diff --git a/badbots.py b/badbots.py
index e9aef66..6d83727 100644
--- a/badbots.py
+++ b/badbots.py
@@ -24,10 +24,7 @@ OUTPUT_DIRS = {
BOT_LIST_SOURCES = [
"https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list",
"https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt",
- "https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt",
- "https://raw.githubusercontent.com/Stevie-Ray/referrer-spam-blocker/master/src/hosts.txt",
- "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/bad-user-agents.txt"
-]
+ "https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt"]
RATE_LIMIT_DELAY = 600
RETRY_DELAY = 5
@@ -205,4 +202,4 @@ if __name__ == "__main__":
generate_traefik_conf(bots)
generate_haproxy_conf(bots)
- logging.info("[✔] Bot blocking configurations generated for all platforms.")
+ logging.info("[✔] Bot blocking configurations generated for all platforms.")
\ No newline at end of file
diff --git a/import_apache_waf.py b/import_apache_waf.py
index d9ebd74..83d9310 100644
--- a/import_apache_waf.py
+++ b/import_apache_waf.py
@@ -2,6 +2,7 @@ import os
import subprocess
import logging
from pathlib import Path
+import shutil
# Configure logging
logging.basicConfig(
@@ -11,15 +12,18 @@ logging.basicConfig(
)
# Constants (configurable via environment variables)
-WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/apache")) # Source directory for WAF files
-APACHE_WAF_DIR = Path(os.getenv("APACHE_WAF_DIR", "/etc/modsecurity.d/")) # Target directory
-APACHE_CONF = Path(os.getenv("APACHE_CONF", "/etc/apache2/apache2.conf")) # Apache config file
+WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/apache")).resolve() # Source directory for WAF files
+APACHE_WAF_DIR = Path(os.getenv("APACHE_WAF_DIR", "/etc/modsecurity.d/")).resolve() # Target directory
+APACHE_CONF = Path(os.getenv("APACHE_CONF", "/etc/apache2/apache2.conf")).resolve() # Apache config file
INCLUDE_STATEMENT = "IncludeOptional /etc/modsecurity.d/*.conf" # Include directive
def copy_waf_files():
"""
Copy Apache WAF configuration files to the target directory.
+
+ Raises:
+ Exception: If there is an error copying files.
"""
logging.info("Copying Apache WAF patterns...")
@@ -50,6 +54,9 @@ def copy_waf_files():
def update_apache_conf():
"""
Ensure the WAF include statement is present in the Apache configuration file.
+
+ Raises:
+ Exception: If there is an error updating the Apache configuration.
"""
logging.info("Ensuring WAF patterns are included in apache2.conf...")
@@ -74,6 +81,9 @@ def update_apache_conf():
def reload_apache():
"""
Reload Apache to apply the new WAF rules.
+
+ Raises:
+ Exception: If there is an error reloading Apache.
"""
logging.info("Reloading Apache to apply new WAF rules...")
@@ -111,4 +121,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/import_haproxy_waf.py b/import_haproxy_waf.py
index 894b4ed..744b3d8 100644
--- a/import_haproxy_waf.py
+++ b/import_haproxy_waf.py
@@ -11,9 +11,9 @@ logging.basicConfig(
)
# Constants (configurable via environment variables)
-WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/haproxy")) # Source directory for WAF files
-HAPROXY_WAF_DIR = Path(os.getenv("HAPROXY_WAF_DIR", "/etc/haproxy/waf/")) # Target directory
-HAPROXY_CONF = Path(os.getenv("HAPROXY_CONF", "/etc/haproxy/haproxy.cfg")) # HAProxy config file
+WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/haproxy")).resolve() # Source directory for WAF files
+HAPROXY_WAF_DIR = Path(os.getenv("HAPROXY_WAF_DIR", "/etc/haproxy/waf/")).resolve() # Target directory
+HAPROXY_CONF = Path(os.getenv("HAPROXY_CONF", "/etc/haproxy/haproxy.cfg")).resolve() # HAProxy config file
# HAProxy WAF configuration snippet
WAF_CONFIG_SNIPPET = """
@@ -31,6 +31,9 @@ frontend http-in
def copy_waf_files():
"""
Copy HAProxy WAF ACL files to the target directory.
+
+ Raises:
+ Exception: If there is an error copying files.
"""
logging.info("Copying HAProxy WAF patterns...")
@@ -62,6 +65,9 @@ def copy_waf_files():
def update_haproxy_conf():
"""
Ensure the WAF configuration snippet is included in haproxy.cfg.
+
+ Raises:
+ Exception: If there is an error updating the HAProxy configuration.
"""
logging.info("Ensuring WAF patterns are included in haproxy.cfg...")
@@ -86,6 +92,9 @@ def update_haproxy_conf():
def reload_haproxy():
"""
Reload HAProxy to apply the new WAF rules.
+
+ Raises:
+ Exception: If there is an error reloading HAProxy.
"""
logging.info("Testing HAProxy configuration...")
@@ -123,4 +132,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/import_nginx_waf.py b/import_nginx_waf.py
index adf78f9..6fd5aab 100644
--- a/import_nginx_waf.py
+++ b/import_nginx_waf.py
@@ -11,15 +11,18 @@ logging.basicConfig(
)
# Constants (configurable via environment variables)
-WAF_DIR = Path(os.getenv("WAF_DIR", "/tmp/waf_patterns/nginx")) # Source directory for WAF files
-NGINX_WAF_DIR = Path(os.getenv("NGINX_WAF_DIR", "/etc/nginx/waf/")) # Target directory
-NGINX_CONF = Path(os.getenv("NGINX_CONF", "/etc/nginx/nginx.conf")) # Nginx config file
+WAF_DIR = Path(os.getenv("WAF_DIR", "/tmp/waf_patterns/nginx")).resolve() # Source directory for WAF files
+NGINX_WAF_DIR = Path(os.getenv("NGINX_WAF_DIR", "/etc/nginx/waf/")).resolve() # Target directory
+NGINX_CONF = Path(os.getenv("NGINX_CONF", "/etc/nginx/nginx.conf")).resolve() # Nginx config file
INCLUDE_STATEMENT = "include /etc/nginx/waf/*.conf;" # Include directive
def copy_waf_files():
"""
Copy Nginx WAF configuration files to the target directory.
+
+ Raises:
+ Exception: If there is an error copying files.
"""
logging.info("Copying Nginx WAF patterns...")
@@ -50,6 +53,9 @@ def copy_waf_files():
def update_nginx_conf():
"""
Ensure the WAF include statement is present in the Nginx configuration file.
+
+ Raises:
+ Exception: If there is an error updating the Nginx configuration.
"""
logging.info("Ensuring WAF patterns are included in nginx.conf...")
@@ -74,6 +80,9 @@ def update_nginx_conf():
def reload_nginx():
"""
Reload Nginx to apply the new WAF rules.
+
+ Raises:
+ Exception: If there is an error reloading Nginx.
"""
logging.info("Reloading Nginx to apply new WAF rules...")
@@ -111,4 +120,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/import_traefik_waf.py b/import_traefik_waf.py
index 2aa9c0b..d4cfbd1 100644
--- a/import_traefik_waf.py
+++ b/import_traefik_waf.py
@@ -1,8 +1,8 @@
import os
import subprocess
import logging
-from pathlib import Path # Better path handling
-import shutil # Safer file operations
+from pathlib import Path
+import shutil
# Configure logging
logging.basicConfig(
@@ -12,15 +12,10 @@ logging.basicConfig(
)
# Constants (configurable via environment variables or command-line arguments)
-WAF_DIR = os.getenv("WAF_DIR", "waf_patterns/traefik") # Source directory for WAF files
-TRAEFIK_WAF_DIR = os.getenv("TRAEFIK_WAF_DIR", "/etc/traefik/waf/") # Target directory
-TRAEFIK_DYNAMIC_CONF = os.getenv("TRAEFIK_DYNAMIC_CONF", "/etc/traefik/dynamic_conf.toml") # Dynamic config file
-INCLUDE_STATEMENT = '[[http.routers]]\n rule = "PathPrefix(`/`)' # Configuration to check/append
-
-# Ensure paths are absolute and normalized
-WAF_DIR = Path(WAF_DIR).resolve()
-TRAEFIK_WAF_DIR = Path(TRAEFIK_WAF_DIR).resolve()
-TRAEFIK_DYNAMIC_CONF = Path(TRAEFIK_DYNAMIC_CONF).resolve()
+WAF_DIR = Path(os.getenv("WAF_DIR", "waf_patterns/traefik")).resolve() # Source directory for WAF files
+TRAEFIK_WAF_DIR = Path(os.getenv("TRAEFIK_WAF_DIR", "/etc/traefik/waf/")).resolve() # Target directory
+TRAEFIK_DYNAMIC_CONF = Path(os.getenv("TRAEFIK_DYNAMIC_CONF", "/etc/traefik/dynamic_conf.toml")).resolve() # Dynamic config file
+INCLUDE_STATEMENT = 'middlewares = ["bad_bot_block"]' # Configuration to check/append
def copy_waf_files():
@@ -72,10 +67,10 @@ def update_traefik_conf():
logging.info("Adding WAF middleware to dynamic_conf.toml...")
with TRAEFIK_DYNAMIC_CONF.open("a") as f:
f.write(
- f'\n[[http.routers]]\n'
+ f'\n[http.routers.my_router]\n'
f' rule = "PathPrefix(`/`)"\n'
- f' service = "traefik"\n'
- f' middlewares = ["bad_bot_block"]\n'
+ f' service = "my_service"\n'
+ f' {INCLUDE_STATEMENT}\n'
)
logging.info("[+] WAF middleware added to dynamic_conf.toml.")
else:
@@ -117,4 +112,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/owasp2apache.py b/json2apache.py
similarity index 77%
rename from owasp2apache.py
rename to json2apache.py
index 1cd6581..e065edb 100644
--- a/owasp2apache.py
+++ b/json2apache.py
@@ -4,6 +4,7 @@ import re
from collections import defaultdict
import logging
from pathlib import Path
+from typing import List, Dict, Set, Tuple, Optional
# Configure logging
logging.basicConfig(
@@ -24,12 +25,24 @@ MODSEC_RULE_TEMPLATE = (
'SecRule REQUEST_URI "{pattern}" "id:{rule_id},phase:1,deny,status:403,log,msg:\'{category} attack detected\'"\n'
)
+# Unsupported patterns for ModSecurity
UNSUPPORTED_PATTERNS = ["@pmFromFile", "!@eq", "!@within", "@lt"]
-def load_owasp_rules(file_path):
+def load_owasp_rules(file_path: Path) -> List[Dict]:
"""
Load OWASP rules from a JSON file.
+
+ Args:
+ file_path (Path): Path to the JSON file containing OWASP rules.
+
+ Returns:
+ List[Dict]: List of OWASP rules.
+
+ Raises:
+ FileNotFoundError: If the input file is not found.
+ json.JSONDecodeError: If the JSON file is invalid.
+ Exception: For any other errors during file loading.
"""
try:
with open(file_path, "r") as f:
@@ -45,9 +58,15 @@ def load_owasp_rules(file_path):
raise
-def validate_regex(pattern):
+def validate_regex(pattern: str) -> bool:
"""
Validate regex pattern to ensure it is compatible with ModSecurity.
+
+ Args:
+ pattern (str): Regex pattern to validate.
+
+ Returns:
+ bool: True if the regex is valid, False otherwise.
"""
try:
re.compile(pattern)
@@ -57,10 +76,17 @@ def validate_regex(pattern):
return False
-def sanitize_pattern(pattern):
+def sanitize_pattern(pattern: str) -> Optional[str]:
"""
Sanitize unsupported patterns and directives for ModSecurity.
+
+ Args:
+ pattern (str): The pattern to sanitize.
+
+ Returns:
+ Optional[str]: The sanitized pattern, or None if the pattern is unsupported.
"""
+ # Skip unsupported patterns
if any(directive in pattern for directive in UNSUPPORTED_PATTERNS):
logging.warning(f"[!] Skipping unsupported pattern: {pattern}")
return None
@@ -72,11 +98,17 @@ def sanitize_pattern(pattern):
return pattern
-def generate_apache_waf(rules):
+def generate_apache_waf(rules: List[Dict]) -> None:
"""
Generate Apache ModSecurity configuration files from OWASP rules.
+
+ Args:
+ rules (List[Dict]): List of OWASP rules.
+
+ Raises:
+ IOError: If there is an error writing to the output files.
"""
- categorized_rules = defaultdict(set)
+ categorized_rules: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
rule_id_counter = 1000 # Starting rule ID
# Group rules by category and ensure deduplication
@@ -117,7 +149,7 @@ def generate_apache_waf(rules):
raise
-def main():
+def main() -> None:
"""
Main function to execute the script.
"""
@@ -135,4 +167,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/owasp2haproxy.py b/json2haproxy.py
similarity index 80%
rename from owasp2haproxy.py
rename to json2haproxy.py
index 70d8b46..48ed6e2 100644
--- a/owasp2haproxy.py
+++ b/json2haproxy.py
@@ -3,6 +3,7 @@ import json
import re
import logging
from pathlib import Path
+from typing import List, Dict, Optional
# Configure logging
logging.basicConfig(
@@ -17,9 +18,20 @@ INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json")) # Input JSON fil
UNSUPPORTED_PATTERNS = ["@pmFromFile", "!@eq", "!@within", "@lt", "@ge", "@gt", "@eq"]
-def load_owasp_rules(file_path):
+def load_owasp_rules(file_path: Path) -> List[Dict]:
"""
Load OWASP rules from a JSON file.
