mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
333 lines
34 KiB
Plaintext
333 lines
34 KiB
Plaintext
# Nginx WAF Maps Definitions
|
||
# Automatically generated from OWASP rules.
|
||
|
||
http {
|
||
map $request_uri $waf_block_initialization {
|
||
default 0;
|
||
"~*\^\.\*\$" 1;
|
||
"~*@eq\ 1" 1;
|
||
"~*\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" 1;
|
||
"~*!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" 1;
|
||
"~*@eq\ 100" 1;
|
||
"~*@eq\ 0" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_exceptions {
|
||
default 0;
|
||
"~*\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" 1;
|
||
"~*@endsWith\ \(internal\ dummy\ connection\)" 1;
|
||
"~*@ipMatch\ 127\.0\.0\.1,::1" 1;
|
||
"~*@streq\ GET\ /" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_rfi {
|
||
default 0;
|
||
"~*\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" 1;
|
||
"~*!@endsWith\ \.%\{request_headers\.host\}" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_attack {
|
||
default 0;
|
||
"~*\." 1;
|
||
"~*unix:\[\^\|\]\*\|" 1;
|
||
"~*\[nr\]" 1;
|
||
"~*content\-transfer\-encoding:\(\.\*\)" 1;
|
||
"~*@gt\ 1" 1;
|
||
"~*@gt\ 0" 1;
|
||
"~*TX:paramcounter_\(\.\*\)" 1;
|
||
"~*\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" 1;
|
||
"~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" 1;
|
||
"~*\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" 1;
|
||
"~*\^content\-types\*:s\*\(\.\*\)\$" 1;
|
||
"~*\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" 1;
|
||
"~*\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" 1;
|
||
"~*\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_enforcement {
|
||
default 0;
|
||
"~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" 1;
|
||
"~*!@rx\ \^0\$" 1;
|
||
"~*@eq\ 1" 1;
|
||
"~*@endsWith\ \.pdf" 1;
|
||
"~*!@rx\ \^d\+\$" 1;
|
||
"~*!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" 1;
|
||
"~*@validateUrlEncoding" 1;
|
||
"~*@validateByteRange\ 1\-255" 1;
|
||
"~*@streq\ POST" 1;
|
||
"~*!@pm\ AppleWebKit\ Android" 1;
|
||
"~*@validateByteRange\ 32\-36,38\-126" 1;
|
||
"~*!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['\"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" 1;
|
||
"~*\^\[\^;s\]\+" 1;
|
||
"~*@within\ %\{tx\.restricted_headers_extended\}" 1;
|
||
"~*x25" 1;
|
||
"~*@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" 1;
|
||
"~*!@rx\ \^0\?\$" 1;
|
||
"~*@within\ %\{tx\.restricted_headers_basic\}" 1;
|
||
"~*@ge\ 1" 1;
|
||
"~*\.\(\[\^\.\]\+\)\$" 1;
|
||
"~*!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" 1;
|
||
"~*\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" 1;
|
||
"~*@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" 1;
|
||
"~*\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" 1;
|
||
"~*@gt\ %\{tx\.max_file_size\}" 1;
|
||
"~*charset\.\*\?charset" 1;
|
||
"~*@gt\ %\{tx\.max_num_args\}" 1;
|
||
"~*@gt\ %\{tx\.arg_name_length\}" 1;
|
||
"~*!@rx\ \^OPTIONS\$" 1;
|
||
"~*@gt\ 50" 1;
|
||
"~*@contains\ \#" 1;
|
||
"~*charsets\*=s\*\[\"'\]\?\(\[\^;\"'s\]\+\)" 1;
|
||
"~*\^\$" 1;
|
||
"~*@gt\ 1" 1;
|
||
"~*!@streq\ JSON" 1;
|
||
"~*@gt\ 0" 1;
|
||
"~*\(\?i\)x5cu\[0\-9a\-f\]\{4\}" 1;
|
||
"~*@gt\ %\{tx\.total_arg_length\}" 1;
|
||
"~*@validateByteRange\ 9,10,13,32\-126,128\-255" 1;
|
||
"~*@within\ %\{tx\.restricted_extensions\}" 1;
|
||
"~*%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" 1;
