)|mousescroll|node(inserted(intodocument)?|removed(fromdocument)?))|wnloading)|r(ag(drop|e(n(d|ter)|xit)|(gestur|leav)e|over|start)|op)|urationchange)|e(mptied|n(abled|d(ed|Event)?|ter)|rror(update)?|xit)|f(ailed|i(lterchange|nish)|o(cus(in|out)?|rm(change|input))|ullscreenchange)|g(amepad(axismove|button(down|up)|(dis)?connected)|et)|h(ashchange|e(adphoneschange|l[dp])|olding)|i(cc(cardlockerror|infochange)|n(coming|put|valid))|key(down|press|up)|l(evelchange|o(ad(e(d(meta)?data|nd)|start)?|secapture)|y)|m(ark|essage|o(use(down|enter|(lea|mo)ve|o(ut|ver)|up|wheel)|ve(end|start)?|z(a(fterpaint|udioavailable)|(beforeresiz|orientationchang|t(apgestur|imechang))e|(edgeui(c(ancel|omplet)|start)e|network(down|up)loa)d|fullscreen(change|error)|m(agnifygesture(start|update)?|ouse(hittest|pixelscroll))|p(ointerlock(change|error)|resstapgesture)|rotategesture(start|update)?|s(crolledareachanged|wipegesture(end|start|update)?))))|no(match|update)|o((bsolet|(ff|n)lin)e|pen|verflow(changed)?)|p(a(ge(hide|show)|int|(st|us)e)|lay(ing)?|o(inter(down|enter|((lea|mo)v|rawupdat)e|o(ut|ver)|up)|p(state|up(hid(den|ing)|show(ing|n))))|ro(gress|pertychange))|r(atechange|e(adystatechange|ceived|movetrack|peat(Event)?|quest|s(et|ize|u(lt|m(e|ing)))|trieving)|ow(e(nter|xit)|s(delete|inserted)))|s(croll(end)?|e(arch|ek(complete|ed|ing)|lect(ionchange|start)?|n(ding|t)|t)|how|(ound|peech)(end|start)|t(a(lled|rt|t(echange|uschanged))|k(comma|sessione)nd|op)|u(bmit|ccess|spend)|vg(abort|error|(un)?load|resize|scroll|zoom))|t(ext|ime(out|update)|o(ggle|uch(cancel|en(d|ter)|(lea|mo)ve|start))|ransition(cancel|end|run|start))|u(n(derflow|handledrejection|load)|p(dateready|gradeneeded)|s(erproximity|sdreceived))|v(ersion|o(ic|lum)e)change|w(a(it|rn)ing|ebkit(animation(end|iteration|start)|transitionend)|heel)|zoom)|ping|s(rc|tyle))[x08-nf-r ]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<style\.*?>\.*?(@[ix5c]|([:=]|&#x?0*(58|3A|61|3D);?)\.*?([(x5c]|&#x?0*(40|28|92|5C);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<\.*[:]?vmlframe\.*?[s/+]*?src[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <EMBED[s/+]\.*?(src|type)\.*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <[?]?import[s/+S]*?implementation[s/+]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?http-equiv[s/+]*=[s/+]*["'`]?((c|&#x?0*(67|43|99|63);?)|(r|&#x?0*(82|52|114|72);?)|(s|&#x?0*(83|53|115|73);?)))
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:<META[s/+]\.*?charset[s/+]*=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <LINK[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <BASE[s/+]\.*?href[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <APPLET[s/+>]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <OBJECT[s/+]\.*?(type|codetype|classid|code|data)[s/+]*=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i xbc[^xbe>]*[xbe>]|<[^xbe]*xbe
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (xbcs*/s*[^xbe>]*[xbe>])|(<s*/s*[^xbe]*xbe)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (([[^]]*][^\.]*\.)|Reflect[^\.]*\.)\.*(map|sort|apply)[^\.]*\.\.*call[^`]*`\.*`
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i [s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i b(s(tyle|rc)|href)b[sS]*?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i @contains -->
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i <(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i (?i:["'][ ]*([^a-z0-9~_:' ]|in)\.*?((l|x5cu006C)(o|x5cu006F)(c|x5cu0063)(a|x5cu0061)(t|x5cu0074)(i|x5cu0069)(o|x5cu006F)(n|x5cu006E)|(n|x5cu006E)(a|x5cu0061)(m|x5cu006D)(e|x5cu0065)|(o|x5cu006F)(n|x5cu006E)(e|x5cu0065)(r|x5cu0072)(r|x5cu0072)(o|x5cu006F)(r|x5cu0072)|(v|x5cu0076)(a|x5cu0061)(l|x5cu006C)(u|x5cu0075)(e|x5cu0065)(O|x5cu004F)(f|x5cu0066))\.*?=)
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i ["'][ ]*([^a-z0-9~_:' ]|in)\.+?[\.]\.+?=
http-request deny if block_xss
acl block_xss hdr_sub(User-Agent) -i {{\.*?}}
http-request deny if block_xss
acl block_leakages hdr_sub(User-Agent) -i (<(TITLE>Index of\.*?<H|title>Index of\.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^#!s?/
http-request deny if block_leakages
acl block_leakages hdr_sub(User-Agent) -i ^5d{2}$
http-request deny if block_leakages