+
+ Args:
+ file_path (Path): Path to the JSON file containing OWASP rules.
+
+ Returns:
+ List[Dict]: List of OWASP rules.
+
+ Raises:
+ FileNotFoundError: If the input file is not found.
+ json.JSONDecodeError: If the JSON file is invalid.
+ Exception: For any other errors during file loading.
"""
try:
with open(file_path, "r") as f:
@@ -34,10 +46,15 @@ def load_owasp_rules(file_path):
logging.error(f"[!] Error loading OWASP rules: {e}")
raise
-
-def validate_regex(pattern):
+def validate_regex(pattern: str) -> bool:
"""
Validate regex pattern for HAProxy.
+
+ Args:
+ pattern (str): Regex pattern to validate.
+
+ Returns:
+ bool: True if the regex is valid, False otherwise.
"""
try:
re.compile(pattern)
@@ -46,10 +63,15 @@ def validate_regex(pattern):
logging.warning(f"[!] Invalid regex: {pattern} - {e}")
return False
-
-def sanitize_pattern(pattern):
+def sanitize_pattern(pattern: str) -> Optional[str]:
"""
Sanitize unsupported patterns and directives for HAProxy ACLs.
+
+ Args:
+ pattern (str): The pattern to sanitize.
+
+ Returns:
+ Optional[str]: The sanitized pattern, or None if the pattern is unsupported.
"""
# Skip unsupported patterns
if any(directive in pattern for directive in UNSUPPORTED_PATTERNS):
@@ -78,11 +100,15 @@ def sanitize_pattern(pattern):
return pattern
-
-
-def generate_haproxy_conf(rules):
+def generate_haproxy_conf(rules: List[Dict]) -> None:
"""
Generate HAProxy ACL rules from OWASP rules.
+
+ Args:
+ rules (List[Dict]): List of OWASP rules.
+
+ Raises:
+ Exception: If there is an error generating the HAProxy configuration.
"""
try:
# Ensure the output directory exists
@@ -118,8 +144,7 @@ def generate_haproxy_conf(rules):
logging.error(f"[!] Error generating HAProxy configuration: {e}")
raise
-
-def main():
+def main() -> None:
"""
Main function to execute the script.
"""
@@ -135,6 +160,5 @@ def main():
logging.critical(f"[!] Script failed: {e}")
exit(1)
-
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/json2traefik.py b/json2traefik.py
new file mode 100644
index 0000000..c9b85ce
--- /dev/null
+++ b/json2traefik.py
@@ -0,0 +1,114 @@
+import os
+import json
+from pathlib import Path
+from typing import List, Dict, Set
+import logging
+
+# Configure logging
+logging.basicConfig(
+ level=logging.INFO,
+ format="%(asctime)s - %(levelname)s - %(message)s",
+ handlers=[logging.StreamHandler()],
+)
+
+# Constants
+OUTPUT_DIR = Path("waf_patterns/traefik/") # Output directory for Traefik configs
+
+
+def load_owasp_rules(file_path: Path) -> List[Dict]:
+ """
+ Load OWASP rules from a JSON file.
+
+ Args:
+ file_path (Path): Path to the JSON file containing OWASP rules.
+
+ Returns:
+ List[Dict]: List of OWASP rules.
+
+ Raises:
+ SystemExit: If the file is not found or contains invalid JSON.
+ """
+ try:
+ with open(file_path, "r") as f:
+ return json.load(f)
+ except FileNotFoundError:
+ logging.error(f"[-] Error: File '{file_path}' not found.")
+ exit(1)
+ except json.JSONDecodeError:
+ logging.error(f"[-] Error: Invalid JSON in '{file_path}'.")
+ exit(1)
+ except Exception as e:
+ logging.error(f"[-] Unexpected error loading OWASP rules: {e}")
+ exit(1)
+
+
+def generate_traefik_conf(rules: List[Dict]) -> None:
+ """
+ Generate Traefik middleware configuration from OWASP rules.
+
+ Args:
+ rules (List[Dict]): List of OWASP rules.
+
+ Raises:
+ SystemExit: If there is an error writing to the output file.
+ """
+ try:
+ # Ensure the output directory exists
+ OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
+ config_file = OUTPUT_DIR / "middleware.toml"
+
+ with open(config_file, "w") as f:
+ f.write("[http.middlewares]\n\n")
+
+ # Group rules by category
+ grouped_rules: Dict[str, List[Dict]] = {}
+ for rule in rules:
+ category = rule.get("category", "default")
+ if category not in grouped_rules:
+ grouped_rules[category] = []
+ grouped_rules[category].append(rule)
+
+ # Write grouped rules to the TOML file
+ for category, rules_in_category in grouped_rules.items():
+ f.write(f"[http.middlewares.bad_bot_block_{category}]\n")
+ f.write(f" [http.middlewares.bad_bot_block_{category}.plugin.badbot]\n")
+ f.write(" userAgent = [\n")
+
+ # Use a set to deduplicate rules
+ unique_rules: Set[str] = set()
+ for rule in rules_in_category:
+ # Escape special characters in the pattern
+ pattern = rule["pattern"].replace('"', '\\"').replace("\\", "\\\\")
+ unique_rules.add(f' "{pattern}"')
+
+ f.write(",\n".join(unique_rules) + "\n")
+ f.write(" ]\n\n")
+
+ logging.info(f"[+] Traefik WAF rules generated at {config_file}")
+ except IOError as e:
+ logging.error(f"[-] Error writing to file: {e}")
+ exit(1)
+ except Exception as e:
+ logging.error(f"[-] Unexpected error generating Traefik config: {e}")
+ exit(1)
+
+
+def main() -> None:
+ """
+ Main function to execute the script.
+ """
+ try:
+ logging.info("[*] Loading OWASP rules...")
+ owasp_rules = load_owasp_rules(Path("owasp_rules.json"))
+
+ logging.info(f"[*] Generating Traefik WAF configs from {len(owasp_rules)} rules...")
+ generate_traefik_conf(owasp_rules)
+
+ logging.info("[✔] Traefik WAF configurations generated successfully.")
+ except Exception as e:
+ logging.critical(f"[!] Script failed: {e}")
+ exit(1)
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/owasp2json.py b/owasp2json.py
index 1780b14..7ead530 100644
--- a/owasp2json.py
+++ b/owasp2json.py
@@ -156,6 +156,37 @@ def verify_blob_sha(file_sha: str, blob_content_b64: str) -> bool:
return True
+def extract_sec_rules(raw_text: str) -> List[str]:
+ """
+ Extracts SecRule patterns from the raw text.
+ """
+ return re.findall(r'SecRule\s+.*?"((?:[^"\\]|\\.)+?)"', raw_text, re.DOTALL)
+
+
+def process_rule_file(file: Dict[str, str], session: requests.Session) -> List[Dict[str, str]]:
+ """
+ Processes a single rule file, fetching its content and extracting SecRule patterns.
+ """
+ rules = []
+ blob_b64 = fetch_github_blob(session, file["sha"])
+ if not blob_b64:
+ logger.warning(f"Skipping file {file['name']} due to empty blob content.")
+ return rules
+
+ # Verify SHA (non-blocking)
+ verify_blob_sha(file["sha"], blob_b64)
+
+ raw_text = base64.b64decode(blob_b64).decode("utf-8")
+ sec_rules = extract_sec_rules(raw_text)
+ category = file["name"].split("-")[-1].replace(".conf", "")
+ for rule in sec_rules:
+ pattern = rule.strip().replace("\\", "")
+ if pattern:
+ rules.append({"category": category, "pattern": pattern})
+
+ return rules
+
+
def fetch_owasp_rules(session: requests.Session, rule_files: List[Dict[str, str]]) -> List[Dict[str, str]]:
"""
Fetches the OWASP rule content for each rule file, extracts SecRule patterns,
@@ -164,28 +195,13 @@ def fetch_owasp_rules(session: requests.Session, rule_files: List[Dict[str, str]
rules = []
with ThreadPoolExecutor(max_workers=CONNECTION_POOL_SIZE) as executor:
futures = {
- executor.submit(fetch_github_blob, session, file["sha"]): file for file in rule_files
+ executor.submit(process_rule_file, file, session): file for file in rule_files
}
for future in tqdm(as_completed(futures), total=len(rule_files), desc="Fetching rule files"):
- file = futures[future]
try:
- blob_b64 = future.result()
- if not blob_b64:
- logger.warning(f"Skipping file {file['name']} due to empty blob content.")
- continue
-
- # Verify SHA (non-blocking)
- verify_blob_sha(file["sha"], blob_b64)
-
- raw_text = base64.b64decode(blob_b64).decode("utf-8")
- sec_rules = re.findall(r'SecRule\s+.*?"((?:[^"\\]|\\.)+?)"', raw_text, re.DOTALL)
- category = file["name"].split("-")[-1].replace(".conf", "")
- for rule in sec_rules:
- pattern = rule.strip().replace("\\", "")
- if pattern:
- rules.append({"category": category, "pattern": pattern})
+ rules.extend(future.result())
except Exception as e:
- logger.error(f"Failed to process file {file['name']}. Reason: {e}")
+ logger.error(f"Failed to process file. Reason: {e}")
logger.info(f"Fetched {len(rules)} rules.")
return rules
@@ -239,4 +255,4 @@ def main():
if __name__ == "__main__":
- main()
+ main()
\ No newline at end of file
diff --git a/owasp2traefik.py b/owasp2traefik.py
deleted file mode 100644
index 011de72..0000000
--- a/owasp2traefik.py
+++ /dev/null
@@ -1,54 +0,0 @@
-import os
-import json
-
-OUTPUT_DIR = "waf_patterns/traefik/"
-
-def load_owasp_rules(file_path):
- try:
- with open(file_path, "r") as f:
- return json.load(f)
- except FileNotFoundError:
- print(f"[-] Error: File '{file_path}' not found.")
- exit(1)
- except json.JSONDecodeError:
- print(f"[-] Error: Invalid JSON in '{file_path}'.")
- exit(1)
-
-def generate_traefik_conf(rules):
- os.makedirs(OUTPUT_DIR, exist_ok=True)
- config_file = os.path.join(OUTPUT_DIR, "middleware.toml")
-
- try:
- with open(config_file, "w") as f:
- f.write("[http.middlewares]\n\n")
- rule_counter = 1 # Unique identifier for each middleware
-
- # Group rules by category
- grouped_rules = {}
- for rule in rules:
- category = rule.get("category", "default")
- if category not in grouped_rules:
- grouped_rules[category] = []
- grouped_rules[category].append(rule)
-
- # Write grouped rules to the TOML file
- for category, rules_in_category in grouped_rules.items():
- f.write(f"[http.middlewares.bad_bot_block_{category}]\n")
- f.write(f" [http.middlewares.bad_bot_block_{category}.plugin.badbot]\n")
- f.write(" userAgent = [\n")
- unique_rules = set() # Use a set to deduplicate rules
- for rule in rules_in_category:
- # Escape special characters in the pattern
- pattern = rule['pattern'].replace('"', '\\"').replace("\\", "\\\\")
- unique_rules.add(f' "{pattern}"')
- f.write(",\n".join(unique_rules) + "\n")
- f.write(" ]\n\n")
-
- print(f"[+] Traefik WAF rules generated at {config_file}")
- except IOError as e:
- print(f"[-] Error writing to file: {e}")
- exit(1)
-
-if __name__ == "__main__":
- owasp_rules = load_owasp_rules("owasp_rules.json")
- generate_traefik_conf(owasp_rules)
diff --git a/owasp_rules.json b/owasp_rules.json
index 315e564..e34dbb8 100644
--- a/owasp_rules.json
+++ b/owasp_rules.json
@@ -1,4 +1,24 @@
[
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@streq GET /"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@ipMatch 127.0.0.1,::1"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@ipMatch 127.0.0.1,::1"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@endsWith (internal dummy connection)"
+ },
+ {
+ "category": "EXCEPTIONS",
+ "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$"
+ },
{
"category": "INITIALIZATION",
"pattern": "@eq 0"
@@ -139,198 +159,6 @@
"category": "ATTACK",
"pattern": "@rx content-transfer-encoding:(.*)"
},
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 1"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 1"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "!@within %{tx.allowed_methods}"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 2"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 2"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 3"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 3"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 4"
- },
- {
- "category": "ENFORCEMENT",
- "pattern": "@lt 4"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 1"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 1"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [nr]"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [nr]"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [nr]"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx unix:[^|]*|"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 2"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 2"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx [nr]"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 3"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 3"
- },
- {
- "category": "ATTACK",
- "pattern": "@gt 0"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx ."