|
||
"~*@gt\ %\{tx\.arg_length\}" 1;
|
||
"~*b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" 1;
|
||
"~*@validateUtf8Encoding" 1;
|
||
"~*\^\.\*\$" 1;
|
||
"~*\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" 1;
|
||
"~*\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" 1;
|
||
"~*!@endsWith\ \.pdf" 1;
|
||
"~*\(d\+\)\-\(d\+\)" 1;
|
||
"~*\^\(\?:GET\|HEAD\)\$" 1;
|
||
"~*%\[0\-9a\-fA\-F\]\{2\}" 1;
|
||
"~*\['\";=\]" 1;
|
||
"~*!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" 1;
|
||
"~*@gt\ %\{tx\.combined_file_sizes\}" 1;
|
||
"~*@eq\ 0" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_lfi {
|
||
default 0;
|
||
"~*\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_xss {
|
||
default 0;
|
||
"~*@contains\ \-\->" 1;
|
||
"~*\(\?i\)<LINK\[s/\+\]\.\*\?href\[s/\+\]\*=" 1;
|
||
"~*<\[\?\]\?import\[s/\+S\]\*\?implementation\[s/\+\]\*\?=" 1;
|
||
"~*\(\?i:<\.\*\[:\]\?vmlframe\.\*\?\[s/\+\]\*\?src\[s/\+\]\*=\)" 1;
|
||
"~*\(\?i\)<script\[\^>\]\*>\[sS\]\*\?" 1;
|
||
"~*\(\?:xbcs\*/s\*\[\^xbe>\]\*\[xbe>\]\)\|\(\?:<s\*/s\*\[\^xbe\]\*xbe\)" 1;
|
||
"~*\(\?i:<META\[s/\+\]\.\*\?http\-equiv\[s/\+\]\*=\[s/\+\]\*\[\"'`\]\?\(\?:\(\?:c\|\&\#x\?0\*\(\?:67\|43\|99\|63\);\?\)\|\(\?:r\|\&\#x\?0\*\(\?:82\|52\|114\|72\);\?\)\|\(\?:s\|\&\#x\?0\*\(\?:83\|53\|115\|73\);\?\)\)\)" 1;
|
||
"~*\(\?i:<META\[s/\+\]\.\*\?charset\[s/\+\]\*=\)" 1;
|
||
"~*\(\?i\)<BASE\[s/\+\]\.\*\?href\[s/\+\]\*=" 1;
|
||
"~*\(\?i\)\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\+\?\[\.\]\.\+\?=" 1;
|
||
"~*\{\{\.\*\?\}\}" 1;
|
||
"~*\(\?i\)\[s\"'`;/0\-9=x0Bx09x0Cx3Bx2Cx28x3B\]on\[a\-zA\-Z\]\{3,25\}\[sx0Bx09x0Cx3Bx2Cx28x3B\]\*\?=\[\^=\]" 1;
|
||
"~*\(\?i\)b\(\?:s\(\?:tyle\|rc\)\|href\)b\[sS\]\*\?=" 1;
|
||
"~*\(\?i:\[\"'\]\[\ \]\*\(\?:\[\^a\-z0\-9\~_:'\ \]\|in\)\.\*\?\(\?:\(\?:l\|x5cu006C\)\(\?:o\|x5cu006F\)\(\?:c\|x5cu0063\)\(\?:a\|x5cu0061\)\(\?:t\|x5cu0074\)\(\?:i\|x5cu0069\)\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\|\(\?:n\|x5cu006E\)\(\?:a\|x5cu0061\)\(\?:m\|x5cu006D\)\(\?:e\|x5cu0065\)\|\(\?:o\|x5cu006F\)\(\?:n\|x5cu006E\)\(\?:e\|x5cu0065\)\(\?:r\|x5cu0072\)\(\?:r\|x5cu0072\)\(\?:o\|x5cu006F\)\(\?:r\|x5cu0072\)\|\(\?:v\|x5cu0076\)\(\?:a\|x5cu0061\)\(\?:l\|x5cu006C\)\(\?:u\|x5cu0075\)\(\?:e\|x5cu0065\)\(\?:O\|x5cu004F\)\(\?:f\|x5cu0066\)\)\.\*\?=\)" 1;
|
||
"~*\(\?i\)<\[\^0\-9<>A\-Z_a\-z\]\*\(\?:\[\^sv\"'<>\]\*:\)\?\[\^0\-9<>A\-Z_a\-z\]\*\[\^0\-9A\-Z_a\-z\]\*\?\(\?:s\[\^0\-9A\-Z_a\-z\]\*\?\(\?:c\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?t\|t\[\^0\-9A\-Z_a\-z\]\*\?y\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\|v\[\^0\-9A\-Z_a\-z\]\*\?g\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9>A\-Z_a\-z\]\)\|f\[\^0\-9A\-Z_a\-z\]\*\?o\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?m\|m\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?q\[\^0\-9A\-Z_a\-z\]\*\?u\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?e\|e\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:l\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?k\|o\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?j\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?c\[\^0\-9A\-Z_a\-z\]\*\?t\|e\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?b\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?d\|a\[\^0\-9A\-Z_a\-z\]\*\?