acl block_generic hdr_sub(User-Agent) -i while[sv]*([sv(]*(!+(false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(!!)*((t(rue|his)|[+-]?(Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(Boolea|Functio)n|Object|Array)b|{\.*}|[\.*]|"[^"]+"|'[^']+'|`[^`]+`))\.*)
http-request deny if block_generic
acl block_generic hdr_sub(User-Agent) -i [s*constructors*]
http-request deny if block_generic
acl block_generic hdr_sub(User-Agent) -i @{\.*}
http-request deny if block_generic
acl block_attack hdr_sub(User-Agent) -i ^content-types*:s*(\.*)$
http-request deny if block_attack
acl block_attack hdr_sub(User-Agent) -i content-transfer-encoding:(\.*)
http-request deny if block_attack
acl block_sql hdr_sub(User-Agent) -i (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle\.*Driver|Warning\.*oci_\.*|Warning\.*ora_\.*)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i Dynamic SQL Error
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i Exception (condition )?d+\. Transaction rollback\.
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i org.hsqldb.jdbc
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception\.*Informix)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:Warning\.*ingres_|Ingres SQLSTATE|IngresW\.*Driver)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (?i:SQL error\.*POS[0-9]+\.*|Warning\.*maxdb\.*)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function \.* expects parameter|Unclosed quotation mark before the character string|Syntax error \.* in query expression|Data type mismatch in criteria expression\.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB\.*SQL Server|Warning\.*mssql_\.*|Driver\.*SQL[ _-]*Server|SQL Server\.*Driver|SQL Server\.*[0-9a-fA-F]{8}|Exception\.*WSystem.Data.SqlClient\.|Conversion failed when converting the varchar value \.*? to data type int\.)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (Warning\.*sqlite_\.*|Warning\.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)
http-request deny if block_sql
acl block_sql hdr_sub(User-Agent) -i (Sybase message:|Warning\.{2,20}sybase|Sybase\.*Server message\.*)
http-request deny if block_sql
acl block_java hdr_sub(User-Agent) -i java.lang\.(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (unmarshaller|base64data|java\.)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i \.*\.(jsp|jspx)\.*$
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]{0,15}($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)([^}]*($|\$?)({|&l(brace|cub);?)|jndi|ctx)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i xacxedx00x05
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (rO0ABQ|KztAAU|Cs7QAF)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i javab\.+(runtime|processbuilder)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i (cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)
http-request deny if block_java
acl block_java hdr_sub(User-Agent) -i ($|\$?)({|&l(brace|cub);?)
http-request deny if block_java
acl block_lfi hdr_sub(User-Agent) -i ((^|[x5c/;])\.{2,3}[x5c/;]|[x5c/;]\.{2,3}([x5c/;]|$))
http-request deny if block_lfi
acl block_sqli hdr_sub(User-Agent) -i @detectSQLi
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:sleep(s*?d*?s*?)|benchmark(\.*?,\.*?))
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i alter[sv]*?[0-9A-Z_a-z]+\.*?char(acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](;*?[sv]*?waitfor[sv]+(time|delay)[sv]+["'`]|;\.*?:[sv]*?goto)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i union\.*?select\.*?from
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?([#;{]|/*|--)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i create[sv]+function[sv]\.+[sv]returns|;[sv]*?(alter|((cre|trunc|upd)at|renam)e|d(e(lete|sc)|rop)|(inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^([^']*'|[^"]*"|[^`]*`)[sv]*;
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i 1.e[(-),]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (^s*["'`;]+|["'`]+s*$)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(=|<=>|(sounds[sv]+)?like|glob|r(like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i @streq %{TX.2}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i [sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(like|r(like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i !@streq %{TX.2}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((and|n(and|ot)|(xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?b(x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(2[37]|3d)|^(\.?