- },
- {
- "category": "ATTACK",
- "pattern": "@gt 1"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx TX:paramcounter_(.*)"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx (][^]]+$|][^]]+[)"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 4"
- },
- {
- "category": "ATTACK",
- "pattern": "@lt 4"
- },
- {
- "category": "ATTACK",
- "pattern": "@rx ["
- },
- {
- "category": "LFI",
- "pattern": "@lt 1"
- },
- {
- "category": "LFI",
- "pattern": "@lt 1"
- },
- {
- "category": "LFI",
- "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))"
- },
- {
- "category": "LFI",
- "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile lfi-os-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile restricted-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@lt 2"
- },
- {
- "category": "LFI",
- "pattern": "@lt 2"
- },
- {
- "category": "LFI",
- "pattern": "@pmFromFile lfi-os-files.data"
- },
- {
- "category": "LFI",
- "pattern": "@lt 3"
- },
- {
- "category": "LFI",
- "pattern": "@lt 3"
- },
- {
- "category": "LFI",
- "pattern": "@lt 4"
- },
- {
- "category": "LFI",
- "pattern": "@lt 4"
- },
{
"category": "DETECTION",
"pattern": "@lt 1"
@@ -368,407 +196,39 @@
"pattern": "@lt 4"
},
{
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 1"
},
{
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 1"
},
{
- "category": "GENERIC",
- "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])"
+ "category": "ENFORCEMENT",
+ "pattern": "!@within %{tx.allowed_methods}"
},
{
- "category": "GENERIC",
- "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*("
- },
- {
- "category": "GENERIC",
- "pattern": "@pmFromFile ssrf.data"
- },
- {
- "category": "GENERIC",
- "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)"
- },
- {
- "category": "GENERIC",
- "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*("
- },
- {
- "category": "GENERIC",
- "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)"
- },
- {
- "category": "GENERIC",
- "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*"
- },
- {
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 2"
},
{
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 2"
},
{
- "category": "GENERIC",
- "pattern": "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))"
- },
- {
- "category": "GENERIC",
- "pattern": "@rx [s*constructors*]"
- },
- {
- "category": "GENERIC",
- "pattern": "@rx @{.*}"
- },
- {
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 3"
},
{
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 3"
},
{
- "category": "GENERIC",
+ "category": "ENFORCEMENT",
"pattern": "@lt 4"
},
{
- "category": "GENERIC",
- "pattern": "@lt 4"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 1"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 1"
- },
- {
- "category": "FIXATION",
- "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)"
- },
- {
- "category": "FIXATION",
- "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
- },
- {
- "category": "FIXATION",
- "pattern": "@rx ^(?:ht|f)tps?://(.*?)/"
- },
- {
- "category": "FIXATION",
- "pattern": "!@endsWith %{request_headers.host}"
- },
- {
- "category": "FIXATION",
- "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
- },
- {
- "category": "FIXATION",
- "pattern": "@eq 0"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 2"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 2"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 3"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 3"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 4"
- },
- {
- "category": "FIXATION",
- "pattern": "@lt 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
- },
- {
- "category": "EVALUATION",
- "pattern": "@eq 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 1"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 2"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 3"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 4"
- },
- {
- "category": "EVALUATION",
- "pattern": "@lt 4"
- },
- {
- "category": "RFI",
- "pattern": "@lt 1"
- },
- {
- "category": "RFI",
- "pattern": "@lt 1"
- },
- {
- "category": "RFI",
- "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})"
- },
- {
- "category": "RFI",
- "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://"
- },
- {
- "category": "RFI",
- "pattern": "@rx ^(?i:file|ftps?|https?).*??+$"
- },
- {
- "category": "RFI",
- "pattern": "@lt 2"
- },
- {
- "category": "RFI",
- "pattern": "@lt 2"
- },
- {
- "category": "RFI",
- "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
- },
- {
- "category": "RFI",
- "pattern": "!@endsWith .%{request_headers.host}"
- },
- {
- "category": "RFI",
- "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
- },
- {
- "category": "RFI",
- "pattern": "!@endsWith .%{request_headers.host}"
- },
- {
- "category": "RFI",
- "pattern": "@lt 3"
- },
- {
- "category": "RFI",
- "pattern": "@lt 3"
- },
- {
- "category": "RFI",
- "pattern": "@lt 4"
- },
- {
- "category": "RFI",
- "pattern": "@lt 4"
- },
- {
- "category": "PHP",
- "pattern": "@lt 1"
- },
- {
- "category": "PHP",
- "pattern": "@lt 1"
- },
- {
- "category": "PHP",
- "pattern": "@rx (?:"
- },
- {
- "category": "PHP",
- "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?"
- },
- {
- "category": "PHP",
- "pattern": "@lt 4"
- },
- {
- "category": "PHP",
+ "category": "ENFORCEMENT",
"pattern": "@lt 4"
},
{
@@ -1183,6 +643,190 @@
"category": "ENFORCEMENT",
"pattern": "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]"
},
+ {
+ "category": "LFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile restricted-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@pmFromFile lfi-os-files.data"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "LFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[[\"'`](?:debug|error|info|trace|warn)[\"'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]])"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*("
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@pmFromFile ssrf.data"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx (?:__proto__|constructors*(?:.|[)s*prototype)"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx Process[sv]*.[sv]*spawn[sv]*("
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx ^data:(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-\"(-),/:-?[-]{}]+)/(?:*|[^!-\"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*\"?(?:iso-8859-15?|utf-8|windows-1252)b\"?|(?:[^sv -\"(-),/:-?[-]c{}]|c(?:[^!-\"(-),/:-?[-]h{}]|h(?:[^!-\"(-),/:-?[-]a{}]|a(?:[^!-\"(-),/:-?[-]r{}]|r(?:[^!-\"(-),/:-?[-]s{}]|s(?:[^!-\"(-),/:-?[-]e{}]|e[^!-\"(-),/:-?[-]t{}]))))))[^!-\"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx [s*constructors*]"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@rx @{.*}"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "GENERIC",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx ^(?i:file|ftps?|https?).*??+$"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
+ },
+ {
+ "category": "RFI",
+ "pattern": "!@endsWith .%{request_headers.host}"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)"
+ },
+ {
+ "category": "RFI",
+ "pattern": "!@endsWith .%{request_headers.host}"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "RFI",
+ "pattern": "@lt 4"
+ },
{
"category": "JAVA",
"pattern": "@lt 1"
@@ -1279,6 +923,166 @@
"category": "JAVA",
"pattern": "@rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)"
},
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:ht|f)tps?://(.*?)/"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "!@endsWith %{request_headers.host}"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "FIXATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx (?:bhttp/d|<(?:html|meta)b)"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [nr]"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [nr]"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [nr]"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx unix:[^|]*|"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx [nr]"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@gt 0"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ."
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@gt 1"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx TX:paramcounter_(.*)"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx (][^]]+$|][^]]+[)"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "ATTACK",
+ "pattern": "@rx ["
+ },
{
"category": "JAVA",
"pattern": "@lt 1"
@@ -1319,6 +1123,366 @@
"category": "JAVA",
"pattern": "@lt 4"
},
+ {
+ "category": "SQL",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "SQL",
+ "pattern": "!@pmFromFile sql-errors.data"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)Dynamic SQL Error"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback."
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)org.hsqldb.jdbc"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "SQL",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@rx (?:"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@rx (?:((?:.+)(?:[\"'][-0-9A-Z_a-z]+[\"'])?(.+|[^)]*string[^)]*)[sv\"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|[\"'][-0-9A-Zx5c_a-z]+[\"'])(.+))(?:;|$)?"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "PHP",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@rx ^#!s?/"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@rx ^5d{2}$"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "LEAKAGES",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@eq 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "EVALUATION",
+ "pattern": "@lt 4"
+ },
{
"category": "XSS",
"pattern": "@lt 1"
@@ -1491,386 +1655,6 @@
"category": "XSS",
"pattern": "@lt 4"
},
- {
- "category": "LEAKAGES",
- "pattern": "@lt 1"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 1"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
)"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@rx ^#!s?/"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 2"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 2"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@rx ^5d{2}$"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 3"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 3"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 4"
- },
- {
- "category": "LEAKAGES",
- "pattern": "@lt 4"
- },
- {
- "category": "SQL",
- "pattern": "@lt 1"
- },
- {
- "category": "SQL",
- "pattern": "@lt 1"
- },
- {
- "category": "SQL",
- "pattern": "!@pmFromFile sql-errors.data"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)Dynamic SQL Error"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)Exception (?:condition )?d+. Transaction rollback."
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)org.hsqldb.jdbc"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:Warning: ibase_|Unexpected end of command in statement)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)"
- },
- {
- "category": "SQL",
- "pattern": "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)"
- },
- {
- "category": "SQL",
- "pattern": "@lt 2"
- },
- {
- "category": "SQL",
- "pattern": "@lt 2"
- },
- {
- "category": "SQL",
- "pattern": "@lt 3"
- },
- {
- "category": "SQL",
- "pattern": "@lt 3"
- },
- {
- "category": "SQL",
- "pattern": "@lt 4"
- },
- {
- "category": "SQL",
- "pattern": "@lt 4"
- },
- {
- "category": "RCE",
- "pattern": "@lt 1"
- },
- {
- "category": "RCE",
- "pattern": "@lt 1"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z][\"'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:ill(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))"
- },
- {
- "category": "RCE",
- "pattern": "@pmFromFile windows-powershell-commands.data"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:(?:a[\"^]*(?:c|s[\"^]*n[\"^]*p)|e[\"^]*(?:b[\"^]*p|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|s[\"^]*n)|[tx][\"^]*s[\"^]*n)|f[\"^]*(?:[cltw]|o[\"^]*r[\"^]*e[\"^]*a[\"^]*c[\"^]*h)|i[\"^]*(?:[cr][\"^]*m|e[\"^]*x|h[\"^]*y|i|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|m[\"^]*o|s[\"^]*n)|s[\"^]*e|w[\"^]*(?:m[\"^]*i|r))|m[\"^]*(?:a[\"^]*n|[dipv]|o[\"^]*u[\"^]*n[\"^]*t)|o[\"^]*g[\"^]*v|p[\"^]*(?:o[\"^]*p|u[\"^]*s[\"^]*h)[\"^]*d|t[\"^]*r[\"^]*c[\"^]*m|w[\"^]*j[\"^]*b)[\"^]*[sv,.-/;-<>].*|c[\"^]*(?:(?:(?:d|h[\"^]*d[\"^]*i[\"^]*r|v[\"^]*p[\"^]*a)[\"^]*|p[\"^]*(?:[ip][\"^]*)?)[sv,.-/;-<>].*|l[\"^]*(?:(?:[cipv]|h[\"^]*y)[\"^]*[sv,.-/;-<>].*|s)|n[\"^]*s[\"^]*n)|d[\"^]*(?:(?:b[\"^]*p|e[\"^]*l|i[\"^]*(?:f[\"^]*f|r))[\"^]*[sv,.-/;-<>].*|n[\"^]*s[\"^]*n)|g[\"^]*(?:(?:(?:(?:a[\"^]*)?l|b[\"^]*p|d[\"^]*r|h[\"^]*y|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|[u-v])[\"^]*|c[\"^]*(?:[ims][\"^]*)?|m[\"^]*(?:o[\"^]*)?|s[\"^]*(?:n[\"^]*(?:p[\"^]*)?|v[\"^]*))[sv,.-/;-<>].*|e[\"^]*r[\"^]*r|p[\"^]*(?:(?:s[\"^]*)?[sv,.-/;-<>].*|v))|l[\"^]*s|n[\"^]*(?:(?:a[\"^]*l|d[\"^]*r|[iv]|m[\"^]*o|s[\"^]*n)[\"^]*[sv,.-/;-<>].*|p[\"^]*s[\"^]*s[\"^]*c)|r[\"^]*(?:(?:(?:(?:b[\"^]*)?p|e[\"^]*n|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|n[\"^]*[ip])[\"^]*|d[\"^]*(?:r[\"^]*)?|m[\"^]*(?:(?:d[\"^]*i[\"^]*r|o)[\"^]*)?|s[\"^]*n[\"^]*(?:p[\"^]*)?|v[\"^]*(?:p[\"^]*a[\"^]*)?)[sv,.-/;-<>].*|c[\"^]*(?:j[\"^]*b[\"^]*[sv,.-/;-<>].*|s[\"^]*n)|u[\"^]*j[\"^]*b)|s[\"^]*(?:(?:(?:a[\"^]*(?:j[\"^]*b|l|p[\"^]*s|s[\"^]*v)|b[\"^]*p|[civ]|w[\"^]*m[\"^]*i)[\"^]*|l[\"^]*(?:s[\"^]*)?|p[\"^]*(?:(?:j[\"^]*b|p[\"^]*s|s[\"^]*v)[\"^]*)?)[sv,.-/;-<>].*|h[\"^]*c[\"^]*m|u[\"^]*j[\"^]*b))(?:.[\"^]*[0-9A-Z_a-z]+)?b"
- },
- {
- "category": "RCE",
- "pattern": "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]"
- },
- {
- "category": "RCE",
- "pattern": "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))"
- },
- {
- "category": "RCE",
- "pattern": "!@rx [0-9]s*'s*[0-9]"
- },
- {
- "category": "RCE",
- "pattern": "@rx !-d"
- },
- {
- "category": "RCE",
- "pattern": "@pmFromFile unix-shell.data"
- },
- {
- "category": "RCE",
- "pattern": "@rx ^(s*)s+{"
- },
- {
- "category": "RCE",
- "pattern": "@rx ^(s*)s+{"
- },
- {
- "category": "RCE",
- "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]"
- },
- {
- "category": "RCE",
- "pattern": "@pmFromFile restricted-upload.data"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b"
- },
- {
- "category": "RCE",
- "pattern": "@lt 2"
- },
- {
- "category": "RCE",
- "pattern": "@lt 2"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])"
- },
- {
- "category": "RCE",
- "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]"
- },
- {
- "category": "RCE",
- "pattern": "@rx /"
- },
- {
- "category": "RCE",
- "pattern": "@rx s"
- },
- {
- "category": "RCE",
- "pattern": "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))"
- },
- {
- "category": "RCE",
- "pattern": "@rx /"
- },
- {
- "category": "RCE",
- "pattern": "@rx s"
- },
- {
- "category": "RCE",
- "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])"
- },
- {
- "category": "RCE",
- "pattern": "@rx /"
- },
- {
- "category": "RCE",
- "pattern": "@rx s"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+"
- },
- {
- "category": "RCE",
- "pattern": "!@rx [0-9]s*'s*[0-9]"
- },
- {
- "category": "RCE",
- "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)"
- },
- {
- "category": "RCE",
- "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))"
- },
- {
- "category": "RCE",
- "pattern": "@pmFromFile unix-shell.data"
- },
- {
- "category": "RCE",
- "pattern": "@lt 3"
- },
- {
- "category": "RCE",
- "pattern": "@lt 3"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))"
- },
- {
- "category": "RCE",
- "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)"
- },
- {
- "category": "RCE",
- "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)"
- },
- {
- "category": "RCE",
- "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)"
- },
- {
- "category": "RCE",
- "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)"
- },
- {
- "category": "RCE",
- "pattern": "@rx !(?:d|!)"
