diff --git a/json2nginx.py b/json2nginx.py
index 4bcd803..83a4d36 100644
--- a/json2nginx.py
+++ b/json2nginx.py
@@ -15,6 +15,9 @@ logging.basicConfig(
# Input and output paths
INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/nginx"))
+MAPS_FILE = OUTPUT_DIR / "waf_maps.conf"
+RULES_FILE = OUTPUT_DIR / "waf_rules.conf"
+
# Create output directory if it doesn't exist
OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
@@ -52,10 +55,18 @@ def sanitize_pattern(pattern):
return None
if pattern.startswith("@rx "):
- sanitized_pattern = pattern.replace("@rx ", "").strip()
- return sanitized_pattern if validate_regex(sanitized_pattern) else None
-
- return pattern if validate_regex(pattern) else None
+ sanitized_pattern = pattern.replace("@rx ", "").strip()
+ if validate_regex(sanitized_pattern):
+ return re.escape(sanitized_pattern).replace(r'\@', '@')
+ else:
+ logging.warning(f"Invalid regex in pattern: {sanitized_pattern}")
+ return None
+
+ if validate_regex(pattern):
+ return re.escape(pattern).replace(r'\@', '@')
+ else:
+ logging.warning(f"Invalid regex in pattern: {pattern}")
+ return None
def generate_nginx_waf(rules):
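Review bot: `re.escape()` at lines 23 and 29 turns every validated regex into a literal-match string, so the `~*` map entries built from these return values no longer match what the OWASP rule intended — `^.*$` is emitted as `"~*\^\.\*\$"` and a bare `.` as `"~*\." 1;` under `$waf_block_attack` in the waf_maps.conf of this commit, and that last entry blocks any request URI containing a dot. Return the validated pattern unchanged here and leave nginx string quoting to the writer: `return sanitized_pattern` and `return pattern`. The fall-through branch also lets ModSecurity operator rules such as `@eq 1` or `@gt 0` into the maps, presumably because validate_regex only checks that the string compiles; a guard before it, `if pattern.startswith("@"): return None`, keeps non-regex operators out (the generated `"~*@eq\ 1" 1;` entries show the current effect). `.replace(r'\@', '@')` is a no-op on Python 3.7+, where `re.escape` does not escape `@`. sanitize_pattern's signature lies outside the hunk.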
@@ -73,54 +84,72 @@ def generate_nginx_waf(rules):
else:
logging.warning(f"Invalid or unsupported pattern skipped: {pattern}")
- # Write Nginx rule snippets per category
- for category, patterns in categorized_rules.items():
- output_file = OUTPUT_DIR / f"{category}.conf"
- try:
- with open(output_file, "w") as f:
- f.write(f"# Nginx WAF rules for {category.upper()}\n")
- f.write("# Automatically generated from OWASP rules.\n")
- f.write("# Include this file in your server or location block.\n\n")
+ # Write map definitions to a dedicated file
+ try:
+ with open(MAPS_FILE, "w") as f:
+ f.write("# Nginx WAF Maps Definitions\n")
+ f.write("# Automatically generated from OWASP rules.\n\n")
+ f.write("http {\n")
+ for category, patterns in categorized_rules.items():
+ f.write(f" map $request_uri $waf_block_{category} {{\n")
+ f.write(" default 0;\n")
+ for pattern in patterns:
+ escaped_pattern = pattern.replace('"', '\\"')
+ f.write(f' "~*{escaped_pattern}" 1;\n')
+ f.write(" }\n\n")
+ f.write("}\n")
- # Use a map to avoid redundant patterns
- f.write("map $request_uri $waf_block_{category} {{\n".format(category=category))
- f.write(" default 0;\n")
- for pattern in patterns:
- escaped_pattern = pattern.replace('"', '\\"')
- f.write(f' "~*{escaped_pattern}" 1;\n')
- f.write("}\n\n")
+ logging.info(f"Generated {MAPS_FILE} containing map definitions")
+ except IOError as e:
+ logging.error(f"Failed to write {MAPS_FILE}: {e}")
- # Apply the WAF rule
- f.write("if ($waf_block_{category}) {{\n".format(category=category))
- f.write(" return 403;\n")
- f.write(" # Log the blocked request (optional)\n")
- f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
- f.write("}\n\n")
- logging.info(f"Generated {output_file} ({len(patterns)} patterns)")
- except IOError as e:
- logging.error(f"Failed to write {output_file}: {e}")
+ # Write if blocks to a dedicated file
+ try:
+ with open(RULES_FILE, "w") as f:
+ f.write("# Nginx WAF Rules\n")
+ f.write("# Automatically generated from OWASP rules.\n")
+ f.write("# Include this file inside server block\n\n")
+ f.write(" # WAF rules\n")
+ for category in categorized_rules.keys():
+ f.write(f" if ($waf_block_{category}) {{\n")
+ f.write(" return 403;\n")
+ f.write(" # Log the blocked request (optional)\n")
+ f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
+ f.write(" }\n\n")
+
+ logging.info(f"Generated {RULES_FILE} containing rules")
+ except IOError as e:
+ logging.error(f"Failed to write {RULES_FILE}: {e}")
# Generate a README file with usage instructions
readme_file = OUTPUT_DIR / "README.md"
with open(readme_file, "w") as f:
- f.write("# Nginx WAF Rule Snippets\n\n")
- f.write("This directory contains Nginx WAF rule snippets generated from OWASP rules.\n")
- f.write("You can include these snippets in your existing Nginx configuration to enhance security.\n\n")
+ f.write("# Nginx WAF Configuration\n\n")
+ f.write("This directory contains Nginx WAF configuration files generated from OWASP rules.\n")
+ f.write("You can include these files in your existing Nginx configuration to enhance security.\n\n")
f.write("## Usage\n")
- f.write("1. Include the rule snippets in your `server` or `location` block:\n")
+ f.write("1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:\n")
f.write(" ```nginx\n")
- f.write(" server {\n")
- f.write(" # Your existing configuration\n")
- f.write(" include /path/to/waf_patterns/nginx/*.conf;\n")
+ f.write(" http {\n")
+ f.write(" include /path/to/waf_patterns/nginx/waf_maps.conf;\n")
+ f.write(" # ... other http configurations ...\n")
f.write(" }\n")
f.write(" ```\n")
- f.write("2. Reload Nginx to apply the changes:\n")
+ f.write("2. Include the `waf_rules.conf` file in your `server` block:\n")
+ f.write(" ```nginx\n")
+ f.write(" server {\n")
+ f.write(" # ... other server configurations ...\n")
+ f.write(" include /path/to/waf_patterns/nginx/waf_rules.conf;\n")
+ f.write(" }\n")
+ f.write(" ```\n")
+ f.write("3. Reload Nginx to apply the changes:\n")
f.write(" ```bash\n")
f.write(" sudo nginx -t && sudo systemctl reload nginx\n")
f.write(" ```\n")
f.write("\n## Notes\n")
- f.write("- The rules use `map` directives for efficient pattern matching.\n")
+ f.write("- The rules use `map` directives for efficient pattern matching. The maps are defined in the `waf_maps.conf` file.\n")
+ f.write("- The rules (if statements) are defined in the `waf_rules.conf` file.\n")
f.write("- Blocked requests return a `403 Forbidden` response by default.\n")
f.write("- You can enable logging for blocked requests by uncommenting the `access_log` line.\n")
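Review bot: The `http {` / `}` wrapper written at lines 50 and 58 contradicts the README text written at lines 106–113, which tells the user to `include` waf_maps.conf inside the `http` block; nginx rejects a nested `http` directive, so `nginx -t` fails on the generated file — drop those two `f.write` calls and emit the `map` blocks at top level, which is where the documented include works. Escaping only `"` at line 55 does not guarantee a usable nginx quoted string either: the waf_maps.conf in this commit already contains one entry broken across two lines (`…\[Aa\]>` / `\)" 1;`), which as far as the output shows means the pattern carried a literal line break that can never match a URI, so skip such patterns before writing, e.g. `if "\n" in pattern or "\r" in pattern: continue`. Every map keys on `$request_uri` only, so OWASP checks aimed at request bodies, headers or cookies are not enforced by this output; a sentence stating that limitation under the `## Notes` section written at line 128 would set expectations for anyone deploying these files. generate_nginx_waf starts outside the hunk.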
diff --git a/waf_patterns/nginx/README.md b/waf_patterns/nginx/README.md
index da8247d..befaff5 100644
--- a/waf_patterns/nginx/README.md
+++ b/waf_patterns/nginx/README.md
@@ -1,22 +1,30 @@
-# Nginx WAF Rule Snippets
+# Nginx WAF Configuration
-This directory contains Nginx WAF rule snippets generated from OWASP rules.
-You can include these snippets in your existing Nginx configuration to enhance security.
+This directory contains Nginx WAF configuration files generated from OWASP rules.
+You can include these files in your existing Nginx configuration to enhance security.
## Usage
-1. Include the rule snippets in your `server` or `location` block:
+1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:
```nginx
- server {
- # Your existing configuration
- include /path/to/waf_patterns/nginx/*.conf;
+ http {
+ include /path/to/waf_patterns/nginx/waf_maps.conf;
+ # ... other http configurations ...
}
```
-2. Reload Nginx to apply the changes:
+2. Include the `waf_rules.conf` file in your `server` block:
+ ```nginx
+ server {
+ # ... other server configurations ...
+ include /path/to/waf_patterns/nginx/waf_rules.conf;
+ }
+ ```
+3. Reload Nginx to apply the changes:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
## Notes
-- The rules use `map` directives for efficient pattern matching.
+- The rules use `map` directives for efficient pattern matching. The maps are defined in the `waf_maps.conf` file.
+- The rules (if statements) are defined in the `waf_rules.conf` file.
- Blocked requests return a `403 Forbidden` response by default.
- You can enable logging for blocked requests by uncommenting the `access_log` line.
diff --git a/waf_patterns/nginx/detection.conf b/waf_patterns/nginx/detection.conf
deleted file mode 100644
index b43e001..0000000
--- a/waf_patterns/nginx/detection.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Nginx WAF rules for DETECTION
-location / {
- set $attack_detected 0;
-
- if ($request_uri ~* "@lt 1") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 1") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@pmFromFile scanners-user-agents.data") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 2") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 2") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 3") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 3") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 4") {
- set $attack_detected 1;
- }
-
- if ($request_uri ~* "@lt 4") {
- set $attack_detected 1;
- }
-
- if ($attack_detected = 1) {
- return 403;
- }
-}
diff --git a/waf_patterns/nginx/lfi.conf b/waf_patterns/nginx/lfi.conf
deleted file mode 100644
index 482d57f..0000000
--- a/waf_patterns/nginx/lfi.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Nginx WAF rules for LFI
-# Automatically generated from OWASP rules.
-# Include this file in your server or location block.
-
-map $request_uri $waf_block_lfi {
- default 0;
- "~*(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" 1;
-}
-
-if ($waf_block_lfi) {
- return 403;
- # Log the blocked request (optional)
- # access_log /var/log/nginx/waf_blocked.log;
-}
-
diff --git a/waf_patterns/nginx/waf_maps.conf b/waf_patterns/nginx/waf_maps.conf
new file mode 100644
index 0000000..cab250f
--- /dev/null
+++ b/waf_patterns/nginx/waf_maps.conf
@@ -0,0 +1,332 @@
+# Nginx WAF Maps Definitions
+# Automatically generated from OWASP rules.
+
+http {
+ map $request_uri $waf_block_initialization {
+ default 0;
+ "~*\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" 1;
+ "~*@eq\ 1" 1;
+ "~*\^\.\*\$" 1;
+ "~*!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" 1;
+ "~*@eq\ 100" 1;
+ "~*@eq\ 0" 1;
+ }
+
+ map $request_uri $waf_block_attack {
+ default 0;
+ "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1;
+ "~*\." 1;
+ "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1;
+ "~*@gt\ 0" 1;
+ "~*@gt\ 1" 1;
+ "~*TX:paramcounter_\(\.\*\)" 1;
+ "~*content\-transfer\-encoding:\(\.\*\)" 1;
+ "~*\^content\-types\*:s\*\(\.\*\)\$" 1;
+ "~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1;
+ "~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1;
+ "~*unix:\[\^\|\]\*\|" 1;
+ "~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1;
+ "~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1;
+ "~*\[nr\]" 1;
+ }
+
+ map $request_uri $waf_block_exceptions {
+ default 0;
+ "~*@streq\ GET\ /" 1;
+ "~*\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" 1;
+ "~*@endsWith\ \(internal\ dummy\ connection\)" 1;
+ "~*@ipMatch\ 127\.0\.0\.1,::1" 1;
+ }
+
+ map $request_uri $waf_block_rfi {
+ default 0;
+ "~*!@endsWith\ \.%\{request_headers\.host\}" 1;
+ "~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1;
+ }
+
+ map $request_uri $waf_block_lfi {
+ default 0;
+ "~*\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" 1;
+ }
+
+ map $request_uri $waf_block_enforcement {
+ default 0;
+ "~*\(d\+\)\-\(d\+\)" 1;
+ "~*@gt\ %\{tx\.arg_name_length\}" 1;
+ "~*!@rx\ \^0\$" 1;
+ "~*@gt\ 1" 1;
+ "~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1;
+ "~*!@rx\ \^OPTIONS\$" 1;
+ "~*@gt\ 50" 1;
+ "~*%\[0\-9a\-fA\-F\]\{2\}" 1;
+ "~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1;
+ "~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1;
+ "~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1;
+ "~*\^\.\*\$" 1;
+ "~*@validateUrlEncoding" 1;
+ "~*@gt\ %\{tx\.total_arg_length\}" 1;
+ "~*\^\[\^;s\]\+" 1;
+ "~*!@pm\ AppleWebKit\ Android" 1;
+ "~*!@rx\ \^0\?\$" 1;
+ "~*@endsWith\ \.pdf" 1;
+ "~*!@streq\ JSON" 1;
+ "~*@validateByteRange\ 1\-255" 1;
+ "~*charset\.\*\?charset" 1;
+ "~*@within\ %\{tx\.restricted_headers_extended\}" 1;
+ "~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1;
+ "~*\^\(\?:GET\|HEAD\)\$" 1;
+ "~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1;
+ "~*@gt\ %\{tx\.max_file_size\}" 1;
+ "~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1;
+ "~*@within\ %\{tx\.restricted_headers_basic\}" 1;
+ "~*@validateByteRange\ 32\-36,38\-126" 1;
+ "~*!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1;
+ "~*\^\$" 1;
+ "~*@gt\ %\{tx\.arg_length\}" 1;
+ "~*@gt\ 0" 1;
+ "~*\['\";=\]" 1;
+ "~*@gt\ %\{tx\.max_num_args\}" 1;
+ "~*\.\(\[\^\.\]\+\)\$" 1;
+ "~*!@rx\ \^d\+\$" 1;
+ "~*@validateUtf8Encoding" 1;
+ "~*@streq\ POST" 1;
+ "~*@eq\ 1" 1;
+ "~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1;
+ "~*@gt\ %\{tx\.combined_file_sizes\}" 1;
+ "~*!@endsWith\ \.pdf" 1;
+ "~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 1;
+ "~*x25" 1;
+ "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1;
+ "~*@contains\ \#" 1;
+ "~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1;
+ "~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1;
+ "~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1;
+ "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1;
+ "~*@ge\ 1" 1;
+ "~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1;
+ "~*@within\ %\{tx\.restricted_extensions\}" 1;
+ "~*@eq\ 0" 1;
+ }
+
+ map $request_uri $waf_block_php {
+ default 0;
+ "~*@pm\ =" 1;
+ "~*\(\?i\)<\?\(\?:=\|php\)\?s\+" 1;
+ "~*\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" 1;
+ "~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1;
+ "~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1;
+ "~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1;
+ "~*\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" 1;
+ "~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1;
+ "~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1;
+ "~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1;
+ "~*@pm\ \?>" 1;
+ }
+
+ map $request_uri $waf_block_fixation {
+ default 0;
+ "~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1;
+ "~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1;
+ "~*!@endsWith\ %\{request_headers\.host\}" 1;
+ "~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1;
+ "~*@eq\ 0" 1;
+ }
+
+ map $request_uri $waf_block_evaluation {
+ default 0;
+ "~*@ge\ 3" 1;
+ "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1;
+ "~*@eq\ 1" 1;
+ "~*@ge\ 4" 1;
+ "~*@ge\ 1" 1;
+ "~*@ge\ 2" 1;
+ "~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1;
+ }
+
+ map $request_uri $waf_block_sql {
+ default 0;
+ "~*\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" 1;
+ "~*\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" 1;
+ "~*\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" 1;
+ "~*\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." 1;
+ "~*\(\?i\)org\.hsqldb\.jdbc" 1;
+ "~*\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" 1;
+ "~*\(\?i:Warning:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" 1;
+ "~*\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" 1;
+ "~*\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" 1;
+ "~*\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" 1;
+ "~*\(\?i\)Dynamic\ SQL\ Error" 1;
+ "~*\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" 1;
+ "~*\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" 1;
+ }
+
+ map $request_uri $waf_block_generic {
+ default 0;
+ "~*@\{\.\*\}" 1;
+ "~*while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|\"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|\"\[\^\"\]\+\"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" 1;
+ "~*\[s\*constructors\*\]" 1;
+ }
+
+ map $request_uri $waf_block_leakages {
+ default 0;
+ "~*\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]\[Aa\]>
\)" 1;
+ "~*\^5d\{2\}\$" 1;
+ "~*\^\#!s\?/" 1;
+ }
+
+ map $request_uri $waf_block_java {
+ default 0;
+ "~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1;
+ "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
+ "~*\(\?:unmarshaller\|base64data\|java\.\)" 1;
+ "~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1;
+ "~*java\.lang\.\(\?:runtime\|processbuilder\)" 1;
+ "~*\(\?:runtime\|processbuilder\)" 1;
+ "~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1;
+ "~*javab\.\+\(\?:runtime\|processbuilder\)" 1;
+ "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
+ "~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1;
+ "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1;
+ "~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1;
+ "~*xacxedx00x05" 1;
+ }
+
+ map $request_uri $waf_block_xss {
+ default 0;
+ "~*\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" 1;
+ "~*\(\?i:\]" 1;
+ "~*\(\?i\)