["'`]$|["'x5c`]*?(["'0-9`]+|[^"'`]+["'`])[sv]*?b(and|n(and|ot)|(xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-\.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@([0-9A-Z_a-z]+[sv]+(and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`]\.|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:^[Wd]+s*?(alter|union)b)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i b(orb([sv]?([0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|xorb[sv]+([0-9]{1,10}|'[^=]{1,10}')([sv]*?[<->])?)|'[sv]+x?or[sv]+\.{1,20}[!+-<->]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i bandb([sv]+([0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?([0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i autonomous_transaction|(current_use|n?varcha|tbcreato)r|db(a_users|ms_java)|open(owa_util|query|rowset)|s(p_((addextendedpro|sqlexe)c|execute(sql)?|help|is_srvrolemember|makewebtask|oacreate|p(assword|repare)|replwritetovarbin)|ql_(longvarchar|variant))|utl_(file|http)|xp_(availablemedia|(cmdshel|servicecontro)l|dirtree|e(numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(_enumdomains)?|reg(addmultistring|delete(key|value)|enum(key|value)s|re(ad|movemultistring)|write)|terminate(_process)?)
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){12})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i !^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+\.[-0-9A-Z_a-z]+$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (?i:b0x[a-fd]{3,})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sv]*?((is[sv]+not|not[sv]+(like|glob|(betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^([^']*?('[^']*?'[^']*?)*?'|[^"]*?("[^"]*?"[^"]*?)*?"|[^`]*?(`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^(and|or)$
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ^\.*?x5c['"`](\.*?['"`])?s*(and|or)b
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i W+d*?s*?bhavingbs*?[^s-]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ["'`][sd]*?[^ws]W*?dW*?\.*?["'`d]
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){8})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){6})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i W{4}
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i ';
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){3})
http-request deny if block_sqli
acl block_sqli hdr_sub(User-Agent) -i (([~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){2})
http-request deny if block_sqli
acl block_rce hdr_sub(User-Agent) -i $(((\.*|(\.*)))|{\.*})|[<>](\.*)|/[0-9A-Z_a-z]*[!?\.+]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i b(for(/[dflr]\.*)? %+[^ ]+ in(\.*)[sv]?do|if(/i)?( not)?( (e(xist|rrorlevel)|defined|cmdextversion)b|[ (]\.*(b(g(eq|tr)|equ|neq|l(eq|ss))b|==)))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ![0-9]s*'s*[0-9]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i !-d
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^(s*)s+{
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ba["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a["')[-x5c]*(((|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-"%',0-9@-Z_a-z]+=[^sv]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ($((((\.*)|\.*))|{\.*})|[<>](\.*)|[!?\.+])
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i /
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i s
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^[^\.]+\.[^;?]+[;?](\.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ^[^\.]*?(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i ;[sv]*\.[sv]*["']?(a(rchive|uth)|b(a(ckup|il)|inary)|c(d|h(anges|eck)|lone|onnection)|d(atabases|b(config|info)|ump)|e(cho|qp|x(cel|it|p(ert|lain)))|f(ilectrl|ullschema)|he(aders|lp)|i(mpo(rt|ster)|ndexes|otrace)|l(i(mi|n)t|o(ad|g))|(mod|n(onc|ullvalu)|unmodul)e|o(nce|pen|utput)|p(arameter|r(int|o(gress|mpt)))|quit|re(ad|cover|store)|s(ave|c(anstats|hema)|e(lftest|parator|ssion)|h(a3sum|ell|ow)?|tats|ystem)|t(ables|estc(ase|trl)|ime(out|r)|race)|vfs(info|list|name)|width)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((?i:E)(HLO [--.A-Za-zx17fx212a]{1,255}|XPN \.{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:R)(CPT TO:((?i:<)\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i: ))?(?i:<)\.{1,64}(?i:>)|SETb)|VRFY \.{1,64}( <\.{1,64}(?i:@)\.{1,255}(?i:>)|(?i:@)\.