- },
- {
- "category": "RCE",
- "pattern": "@lt 4"
- },
- {
- "category": "RCE",
- "pattern": "@lt 4"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@streq GET /"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@ipMatch 127.0.0.1,::1"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@ipMatch 127.0.0.1,::1"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@endsWith (internal dummy connection)"
- },
- {
- "category": "EXCEPTIONS",
- "pattern": "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$"
- },
{
"category": "SQLI",
"pattern": "@lt 1"
@@ -2163,6 +1947,222 @@
"category": "SQLI",
"pattern": "@rx ((?:[~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>][^~!@#$%^&*()-+={}[]|:;\"'\u00b4\u2019\u2018`<>]*?){2})"
},
+ {
+ "category": "RCE",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z][\"'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[sv&)<>|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[sv&)<>|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[sv&)<>|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[sv&)<>|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r)))|f(?:acter|(?:etch|lock|unction)[sv&)<>|]|grep|i(?:le(?:[sv&)<>|]|test)|(?:n(?:d|ger)|sh)[sv&)<>|])|o(?:ld[sv&)<>|]|reach)|ping|tp(?:stats|who))|g(?:awk[sv&)<>|]|core|e(?:ni(?:e[sv&)<>|]|soimage)|tfacl[sv&)<>|])|hci|i(?:mp[sv&)<>|]|nsh)|r(?:ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[sv&)<>|]|onice|p(?:6?tables|config)|spell)|j(?:ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:ill(?:[sv&)<>|]|all)|nife[sv&)<>|]|sshell)|l(?:a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|dconfig|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[sv&)<>|]|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[sv&)<>q|]|x[sv&)<>|])|ke[sv&)<>|]|ster.passwd|wk)|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[sv&)<>|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[sv&)<>|]|sm|wk)|c(?:.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[sv&)<>|]|map|o(?:de[sv&)<>|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:f(?:la)?tex|ksh)|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[sv&)<>|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[sv&)<>|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[sv&)<>|]|shd)|wd.db|ython[^sv])|r(?:ak(?:e[sv&)<>|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[sv&)<>|]|stic)|l(?:ogin|wrap)|m(?:dir[sv&)<>|]|user)|nano|oute[sv&)<>|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[sv&)<>|]|c(?:hed|r(?:een|ipt)[sv&)<>|])|diff|e(?:(?:lf|rvice)[sv&)<>|]|ndmail|t(?:arch|env|facl[sv&)<>|]|sid))|ftp|h(?:.distrib|(?:adow|ells)[sv&)<>|]|u(?:f|tdown[sv&)<>|]))|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[sv&)<>|]|datectl)|mux|ouch[sv&)<>|]|r(?:aceroute6?|off)|shark)|u(?:limit[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[sv&)<>|]|gr|mdiff|pw|rsh)|olatility[sv&)<>|])|w(?:a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@pmFromFile windows-powershell-commands.data"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:(?:a[\"^]*(?:c|s[\"^]*n[\"^]*p)|e[\"^]*(?:b[\"^]*p|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|s[\"^]*n)|[tx][\"^]*s[\"^]*n)|f[\"^]*(?:[cltw]|o[\"^]*r[\"^]*e[\"^]*a[\"^]*c[\"^]*h)|i[\"^]*(?:[cr][\"^]*m|e[\"^]*x|h[\"^]*y|i|p[\"^]*(?:a[\"^]*l|c[\"^]*s[\"^]*v|m[\"^]*o|s[\"^]*n)|s[\"^]*e|w[\"^]*(?:m[\"^]*i|r))|m[\"^]*(?:a[\"^]*n|[dipv]|o[\"^]*u[\"^]*n[\"^]*t)|o[\"^]*g[\"^]*v|p[\"^]*(?:o[\"^]*p|u[\"^]*s[\"^]*h)[\"^]*d|t[\"^]*r[\"^]*c[\"^]*m|w[\"^]*j[\"^]*b)[\"^]*[sv,.-/;-<>].*|c[\"^]*(?:(?:(?:d|h[\"^]*d[\"^]*i[\"^]*r|v[\"^]*p[\"^]*a)[\"^]*|p[\"^]*(?:[ip][\"^]*)?)[sv,.-/;-<>].*|l[\"^]*(?:(?:[cipv]|h[\"^]*y)[\"^]*[sv,.-/;-<>].*|s)|n[\"^]*s[\"^]*n)|d[\"^]*(?:(?:b[\"^]*p|e[\"^]*l|i[\"^]*(?:f[\"^]*f|r))[\"^]*[sv,.-/;-<>].*|n[\"^]*s[\"^]*n)|g[\"^]*(?:(?:(?:(?:a[\"^]*)?l|b[\"^]*p|d[\"^]*r|h[\"^]*y|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|[u-v])[\"^]*|c[\"^]*(?:[ims][\"^]*)?|m[\"^]*(?:o[\"^]*)?|s[\"^]*(?:n[\"^]*(?:p[\"^]*)?|v[\"^]*))[sv,.-/;-<>].*|e[\"^]*r[\"^]*r|p[\"^]*(?:(?:s[\"^]*)?[sv,.-/;-<>].*|v))|l[\"^]*s|n[\"^]*(?:(?:a[\"^]*l|d[\"^]*r|[iv]|m[\"^]*o|s[\"^]*n)[\"^]*[sv,.-/;-<>].*|p[\"^]*s[\"^]*s[\"^]*c)|r[\"^]*(?:(?:(?:(?:b[\"^]*)?p|e[\"^]*n|(?:w[\"^]*m[\"^]*)?i|j[\"^]*b|n[\"^]*[ip])[\"^]*|d[\"^]*(?:r[\"^]*)?|m[\"^]*(?:(?:d[\"^]*i[\"^]*r|o)[\"^]*)?|s[\"^]*n[\"^]*(?:p[\"^]*)?|v[\"^]*(?:p[\"^]*a[\"^]*)?)[sv,.-/;-<>].*|c[\"^]*(?:j[\"^]*b[\"^]*[sv,.-/;-<>].*|s[\"^]*n)|u[\"^]*j[\"^]*b)|s[\"^]*(?:(?:(?:a[\"^]*(?:j[\"^]*b|l|p[\"^]*s|s[\"^]*v)|b[\"^]*p|[civ]|w[\"^]*m[\"^]*i)[\"^]*|l[\"^]*(?:s[\"^]*)?|p[\"^]*(?:(?:j[\"^]*b|p[\"^]*s|s[\"^]*v)[\"^]*)?)[sv,.-/;-<>].*|h[\"^]*c[\"^]*m|u[\"^]*j[\"^]*b))(?:.[\"^]*[0-9A-Z_a-z]+)?b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx $(?:((?:.*|(.*)))|{.*})|[<>](.*)|/[0-9A-Z_a-z]*[!?.+]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sv]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==)))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|[ckz][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)[sv&)<>|]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:a(?:ddgroup|xel)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang++|oproc|ron)|d(?:iff[sv&)<>|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[sv&)<>|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|erl5?|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[sv&)<>|])|tar(?:diff|grep)?|wd.db|ython[2-3])|r(?:(?:bas|ealpat)h|m(?:dir[sv&)<>|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h.distri|pwd.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[sv&)<>|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "!@rx [0-9]s*'s*[0-9]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx !-d"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@pmFromFile unix-shell.data"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ^(s*)s+{"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ^(s*)s+{"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ba[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?sb[sv]+[!-\"%',0-9@-Z_a-z]+=[^sv]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@pmFromFile restricted-upload.data"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:c[\"^]*c[\"^]*c[\"^]*h[\"^]*e[\"^]*c[\"^]*k[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e|d[\"^]*(?:p[\"^]*l[\"^]*u[\"^]*s|v[\"^]*p[\"^]*a[\"^]*c[\"^]*k)|(?:g[\"^]*e[\"^]*n[\"^]*t[\"^]*e[\"^]*x[\"^]*e[\"^]*c[\"^]*u[\"^]*t[\"^]*o|s[\"^]*p[\"^]*n[\"^]*e[\"^]*t[\"^]*_[\"^]*c[\"^]*o[\"^]*m[\"^]*p[\"^]*i[\"^]*l[\"^]*e)[\"^]*r|p[\"^]*p[\"^]*(?:i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*e[\"^]*r|v[\"^]*l[\"^]*p)|t[\"^]*(?:[sv,.-/;-<>].*|b[\"^]*r[\"^]*o[\"^]*k[\"^]*e[\"^]*r))|b[\"^]*(?:a[\"^]*s[\"^]*h|g[\"^]*i[\"^]*n[\"^]*f[\"^]*o|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:d[\"^]*b|e[\"^]*r[\"^]*t[\"^]*(?:o[\"^]*c|r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|l[\"^]*_[\"^]*(?:i[\"^]*n[\"^]*v[\"^]*o[\"^]*c[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n|l[\"^]*o[\"^]*a[\"^]*d[\"^]*a[\"^]*s[\"^]*s[\"^]*e[\"^]*m[\"^]*b[\"^]*l[\"^]*y|m[\"^]*u[\"^]*t[\"^]*e[\"^]*x[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*i[\"^]*e[\"^]*r[\"^]*s)|m[\"^]*(?:d(?:[\"^]*(?:k[\"^]*e[\"^]*y|l[\"^]*3[\"^]*2))?|s[\"^]*t[\"^]*p)|o[\"^]*(?:m[\"^]*s[\"^]*v[\"^]*c[\"^]*s|n[\"^]*(?:f[\"^]*i[\"^]*g[\"^]*s[\"^]*e[\"^]*c[\"^]*u[\"^]*r[\"^]*i[\"^]*t[\"^]*y[\"^]*p[\"^]*o[\"^]*l[\"^]*i[\"^]*c[\"^]*y|h[\"^]*o[\"^]*s[\"^]*t|t[\"^]*r[\"^]*o[\"^]*l)|r[\"^]*e[\"^]*g[\"^]*e[\"^]*n)|r[\"^]*e[\"^]*a[\"^]*t[\"^]*e[\"^]*d[\"^]*u[\"^]*m[\"^]*p|s[\"^]*(?:c(?:[\"^]*r[\"^]*i[\"^]*p[\"^]*t)?|i)|u[\"^]*s[\"^]*t[\"^]*o[\"^]*m[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l[\"^]*h[\"^]*o[\"^]*s[\"^]*t)|d[\"^]*(?:a[\"^]*t[\"^]*a[\"^]*s[\"^]*v[\"^]*c[\"^]*u[\"^]*t[\"^]*i[\"^]*l|e[\"^]*(?:f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|s[\"^]*k(?:[\"^]*t[\"^]*o[\"^]*p[\"^]*i[\"^]*m[\"^]*g[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*d[\"^]*r)?|v[\"^]*(?:i[\"^]*c[\"^]*e[\"^]*c[\"^]*r[\"^]*e[\"^]*d[\"^]*e[\"^]*n[\"^]*t[\"^]*i[\"^]*a[\"^]*l[\"^]*d[\"^]*e[\"^]*p[\"^]*l[\"^]*o[\"^]*y[\"^]*m[\"^]*e[\"^]*n[\"^]*t|t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r))|f[\"^]*s[\"^]*(?:h[\"^]*i[\"^]*m|v[\"^]*c)|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|s[\"^]*k[\"^]*s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|n[\"^]*(?:s[\"^]*c[\"^]*m[\"^]*d|x)|o[\"^]*t[\"^]*n[\"^]*e[\"^]*t|u[\"^]*m[\"^]*p[\"^]*6[\"^]*4|x[\"^]*c[\"^]*a[\"^]*p)|e[\"^]*(?:s[\"^]*e[\"^]*n[\"^]*t[\"^]*u[\"^]*t[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*v[\"^]*w[\"^]*r|x[\"^]*(?:c[\"^]*e[\"^]*l|p[\"^]*(?:a[\"^]*n[\"^]*d|l[\"^]*o[\"^]*r[\"^]*e[\"^]*r)|t[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*r[\"^]*t|r[\"^]*a[\"^]*c[\"^]*3[\"^]*2)))|f[\"^]*(?:i[\"^]*n[\"^]*(?:d[\"^]*s[\"^]*t|g[\"^]*e)[\"^]*r|l[\"^]*t[\"^]*m[\"^]*c|o[\"^]*r[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s|s[\"^]*(?:i(?:[\"^]*a[\"^]*n[\"^]*y[\"^]*c[\"^]*p[\"^]*u)?|u[\"^]*t[\"^]*i[\"^]*l)|t[\"^]*p)|g[\"^]*(?:f[\"^]*x[\"^]*d[\"^]*o[\"^]*w[\"^]*n[\"^]*l[\"^]*o[\"^]*a[\"^]*d[\"^]*w[\"^]*r[\"^]*a[\"^]*p[\"^]*p[\"^]*e[\"^]*r|p[\"^]*s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|h[\"^]*h|i[\"^]*(?:e[\"^]*(?:4[\"^]*u[\"^]*i[\"^]*n[\"^]*i[\"^]*t|a[\"^]*d[\"^]*v[\"^]*p[\"^]*a[\"^]*c[\"^]*k|e[\"^]*x[\"^]*e[\"^]*c|f[\"^]*r[\"^]*a[\"^]*m[\"^]*e)|l[\"^]*a[\"^]*s[\"^]*m|m[\"^]*e[\"^]*w[\"^]*d[\"^]*b[\"^]*l[\"^]*d|n[\"^]*(?:f[\"^]*d[\"^]*e[\"^]*f[\"^]*a[\"^]*u[\"^]*l[\"^]*t[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a[\"^]*l|s[\"^]*t[\"^]*a[\"^]*l[\"^]*l[\"^]*u[\"^]*t[\"^]*i)[\"^]*l)|j[\"^]*s[\"^]*c|l[\"^]*(?:a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*-[\"^]*v[\"^]*s[\"^]*d[\"^]*e[\"^]*v[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|d[\"^]*i[\"^]*f[\"^]*d[\"^]*e)|m[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|n[\"^]*a[\"^]*g[\"^]*e[\"^]*-[\"^]*b[\"^]*d[\"^]*e|v[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t)|f[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|i[\"^]*c[\"^]*r[\"^]*o[\"^]*s[\"^]*o[\"^]*f[\"^]*t|m[\"^]*c|p[\"^]*c[\"^]*m[\"^]*d[\"^]*r[\"^]*u[\"^]*n|s[\"^]*(?:(?:b[\"^]*u[\"^]*i[\"^]*l|o[\"^]*h[\"^]*t[\"^]*m[\"^]*e)[\"^]*d|c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|d[\"^]*(?:e[\"^]*p[\"^]*l[\"^]*o[\"^]*y|t)|h[\"^]*t[\"^]*(?:a|m[\"^]*l)|i[\"^]*e[\"^]*x[\"^]*e[\"^]*c|p[\"^]*u[\"^]*b|x[\"^]*s[\"^]*l))|n[\"^]*(?:e[\"^]*t[\"^]*s[\"^]*h|t[\"^]*d[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|o[\"^]*(?:d[\"^]*b[\"^]*c[\"^]*c[\"^]*o[\"^]*n[\"^]*f|f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e[\"^]*s[\"^]*c[\"^]*a[\"^]*n[\"^]*n[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l|n[\"^]*e[\"^]*d[\"^]*r[\"^]*i[\"^]*v[\"^]*e[\"^]*s[\"^]*t[\"^]*a[\"^]*n[\"^]*d[\"^]*a[\"^]*l[\"^]*o[\"^]*n[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e[\"^]*r|p[\"^]*e[\"^]*n[\"^]*c[\"^]*o[\"^]*n[\"^]*s[\"^]*o[\"^]*l[\"^]*e)|p[\"^]*(?:c[\"^]*(?:a[\"^]*l[\"^]*u[\"^]*a|w[\"^]*(?:r[\"^]*u[\"^]*n|u[\"^]*t[\"^]*l))|(?:e[\"^]*s[\"^]*t[\"^]*e|s)[\"^]*r|(?:k[\"^]*t[\"^]*m[\"^]*o|u[\"^]*b[\"^]*p[\"^]*r)[\"^]*n|n[\"^]*p[\"^]*u[\"^]*t[\"^]*i[\"^]*l|o[\"^]*w[\"^]*e[\"^]*r[\"^]*p[\"^]*n[\"^]*t|r[\"^]*(?:e[\"^]*s[\"^]*e[\"^]*n[\"^]*t[\"^]*a[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*h[\"^]*o[\"^]*s[\"^]*t|i[\"^]*n[\"^]*t(?:[\"^]*b[\"^]*r[\"^]*m)?|o[\"^]*(?:c[\"^]*d[\"^]*u[\"^]*m[\"^]*p|t[\"^]*o[\"^]*c[\"^]*o[\"^]*l[\"^]*h[\"^]*a[\"^]*n[\"^]*d[\"^]*l[\"^]*e[\"^]*r)))|r[\"^]*(?:a[\"^]*s[\"^]*a[\"^]*u[\"^]*t[\"^]*o[\"^]*u|c[\"^]*s[\"^]*i|(?:d[\"^]*r[\"^]*l[\"^]*e[\"^]*a[\"^]*k[\"^]*d[\"^]*i[\"^]*a|p[\"^]*c[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|e[\"^]*(?:g(?:[\"^]*(?:a[\"^]*s[\"^]*m|e[\"^]*d[\"^]*i[\"^]*t|i[\"^]*(?:n[\"^]*i|s[\"^]*t[\"^]*e[\"^]*r[\"^]*-[\"^]*c[\"^]*i[\"^]*m[\"^]*p[\"^]*r[\"^]*o[\"^]*v[\"^]*i[\"^]*d[\"^]*e[\"^]*r)|s[\"^]*v[\"^]*(?:c[\"^]*s|r[\"^]*3[\"^]*2)))?|(?:m[\"^]*o[\"^]*t|p[\"^]*l[\"^]*a[\"^]*c)[\"^]*e)|u[\"^]*n[\"^]*(?:d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|(?:e[\"^]*x[\"^]*e|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)[\"^]*h[\"^]*e[\"^]*l[\"^]*p[\"^]*e[\"^]*r|o[\"^]*n[\"^]*c[\"^]*e))|s[\"^]*(?:c[\"^]*(?:[sv,.-/;-<>].*|h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|r[\"^]*i[\"^]*p[\"^]*t[\"^]*r[\"^]*u[\"^]*n[\"^]*n[\"^]*e[\"^]*r)|e[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*s|t[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*y[\"^]*n[\"^]*c[\"^]*h[\"^]*o[\"^]*s[\"^]*t|u[\"^]*p[\"^]*a[\"^]*p[\"^]*i)|h[\"^]*(?:d[\"^]*o[\"^]*c[\"^]*v[\"^]*w|e[\"^]*l[\"^]*l[\"^]*3[\"^]*2)|q[\"^]*(?:l[\"^]*(?:d[\"^]*u[\"^]*m[\"^]*p[\"^]*e[\"^]*r|(?:t[\"^]*o[\"^]*o[\"^]*l[\"^]*s[\"^]*)?p[\"^]*s)|u[\"^]*i[\"^]*r[\"^]*r[\"^]*e[\"^]*l)|s[\"^]*h|t[\"^]*o[\"^]*r[\"^]*d[\"^]*i[\"^]*a[\"^]*g|y[\"^]*(?:n[\"^]*c[\"^]*a[\"^]*p[\"^]*p[\"^]*v[\"^]*p[\"^]*u[\"^]*b[\"^]*l[\"^]*i[\"^]*s[\"^]*h[\"^]*i[\"^]*n[\"^]*g[\"^]*s[\"^]*e[\"^]*r[\"^]*v[\"^]*e[\"^]*r|s[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p))|t[\"^]*(?:e[\"^]*[sv,.-/;-<>].*|r[\"^]*a[\"^]*c[\"^]*k[\"^]*e[\"^]*r|t[\"^]*(?:d[\"^]*i[\"^]*n[\"^]*j[\"^]*e[\"^]*c[\"^]*t|t[\"^]*r[\"^]*a[\"^]*c[\"^]*e[\"^]*r))|u[\"^]*(?:n[\"^]*r[\"^]*e[\"^]*g[\"^]*m[\"^]*p[\"^]*2|p[\"^]*d[\"^]*a[\"^]*t[\"^]*e|r[\"^]*l|t[\"^]*i[\"^]*l[\"^]*i[\"^]*t[\"^]*y[\"^]*f[\"^]*u[\"^]*n[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s)|v[\"^]*(?:b[\"^]*c|e[\"^]*r[\"^]*c[\"^]*l[\"^]*s[\"^]*i[\"^]*d|i[\"^]*s[\"^]*u[\"^]*a[\"^]*l[\"^]*u[\"^]*i[\"^]*a[\"^]*v[\"^]*e[\"^]*r[\"^]*i[\"^]*f[\"^]*y[\"^]*n[\"^]*a[\"^]*t[\"^]*i[\"^]*v[\"^]*e|s[\"^]*(?:i[\"^]*i[\"^]*s[\"^]*e[\"^]*x[\"^]*e[\"^]*l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h|j[\"^]*i[\"^]*t[\"^]*d[\"^]*e[\"^]*b[\"^]*u[\"^]*g[\"^]*g)[\"^]*e[\"^]*r)|w[\"^]*(?:a[\"^]*b|(?:f|m[\"^]*i)[\"^]*c|i[\"^]*n[\"^]*(?:g[\"^]*e[\"^]*t|r[\"^]*m|w[\"^]*o[\"^]*r[\"^]*d)|l[\"^]*r[\"^]*m[\"^]*d[\"^]*r|o[\"^]*r[\"^]*k[\"^]*f[\"^]*o[\"^]*l[\"^]*d[\"^]*e[\"^]*r[\"^]*s|s[\"^]*(?:(?:c[\"^]*r[\"^]*i[\"^]*p|r[\"^]*e[\"^]*s[\"^]*e)[\"^]*t|l)|t[\"^]*[sv,.