\(\?:p\[\^0\-9A\-Z_a\-z\]\*\?p\[\^0\-9A\-Z_a\-z\]\*\?l\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?t\|u\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?o\|n\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?t\[\^0\-9A\-Z_a\-z\]\*\?e\)\|p\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\|i\?\[\^0\-9A\-Z_a\-z\]\*\?f\[\^0\-9A\-Z_a\-z\]\*\?r\[\^0\-9A\-Z_a\-z\]\*\?a\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?e\|b\[\^0\-9A\-Z_a\-z\]\*\?\(\?:a\[\^0\-9A\-Z_a\-z\]\*\?s\[\^0\-9A\-Z_a\-z\]\*\?e\|o\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?y\|i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?n\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?s\)\|i\[\^0\-9A\-Z_a\-z\]\*\?m\[\^0\-9A\-Z_a\-z\]\*\?a\?\[\^0\-9A\-Z_a\-z\]\*\?g\[\^0\-9A\-Z_a\-z\]\*\?e\?\|v\[\^0\-9A\-Z_a\-z\]\*\?i\[\^0\-9A\-Z_a\-z\]\*\?d\[\^0\-9A\-Z_a\-z\]\*\?e\[\^0\-9A\-Z_a\-z\]\*\?o\)\[\^0\-9>A\-Z_a\-z\]\)\|\(\?:<\[0\-9A\-Z_a\-z\]\.\*\[sv/\]\|\[\"'\]\(\?:\.\*\[sv/\]\)\?\)\(\?:background\|formaction\|lowsrc\|on\(\?:a\(\?:bort\|ctivate\|d\(\?:apteradded\|dtrack\)\|fter\(\?:print\|\(\?:scriptexecu\|upda\)te\)\|lerting\|n\(\?:imation\(\?:cancel\|end\|iteration\|start\)\|tennastatechange\)\|ppcommand\|u\(\?:dio\(\?:end\|process\|start\)\|xclick\)\)\|b\(\?:e\(\?:fore\(\?:\(\?:\(\?:\(\?:de\)\?activa\|scriptexecu\)t\|toggl\)e\|c\(\?:opy\|ut\)\|editfocus\|input\|p\(\?:aste\|rint\)\|u\(\?:nload\|pdate\)\)\|gin\(\?:Event\)\?\)\|l\(\?:ocked\|ur\)\|oun\(\?:ce\|dary\)\|roadcast\|usy\)\|c\(\?:a\(\?:\(\?:ch\|llschang\)ed\|nplay\(\?:through\)\?\|rdstatechange\)\|\(\?:ell\|fstate\)change\|h\(\?:a\(\?:rging\(\?:time\)\?cha\)\?nge\|ecking\)\|l\(\?:ick\|ose\)\|o\(\?:m\(\?:mand\(\?:update\)\?\|p\(\?:lete\|osition\(\?:end\|start\|update\)\)\)\|n\(\?:nect\(\?:ed\|ing\)\|t\(\?:extmenu\|rolselect\)\)\|py\)\|u\(\?:echange\|t\)\)\|d\(\?:ata\(\?:\(\?:availabl\|chang\)e\|error\|setc\(\?:hanged\|omplete\)\)\|blclick\|e\(\?:activate\|livery\(\?:error\|success\)\|vice\(\?:found\|light\|\(\?:mo\|orienta\)tion\|proximity\)\)\|i\(\?:aling\|s\(\?:abled\|c\(\?:hargingtimechange\|onnect\(\?:ed\|ing\)\)\)\)\|o\(\?:m\(\?:a\(\?:ctivate\|ttrmodified\)\|\(\?:characterdata\|subtree\)modified\|focus\(\?:in\|out\)\|mousescroll\|node\(\?:inserted\(\?:intodocument\)\?\|removed\(\?:fromdocument\)\?\)\)\|wnloading\)\|r\(\?:ag\(\?:drop\|e\(\?:n\(\?:d\|ter\)\|xit\)\|\(\?:gestur\|leav\)e\|over\|start\)\|op\)\|urationchange\)\|e\(\?:mptied\|n\(\?:abled\|d\(\?:ed\|Event\)\?\|ter\)\|rror\(\?:update\)\?\|xit\)\|f\(\?:ailed\|i\(\?:lterchange\|nish\)\|o\(\?:cus\(\?:in\|out\)\?\|rm\(\?:change\|input\)\)\|ullscreenchange\)\|g\(\?:amepad\(\?:axismove\|button\(\?:down\|up\)\|\(\?:dis\)\?connected\)\|et\)\|h\(\?:ashchange\|e\(\?:adphoneschange\|l\[dp\]\)\|olding\)\|i\(\?:cc\(\?:cardlockerror\|infochange\)\|n\(\?:coming\|put\|valid\)\)\|key\(\?:down\|press\|up\)\|l\(\?:evelchange\|o\(\?:ad\(\?:e\(\?:d\(\?:meta\)\?data\|nd\)\|start\)\?\|secapture\)\|y\)\|m\(\?:ark\|essage\|o\(\?:use\(\?:down\|enter\|\(\?:lea\|mo\)ve\|o\(\?:ut\|ver\)\|up\|wheel\)\|ve\(\?:end\|start\)\?\|z\(\?:a\(\?:fterpaint\|udioavailable\)\|\(\?:beforeresiz\|orientationchang\|t\(\?:apgestur\|imechang\)\)e\|\(\?:edgeui\(\?:c\(\?:ancel\|omplet\)\|start\)e\|network\(\?:down\|up\)loa\)d\|fullscreen\(\?:change\|error\)\|m\(\?:agnifygesture\(\?:start\|update\)\?\|ouse\(\?:hittest\|pixelscroll\)\)\|p\(\?:ointerlock\(\?:change\|error\)\|resstapgesture\)\|rotategesture\(\?:start\|update\)\?