patterns/waf_patterns/nginx/iis.conf

# Nginx WAF rules for IIS
location / {
    set $attack_detected 0;

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx [a-z]:x5cinetpubb") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@pmFromFile iis-errors.data") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "!@rx ^404$") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx bServer Error in.{0,50}?bApplicationb") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($attack_detected = 1) {
        return 403;
    }
}