-/;-<>].*|u[\"^]*a[\"^]*u[\"^]*c[\"^]*l[\"^]*t)|x[\"^]*w[\"^]*i[\"^]*z[\"^]*a[\"^]*r[\"^]*d|z[\"^]*i[\"^]*p[\"^]*f[\"^]*l[\"^]*d[\"^]*r)(?:.[\"^]*[0-9A-Z_a-z]+)?b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:t[\"^]*i[\"^]*m[\"^]*e|[nr;`{]|||?|&&?)[sv]*[sv\"'-(,@]*(?:[\"'.-9A-Z_a-z]+/|(?:[\"'x5c^]*[0-9A-Z_a-z][\"'x5c^]*:.*|[ \"'.-9A-Zx5c^-_a-z]*)x5c)?[\"^]*(?:a[\"^]*(?:s[\"^]*s[\"^]*o[\"^]*c|t[\"^]*(?:m[\"^]*a[\"^]*d[\"^]*m|t[\"^]*r[\"^]*i[\"^]*b)|u[\"^]*(?:d[\"^]*i[\"^]*t[\"^]*p[\"^]*o[\"^]*l|t[\"^]*o[\"^]*(?:c[\"^]*(?:h[\"^]*k|o[\"^]*n[\"^]*v)|(?:f[\"^]*m|m[\"^]*o[\"^]*u[\"^]*n)[\"^]*t)))|b[\"^]*(?:c[\"^]*d[\"^]*(?:b[\"^]*o[\"^]*o|e[\"^]*d[\"^]*i)[\"^]*t|(?:d[\"^]*e[\"^]*h[\"^]*d|o[\"^]*o[\"^]*t)[\"^]*c[\"^]*f[\"^]*g|i[\"^]*t[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|c[\"^]*(?:a[\"^]*c[\"^]*l[\"^]*s|e[\"^]*r[\"^]*t[\"^]*(?:r[\"^]*e[\"^]*q|u[\"^]*t[\"^]*i[\"^]*l)|h[\"^]*(?:c[\"^]*p|d[\"^]*i[\"^]*r|g[\"^]*(?:l[\"^]*o[\"^]*g[\"^]*o[\"^]*n|p[\"^]*o[\"^]*r[\"^]*t|u[\"^]*s[\"^]*r)|k[\"^]*(?:d[\"^]*s[\"^]*k|n[\"^]*t[\"^]*f[\"^]*s))|l[\"^]*e[\"^]*a[\"^]*n[\"^]*m[\"^]*g[\"^]*r|m[\"^]*(?:d(?:[\"^]*k[\"^]*e[\"^]*y)?|s[\"^]*t[\"^]*p)|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|d[\"^]*(?:c[\"^]*(?:d[\"^]*i[\"^]*a[\"^]*g|g[\"^]*p[\"^]*o[\"^]*f[\"^]*i[\"^]*x)|e[\"^]*(?:f[\"^]*r[\"^]*a[\"^]*g|l)|f[\"^]*s[\"^]*(?:d[\"^]*i[\"^]*a|r[\"^]*m[\"^]*i)[\"^]*g|i[\"^]*(?:a[\"^]*n[\"^]*t[\"^]*z|r|s[\"^]*(?:k[\"^]*(?:c[\"^]*o[\"^]*(?:m[\"^]*p|p[\"^]*y)|p[\"^]*(?:a[\"^]*r[\"^]*t|e[\"^]*r[\"^]*f)|r[\"^]*a[\"^]*i[\"^]*d|s[\"^]*h[\"^]*a[\"^]*d[\"^]*o[\"^]*w)|p[\"^]*d[\"^]*i[\"^]*a[\"^]*g))|n[\"^]*s[\"^]*c[\"^]*m[\"^]*d|(?:o[\"^]*s[\"^]*k[\"^]*e|r[\"^]*i[\"^]*v[\"^]*e[\"^]*r[\"^]*q[\"^]*u[\"^]*e[\"^]*r)[\"^]*y)|e[\"^]*(?:n[\"^]*d[\"^]*l[\"^]*o[\"^]*c[\"^]*a[\"^]*l|v[\"^]*e[\"^]*n[\"^]*t[\"^]*c[\"^]*r[\"^]*e[\"^]*a[\"^]*t[\"^]*e)|E[\"^]*v[\"^]*n[\"^]*t[\"^]*c[\"^]*m[\"^]*d|f[\"^]*(?:c|i[\"^]*(?:l[\"^]*e[\"^]*s[\"^]*y[\"^]*s[\"^]*t[\"^]*e[\"^]*m[\"^]*s|n[\"^]*d[\"^]*s[\"^]*t[\"^]*r)|l[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*m[\"^]*p|o[\"^]*r(?:[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)?|r[\"^]*e[\"^]*e[\"^]*d[\"^]*i[\"^]*s[\"^]*k|s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|(?:t[\"^]*y[\"^]*p|v[\"^]*e[\"^]*u[\"^]*p[\"^]*d[\"^]*a[\"^]*t)[\"^]*e)|g[\"^]*(?:e[\"^]*t[\"^]*(?:m[\"^]*a[\"^]*c|t[\"^]*y[\"^]*p[\"^]*e)|o[\"^]*t[\"^]*o|p[\"^]*(?:f[\"^]*i[\"^]*x[\"^]*u[\"^]*p|(?:r[\"^]*e[\"^]*s[\"^]*u[\"^]*l[\"^]*)?t|u[\"^]*p[\"^]*d[\"^]*a[\"^]*t[\"^]*e)|r[\"^]*a[\"^]*f[\"^]*t[\"^]*a[\"^]*b[\"^]*l)|h[\"^]*(?:e[\"^]*l[\"^]*p[\"^]*c[\"^]*t[\"^]*r|o[\"^]*s[\"^]*t[\"^]*n[\"^]*a[\"^]*m[\"^]*e)|i[\"^]*(?:c[\"^]*a[\"^]*c[\"^]*l[\"^]*s|f|p[\"^]*(?:c[\"^]*o[\"^]*n[\"^]*f[\"^]*i[\"^]*g|x[\"^]*r[\"^]*o[\"^]*u[\"^]*t[\"^]*e)|r[\"^]*f[\"^]*t[\"^]*p)|j[\"^]*e[\"^]*t[\"^]*p[\"^]*a[\"^]*c[\"^]*k|k[\"^]*(?:l[\"^]*i[\"^]*s[\"^]*t|s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|t[\"^]*(?:m[\"^]*u[\"^]*t[\"^]*i[\"^]*l|p[\"^]*a[\"^]*s[\"^]*s))|l[\"^]*(?:o[\"^]*(?:d[\"^]*c[\"^]*t[\"^]*r|g[\"^]*(?:m[\"^]*a[\"^]*n|o[\"^]*f[\"^]*f))|p[\"^]*[q-r])|m[\"^]*(?:a[\"^]*(?:c[\"^]*f[\"^]*i[\"^]*l[\"^]*e|k[\"^]*e[\"^]*c[\"^]*a[\"^]*b|p[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|k[\"^]*(?:d[\"^]*i[\"^]*r|l[\"^]*i[\"^]*n[\"^]*k)|m[\"^]*c|o[\"^]*u[\"^]*n[\"^]*t[\"^]*v[\"^]*o[\"^]*l|q[\"^]*(?:b[\"^]*k[\"^]*u[\"^]*p|(?:t[\"^]*g[\"^]*)?s[\"^]*v[\"^]*c)|s[\"^]*(?:d[\"^]*t|i[\"^]*(?:e[\"^]*x[\"^]*e[\"^]*c|n[\"^]*f[\"^]*o[\"^]*3[\"^]*2)|t[\"^]*s[\"^]*c))|n[\"^]*(?:b[\"^]*t[\"^]*s[\"^]*t[\"^]*a[\"^]*t|e[\"^]*t[\"^]*(?:c[\"^]*f[\"^]*g|d[\"^]*o[\"^]*m|s[\"^]*(?:h|t[\"^]*a[\"^]*t))|f[\"^]*s[\"^]*(?:a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|s[\"^]*(?:h[\"^]*a[\"^]*r[\"^]*e|t[\"^]*a[\"^]*t))|l[\"^]*(?:b[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*s[\"^]*t)|s[\"^]*l[\"^]*o[\"^]*o[\"^]*k[\"^]*u[\"^]*p|t[\"^]*(?:b[\"^]*a[\"^]*c[\"^]*k[\"^]*u[\"^]*p|c[\"^]*m[\"^]*d[\"^]*p[\"^]*r[\"^]*o[\"^]*m[\"^]*p[\"^]*t|f[\"^]*r[\"^]*s[\"^]*u[\"^]*t[\"^]*l))|o[\"^]*(?:f[\"^]*f[\"^]*l[\"^]*i[\"^]*n[\"^]*e|p[\"^]*e[\"^]*n[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*s)|p[\"^]*(?:a[\"^]*(?:g[\"^]*e[\"^]*f[\"^]*i[\"^]*l[\"^]*e[\"^]*c[\"^]*o[\"^]*n[\"^]*f[\"^]*i|t[\"^]*h[\"^]*p[\"^]*i[\"^]*n)[\"^]*g|(?:b[\"^]*a[\"^]*d[\"^]*m[\"^]*i|k[\"^]*t[\"^]*m[\"^]*o)[\"^]*n|e[\"^]*(?:n[\"^]*t[\"^]*n[\"^]*t|r[\"^]*f[\"^]*m[\"^]*o[\"^]*n)|n[\"^]*p[\"^]*u[\"^]*(?:n[\"^]*a[\"^]*t[\"^]*t[\"^]*e[\"^]*n[\"^]*d|t[\"^]*i[\"^]*l)|o[\"^]*(?:p[\"^]*d|w[\"^]*e[\"^]*r[\"^]*s[\"^]*h[\"^]*e[\"^]*l[\"^]*l)|r[\"^]*n[\"^]*(?:c[\"^]*n[\"^]*f[\"^]*g|(?:d[\"^]*r[\"^]*v|m[\"^]*n[\"^]*g)[\"^]*r|j[\"^]*o[\"^]*b[\"^]*s|p[\"^]*o[\"^]*r[\"^]*t|q[\"^]*c[\"^]*t[\"^]*l)|u[\"^]*(?:b[\"^]*p[\"^]*r[\"^]*n|s[\"^]*h[\"^]*(?:d|p[\"^]*r[\"^]*i[\"^]*n[\"^]*t[\"^]*e[\"^]*r[\"^]*c[\"^]*o[\"^]*n[\"^]*n[\"^]*e[\"^]*c[\"^]*t[\"^]*i[\"^]*o[\"^]*n[\"^]*s))|w[\"^]*(?:l[\"^]*a[\"^]*u[\"^]*n[\"^]*c[\"^]*h[\"^]*e[\"^]*r|s[\"^]*h))|q[\"^]*(?:a[\"^]*p[\"^]*p[\"^]*s[\"^]*r[\"^]*v|p[\"^]*r[\"^]*o[\"^]*c[\"^]*e[\"^]*s[\"^]*s|u[\"^]*s[\"^]*e[\"^]*r|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|r[\"^]*(?:d(?:[\"^]*p[\"^]*s[\"^]*i[\"^]*g[\"^]*n)?|e[\"^]*(?:f[\"^]*s[\"^]*u[\"^]*t[\"^]*i[\"^]*l|g(?:[\"^]*(?:i[\"^]*n[\"^]*i|s[\"^]*v[\"^]*r[\"^]*3[\"^]*2))?|l[\"^]*o[\"^]*g|(?:(?:p[\"^]*a[\"^]*d[\"^]*m[\"^]*i|s[\"^]*c[\"^]*a)[\"^]*)?n|x[\"^]*e[\"^]*c)|i[\"^]*s[\"^]*e[\"^]*t[\"^]*u[\"^]*p|m[\"^]*d[\"^]*i[\"^]*r|o[\"^]*b[\"^]*o[\"^]*c[\"^]*o[\"^]*p[\"^]*y|p[\"^]*c[\"^]*(?:i[\"^]*n[\"^]*f[\"^]*o|p[\"^]*i[\"^]*n[\"^]*g)|s[\"^]*h|u[\"^]*n[\"^]*d[\"^]*l[\"^]*l[\"^]*3[\"^]*2|w[\"^]*i[\"^]*n[\"^]*s[\"^]*t[\"^]*a)|s[\"^]*(?:a[\"^]*n|c[\"^]*(?:h[\"^]*t[\"^]*a[\"^]*s[\"^]*k[\"^]*s|w[\"^]*c[\"^]*m[\"^]*d)|e[\"^]*(?:c[\"^]*e[\"^]*d[\"^]*i[\"^]*t|r[\"^]*v[\"^]*e[\"^]*r[\"^]*(?:(?:c[\"^]*e[\"^]*i[\"^]*p|w[\"^]*e[\"^]*r)[\"^]*o[\"^]*p[\"^]*t[\"^]*i[\"^]*n|m[\"^]*a[\"^]*n[\"^]*a[\"^]*g[\"^]*e[\"^]*r[\"^]*c[\"^]*m[\"^]*d)|t[\"^]*x)|f[\"^]*c|(?:h[\"^]*o[\"^]*w[\"^]*m[\"^]*o[\"^]*u[\"^]*n|u[\"^]*b[\"^]*s)[\"^]*t|x[\"^]*s[\"^]*t[\"^]*r[\"^]*a[\"^]*c[\"^]*e|y[\"^]*s[\"^]*(?:o[\"^]*c[\"^]*m[\"^]*g[\"^]*r|t[\"^]*e[\"^]*m[\"^]*i[\"^]*n[\"^]*f[\"^]*o))|t[\"^]*(?:a[\"^]*(?:k[\"^]*e[\"^]*o[\"^]*w[\"^]*n|p[\"^]*i[\"^]*c[\"^]*f[\"^]*g|s[\"^]*k[\"^]*(?:k[\"^]*i[\"^]*l[\"^]*l|l[\"^]*i[\"^]*s[\"^]*t))|(?:c[\"^]*m[\"^]*s[\"^]*e[\"^]*t[\"^]*u|f[\"^]*t)[\"^]*p|(?:(?:e[\"^]*l[\"^]*n[\"^]*e|i[\"^]*m[\"^]*e[\"^]*o[\"^]*u)[\"^]*|r[\"^]*a[\"^]*c[\"^]*e[\"^]*r[\"^]*(?:p[\"^]*)?)t|l[\"^]*n[\"^]*t[\"^]*a[\"^]*d[\"^]*m[\"^]*n|p[\"^]*m[\"^]*(?:t[\"^]*o[\"^]*o[\"^]*l|v[\"^]*s[\"^]*c[\"^]*m[\"^]*g[\"^]*r)|s[\"^]*(?:(?:d[\"^]*i[\"^]*s[\"^]*)?c[\"^]*o[\"^]*n|e[\"^]*c[\"^]*i[\"^]*m[\"^]*p|k[\"^]*i[\"^]*l[\"^]*l|p[\"^]*r[\"^]*o[\"^]*f)|y[\"^]*p[\"^]*e[\"^]*p[\"^]*e[\"^]*r[\"^]*f|z[\"^]*u[\"^]*t[\"^]*i[\"^]*l)|u[\"^]*n[\"^]*(?:e[\"^]*x[\"^]*p[\"^]*o[\"^]*s[\"^]*e|i[\"^]*q[\"^]*u[\"^]*e[\"^]*i[\"^]*d|l[\"^]*o[\"^]*d[\"^]*c[\"^]*t[\"^]*r)|v[\"^]*(?:o[\"^]*l|s[\"^]*s[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n)|w[\"^]*(?:a[\"^]*i[\"^]*t[\"^]*f[\"^]*o[\"^]*r|b[\"^]*a[\"^]*d[\"^]*m[\"^]*i[\"^]*n|(?:d[\"^]*s|e[\"^]*(?:c|v[\"^]*t))[\"^]*u[\"^]*t[\"^]*i[\"^]*l|h[\"^]*(?:e[\"^]*r[\"^]*e|o[\"^]*a[\"^]*m[\"^]*i)|i[\"^]*n[\"^]*(?:n[\"^]*t(?:[\"^]*3[\"^]*2)?|r[\"^]*s)|m[\"^]*i[\"^]*c|s[\"^]*c[\"^]*r[\"^]*i[\"^]*p[\"^]*t)|x[\"^]*c[\"^]*o[\"^]*p[\"^]*y)(?:.[\"^]*[0-9A-Z_a-z]+)?b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*.[sv].*b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?:$(?:((?:(.*)|.*))|{.*})|[<>](.*)|[!?.+])"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx /"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx s"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{]))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx /"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx s"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#-$(*-0-9?-[_a-{])"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx /"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx s"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i).|(?:[sv]*|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|G[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?E[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?T|a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:b|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?t|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[jp])?|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ks])|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[8-9][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?9|[au][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|c|(?:m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dfu]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[gr])|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[bdx]|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|q[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?)|f[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[c-dgi]|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|g[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[chr][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|o|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[dp]|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b)|j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:j[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|q)|k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|l[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d)?|[nps]|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a|z(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?4)?)|m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|v)|n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[cl]|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|o[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[at][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?x|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|f|(?:k[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?g|h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cp]|r(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?y)?|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r|c(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)?|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dv]|(?:p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?m)|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dt]|[g-hu]|s(?:[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)?|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[cr]|b[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?l|[co][\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[ex]|i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c)|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|l)|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:3[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m|c)|x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:x[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|z)|y[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:e[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)|z[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|s[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)[-0-9_a-z]+(?:[\"'[-]]+|$+[!#*-0-9?-@x5c_a-{]+|``|[$<>]())[sv]*[-0-9_a-z]+"
+ },
+ {
+ "category": "RCE",
