From f1bae07d6cc6f306ef302c60cf59f86a7d78f1ef Mon Sep 17 00:00:00 2001
From: fabriziosalmi
Date: Tue, 28 Jan 2025 22:40:56 +0100
Subject: [PATCH] feat: Generate Nginx WAF config with separate map and rule files
This commit modifies the script to output two files: - waf_maps.conf (for http block) - waf_rules.conf (for server block) to avoid conflicts and provide more flexibility. This update should fix the bugged nginx rules integration on existing setups: https://github.com/fabriziosalmi/patterns/issues/8
---
json2nginx.py | 103 +++++----
waf_patterns/nginx/README.md | 26 ++-
waf_patterns/nginx/detection.conf | 44 ----
waf_patterns/nginx/lfi.conf | 15 --
waf_patterns/nginx/waf_maps.conf | 332 ++++++++++++++++++++++++++++++
waf_patterns/nginx/waf_rules.conf | 119 +++++++++++
6 files changed, 534 insertions(+), 105 deletions(-)
delete mode 100644 waf_patterns/nginx/detection.conf
delete mode 100644 waf_patterns/nginx/lfi.conf
create mode 100644 waf_patterns/nginx/waf_maps.conf
create mode 100644 waf_patterns/nginx/waf_rules.conf
diff --git a/json2nginx.py b/json2nginx.py
index 4bcd803..83a4d36 100644
--- a/json2nginx.py
+++ b/json2nginx.py
@@ -15,6 +15,9 @@ logging.basicConfig(
 # Input and output paths
 INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
 OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/nginx"))
+MAPS_FILE = OUTPUT_DIR / "waf_maps.conf"
+RULES_FILE = OUTPUT_DIR / "waf_rules.conf"
+
 # Create output directory if it doesn't exist
 OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
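Review bot: Nothing removes the per-category `<category>.conf` files the previous version wrote into `OUTPUT_DIR`; this commit deletes the checked-in copies, but a user who regenerates in place keeps the stale `detection.conf`, `lfi.conf`, … next to the two new files. An existing setup still following the old README's `include /path/to/waf_patterns/nginx/*.conf;` in a `server` block would then load both the stale rules and `waf_maps.conf`, whose `map` directives are not allowed in `server` context — which looks like exactly the "existing setups" breakage the commit message says it is fixing. Since this hunk already creates `OUTPUT_DIR`, it is the natural place to clear previous outputs, e.g. `for stale in OUTPUT_DIR.glob("*.conf"): stale.unlink()` right after the `mkdir`; if deleting inside a user-supplied directory is too aggressive, a README migration note telling users to drop the old per-category includes would be the minimum.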
@@ -52,10 +55,18 @@ def sanitize_pattern(pattern):
 return None
 if pattern.startswith("@rx "):
- sanitized_pattern = pattern.replace("@rx ", "").strip()
- return sanitized_pattern if validate_regex(sanitized_pattern) else None
-
- return pattern if validate_regex(pattern) else None
+ sanitized_pattern = pattern.replace("@rx ", "").strip()
+ if validate_regex(sanitized_pattern):
+ return re.escape(sanitized_pattern).replace(r'\@', '@')
+ else:
+ logging.warning(f"Invalid regex in pattern: {sanitized_pattern}")
+ return None
+
+ if validate_regex(pattern):
+ return re.escape(pattern).replace(r'\@', '@')
+ else:
+ logging.warning(f"Invalid regex in pattern: {pattern}")
+ return None
 def generate_nginx_waf(rules):
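Review bot: The new `re.escape(sanitized_pattern)` defeats the rule it just validated: a regex that passed `validate_regex` is turned into a literal-match string, so `^[a-f]*([0-9])` is emitted as `\^\[a\-f\]\*\(\[0\-9\]\)` and only matches a URI that literally contains `^[a-f]*([0-9])` — every OWASP pattern in the generated waf_maps.conf is neutered this way, and the trailing `.replace(r'\@', '@')` is dead weight on Python 3.7+, where `re.escape` leaves `@` alone. The function also still passes through non-regex ModSecurity operators (`@eq 1`, `@gt 0`, `@pm =`, `@validateByteRange …`, `!@rx …`) because they happen to be syntactically valid regexes, and it has no guard against degenerate keys like the `/`, `.` and `s` entries visible in the generated maps, each of which matches essentially every `$request_uri` and would 403 all traffic once the maps are included. `def sanitize_pattern` and whatever checks precede `return None` are outside the hunk, so only the branch below is rewritten: keep the validated regex verbatim and skip anything whose operator is not `@rx`.
```python
    # … unchanged: earlier checks in sanitize_pattern …
    if pattern.startswith("@rx "):
        candidate = pattern[len("@rx "):].strip()
    elif pattern.startswith(("@", "!")):
        # @eq/@gt/@pm/@validateByteRange/!@... are ModSecurity operators, not
        # regexes; emitted as "~*..." map keys they match literal text or nothing.
        logging.warning(f"Unsupported operator skipped: {pattern}")
        return None
    else:
        candidate = pattern.strip()

    if not validate_regex(candidate):
        logging.warning(f"Invalid regex in pattern: {candidate}")
        return None
    # No re.escape(): the regex must reach nginx as a regex. Double quotes are
    # escaped by the writer; a one-character pattern like "/" still needs review.
    return candidate
```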
@@ -73,54 +84,72 @@ def generate_nginx_waf(rules):
 else:
 logging.warning(f"Invalid or unsupported pattern skipped: {pattern}")
- # Write Nginx rule snippets per category
- for category, patterns in categorized_rules.items():
- output_file = OUTPUT_DIR / f"{category}.conf"
- try:
- with open(output_file, "w") as f:
- f.write(f"# Nginx WAF rules for {category.upper()}\n")
- f.write("# Automatically generated from OWASP rules.\n")
- f.write("# Include this file in your server or location block.\n\n")
+ # Write map definitions to a dedicated file
+ try:
+ with open(MAPS_FILE, "w") as f:
+ f.write("# Nginx WAF Maps Definitions\n")
+ f.write("# Automatically generated from OWASP rules.\n\n")
+ f.write("http {\n")
+ for category, patterns in categorized_rules.items():
+ f.write(f" map $request_uri $waf_block_{category} {{\n")
+ f.write(" default 0;\n")
+ for pattern in patterns:
+ escaped_pattern = pattern.replace('"', '\\"')
+ f.write(f' "~*{escaped_pattern}" 1;\n')
+ f.write(" }\n\n")
+ f.write("}\n")
- # Use a map to avoid redundant patterns
- f.write("map $request_uri $waf_block_{category} {{\n".format(category=category))
- f.write(" default 0;\n")
- for pattern in patterns:
- escaped_pattern = pattern.replace('"', '\\"')
- f.write(f' "~*{escaped_pattern}" 1;\n')
- f.write("}\n\n")
+ logging.info(f"Generated {MAPS_FILE} containing map definitions")
+ except IOError as e:
+ logging.error(f"Failed to write {MAPS_FILE}: {e}")
- # Apply the WAF rule
- f.write("if ($waf_block_{category}) {{\n".format(category=category))
- f.write(" return 403;\n")
- f.write(" # Log the blocked request (optional)\n")
- f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
- f.write("}\n\n")
- logging.info(f"Generated {output_file} ({len(patterns)} patterns)")
- except IOError as e:
- logging.error(f"Failed to write {output_file}: {e}")
+ # Write if blocks to a dedicated file
+ try:
+ with open(RULES_FILE, "w") as f:
+ f.write("# Nginx WAF Rules\n")
+ f.write("# Automatically generated from OWASP rules.\n")
+ f.write("# Include this file inside server block\n\n")
+ f.write(" # WAF rules\n")
+ for category in categorized_rules.keys():
+ f.write(f" if ($waf_block_{category}) {{\n")
+ f.write(" return 403;\n")
+ f.write(" # Log the blocked request (optional)\n")
+ f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
+ f.write(" }\n\n")
+
+ logging.info(f"Generated {RULES_FILE} containing rules")
+ except IOError as e:
+ logging.error(f"Failed to write {RULES_FILE}: {e}")
 # Generate a README file with usage instructions
 readme_file = OUTPUT_DIR / "README.md"
 with open(readme_file, "w") as f:
- f.write("# Nginx WAF Rule Snippets\n\n")
- f.write("This directory contains Nginx WAF rule snippets generated from OWASP rules.\n")
- f.write("You can include these snippets in your existing Nginx configuration to enhance security.\n\n")
+ f.write("# Nginx WAF Configuration\n\n")
+ f.write("This directory contains Nginx WAF configuration files generated from OWASP rules.\n")
+ f.write("You can include these files in your existing Nginx configuration to enhance security.\n\n")
 f.write("## Usage\n")
- f.write("1. Include the rule snippets in your `server` or `location` block:\n")
+ f.write("1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:\n")
 f.write(" ```nginx\n")
- f.write(" server {\n")
- f.write(" # Your existing configuration\n")
- f.write(" include /path/to/waf_patterns/nginx/*.conf;\n")
+ f.write(" http {\n")
+ f.write(" include /path/to/waf_patterns/nginx/waf_maps.conf;\n")
+ f.write(" # ... other http configurations ...\n")
 f.write(" }\n")
 f.write(" ```\n")
- f.write("2. Reload Nginx to apply the changes:\n")
+ f.write("2. Include the `waf_rules.conf` file in your `server` block:\n")
+ f.write(" ```nginx\n")
+ f.write(" server {\n")
+ f.write(" # ... other server configurations ...\n")
+ f.write(" include /path/to/waf_patterns/nginx/waf_rules.conf;\n")
+ f.write(" }\n")
+ f.write(" ```\n")
+ f.write("3. Reload Nginx to apply the changes:\n")
 f.write(" ```bash\n")
 f.write(" sudo nginx -t && sudo systemctl reload nginx\n")
 f.write(" ```\n")
 f.write("\n## Notes\n")
- f.write("- The rules use `map` directives for efficient pattern matching.\n")
+ f.write("- The rules use `map` directives for efficient pattern matching. The maps are defined in the `waf_maps.conf` file.\n")
+ f.write("- The rules (if statements) are defined in the `waf_rules.conf` file.\n")
 f.write("- Blocked requests return a `403 Forbidden` response by default.\n")
 f.write("- You can enable logging for blocked requests by uncommenting the `access_log` line.\n")
diff --git a/waf_patterns/nginx/README.md b/waf_patterns/nginx/README.md
index da8247d..befaff5 100644
--- a/waf_patterns/nginx/README.md
+++ b/waf_patterns/nginx/README.md
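Review bot: waf_maps.conf is emitted inside its own `http {` … `}` wrapper (`f.write("http {\n")` and the closing `f.write("}\n")`), yet the README written a few lines further down tells users to `include` that file *inside* their existing `http` block; nginx does not accept a nested `http` directive, so `nginx -t` fails on the documented setup. Drop those two writes (and the one-level indent on the `map` lines) so the file holds only `map` blocks, which are valid at `http` level. Two smaller points: the `# access_log …` hint now sits inside an `if` at `server` level, where the nginx docs allow `access_log` only in `if in location`, so uncommenting it as written breaks the config — the workable form is an `access_log /var/log/nginx/waf_blocked.log combined if=$waf_block_{category};` line emitted outside the `if`; and every map is keyed solely on `$request_uri`, so categories whose source rules inspect headers, bodies or responses (the sql error-message and leakages patterns, for instance) can never fire here, which the generated README should say rather than implying full OWASP coverage. `generate_nginx_waf` begins above the hunk.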
@@ -1,22 +1,30 @@ -# Nginx WAF Rule Snippets +# Nginx WAF Configuration -This directory contains Nginx WAF rule snippets generated from OWASP rules. -You can include these snippets in your existing Nginx configuration to enhance security. +This directory contains Nginx WAF configuration files generated from OWASP rules. +You can include these files in your existing Nginx configuration to enhance security. ## Usage -1. Include the rule snippets in your `server` or `location` block: +1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*: ```nginx - server { - # Your existing configuration - include /path/to/waf_patterns/nginx/*.conf; + http { + include /path/to/waf_patterns/nginx/waf_maps.conf; + # ... other http configurations ... } ``` -2. Reload Nginx to apply the changes: +2. Include the `waf_rules.conf` file in your `server` block: + ```nginx + server { + # ... other server configurations ... + include /path/to/waf_patterns/nginx/waf_rules.conf; + } + ``` +3. Reload Nginx to apply the changes: ```bash sudo nginx -t && sudo systemctl reload nginx ``` ## Notes -- The rules use `map` directives for efficient pattern matching. +- The rules use `map` directives for efficient pattern matching. The maps are defined in the `waf_maps.conf` file. +- The rules (if statements) are defined in the `waf_rules.conf` file. - Blocked requests return a `403 Forbidden` response by default. - You can enable logging for blocked requests by uncommenting the `access_log` line. diff --git a/waf_patterns/nginx/detection.conf b/waf_patterns/nginx/detection.conf deleted file mode 100644 index b43e001..0000000 --- a/waf_patterns/nginx/detection.conf +++ /dev/null 
@@ -1,44 +0,0 @@ -# Nginx WAF rules for DETECTION -location / { - set $attack_detected 0; - - if ($request_uri ~* "@lt 1") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 1") { - set $attack_detected 1; - } - - if ($request_uri ~* "@pmFromFile scanners-user-agents.data") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 2") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 2") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 3") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 3") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 4") { - set $attack_detected 1; - } - - if ($request_uri ~* "@lt 4") { - set $attack_detected 1; - } - - if ($attack_detected = 1) { - return 403; - } -} diff --git a/waf_patterns/nginx/lfi.conf b/waf_patterns/nginx/lfi.conf deleted file mode 100644 index 482d57f..0000000 --- a/waf_patterns/nginx/lfi.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Nginx WAF rules for LFI -# Automatically generated from OWASP rules. -# Include this file in your server or location block. - -map $request_uri $waf_block_lfi { - default 0; - "~*(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" 1; -} - -if ($waf_block_lfi) { - return 403; - # Log the blocked request (optional) - # access_log /var/log/nginx/waf_blocked.log; -} - diff --git a/waf_patterns/nginx/waf_maps.conf b/waf_patterns/nginx/waf_maps.conf new file mode 100644 index 0000000..cab250f --- /dev/null +++ b/waf_patterns/nginx/waf_maps.conf 
@@ -0,0 +1,332 @@ +# Nginx WAF Maps Definitions +# Automatically generated from OWASP rules. + +http { + map $request_uri $waf_block_initialization { + default 0; + "~*\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" 1; + "~*@eq\ 1" 1; + "~*\^\.\*\$" 1; + "~*!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" 1; + "~*@eq\ 100" 1; + "~*@eq\ 0" 1; + } + + map $request_uri $waf_block_attack { + default 0; + "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1; + "~*\." 1; + "~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1; + "~*@gt\ 0" 1; + "~*@gt\ 1" 1; + "~*TX:paramcounter_\(\.\*\)" 1; + "~*content\-transfer\-encoding:\(\.\*\)" 1; + "~*\^content\-types\*:s\*\(\.\*\)\$" 1; + "~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1; + "~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1; + "~*unix:\[\^\|\]\*\|" 1; + "~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1; + "~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1; + "~*\[nr\]" 1; + } + + map $request_uri $waf_block_exceptions { + default 0; + "~*@streq\ GET\ /" 1; + "~*\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" 1; + "~*@endsWith\ \(internal\ dummy\ connection\)" 1; + "~*@ipMatch\ 127\.0\.0\.1,::1" 1; + } + + map $request_uri $waf_block_rfi { + default 0; + "~*!@endsWith\ \.%\{request_headers\.host\}" 1; + "~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1; + } + + map $request_uri $waf_block_lfi { + default 0; + 
"~*\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" 1; + } + + map $request_uri $waf_block_enforcement { + default 0; + "~*\(d\+\)\-\(d\+\)" 1; + "~*@gt\ %\{tx\.arg_name_length\}" 1; + "~*!@rx\ \^0\$" 1; + "~*@gt\ 1" 1; + "~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1; + "~*!@rx\ \^OPTIONS\$" 1; + "~*@gt\ 50" 1; + "~*%\[0\-9a\-fA\-F\]\{2\}" 1; + "~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1; + "~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1; + "~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1; + "~*\^\.\*\$" 1; + "~*@validateUrlEncoding" 1; + "~*@gt\ %\{tx\.total_arg_length\}" 1; + "~*\^\[\^;s\]\+" 1; + "~*!@pm\ AppleWebKit\ Android" 1; + "~*!@rx\ \^0\?\$" 1; + "~*@endsWith\ \.pdf" 1; + "~*!@streq\ JSON" 1; + "~*@validateByteRange\ 1\-255" 1; + "~*charset\.\*\?charset" 1; + "~*@within\ %\{tx\.restricted_headers_extended\}" 1; + "~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1; + "~*\^\(\?:GET\|HEAD\)\$" 1; + "~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1; + "~*@gt\ %\{tx\.max_file_size\}" 1; + "~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1; + "~*@within\ %\{tx\.restricted_headers_basic\}" 1; + "~*@validateByteRange\ 32\-36,38\-126" 1; + "~*!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1; + "~*\^\$" 1; + "~*@gt\ %\{tx\.arg_length\}" 1; + "~*@gt\ 0" 1; + "~*\['\";=\]" 1; + "~*@gt\ %\{tx\.max_num_args\}" 1; + "~*\.\(\[\^\.\]\+\)\$" 1; + "~*!@rx\ \^d\+\$" 1; + "~*@validateUtf8Encoding" 1; + "~*@streq\ POST" 1; + "~*@eq\ 1" 1; + "~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1; + "~*@gt\ %\{tx\.combined_file_sizes\}" 1; + "~*!@endsWith\ \.pdf" 1; + "~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 
1; + "~*x25" 1; + "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1; + "~*@contains\ \#" 1; + "~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1; + "~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1; + "~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1; + "~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1; + "~*@ge\ 1" 1; + "~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1; + "~*@within\ %\{tx\.restricted_extensions\}" 1; + "~*@eq\ 0" 1; + } + + map $request_uri $waf_block_php { + default 0; + "~*@pm\ =" 1; + "~*\(\?i\)<\?\(\?:=\|php\)\?s\+" 1; + "~*\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" 1; + "~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1; + "~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1; + "~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1; + "~*\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" 1; + "~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1; + "~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1; + "~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1; + "~*@pm\ \?>" 1; + } + + map $request_uri $waf_block_fixation { + default 0; + "~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1; + "~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1; + "~*!@endsWith\ %\{request_headers\.host\}" 1; + 
"~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1; + "~*@eq\ 0" 1; + } + + map $request_uri $waf_block_evaluation { + default 0; + "~*@ge\ 3" 1; + "~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1; + "~*@eq\ 1" 1; + "~*@ge\ 4" 1; + "~*@ge\ 1" 1; + "~*@ge\ 2" 1; + "~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1; + } + + map $request_uri $waf_block_sql { + default 0; + "~*\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" 1; + "~*\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" 1; + "~*\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" 1; + "~*\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." 1; + "~*\(\?i\)org\.hsqldb\.jdbc" 1; + "~*\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" 1; + "~*\(\?i:Warning:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" 1; + "~*\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" 1; + "~*\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" 1; + "~*\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" 1; + "~*\(\?i\)Dynamic\ SQL\ Error" 1; + "~*\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ 
expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" 1; + "~*\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" 1; + } + + map $request_uri $waf_block_generic { + default 0; + "~*@\{\.\*\}" 1; + "~*while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|\"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|\"\[\^\"\]\+\"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" 1; + "~*\[s\*constructors\*\]" 1; + } + + map $request_uri $waf_block_leakages { + default 0; + "~*\(\?:<\(\?:TITLE>Index\ of\.\*\?Index\ of\.\*\?Index\ of\|>\[To\ Parent\ Directory\]
\)" 1; + "~*\^5d\{2\}\$" 1; + "~*\^\#!s\?/" 1; + } + + map $request_uri $waf_block_java { + default 0; + "~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; + "~*\(\?:unmarshaller\|base64data\|java\.\)" 1; + "~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1; + "~*java\.lang\.\(\?:runtime\|processbuilder\)" 1; + "~*\(\?:runtime\|processbuilder\)" 1; + "~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1; + "~*javab\.\+\(\?:runtime\|processbuilder\)" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1; + "~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1; + "~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1; + "~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1; + "~*xacxedx00x05" 1; + } + + map $request_uri $waf_block_xss { + default 0; + "~*\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" 1; + 
"~*\(\?i:\]" 1; + "~*\(\?i\)\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" 1; + "~*@contains\ \-\->" 1; + "~*\(\?i:\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" 1; + "~*!@validateByteRange\ 20,\ 45\-47,\ 48\-57,\ 65\-90,\ 95,\ 97\-122" 1; + "~*\(\?i:\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\*\?\(\?:\(\?:l\|x5cu006C\)\(\?:o\|x5cu006F\)\(\?:c\|x5cu0063\)\(\?:a\|x5cu0061\)\(\?:t\|x5cu0074\)\(\?:i\|x5cu0069\)\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\|\(\?:n\|x5cu006E\)\(\?:a\|x5cu0061\)\(\?:m\|x5cu006D\)\(\?:e\|x5cu0065\)\|\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\(\?:e\|x5cu0065\)\(\?:r\|x5cu0072\)\(\?:r\|x5cu0072\)\(\?:o\|x5cu006F\)\(\?:r\|x5cu0072\)\|\(\?:v\|x5cu0076\)\(\?:a\|x5cu0061\)\(\?:l\|x5cu006C\)\(\?:u\|x5cu0075\)\(\?:e\|x5cu0065\)\(\?:O\|x5cu004F\)\(\?:f\|x5cu0066\)\)\.\*\?=\)" 1; + "~*\(\?i\)\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\+\?\[\.\]\.\+\?=" 1; + "~*\(\?i\)\]\*>\[sS\]\*\?" 1; + "~*\(\?i\)\[s\"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" 1; + 
"~*\(\?:xbcs\*/s\*\[\^xbe>\]\*\[xbe>\]\)\|\(\?:A\-Z_a\-z\]\*\(\?:\[\^sv\"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?
d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\[\"'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:amepad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up
\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark\|essage\|o\(\?:use\(\?:down\|enter\|\(\?:lea\|mo\)ve\|o\(\?:ut\|ver\)\|up\|wheel\)\|ve\(\?:end\|start\)\?\|z\(\?:a\(\?:fterpaint\|udioavailable\)\|\(\?:beforeresiz\|orientationchang\|t\(\?:apgestur\|imechang\)\)e\|\(\?:edgeui\(\?:c\(\?:ancel\|omplet\)\|start\)e\|network\(\?:down\|up\)loa\)d\|fullscreen\(\?:change\|error\)\|m\(\?:agnifygesture\(\?:start\|update\)\?\|ouse\(\?:hittest\|pixelscroll\)\)\|p\(\?:ointerlock\(\?:change\|error\)\|resstapgesture\)\|rotategesture\(\?:start\|update\)\?\|s\(\?:crolledareachanged\|wipegesture\(\?:end\|start\|update\)\?\)\)\)\)\|no\(\?:match\|update\)\|o\(\?:\(\?:bsolet\|\(\?:ff\|n\)lin\)e\|pen\|verflow\(\?:changed\)\?\)\|p\(\?:a\(\?:ge\(\?:hide\|show\)\|int\|\(\?:st\|us\)e\)\|lay\(\?:ing\)\?\|o\(\?:inter\(\?:down\|enter\|\(\?:\(\?:lea\|mo\)v\|rawupdat\)e\|o\(\?:ut\|ver\)\|up\)\|p\(\?:state\|up\(\?:hid\(\?:den\|ing\)\|show\(\?:ing\|n\)\)\)\)\|ro\(\?:gress\|pertychange\)\)\|r\(\?:atechange\|e\(\?:adystatechange\|ceived\|movetrack\|peat\(\?:Event\)\?\|quest\|s\(\?:et\|ize\|u\(\?:lt\|m\(\?:e\|ing\)\)\)\|trieving\)\|ow\(\?:e\(\?:nter\|xit\)\|s\(\?:delete\|inserted\)\)\)\|s\(\?:croll\(\?:end\)\?\|e\(\?:arch\|ek\(\?:complete\|ed\|ing\)\|lect\(\?:ionchange\|start\)\?\|n\(\?:ding\|t\)\|t\)\|how\|\(\?:ound\|peech\)\(\?:end\|start\)\|t\(\?:a\(\?:lled\|rt\|t\(\?:echange\|uschanged\)\)\|k\(\?:comma\|sessione\)nd\|op\)\|u\(\?:bmit\|ccess\|spend\)\|vg\(\?:abort\|error\|\(\?:un\)\?load\|resize\|scroll\|zoom\)\)\|t\(\?:ext\|ime\(\?:out\|update\)\|o\(\?:ggle\|uch\(\?:cancel\|en\(\?:d\|ter\)\|\(\?:lea\|mo\)ve\|start\)\)\|ransition\(\?:cancel\|end\|run\|start\)\)\|u\(\?:n\(\?:derflow\|handledrejection\|load\)\|p\(\?:dateready\|gradeneeded\)\|s\(\?:erproximity\|sdreceived\)\)\|v\(\?:ersion\|o\(\?:ic\|lum\)e\)change\|w\(\?:a\(\?:it\|rn\)ing\|ebkit\(\?:animation\(\?:end\|iteration\|start\)\|transitionend\)\|heel\)\|zoom\)\|ping\|s\(\?:rc\|tyle\)\)\[
x08\-nf\-r\ \]\*\?=" 1; + } + + map $request_uri $waf_block_rce { + default 0; + "~*;\[sv\]\*\.\[sv\]\*\[\"'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" 1; + "~*\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" 1; + "~*rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" 1; + "~*/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" 1; + "~*\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" 1; + "~*\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" 1; + "~*\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" 1; + "~*/" 1; + "~*\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \[\"\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ 
\[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ \"\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}\"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" 1; + "~*!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" 1; + "~*rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" 1; + "~*b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" 1; + "~*s" 1; + "~*!\-d" 1; + "~*\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" 1; + "~*\^\(s\*\)s\+\{" 1; + "~*ba\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-\"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" 1; + "~*rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ 
\[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" 1; + "~*\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" 1; + "~*!\(\?:d\|!\)" 1; + } + + map $request_uri $waf_block_sqli { + default 0; + "~*\^\(\?:and\|or\)\$" 1; + "~*\[\"'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\[\"'`d\]" 1; + "~*\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\[\"'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" 1; + "~*\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" 1; + 
"~*\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" 1; + "~*\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" 1; + "~*\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" 1; + "~*\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\[\"'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\[\"'`\]\|;\.\*\?:\[sv\]\*\?goto\)" 1; + "~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1; + "~*\(\?i\)1\.e\[\(\-\),\]" 1; + "~*';" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{8\}\)" 1; + 
"~*\(\?i\)\[\"'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\[\"'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\[\"'`\]\$\|\[\"'x5c`\]\*\?\(\?:\[\"'0\-9`\]\+\|\[\^\"'`\]\+\[\"'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\[\"'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\[\"'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\"'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\[\"'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" 1; + "~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" 1; + "~*\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" 1; + "~*\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^\"\]\*\?\(\?:\"\[\^\"\]\*\?\"\[\^\"\]\*\?\)\*\?\"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" 1; + "~*\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\ \?\[<\->\]\+\)" 1; + "~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1; + "~*\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" 1; + "~*\(\?i\)union\.\*\?select\.\*\?from" 1; + "~*\(\?:\^s\*\[\"'`;\]\+\|\[\"'`\]\+s\*\$\)" 1; + 
"~*@streq\ %\{TX\.2\}" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{12\}\)" 1; + "~*!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" 1; + "~*W\{4\}" 1; + "~*\(\?i:b0x\[a\-fd\]\{3,\}\)" 1; + "~*\^\(\?:\[\^'\]\*'\|\[\^\"\]\*\"\|\[\^`\]\*`\)\[sv\]\*;" 1; + "~*\^\.\*\?x5c\['\"`\]\(\?:\.\*\?\['\"`\]\)\?s\*\(\?:and\|or\)b" 1; + "~*\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" 1; + "~*!@streq\ %\{TX\.2\}" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{6\}\)" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{2\}\)" 1; + "~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{3\}\)" 1; + "~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\[\"'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\[\"'`\]\|like\[sv\]\*\?\[\"'`\]%\|select\[sv\]\+\?\[sv\"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" 1; + "~*@detectSQLi" 1; + } + + map $request_uri $waf_block_iis { + default 0; + "~*bServer\ Error\ in\.\{0,50\}\?bApplicationb" 1; + "~*\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)
Timeout\ expired
\)\|

internal\ server\ error

\.\*\?

part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.

\|cannot\ connect\ to\ the\ server:\ timed\ out\)" 1; + "~*\[a\-z\]:x5cinetpubb" 1; + "~*!@rx\ \^404\$" 1; + } + + map $request_uri $waf_block_shells { + default 0; + "~*CasuS\ \[0\-9\.\]\+\ by\ MafiABoY" 1; + "~*SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" 1; + "~*\^<title>PHP\ Web\ Shellrnrnrn\ \ \ \ " 1; + "~*\^rnrnGRP\ WebShell\ \[0\-9\.\]\+" 1; + "~*\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::" 1; + "~*lama's'hell\ v\.\ \[0\-9\.\]\+" 1; + "~*s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King" 1; + "~*\^rnrnrnPhpSpy\ Ver\ \[0\-9\]\+" 1; + "~*Symlink_Sa\ \[0\-9\.\]\+" 1; + "~*\^nnWeb\ Shell" 1; + "~*\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\." 1; + "~*\^nnInput\ command\ :n" 1; + "~*\^n\ \ \ \ \ \ n\ \ \ \ \ \ \ \ \ \ \ \ \ azrail\ \[0\-9\.\]\+\ by\ C\-W\-M" 1; + "~*\^\ nnnng00nshell\ v\[0\-9\.\]\+" 1; + "~*<title>Mini\ Shell\.\*Developed\ By\ LameHacker" 1; + "~*NGHshell\ \[0\-9\.\]\+\ by\ Cr4shn\$" 1; + "~*B4TM4N\ SH3LL\.\*" 1; + "~*\^\ \*n\[\ \]\+n\[\ \]\+lostDC\ \-" 1; + "~*\^<html>n<head>n<title>Ru24PostWebShell\ \-" 1; + "~*\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+" 1; + "~*@contains\ webadmin\.php" 1; + "~*>SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ n\.\*\?\ \~\ Shell\ Inn