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(([+/-9A-Z_a-zx17fx212a]{4})*([+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb((?i: )\.{1,255})?)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i (?is)rn\.*?b((LIST|TOP [0-9]+)( [0-9]+)?|U(SER \.+?|IDL( [0-9]+)?)|PASS \.+?|(RETR|DELE) [0-9]+?|A(POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (([+/-9A-Z_a-z]{4})*([+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i /([?*]+[a-z/]+|[a-z/]+[?*]+)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b(DATA|QUIT|HELP( \.{1,255})?)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i (?is)rn[0-9A-Z_a-z]{1,50}b (C((REATE|OPY [*,0-:]+) ["-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE ["-#%-&*--.0-9A-Zx5c_a-z]+|EX(AMINE ["-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(IST ["-#*--9A-Zx5c_a-z~]+? ["-#%-&*--9A-Zx5c_a-z]+|OG(IN [--.0-9@_a-z]{1,40} \.*?|OUT))|RENAME ["-#%-&*--9A-Zx5c_a-z]+? ["-#%-&*--9A-Zx5c_a-z]+|S(E(LECT ["-#%-&*--9A-Zx5c_a-z]+|ARCH( CHARSET [--.0-9A-Z_a-z]{1,40})? ((KEYWORD x5c)?(A(LL|NSWERED)|BCC|D(ELETED|RAFT)|(FLAGGE|OL)D|RECENT|SEEN|UN((ANSWER|FLAGG)ED|D(ELETED|RAFT)|SEEN)|NEW)|(BODY|CC|FROM|HEADER \.{1,100}|NOT|OR \.{1,255}|T(EXT|O)) \.{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(BEFORE|ON|S(ENT((BEFOR|SINC)E|ON)|INCE)) "?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}"?|S(MALLER [0-9]{1,20}|UBJECT \.{1,255})|U(ID [*,0-:]+?|NKEYWORD x5c(Seen|(Answer|Flagg)ed|D(eleted|raft)|Recent))))|T(ORE [*,0-:]+? [+-]?FLAGS(.SILENT)? ((x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+)|UN(SUBSCRIBE ["-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i rn(?s:\.)*?b((QUI|STA|RSE)(?i:T)|NOOP|CAPA)
http-request deny if block_rce
acl block_rce hdr_sub(User-Agent) -i !(d|!)
http-request deny if block_rce
acl block_php hdr_sub(User-Agent) -i (b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open|call_user_func)|$_((pos|ge)t|session))b
http-request deny if block_php
acl block_php hdr_sub(User-Agent) -i <?(=|php)?s+
http-request deny if block_php
acl block_iis hdr_sub(User-Agent) -i [a-z]:x5cinetpubb acl block_iis hdr_sub(User-Agent) -i [a-z]:x5cinetpubb
http-request deny if block_iis http-request deny if block_iis
@ -675,3 +600,78 @@ http-request deny if block_iis
acl block_iis hdr_sub(User-Agent) -i bServer Error in\.{0,50}?bApplicationb acl block_iis hdr_sub(User-Agent) -i bServer Error in\.{0,50}?bApplicationb
http-request deny if block_iis http-request deny if block_iis
acl block_shells hdr_sub(User-Agent) -i (<title>r57 Shell Version [0-9\.]+</title>|<title>r57 shell</title>)
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>\.*? - WSO [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i B4TM4N SH3LL</title>\.*<meta name='author' content='k4mpr3t'/>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Mini Shell</title>\.*Developed By LameHacker
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>\.:: \.* ~ Ashiyane V [0-9\.]+ ::\.</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>Symlink_Sa [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>CasuS [0-9\.]+ by MafiABoY</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<title>GRP WebShell [0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <small>NGHshell [0-9\.]+ by Cr4sh</body></html>n$
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>SimAttacker - (Version|Vrsion) : [0-9\.]+ -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<!DOCTYPE html>n<html>n<!-- By Artyum \.*<title>Web Shell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>lama's'hell v\. [0-9\.]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<head>n<title>Ru24PostWebShell -
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i <title>s72 Shell v[0-9\.]+ Codinf by Cr@zy_King</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html>nn<head>nn<title>g00nshell v[0-9\.]+
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <title>punkholicshell</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n <head>n <title>azrail [0-9\.]+ by C-W-M</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^<html>n<title>\.*? ~ Shell I</title>n<head>n<style>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i ^ <html><head><title>:: b374k m1n1 [0-9\.]+ ::</title>
http-request deny if block_shells
acl block_shells hdr_sub(User-Agent) -i @contains <h1 style="margin-bottom: 0">webadmin.php</h1>
http-request deny if block_shells