+ "pattern": "!@rx [0-9]s*'s*[0-9]"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx ;[sv]*.[sv]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx rn(?s:.)*?b(?:(?i:E)(?:HLO [--.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [--.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SETb)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20}(?i: )(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}(?i:=)|[+/-9A-Z_a-zx17fx212a]{3}))?(?i:=)|STARTTLSb|NOOPb(?:(?i: ).{1,255})?)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[\"-#%-&*--9A-Zx5c_a-z]+)?(?: ([ x5ca-z]+))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\"?)? {[0-9]{1,20}+?}|UTHENTICATE [-0-9_a-z]{1,20}rn)|L(?:SUB (?:[\"-#*.-9A-Z_a-z~]+)? (?:[\"%-&*.-9A-Zx5c_a-z]+)?|ISTRIGHTS (?:[\"%-&*--9A-Zx5c_a-z]+)?)|S(?:TATUS (?:[\"%-&*--9A-Zx5c_a-z]+)? ((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+)|ETACL (?:[\"%-&*--9A-Zx5c_a-z]+)? [+-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&*--9A-Zx5c_a-z]+)?)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9A-Z_]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|inks|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[^sv])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash|nap)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:3m|c|a(?:ll|tch)[sv&)<>|]|get|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|s(?:ed|ftp|ql)|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[sv&)<>|]|diff)|ew[sv&)<>|]|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:c|a(?:ll|tch)[sv&)<>|]|h(?:iptail[sv&)<>|]|o(?:ami|is))|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@pmFromFile unix-shell.data"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sv&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine))[sv&)<>|]|pt(?:(?:itude)?[sv&)<>|]|-get)|r(?:[sv&)<>j|]|(?:p|ch)[sv&)<>|]|ia2c)|s(?:h?[sv&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sv&)<>|]|obm)|dd(?:group|user)|getty|nsible-playbook|xel)|b(?:z(?:z[sv&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[sv&)<>|]|mp|p(?:[sv&)<>|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[sv&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|ress)[sv&)<>|])|w(?:say|think))|r(?:ash[sv&)<>|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sv&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sv&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sv&)<>|]|n(?:v(?:-update)?|d(?:if|sw))|qn|s(?:[sv&)<>h|]|ac)|x(?:(?:ec)?[sv&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sv&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sv&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sv&)<>|]|le(?:[sv&)<>|]|test))|mt|tp(?:[sv&)<>|]|stats|who)|acter|o(?:ld[sv&)<>|]|reach)|ping)|g(?:c(?:c[^sv]|ore)|db|e(?:(?:m|tfacl)[sv&)<>|]|ni(?:e[sv&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sv&)<>|]|nsh)|(?:o|awk)[sv&)<>|]|pg|r(?:c|ep[sv&)<>|]|oup(?:[sv&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sv&)<>|]|e(?:ad[sv&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sv&)<>|]|onice|spell)|j(?:js|q|ava[sv&)<>|]|exec|o(?:(?:bs|in)[sv&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[sv&)<>|]|all)|nife[sv&)<>|])|l(?:d(?:d?[sv&)<>|]|config)|(?:[np]|ynx)[sv&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sv&)<>|]|(?:la)?tex)|z(?:[sv&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sv&)<>|]|comm|log(?:in)?)|tex[sv&)<>|])|ess(?:[sv&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sv&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sv&)<>|]|il(?:[sv&)<>q|]|x[sv&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sv&)<>|]|k(?:dir[sv&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sv&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sv&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sv&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sv&)<>|]|m(?:[sv&)<>|]|ap)|p(?:m[sv&)<>|]|ing)|a(?:no[sv&)<>|]|sm|wk)|o(?:de[sv&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sv&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sv&)<>|]|s(?:swd|te[sv&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sv&)<>|]|tp)|g(?:rep)?|hp(?:[sv&)57<>|]|-cgi)|i(?:(?:co?|ng)[sv&)<>|]|p[^sv]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sv&)<>|]|int(?:env|f[sv&)<>|]))|s(?:[sv&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:f|l(?:5|sh)?|ms[sv&)<>|])|opd|u(?:ppet[sv&)<>|]|shd)|ython[2-3])|r(?:a(?:r[sv&)<>|]|k(?:e[sv&)<>|]|u))|c(?:p[sv&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sv&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sv&)<>|]|user)|pm(?:[sv&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sv&)<>|]|sync|u(?:by[^sv]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[sv&)<>|])|e(?:(?:d|lf|rvice)[sv&)<>|]|t(?:arch|env|facl[sv&)<>|]|sid)?|ndmail)|(?:g|ash)[sv&)<>|]|h(?:(?:adow|ells)?[sv&)<>|]|.distrib|u(?:f|tdown[sv&)<>|]))|s(?:[sv&)<>|]|h(?:[sv&)<>|]|-key(?:ge|sca)n|pass))|u(?:[sv&)<>|]|do)|vn|diff|ftp|l(?:eep[sv&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sv&)<>|])|p(?:lit[sv&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sv&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sv&)<>|]|il[sv&)<>f|]|sk(?:[sv&)<>|]|set))|bl|c(?:p(?:[sv&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sv&)<>|]|lnet)|i(?:c[sv&)<>|]|me(?:(?:out)?[sv&)<>|]|datectl))|o(?:p|uch[sv&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sv&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sv&)<>|]|expand|iq|l(?:ink[sv&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sv&)<>|]|std))|p(?:2date[sv&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sv&)<>|]|m(?:[sv&)<>|]|diff)|gr|pw|rsh)|algrind|olatility[sv&)<>|])|w(?:[sv&)<>c|]|h(?:o(?:[sv&)<>|]|ami|is)?|iptail[sv&)<>|])|a(?:ll|tch)[sv&)<>|]|i(?:reshark|sh[sv&)<>|]))|x(?:(?:x|pa)d|z(?:[sv&)<>|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sv&)<>|]|um)|z(?:ip(?:[sv&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sv&)<>|])|f?grep|less|more|run|ypper))b"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?i)(?:(?:^|=)[sv]*(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*|(?:t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|\".*\")[sv]+)*)[sv]*[\"']*(?:[\"'-+--9?A-]_a-z|]+/)?[\"'x5c]*(?:(?:(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|u[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?2[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?t)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|v[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i)[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|d[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|p[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?a[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|s)|w[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h[\"')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?o|[sv&),<>|].*))"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx rn(?s:.)*?b(?:DATA|QUIT|HELP(?: .{1,255})?)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [\"-#%-&*--9A-Zx5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&*--.0-9A-Zx5c_a-z]+|EX(?:AMINE [\"-#%-&*--.0-9A-Zx5c_a-z]+|PUNGE)|FETCH [*,0-:]+|L(?:IST [\"-#*--9A-Zx5c_a-z~]+? [\"-#%-&*--9A-Zx5c_a-z]+|OG(?:IN [--.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&*--9A-Zx5c_a-z]+? [\"-#%-&*--9A-Zx5c_a-z]+|S(?:E(?:LECT [\"-#%-&*--9A-Zx5c_a-z]+|ARCH(?: CHARSET [--.0-9A-Z_a-z]{1,40})? (?:(KEYWORD x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [*,0-:]+?|NKEYWORD x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [*,0-:]+? [+-]?FLAGS(?:.SILENT)? (?:(x5c[a-z]{1,20}))?|ARTTLS)|UBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&*--9A-Zx5c_a-z]+|AUTHENTICATE)|NOOP)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx rn(?s:.)*?b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@rx !(?:d|!)"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "RCE",
+ "pattern": "@lt 4"
+ },
{
"category": "PHP",
"pattern": "@lt 1"
@@ -2399,82 +2399,6 @@
"category": "SHELLS",
"pattern": "@lt 4"
},
- {
- "category": "CORRELATION",
- "pattern": "@eq 0"
- },
- {
- "category": "CORRELATION",
- "pattern": "@ge 5"
- },
- {
- "category": "CORRELATION",
- "pattern": "@eq 0"
- },
- {
- "category": "CORRELATION",
- "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
- },
- {
- "category": "CORRELATION",
- "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 2"
- },
- {
- "category": "CORRELATION",
- "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
- },
- {
- "category": "CORRELATION",
- "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 3"
- },
- {
- "category": "CORRELATION",
- "pattern": "@gt 0"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 4"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 1"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 1"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 2"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 2"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 3"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 3"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 4"
- },
- {
- "category": "CORRELATION",
- "pattern": "@lt 4"
- },
{
"category": "EVALUATION",
"pattern": "@ge 1"
@@ -2582,5 +2506,81 @@
{
"category": "EVALUATION",
"pattern": "@lt 4"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge 5"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@eq 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.inbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@ge %{tx.outbound_anomaly_score_threshold}"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@gt 0"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 1"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 2"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 3"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
+ },
+ {
+ "category": "CORRELATION",
+ "pattern": "@lt 4"
}
]
\ No newline at end of file
diff --git a/waf_patterns/apache/attack.conf b/waf_patterns/apache/attack.conf
index f2078f4..43b341c 100644
--- a/waf_patterns/apache/attack.conf
+++ b/waf_patterns/apache/attack.conf
@@ -1,20 +1,19 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On
-SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1037,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1035,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[nr\]" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "@gt\ 1" "id:1043,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[nr\]" "id:1036,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1038,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\." "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[nr\]" "id:1039,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1031,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1044,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1030,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1032,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1029,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "@gt\ 0" "id:1041,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\[nr\]" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1040,phase:1,deny,status:403,log,msg:'attack attack detected'"
-SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1151,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1148,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "@gt\ 1" "id:1158,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[nr\]" "id:1154,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1034,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[nr\]" "id:1150,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1155,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1147,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "@gt\ 0" "id:1156,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\." "id:1157,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[nr\]" "id:1152,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\[nr\]" "id:1149,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1146,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1033,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1153,phase:1,deny,status:403,log,msg:'attack attack detected'"
+SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1159,phase:1,deny,status:403,log,msg:'attack attack detected'"
diff --git a/waf_patterns/apache/correlation.conf b/waf_patterns/apache/correlation.conf
index c374e7a..4050e9a 100644
--- a/waf_patterns/apache/correlation.conf
+++ b/waf_patterns/apache/correlation.conf
@@ -1,11 +1,11 @@
# Apache ModSecurity rules for CORRELATION
SecRuleEngine On
-SecRule REQUEST_URI "@gt\ 0" "id:1327,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1324,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1325,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@ge\ 5" "id:1321,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1326,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1320,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1323,phase:1,deny,status:403,log,msg:'correlation attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1322,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@ge\ 5" "id:1343,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1347,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1344,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@gt\ 0" "id:1349,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1345,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1348,phase:1,deny,status:403,log,msg:'correlation attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1342,phase:1,deny,status:403,log,msg:'correlation attack detected'"
diff --git a/waf_patterns/apache/enforcement.conf b/waf_patterns/apache/enforcement.conf
index 96a9fac..c14d11e 100644
--- a/waf_patterns/apache/enforcement.conf
+++ b/waf_patterns/apache/enforcement.conf
@@ -1,82 +1,86 @@
# Apache ModSecurity rules for ENFORCEMENT
SecRuleEngine On
-SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1153,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\['";=\]" "id:1148,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "x25" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1119,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1155,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1142,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1150,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1157,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "x25" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1132,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1121,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\$" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1127,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1123,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1118,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\.\*\$" "id:1134,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1135,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1154,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1164,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@streq\ POST" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1146,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1124,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUrlEncoding" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1133,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1144,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1163,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 0" "id:1158,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1160,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUrlEncoding" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1126,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1145,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1128,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1141,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "charset\.\*\?charset" "id:1130,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1156,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1120,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1138,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1125,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1122,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1162,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@validateUtf8Encoding" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@contains\ \#" "id:1139,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1152,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\$" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1159,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1131,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1143,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 50" "id:1136,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1161,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1129,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@streq\ JSON" "id:1137,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "\^\.\*\$" "id:1151,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "!@rx\ \^0\$" "id:1149,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