\|s\(\?:crolledareachanged\|wipegesture\(\?:end\|start\|update\)\?\)\)\)\)\|no\(\?:match\|update\)\|o\(\?:\(\?:bsolet\|\(\?:ff\|n\)lin\)e\|pen\|verflow\(\?:changed\)\?\)\|p\(\?:a\(\?:ge\(\?:hide\|show\)\|int\|\(\?:st\|us\)e\)\|lay\(\?:ing\)\?\|o\(\?:inter\(\?:down\|enter\|\(\?:\(\?:lea\|mo\)v\|rawupdat\)e\|o\(\?:ut\|ver\)\|up\)\|p\(\?:state\|up\(\?:hid\(\?:den\|ing\)\|show\(\?:ing\|n\)\)\)\)\|ro\(\?:gress\|pertychange\)\)\|r\(\?:atechange\|e\(\?:adystatechange\|ceived\|movetrack\|peat\(\?:Event\)\?\|quest\|s\(\?:et\|ize\|u\(\?:lt\|m\(\?:e\|ing\)\)\)\|trieving\)\|ow\(\?:e\(\?:nter\|xit\)\|s\(\?:delete\|inserted\)\)\)\|s\(\?:croll\(\?:end\)\?\|e\(\?:arch\|ek\(\?:complete\|ed\|ing\)\|lect\(\?:ionchange\|start\)\?\|n\(\?:ding\|t\)\|t\)\|how\|\(\?:ound\|peech\)\(\?:end\|start\)\|t\(\?:a\(\?:lled\|rt\|t\(\?:echange\|uschanged\)\)\|k\(\?:comma\|sessione\)nd\|op\)\|u\(\?:bmit\|ccess\|spend\)\|vg\(\?:abort\|error\|\(\?:un\)\?load\|resize\|scroll\|zoom\)\)\|t\(\?:ext\|ime\(\?:out\|update\)\|o\(\?:ggle\|uch\(\?:cancel\|en\(\?:d\|ter\)\|\(\?:lea\|mo\)ve\|start\)\)\|ransition\(\?:cancel\|end\|run\|start\)\)\|u\(\?:n\(\?:derflow\|handledrejection\|load\)\|p\(\?:dateready\|gradeneeded\)\|s\(\?:erproximity\|sdreceived\)\)\|v\(\?:ersion\|o\(\?:ic\|lum\)e\)change\|w\(\?:a\(\?:it\|rn\)ing\|ebkit\(\?:animation\(\?:end\|iteration\|start\)\|transitionend\)\|heel\)\|zoom\)\|ping\|s\(\?:rc\|tyle\)\)\[x08\-nf\-r\ \]\*\?=" 1;
|
||
"~*xbc\[\^xbe>\]\*\[xbe>\]\|<\[\^xbe\]\*xbe" 1;
|
||
"~*@detectXSS" 1;
|
||
"~*\(\?i\)<OBJECT\[s/\+\]\.\*\?\(\?:type\|codetype\|classid\|code\|data\)\[s/\+\]\*=" 1;
|
||
"~*\(\?i:<style\.\*\?>\.\*\?\(\?:@\[ix5c\]\|\(\?:\[:=\]\|\&\#x\?0\*\(\?:58\|3A\|61\|3D\);\?\)\.\*\?\(\?:\[\(x5c\]\|\&\#x\?0\*\(\?:40\|28\|92\|5C\);\?\)\)\)" 1;
|
||
"~*\(\?i\)<APPLET\[s/\+>\]" 1;
|
||
"~*!@validateByteRange\ 20,\ 45\-47,\ 48\-57,\ 65\-90,\ 95,\ 97\-122" 1;
|
||
"~*\(\(\?:\[\[\^\]\]\*\]\[\^\.\]\*\.\)\|Reflect\[\^\.\]\*\.\)\.\*\(\?:map\|sort\|apply\)\[\^\.\]\*\.\.\*call\[\^`\]\*`\.\*`" 1;
|
||
"~*\(\?i\)<EMBED\[s/\+\]\.\*\?\(\?:src\|type\)\.\*\?=" 1;
|
||
"~*<\(\?:a\|abbr\|acronym\|address\|applet\|area\|audioscope\|b\|base\|basefront\|bdo\|bgsound\|big\|blackface\|blink\|blockquote\|body\|bq\|br\|button\|caption\|center\|cite\|code\|col\|colgroup\|comment\|dd\|del\|dfn\|dir\|div\|dl\|dt\|em\|embed\|fieldset\|fn\|font\|form\|frame\|frameset\|h1\|head\|hr\|html\|i\|iframe\|ilayer\|img\|input\|ins\|isindex\|kdb\|keygen\|label\|layer\|legend\|li\|limittext\|link\|listing\|map\|marquee\|menu\|meta\|multicol\|nobr\|noembed\|noframes\|noscript\|nosmartquotes\|object\|ol\|optgroup\|option\|p\|param\|plaintext\|pre\|q\|rt\|ruby\|s\|samp\|script\|select\|server\|shadow\|sidebar\|small\|spacer\|span\|strike\|strong\|style\|sub\|sup\|table\|tbody\|td\|textarea\|tfoot\|th\|thead\|title\|tr\|tt\|u\|ul\|var\|wbr\|xml\|xmp\)W" 1;
|
||
"~*\(\?i\)\.\(\?:b\(\?:x\(\?:link:href\|html\|mlns\)\|data:text/html\|formaction\|patternb\.\*\?=\)\|!ENTITY\[sv\]\+\(\?:%\[sv\]\+\)\?\[\^sv\]\+\[sv\]\+\(\?:SYSTEM\|PUBLIC\)\|@import\|;base64\)b" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_fixation {
|
||
default 0;
|
||
"~*!@endsWith\ %\{request_headers\.host\}" 1;
|
||
"~*\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" 1;
|
||
"~*\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" 1;
|
||
"~*\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" 1;
|
||