64
waf_patterns/nginx/attack.conf
View File

@ -2,19 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "TX:paramcounter_(.*)") { if ($request_uri ~* "content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* ".") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,27 +10,19 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") { if ($request_uri ~* "@gt 0") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") { if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "^content-types*:s*(.*)$") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -50,11 +30,31 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "unix:[^|]*|") { if ($request_uri ~* "^content-types*:s*(.*)$") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") { if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* ".") {
set $attack_detected 1;
}
if ($request_uri ~* "TX:paramcounter_(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "unix:[^|]*|") {
set $attack_detected 1; set $attack_detected 1;
} }

12
waf_patterns/nginx/correlation.conf
View File

@ -2,11 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@eq 0") { if ($request_uri ~* "@ge 5") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -18,7 +14,11 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@ge 5") { if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1; set $attack_detected 1;
} }

376
waf_patterns/nginx/enforcement.conf
View File

@ -2,211 +2,27 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "charsets*=s*[\"']?([^;\"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* ".[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "['\";=]") {
set $attack_detected 1;
}
if ($request_uri ~* "^$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") { if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* "x25") {
set $attack_detected 1;
}
if ($request_uri ~* "%u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* ".([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "%[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") { if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@eq 1") { if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(d+)-(d+)") { if ($request_uri ~* ".([^.]+)$") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") { if ($request_uri ~* "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") { if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -214,14 +30,198 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "['\";=]") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 1-255") { if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "%u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "%[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") { if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "(d+)-(d+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* ".[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "^$") {
set $attack_detected 1;
}
if ($request_uri ~* "charsets*=s*[\"']?([^;\"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

32
waf_patterns/nginx/evaluation.conf
View File

@ -2,6 +2,18 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") { if ($request_uri ~* "@ge 3") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,26 +22,14 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") { if ($request_uri ~* "@ge 4") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

16
waf_patterns/nginx/exceptions.conf
View File

@ -2,22 +2,22 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@endsWith (internal dummy connection)") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:GET /|OPTIONS *) HTTP/[12].[01]$") { if ($request_uri ~* "^(?:GET /|OPTIONS *) HTTP/[12].[01]$") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq GET /") { if ($request_uri ~* "@streq GET /") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith (internal dummy connection)") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