-SecRule REQUEST_URI "@gt\ 1" "id:1140,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1097,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 1" "id:1092,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \(\?i\)\^\(\?:\&\(\?:\(\?:\[acegiln\-or\-suz\]acut\|\[aeiou\]grav\|\[ain\-o\]tild\)e\|\[c\-elnr\-tz\]caron\|\(\?:\[cgk\-lnr\-t\]cedi\|\[aeiouy\]um\)l\|\[aceg\-josuwy\]circ\|\[au\]ring\|a\(\?:mp\|pos\)\|nbsp\|oslash\);\|\[\^"';=\]\)\*\$" "id:1035,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1114,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1107,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1042,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1106,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1037,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1044,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1087,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1052,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 0" "id:1111,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUrlEncoding" "id:1049,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1099,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1116,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1039,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "x25" "id:1048,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?i\)application/x\-www\-form\-urlencoded" "id:1047,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1115,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1050,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1093,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1084,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\.\*\$" "id:1103,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\$" "id:1101,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1095,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\['";=\]" "id:1100,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1043,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1085,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1036,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUrlEncoding" "id:1046,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1041,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1108,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@contains\ \#" "id:1091,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1117,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?i\)up" "id:1110,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1113,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1105,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@streq\ POST" "id:1040,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1102,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1083,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\.\*\$" "id:1086,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "x25" "id:1045,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\(\?i\)multipart/form\-data" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1038,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1090,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateUtf8Encoding" "id:1051,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "charset\.\*\?charset" "id:1082,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1112,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@gt\ 50" "id:1088,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1104,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@rx\ \^0\$" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1109,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1094,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^\$" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "!@streq\ JSON" "id:1089,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1098,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
+SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1096,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
diff --git a/waf_patterns/apache/evaluation.conf b/waf_patterns/apache/evaluation.conf
index 7877c2e..ded99a5 100644
--- a/waf_patterns/apache/evaluation.conf
+++ b/waf_patterns/apache/evaluation.conf
@@ -1,41 +1,41 @@
# Apache ModSecurity rules for EVALUATION
SecRuleEngine On
-SecRule REQUEST_URI "@ge\ 1" "id:1056,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1066,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1071,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1343,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1072,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1062,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1344,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1060,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1055,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1065,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1064,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1073,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1061,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1059,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1070,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1346,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1068,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1058,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1345,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1063,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 4" "id:1069,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 1" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 3" "id:1067,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
-SecRule REQUEST_URI "@ge\ 2" "id:1057,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1195,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1190,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1193,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1202,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1191,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1200,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1188,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1189,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1186,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1198,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1323,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1201,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1199,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1187,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 4" "id:1192,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1196,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1185,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1197,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1194,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 2" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 3" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ 1" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
+SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1203,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
diff --git a/waf_patterns/apache/exceptions.conf b/waf_patterns/apache/exceptions.conf
index 72fe303..0114a0d 100644
--- a/waf_patterns/apache/exceptions.conf
+++ b/waf_patterns/apache/exceptions.conf
@@ -1,8 +1,8 @@
# Apache ModSecurity rules for EXCEPTIONS
SecRuleEngine On
-SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1250,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
-SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1252,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
-SecRule REQUEST_URI "@streq\ GET\ /" "id:1248,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
-SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1249,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
-SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1251,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
+SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1004,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
+SecRule REQUEST_URI "@streq\ GET\ /" "id:1000,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
+SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1002,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
+SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1001,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
+SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1003,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
diff --git a/waf_patterns/apache/fixation.conf b/waf_patterns/apache/fixation.conf
index 3ac10d8..d3a2a60 100644
--- a/waf_patterns/apache/fixation.conf
+++ b/waf_patterns/apache/fixation.conf
@@ -1,9 +1,9 @@
# Apache ModSecurity rules for FIXATION
SecRuleEngine On
-SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1053,phase:1,deny,status:403,log,msg:'fixation attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1054,phase:1,deny,status:403,log,msg:'fixation attack detected'"
-SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1052,phase:1,deny,status:403,log,msg:'fixation attack detected'"
-SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1049,phase:1,deny,status:403,log,msg:'fixation attack detected'"
-SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1051,phase:1,deny,status:403,log,msg:'fixation attack detected'"
-SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1050,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1144,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1145,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1140,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1142,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1143,phase:1,deny,status:403,log,msg:'fixation attack detected'"
+SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1141,phase:1,deny,status:403,log,msg:'fixation attack detected'"
diff --git a/waf_patterns/apache/generic.conf b/waf_patterns/apache/generic.conf
index 9c881f9..558d9f7 100644
--- a/waf_patterns/apache/generic.conf
+++ b/waf_patterns/apache/generic.conf
@@ -1,6 +1,6 @@
# Apache ModSecurity rules for GENERIC
SecRuleEngine On
-SecRule REQUEST_URI "@\{\.\*\}" "id:1048,phase:1,deny,status:403,log,msg:'generic attack detected'"
-SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1046,phase:1,deny,status:403,log,msg:'generic attack detected'"
-SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1047,phase:1,deny,status:403,log,msg:'generic attack detected'"
+SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1119,phase:1,deny,status:403,log,msg:'generic attack detected'"
+SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1120,phase:1,deny,status:403,log,msg:'generic attack detected'"
+SecRule REQUEST_URI "@\{\.\*\}" "id:1121,phase:1,deny,status:403,log,msg:'generic attack detected'"
diff --git a/waf_patterns/apache/iis.conf b/waf_patterns/apache/iis.conf
index 69bdc55..c6476fb 100644
--- a/waf_patterns/apache/iis.conf
+++ b/waf_patterns/apache/iis.conf
@@ -1,7 +1,7 @@
# Apache ModSecurity rules for IIS
SecRuleEngine On
-SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"
-SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1291,phase:1,deny,status:403,log,msg:'iis attack detected'"
-SecRule REQUEST_URI "!@rx\ \^404\$" "id:1293,phase:1,deny,status:403,log,msg:'iis attack detected'"
-SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|internal\ server\ error
\.\*\?part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.
\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1292,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1297,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "!@rx\ \^404\$" "id:1296,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1294,phase:1,deny,status:403,log,msg:'iis attack detected'"
+SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|internal\ server\ error
\.\*\?part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.
\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1295,phase:1,deny,status:403,log,msg:'iis attack detected'"