"~*@eq\ 0" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_evaluation {
|
||
default 0;
|
||
"~*@eq\ 1" 1;
|
||
"~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1;
|
||
"~*@ge\ 1" 1;
|
||
"~*@ge\ 3" 1;
|
||
"~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1;
|
||
"~*@ge\ 4" 1;
|
||
"~*@ge\ 2" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_java {
|
||
default 0;
|
||
"~*\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" 1;
|
||
"~*\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" 1;
|
||
"~*\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" 1;
|
||
"~*\(\?:runtime\|processbuilder\)" 1;
|
||
"~*xacxedx00x05" 1;
|
||
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
|
||
"~*\.\*\.\(\?:jsp\|jspx\)\.\*\$" 1;
|
||
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" 1;
|
||
"~*\(\?:unmarshaller\|base64data\|java\.\)" 1;
|
||
"~*\(\?i\)\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\$\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" 1;
|
||
"~*java\.lang\.\(\?:runtime\|processbuilder\)" 1;
|
||
"~*javab\.\+\(\?:runtime\|processbuilder\)" 1;
|
||
"~*\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_generic {
|
||
default 0;
|
||
"~*@\{\.\*\}" 1;
|
||
"~*while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|\"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|\"\[\^\"\]\+\"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" 1;
|
||
"~*\[s\*constructors\*\]" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_sqli {
|
||
default 0;
|
||
"~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1;
|
||
"~*\^\(\?:and\|or\)\$" 1;
|
||
"~*\^\.\*\?x5c\['\"`\]\(\?:\.\*\?\['\"`\]\)\?s\*\(\?:and\|or\)b" 1;
|
||
"~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" 1;
|
||
"~*W\{4\}" 1;
|
||
"~*\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\ \?\[<\->\]\+\)" 1;
|
||
"~*\(\?i\)\[\"'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\[\"'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\[\"'`\]\$\|\[\"'x5c`\]\*\?\(\?:\[\"'0\-9`\]\+\|\[\^\"'`\]\+\[\"'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\[\"'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\[\"'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\"'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\[\"'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" 1;
|
||
"~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{2\}\)" 1;
|
||
"~*\^\(\?:\[\^'\]\*'\|\[\^\"\]\*\"\|\[\^`\]\*`\)\[sv\]\*;" 1;
|
||
"~*\(\?i\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv\"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv\"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" 1;
|
||
"~*!@streq\ %\{TX\.2\}" 1;
|
||
"~*\(\?:\^s\*\[\"'`;\]\+\|\[\"'`\]\+s\*\$\)" 1;
|
||
"~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{8\}\)" 1;
|
||
"~*\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" 1;
|
||
"~*@streq\ %\{TX\.2\}" 1;
|
||
"~*\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" 1;
|
||
"~*';" 1;
|
||
"~*\(\?i\)union\.\*\?select\.\*\?from" 1;
|
||
"~*@detectSQLi" 1;
|
||
"~*\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^\"\]\*\?\(\?:\"\[\^\"\]\*\?\"\[\^\"\]\*\?\)\*\?\"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" 1;
|
||
"~*\[\"'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\[\"'`d\]" 1;
|
||
"~*\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" 1;
|
||
