patterns/waf_patterns/apache/php.conf

# Apache ModSecurity rules for PHP
SecRuleEngine On

SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-config-directives.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm =" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-variables.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933150.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx [oOcC]:d+:".+?":d+:{.*}" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm (" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.(?:phpd*|phtml)..*$" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm ?>" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-errors.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)<?(?:=|php)?s+" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-errors-pl2.data" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1000,phase:1,deny,status:403,log,msg:'php attack detected'"