10
waf_patterns/nginx/fixation.conf
View File

@ -2,7 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@eq 0") { if ($request_uri ~* "^(?:ht|f)tps?://(.*?)/") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,10 +10,6 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^(?:ht|f)tps?://(.*?)/") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") { if ($request_uri ~* "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,6 +18,10 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

4
waf_patterns/nginx/generic.conf
View File

@ -2,7 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)") { if ($request_uri ~* "[s*constructors*]") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,7 +10,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "[s*constructors*]") { if ($request_uri ~* "while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)") {
set $attack_detected 1; set $attack_detected 1;
} }

4
waf_patterns/nginx/iis.conf
View File

@ -6,7 +6,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "[a-z]:x5cinetpubb") { if ($request_uri ~* "bServer Error in.{0,50}?bApplicationb") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -14,7 +14,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "bServer Error in.{0,50}?bApplicationb") { if ($request_uri ~* "[a-z]:x5cinetpubb") {
set $attack_detected 1; set $attack_detected 1;
} }

8
waf_patterns/nginx/initialization.conf
View File

@ -2,7 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "@eq 0") { if ($request_uri ~* "^.*$") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,11 +10,11 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@eq 1") { if ($request_uri ~* "@eq 100") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@eq 100") { if ($request_uri ~* "@eq 1") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,7 +22,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^.*$") { if ($request_uri ~* "@eq 0") {
set $attack_detected 1; set $attack_detected 1;
} }

56
waf_patterns/nginx/java.conf
View File

@ -2,31 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") { if ($request_uri ~* "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "java.lang.(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:runtime|processbuilder)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -34,11 +10,23 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") { if ($request_uri ~* "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:rO0ABQ|KztAAU|Cs7QAF)") { if ($request_uri ~* "(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -46,7 +34,15 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") { if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:rO0ABQ|KztAAU|Cs7QAF)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -54,6 +50,10 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "java.lang.(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

4
waf_patterns/nginx/leakages.conf
View File

@ -2,11 +2,11 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "^5d{2}$") { if ($request_uri ~* "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") { if ($request_uri ~* "^5d{2}$") {
set $attack_detected 1; set $attack_detected 1;
} }

24
waf_patterns/nginx/php.conf
View File

@ -10,11 +10,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") { if ($request_uri ~* "@pm =") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,7 +18,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@pm =") { if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -30,11 +26,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") { if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
set $attack_detected 1;
}
if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -42,7 +34,15 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") { if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
set $attack_detected 1;
}
if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
set $attack_detected 1; set $attack_detected 1;
} }

122
waf_patterns/nginx/rce.conf
View File

@ -2,75 +2,15 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "!(?:d|!)") {
set $attack_detected 1;
}
if ($request_uri ~* "ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]") {
set $attack_detected 1;
}
if ($request_uri ~* "^(s*)s+{") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))") {
set $attack_detected 1;
}
if ($request_uri ~* ";[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)") {
set $attack_detected 1;
}
if ($request_uri ~* "/") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])") {
set $attack_detected 1;
}
if ($request_uri ~* "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))") {
set $attack_detected 1;
}
if ($request_uri ~* "!-d") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])") {
set $attack_detected 1;
}
if ($request_uri ~* "$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]") { if ($request_uri ~* "$(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx [0-9]s*'s*[0-9]") {
set $attack_detected 1;
}
if ($request_uri ~* "s") {
set $attack_detected 1;
}
if ($request_uri ~* "/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)") { if ($request_uri ~* "/(?:[?*]+[a-z/]+|[a-z/]+[?*]+)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)") { if ($request_uri ~* "!@rx [0-9]s*'s*[0-9]") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -78,10 +18,70 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "s") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))") { if ($request_uri ~* "^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "!-d") {
set $attack_detected 1;
}
if ($request_uri ~* "(?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))") {
set $attack_detected 1;
}
if ($request_uri ~* "/") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)") {
set $attack_detected 1;
}
if ($request_uri ~* ";[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)") {
set $attack_detected 1;
}
if ($request_uri ~* "ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])") {
set $attack_detected 1;
}
if ($request_uri ~* "^(s*)s+{") {
set $attack_detected 1;
}
if ($request_uri ~* "b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)") {
set $attack_detected 1;
}
if ($request_uri ~* "!(?:d|!)") {
set $attack_detected 1;
}
if ($request_uri ~* "rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