"~*\(\?i\)\[\"'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\[\"'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\[\"'`\]\|like\[sv\]\*\?\[\"'`\]%\|select\[sv\]\+\?\[sv\"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" 1;
|
||
"~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{3\}\)" 1;
|
||
"~*\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" 1;
|
||
"~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{12\}\)" 1;
|
||
"~*\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>\]\*\?\)\{6\}\)" 1;
|
||
"~*\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\[\"'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" 1;
|
||
"~*\(\?i\)1\.e\[\(\-\),\]" 1;
|
||
"~*\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" 1;
|
||
"~*\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\[\"'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\[\"'`\]\|;\.\*\?:\[sv\]\*\?goto\)" 1;
|
||
"~*\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\[\"'\]\[\^=\]\{1,10\}\[\"'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" 1;
|
||
"~*\(\?i:b0x\[a\-fd\]\{3,\}\)" 1;
|
||
"~*\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" 1;
|
||
"~*!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_rce {
|
||
default 0;
|
||
"~*rn\(\?s:\.\)\*\?b\(\?:\(\?:QUI\|STA\|RSE\)\(\?i:T\)\|NOOP\|CAPA\)" 1;
|
||
"~*;\[sv\]\*\.\[sv\]\*\[\"'\]\?\(\?:a\(\?:rchive\|uth\)\|b\(\?:a\(\?:ckup\|il\)\|inary\)\|c\(\?:d\|h\(\?:anges\|eck\)\|lone\|onnection\)\|d\(\?:atabases\|b\(\?:config\|info\)\|ump\)\|e\(\?:cho\|qp\|x\(\?:cel\|it\|p\(\?:ert\|lain\)\)\)\|f\(\?:ilectrl\|ullschema\)\|he\(\?:aders\|lp\)\|i\(\?:mpo\(\?:rt\|ster\)\|ndexes\|otrace\)\|l\(\?:i\(\?:mi\|n\)t\|o\(\?:ad\|g\)\)\|\(\?:mod\|n\(\?:onc\|ullvalu\)\|unmodul\)e\|o\(\?:nce\|pen\|utput\)\|p\(\?:arameter\|r\(\?:int\|o\(\?:gress\|mpt\)\)\)\|quit\|re\(\?:ad\|cover\|store\)\|s\(\?:ave\|c\(\?:anstats\|hema\)\|e\(\?:lftest\|parator\|ssion\)\|h\(\?:a3sum\|ell\|ow\)\?\|tats\|ystem\)\|t\(\?:ables\|estc\(\?:ase\|trl\)\|ime\(\?:out\|r\)\|race\)\|vfs\(\?:info\|list\|name\)\|width\)" 1;
|
||
"~*\(\?is\)rn\.\*\?b\(\?:\(\?:LIST\|TOP\ \[0\-9\]\+\)\(\?:\ \[0\-9\]\+\)\?\|U\(\?:SER\ \.\+\?\|IDL\(\?:\ \[0\-9\]\+\)\?\)\|PASS\ \.\+\?\|\(\?:RETR\|DELE\)\ \[0\-9\]\+\?\|A\(\?:POP\ \[0\-9A\-Z_a\-z\]\+\ \[0\-9a\-f\]\{32\}\|UTH\ \[\-0\-9A\-Z_\]\{1,20\}\ \(\?:\(\?:\[\+/\-9A\-Z_a\-z\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-z\]\{2\}=\|\[\+/\-9A\-Z_a\-z\]\{3\}\)\)\?=\)\)" 1;
|
||
"~*\$\(\?:\(\(\?:\.\*\|\(\.\*\)\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|/\[0\-9A\-Z_a\-z\]\*\[!\?\.\+\]" 1;
|
||
"~*!@rx\ \[0\-9\]s\*'s\*\[0\-9\]" 1;
|
||
"~*\^\[\^\.\]\+\.\[\^;\?\]\+\[;\?\]\(\.\*\(\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)\)" 1;
|
||
"~*\(\?is\)rn\[0\-9A\-Z_a\-z\]\{1,50\}b\ \(\?:C\(\?:\(\?:REATE\|OPY\ \[\*,0\-:\]\+\)\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|APABILITY\|HECK\|LOSE\)\|DELETE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|EX\(\?:AMINE\ \[\"\-\#%\-\&\*\-\-\.0\-9A\-Zx5c_a\-z\]\+\|PUNGE\)\|FETCH\ \[\*,0\-:\]\+\|L\(\?:IST\ \[\"\-\#\*\-\-9A\-Zx5c_a\-z\~\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|OG\(\?:IN\ \[\-\-\.0\-9@_a\-z\]\{1,40\}\ \.\*\?\|OUT\)\)\|RENAME\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\?\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|S\(\?:E\(\?:LECT\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|ARCH\(\?:\ CHARSET\ \[\-\-\.0\-9A\-Z_a\-z\]\{1,40\}\)\?