diff --git a/waf_patterns/apache/initialization.conf b/waf_patterns/apache/initialization.conf
index b3e7980..a0cbd38 100644
--- a/waf_patterns/apache/initialization.conf
+++ b/waf_patterns/apache/initialization.conf
@@ -1,31 +1,31 @@
# Apache ModSecurity rules for INITIALIZATION
SecRuleEngine On
-SecRule REQUEST_URI "@eq\ 0" "id:1000,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "\^\.\*\$" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1006,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1003,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1012,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1015,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "\^\.\*\$" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1002,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1008,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1018,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1030,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1005,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1008,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1011,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1014,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1020,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 100" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1017,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1027,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1001,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1004,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1023,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1007,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1013,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1010,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1019,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1021,phase:1,deny,status:403,log,msg:'initialization attack detected'"
-SecRule REQUEST_URI "@eq\ 1" "id:1024,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1032,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1016,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1022,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1028,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 100" "id:1031,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 0" "id:1025,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1026,phase:1,deny,status:403,log,msg:'initialization attack detected'"
+SecRule REQUEST_URI "@eq\ 1" "id:1029,phase:1,deny,status:403,log,msg:'initialization attack detected'"
diff --git a/waf_patterns/apache/java.conf b/waf_patterns/apache/java.conf
index d38aa25..f93e182 100644
--- a/waf_patterns/apache/java.conf
+++ b/waf_patterns/apache/java.conf
@@ -1,18 +1,18 @@
# Apache ModSecurity rules for JAVA
SecRuleEngine On
-SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1172,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1175,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1167,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1170,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1177,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1168,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1165,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1174,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "xacxedx00x05" "id:1173,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1171,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1176,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1179,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1166,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1178,phase:1,deny,status:403,log,msg:'java attack detected'"
-SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1169,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1131,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1126,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1125,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1129,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1132,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1136,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "xacxedx00x05" "id:1133,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1134,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1130,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1135,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1138,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1127,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1128,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1137,phase:1,deny,status:403,log,msg:'java attack detected'"
+SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1139,phase:1,deny,status:403,log,msg:'java attack detected'"
diff --git a/waf_patterns/apache/leakages.conf b/waf_patterns/apache/leakages.conf
index 7877f18..d58bc56 100644
--- a/waf_patterns/apache/leakages.conf
+++ b/waf_patterns/apache/leakages.conf
@@ -1,6 +1,6 @@
# Apache ModSecurity rules for LEAKAGES
SecRuleEngine On
-SecRule REQUEST_URI "\^5d\{2\}\$" "id:1208,phase:1,deny,status:403,log,msg:'leakages attack detected'"
-SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" "id:1206,phase:1,deny,status:403,log,msg:'leakages attack detected'"
-SecRule REQUEST_URI "\^\#!s\?/" "id:1207,phase:1,deny,status:403,log,msg:'leakages attack detected'"
+SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" "id:1182,phase:1,deny,status:403,log,msg:'leakages attack detected'"
+SecRule REQUEST_URI "\^5d\{2\}\$" "id:1184,phase:1,deny,status:403,log,msg:'leakages attack detected'"
+SecRule REQUEST_URI "\^\#!s\?/" "id:1183,phase:1,deny,status:403,log,msg:'leakages attack detected'"
diff --git a/waf_patterns/apache/lfi.conf b/waf_patterns/apache/lfi.conf
index 2c6d55f..6a087bf 100644
--- a/waf_patterns/apache/lfi.conf
+++ b/waf_patterns/apache/lfi.conf
@@ -1,4 +1,4 @@
# Apache ModSecurity rules for LFI
SecRuleEngine On
-SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1045,phase:1,deny,status:403,log,msg:'lfi attack detected'"
+SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1118,phase:1,deny,status:403,log,msg:'lfi attack detected'"
diff --git a/waf_patterns/apache/php.conf b/waf_patterns/apache/php.conf
index b42529c..02acb17 100644
--- a/waf_patterns/apache/php.conf
+++ b/waf_patterns/apache/php.conf
@@ -1,14 +1,14 @@
# Apache ModSecurity rules for PHP
SecRuleEngine On
-SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1289,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1083,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1084,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@pm\ =" "id:1079,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1081,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1080,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1290,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1078,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1077,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1082,phase:1,deny,status:403,log,msg:'php attack detected'"
-SecRule REQUEST_URI "@pm\ \?>" "id:1085,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1292,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1177,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@pm\ =" "id:1175,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1176,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1179,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1180,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1174,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1173,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1178,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "@pm\ \?>" "id:1181,phase:1,deny,status:403,log,msg:'php attack detected'"
+SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1293,phase:1,deny,status:403,log,msg:'php attack detected'"
diff --git a/waf_patterns/apache/rce.conf b/waf_patterns/apache/rce.conf
index 5cd2822..8a0e190 100644
--- a/waf_patterns/apache/rce.conf
+++ b/waf_patterns/apache/rce.conf
@@ -1,29 +1,29 @@
# Apache ModSecurity rules for RCE
SecRuleEngine On
-SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1227,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1243,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1247,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "!\-d" "id:1225,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1224,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1239,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1226,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1241,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1230,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1242,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1244,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1246,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1233,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "/" "id:1231,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1222,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "/" "id:1234,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1240,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "/" "id:1237,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "s" "id:1232,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "s" "id:1235,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "s" "id:1238,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1236,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1223,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1229,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1228,phase:1,deny,status:403,log,msg:'rce attack detected'"
-SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1245,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" "id:1273,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1271,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "/" "id:1275,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "/" "id:1281,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "/" "id:1278,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" "id:1288,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" "id:1286,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" "id:1274,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" "id:1290,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" "id:1285,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" "id:1277,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \["\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \["\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ "\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \["\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" "id:1289,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1268,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\^\(s\*\)s\+\{" "id:1270,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" "id:1283,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" "id:1266,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI ";\[sv\]\*\.\[sv\]\*\["'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" "id:1284,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" "id:1287,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" "id:1267,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" "id:1280,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "s" "id:1276,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "s" "id:1279,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "ba\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\["'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" "id:1272,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "s" "id:1282,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "!\(\?:d\|!\)" "id:1291,phase:1,deny,status:403,log,msg:'rce attack detected'"
+SecRule REQUEST_URI "!\-d" "id:1269,phase:1,deny,status:403,log,msg:'rce attack detected'"
diff --git a/waf_patterns/apache/rfi.conf b/waf_patterns/apache/rfi.conf
index 79467df..504994f 100644
--- a/waf_patterns/apache/rfi.conf
+++ b/waf_patterns/apache/rfi.conf
@@ -1,6 +1,6 @@
# Apache ModSecurity rules for RFI
SecRuleEngine On
-SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1076,phase:1,deny,status:403,log,msg:'rfi attack detected'"
-SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1075,phase:1,deny,status:403,log,msg:'rfi attack detected'"
-SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1074,phase:1,deny,status:403,log,msg:'rfi attack detected'"
+SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1123,phase:1,deny,status:403,log,msg:'rfi attack detected'"
+SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1124,phase:1,deny,status:403,log,msg:'rfi attack detected'"
+SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1122,phase:1,deny,status:403,log,msg:'rfi attack detected'"
diff --git a/waf_patterns/apache/shells.conf b/waf_patterns/apache/shells.conf
index 19bce54..3be4eba 100644
--- a/waf_patterns/apache/shells.conf
+++ b/waf_patterns/apache/shells.conf
@@ -1,28 +1,28 @@
# Apache ModSecurity rules for SHELLS
SecRuleEngine On
-SecRule REQUEST_URI "\^\ \*n\[\ \]\+n\[\ \]\+lostDC\ \-" "id:1307,phase:1,deny,status:403,log,msg:'shells attack detected'"
-SecRule REQUEST_URI "@contains\ <title>punkholicshell" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
-SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ \.\*\?\ \-\ WSO\ \[0\-9\.\]\+" "id:1296,phase:1,deny,status:403,log,msg:'shells attack detected'"
-SecRule REQUEST_URI "SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1304,phase:1,deny,status:403,log,msg:'shells attack detected'"
-SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ Inn