4
waf_patterns/nginx/rfi.conf
View File

@ -2,11 +2,11 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") { if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "!@endsWith .%{request_headers.host}") { if ($request_uri ~* "^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
set $attack_detected 1; set $attack_detected 1;
} }

136
waf_patterns/nginx/shells.conf
View File

@ -2,11 +2,31 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") { if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") { if ($request_uri ~* "^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -14,7 +34,15 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@contains <title>punkholicshell</title>") { if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,6 +50,42 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <title>punkholicshell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") { if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -30,43 +94,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") { if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">") {
set $attack_detected 1;
}
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -74,34 +102,6 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($attack_detected = 1) { if ($attack_detected = 1) {
return 403; return 403;
} }

48
waf_patterns/nginx/sql.conf
View File

@ -2,7 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") { if ($request_uri ~* "(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,7 +10,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") { if ($request_uri ~* "(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -18,31 +18,11 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)org.hsqldb.jdbc") { if ($request_uri ~* "(?i)org.hsqldb.jdbc") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)Dynamic SQL Error") { if ($request_uri ~* "(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -50,7 +30,27 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") { if ($request_uri ~* "(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)Dynamic SQL Error") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1; set $attack_detected 1;
} }

144
waf_patterns/nginx/sqli.conf
View File

@ -2,7 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "(?i)W+d*?s*?bhavingbs*?[^s-]") { if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -10,63 +10,11 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "!@streq %{TX.2}") { if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i:^[Wd]+s*?(?:alter|union)b)") { if ($request_uri ~* "(?i)W+d*?s*?bhavingbs*?[^s-]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){2})") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)1.e[(-),]") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectSQLi") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;") {
set $attack_detected 1;
}
if ($request_uri ~* "[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]") {
set $attack_detected 1;
}
if ($request_uri ~* "';") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){8})") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -74,19 +22,47 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@streq %{TX.2}") { if ($request_uri ~* "(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b") { if ($request_uri ~* "(?i:^[Wd]+s*?(?:alter|union)b)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") { if ($request_uri ~* "@detectSQLi") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){3})") { if ($request_uri ~* "';") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){12})") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -94,15 +70,23 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i:b0x[a-fd]{3,})") { if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){2})") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+") { if ($request_uri ~* "@streq %{TX.2}") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){6})") { if ($request_uri ~* "(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)1.e[(-),]") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -110,7 +94,11 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") { if ($request_uri ~* "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){6})") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -118,6 +106,26 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){3})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
set $attack_detected 1;
}
if ($request_uri ~* "[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){8})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") { if ($request_uri ~* "(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -130,15 +138,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") { if ($request_uri ~* "(?i:b0x[a-fd]{3,})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){12})") {
set $attack_detected 1; set $attack_detected 1;
} }

112
waf_patterns/nginx/xss.conf
View File

@ -2,19 +2,7 @@
location / { location / {
set $attack_detected 0; set $attack_detected 0;
if ($request_uri ~* "{{.*?}}") { if ($request_uri ~* "(?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -22,11 +10,23 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") { if ($request_uri ~* "@contains -->") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") { if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -34,7 +34,43 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") { if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "{{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -46,11 +82,7 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") { if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
set $attack_detected 1; set $attack_detected 1;
} }
@ -58,47 +90,15 @@ location / {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") { if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") { if ($request_uri ~* "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122") {
set $attack_detected 1; set $attack_detected 1;
} }
if ($request_uri ~* "@contains -->") { if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1; set $attack_detected 1;
} }

952
waf_patterns/traefik/middleware.toml
View File

File diff suppressed because one or more lines are too long