\ \(\?:\(KEYWORD\ x5c\)\?\(\?:A\(\?:LL\|NSWERED\)\|BCC\|D\(\?:ELETED\|RAFT\)\|\(\?:FLAGGE\|OL\)D\|RECENT\|SEEN\|UN\(\?:\(\?:ANSWER\|FLAGG\)ED\|D\(\?:ELETED\|RAFT\)\|SEEN\)\|NEW\)\|\(\?:BODY\|CC\|FROM\|HEADER\ \.\{1,100\}\|NOT\|OR\ \.\{1,255\}\|T\(\?:EXT\|O\)\)\ \.\{1,255\}\|LARGER\ \[0\-9\]\{1,20\}\|\[\*,0\-:\]\+\|\(\?:BEFORE\|ON\|S\(\?:ENT\(\?:\(\?:BEFOR\|SINC\)E\|ON\)\|INCE\)\)\ \"\?\[0\-9\]\{1,2\}\-\[0\-9A\-Z_a\-z\]\{3\}\-\[0\-9\]\{4\}\"\?\|S\(\?:MALLER\ \[0\-9\]\{1,20\}\|UBJECT\ \.\{1,255\}\)\|U\(\?:ID\ \[\*,0\-:\]\+\?\|NKEYWORD\ x5c\(Seen\|\(\?:Answer\|Flagg\)ed\|D\(\?:eleted\|raft\)\|Recent\)\)\)\)\|T\(\?:ORE\ \[\*,0\-:\]\+\?\ \[\+\-\]\?FLAGS\(\?:\.SILENT\)\?\ \(\?:\(x5c\[a\-z\]\{1,20\}\)\)\?\|ARTTLS\)\|UBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\)\|UN\(\?:SUBSCRIBE\ \[\"\-\#%\-\&\*\-\-9A\-Zx5c_a\-z\]\+\|AUTHENTICATE\)\|NOOP\)" 1;
|
||
"~*rn\(\?s:\.\)\*\?b\(\?:DATA\|QUIT\|HELP\(\?:\ \.\{1,255\}\)\?\)" 1;
|
||
"~*/" 1;
|
||
"~*\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]" 1;
|
||
"~*!\(\?:d\|!\)" 1;
|
||
"~*/\(\?:\[\?\*\]\+\[a\-z/\]\+\|\[a\-z/\]\+\[\?\*\]\+\)" 1;
|
||
"~*b\(\?:for\(\?:/\[dflr\]\.\*\)\?\ %\+\[\^\ \]\+\ in\(\.\*\)\[sv\]\?do\|if\(\?:/i\)\?\(\?:\ not\)\?\(\?:\ \(\?:e\(\?:xist\|rrorlevel\)\|defined\|cmdextversion\)b\|\[\ \(\]\.\*\(\?:b\(\?:g\(\?:eq\|tr\)\|equ\|neq\|l\(\?:eq\|ss\)\)b\|==\)\)\)" 1;
|
||
"~*ba\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?l\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?i\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?a\[\"'\)\[\-x5c\]\*\(\?:\(\?:\(\?:\|\|\|\&\&\)\[sv\]\*\)\?\$\[!\#\(\*\-0\-9\?\-@_a\-\{\]\*\)\?x5c\?sb\[sv\]\+\[!\-\"%',0\-9@\-Z_a\-z\]\+=\[\^sv\]" 1;
|
||
"~*rn\(\?s:\.\)\*\?b\(\?:\(\?i:E\)\(\?:HLO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|XPN\ \.\{1,64\}\)\|HELO\ \[\-\-\.A\-Za\-zx17fx212a\]\{1,255\}\|MAIL\ FROM:<\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:R\)\(\?:CPT\ TO:\(\?:\(\?i:<\)\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:\ \)\)\?\(\?i:<\)\.\{1,64\}\(\?i:>\)\|SETb\)\|VRFY\ \.\{1,64\}\(\?:\ <\.\{1,64\}\(\?i:@\)\.\{1,255\}\(\?i:>\)\|\(\?i:@\)\.\{1,255\}\)\|AUTH\ \[\-0\-9A\-Z_a\-zx17fx212a\]\{1,20\}\(\?i:\ \)\(\?:\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{4\}\)\*\(\?:\[\+/\-9A\-Z_a\-zx17fx212a\]\{2\}\(\?i:=\)\|\[\+/\-9A\-Z_a\-zx17fx212a\]\{3\}\)\)\?\(\?i:=\)\|STARTTLSb\|NOOPb\(\?:\(\?i:\ \)\.\{1,255\}\)\?\)" 1;
|
||
"~*s" 1;
|
||
"~*\^\(s\*\)s\+\{" 1;
|
||
"~*!\-d" 1;
|
||
"~*\^\[\^\.\]\*\?\(\?:\['\*\?x5c`\]\[\^n/\]\+/\|/\[\^/\]\+\?\['\*\?x5c`\]\|\$\[!\#\-\$\(\*\-0\-9\?\-\[_a\-\{\]\)" 1;
|
||
"~*\(\?:\$\(\?:\(\(\?:\(\.\*\)\|\.\*\)\)\|\{\.\*\}\)\|\[<>\]\(\.\*\)\|\[!\?\.\+\]\)" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_leakages {
|
||
default 0;
|
||
"~*\^\#!s\?/" 1;
|
||
"~*\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" 1;
|
||
"~*\^5d\{2\}\$" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_php {
|
||
default 0;
|
||
"~*\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" 1;
|
||
"~*@pm\ =" 1;
|
||
"~*\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" 1;
|
||
"~*\[oOcC\]:d\+:\"\.\+\?\":d\+:\{\.\*\}" 1;
|
||
"~*\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" 1;
|
||
"~*\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" 1;
|
||
"~*\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" 1;
|
||
"~*\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" 1;
|
||
"~*\(\?i\)<\?\(\?:=\|php\)\?s\+" 1;
|
||
"~*@pm\ \?>" 1;
|
||
"~*AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_iis {
|
||
default 0;
|
||
"~*\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" 1;
|
||
"~*!@rx\ \^404\$" 1;
|
||
"~*\[a\-z\]:x5cinetpubb" 1;
|
||
"~*bServer\ Error\ in\.\{0,50\}\?bApplicationb" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_sql {
|
||
default 0;
|
||
"~*\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." 1;
|
||
"~*\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" 1;
|
||
"~*\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" 1;
|
||
"~*\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" 1;
|
||
"~*\(\?i\)org\.hsqldb\.jdbc" 1;
|
||
"~*\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" 1;
|
||
"~*\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" 1;
|
||
"~*\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" 1;
|
||
"~*\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" 1;
|
||
"~*\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" 1;
|
||
"~*\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" 1;
|
||
"~*\(\?i\)Dynamic\ SQL\ Error" 1;
|
||
"~*\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_correlation {
|
||
default 0;
|
||
"~*@ge\ 5" 1;
|
||
"~*@ge\ %\{tx\.inbound_anomaly_score_threshold\}" 1;
|
||
"~*@gt\ 0" 1;
|
||
"~*@ge\ %\{tx\.outbound_anomaly_score_threshold\}" 1;
|
||
"~*@eq\ 0" 1;
|
||
}
|
||
|
||
map $request_uri $waf_block_shells {
|
||
default 0;
|
||
"~*\^<html>n<head>n<title>Ru24PostWebShell\ \-" 1;
|
||
"~*<title>Symlink_Sa\ \[0\-9\.\]\+</title>" 1;
|
||
"~*@contains\ <title>punkholicshell</title>" 1;
|
||
"~*\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" 1;
|
||
"~*B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" 1;
|
||
"~*<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" 1;
|
||
"~*\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" 1;
|
||
"~*\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" 1;
|
||
"~*@contains\ <h1\ style=\"margin\-bottom:\ 0\">webadmin\.php</h1>" 1;
|
||
"~*\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" 1;
|
||
"~*\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" 1;
|
||
"~*\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" 1;
|
||
"~*<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" 1;
|
||
"~*\^<html>n<head>n<div\ align=\"left\"><font\ size=\"1\">Input\ command\ :</font></div>n<form\ name=\"cmd\"\ method=\"POST\"\ enctype=\"multipart/form\-data\">" 1;
|
||
"~*>SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" 1;
|
||
"~*<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" 1;
|
||
"~*\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" 1;
|
||
"~*<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" 1;
|
||
"~*<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" 1;
|
||
"~*\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" 1;
|
||
"~*\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" 1;
|
||
"~*\^<html>rn<head>rn<meta\ http\-equiv=\"Content\-Type\"\ content=\"text/html;\ charset=gb2312\">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" 1;
|
||
"~*\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" 1;
|
||
"~*<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" 1;
|
||
"~*<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" 1;
|
||
}
|
||
|
||
}
|