Update: [Tue Jan 7 18:00:52 UTC 2025]

github-actions[bot]
2025-01-07 18:00:52 +00:00
parent 565b0c59a6
commit 4c0631f8ff
41 changed files with 3230 additions and 6327 deletions


@@ -1,34 +1,20 @@
# Apache ModSecurity rules for ATTACK
SecRuleEngine On
SecRule REQUEST_URI "!@eq 0" "id:1024,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1025,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1026,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1027,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1028,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1249,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1250,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1251,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1252,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1253,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1254,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1255,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1256,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1257,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1258,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1259,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1260,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1261,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1262,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1263,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1264,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1265,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1266,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1267,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ." "id:1268,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1269,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1270,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1271,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1272,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1273,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [" "id:1274,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1180,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1183,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1142,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1177,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1182,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1176,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1184,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1179,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1181,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1185,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1143,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1186,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1187,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1178,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\." "id:1188,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1189,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1190,phase:1,deny,status:403,log,msg:'attack attack detected'"
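Review bot: The later group of rules in this file carries its operator string regex-escaped, e.g. `"\[nr\]"` (id:1180), `"\."` (id:1188) and `"@gt\ 0"` (id:1187), so if these are the added lines (the page has lost its +/- markers) each pattern matches the literal text of the expression rather than what the expression described. `\[nr\]` fires only on a URI containing the characters `[nr]`, `\.` denies every URI that contains a dot, and `@gt\ 0` is no longer the `@gt 0` operator form, so it is likely to be rejected at load or treated as a plain pattern. The shorthand classes had already lost their backslashes before escaping (`s*`, `d+`, `[nr]`, presumably once `\s*`, `\d+`, `[\n\r]`), which means the unescaped form is wrong as well. The generator should emit the operator verbatim, e.g. `"@gt 0"`, and the workflow should load-test the generated files (for example with `apachectl configtest`) before the bot pushes. The same escaping appears in the CORRELATION and ENFORCEMENT sections.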


@@ -1,22 +1,11 @@
# Apache ModSecurity rules for CORRELATION
SecRuleEngine On
SecRule REQUEST_URI "@eq 0" "id:1627,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge 5" "id:1628,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1629,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1630,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1631,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1632,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1633,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1634,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1635,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1636,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1637,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1638,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1639,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1640,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1641,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1642,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1643,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1644,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1645,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1318,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1323,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ 5" "id:1317,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1319,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1322,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1316,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1321,phase:1,deny,status:403,log,msg:'correlation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1320,phase:1,deny,status:403,log,msg:'correlation attack detected'"


@@ -1,115 +1,82 @@
# Apache ModSecurity rules for ENFORCEMENT
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1210,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1211,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_methods}" "id:1212,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1213,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1214,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1215,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1216,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1217,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1218,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1346,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1347,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$" "id:1348,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$" "id:1349,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^d+$" "id:1350,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1351,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^0?$" "id:1352,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?:GET|HEAD)$" "id:1353,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@eq 0" "id:1354,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" "id:1355,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@streq POST" "id:1356,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1357,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1358,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@eq 0" "id:1359,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@eq 0" "id:1360,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (d+)-(d+)" "id:1361,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt %{tx.1}" "id:1362,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b" "id:1363,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx x25" "id:1364,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1365,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?i)application/x-www-form-urlencoded" "id:1366,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx x25" "id:1367,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1368,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1369,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1370,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx %u[fF]{2}[0-9a-fA-F]{2}" "id:1371,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 1-255" "id:1372,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1373,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^$" "id:1374,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^$" "id:1375,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1376,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm AppleWebKit Android Business Enterprise Entreprise" "id:1377,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^$" "id:1378,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^OPTIONS$" "id:1379,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1380,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^$" "id:1381,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^0$" "id:1382,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1383,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" "id:1384,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1385,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.max_num_args}" "id:1386,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1387,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.arg_name_length}" "id:1388,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1389,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.arg_length}" "id:1390,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1391,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.total_arg_length}" "id:1392,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1393,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?i)multipart/form-data" "id:1394,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.max_file_size}" "id:1395,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1396,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt %{tx.combined_file_sizes}" "id:1397,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$" "id:1398,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^[^;s]+" "id:1399,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type}" "id:1400,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx charsets*=s*["']?([^;"'s]+)" "id:1401,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_request_content_type_charset}" "id:1402,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx charset.*?charset" "id:1403,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@within %{tx.allowed_http_versions}" "id:1404,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx .([^.]+)$" "id:1405,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within %{tx.restricted_extensions}" "id:1406,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx .[^.~]+~(?:/.*|)$" "id:1407,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^.*$" "id:1408,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within %{tx.restricted_headers_basic}" "id:1409,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt 50" "id:1410,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1411,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@streq JSON" "id:1412,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (?i)x5cu[0-9a-f]{4}" "id:1413,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@contains #" "id:1414,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1415,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1416,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1417,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1418,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@endsWith .pdf" "id:1419,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith .pdf" "id:1420,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" "id:1421,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx %[0-9a-fA-F]{2}" "id:1422,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 9,10,13,32-126,128-255" "id:1423,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1424,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ['";=]" "id:1425,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^0$" "id:1426,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1427,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^.*$" "id:1428,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within %{tx.restricted_headers_extended}" "id:1429,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1430,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1431,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 32-36,38-126" "id:1432,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1433,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:OPTIONS|CONNECT)$" "id:1434,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm AppleWebKit Android" "id:1435,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1436,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^(?i)up" "id:1437,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1438,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" "id:1439,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" "id:1440,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1441,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1442,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith .pdf" "id:1443,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" "id:1444,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" "id:1445,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" "id:1446,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx ^(?:?[01])?$" "id:1447,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" "id:1448,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android\ Business\ Enterprise\ Entreprise" "id:1024,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1020,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 1\-255" "id:1019,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.total_arg_length\}" "id:1039,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1032,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 38,44\-46,48\-58,61,65\-90,95,97\-122" "id:1079,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1025,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 50" "id:1053,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\.\(\[\^\.\]\+\)\$" "id:1048,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1013,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "charsets\*=s\*\["'\]\?\(\[\^;"'s\]\+\)" "id:1046,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1016,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.max_file_size\}" "id:1041,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?i\)x5cu\[0\-9a\-f\]\{4\}" "id:1055,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\(\?:OPTIONS\|CONNECT\)\$" "id:1072,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1026,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@streq\ JSON" "id:1054,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{63\}" "id:1061,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 32,34,38,42\-59,61,65\-90,95,97\-122" "id:1080,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUrlEncoding" "id:1015,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.arg_name_length\}" "id:1035,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1066,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@streq\ POST" "id:1007,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1008,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\$" "id:1029,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1058,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\[w/\.\+\*\-\]\+\(\?:s\?;s\?\(\?:action\|boundary\|charset\|component\|start\(\?:\-info\)\?\|type\|version\)s\?=s\?\['"w\.\(\)\+,/:=\?<>@\#\*\-\]\+\)\*\$" "id:1044,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1075,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.max_num_args\}" "id:1033,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.arg_length\}" "id:1037,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@endsWith\ \.pdf" "id:1059,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?:\^\(\[d\.\]\+\|\[\[da\-f:\]\+\]\|\[da\-f:\]\+\)\(:\[d\]\+\)\?\$\)" "id:1031,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@pm\ AppleWebKit\ Android" "id:1073,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1022,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\.\[\^\.\~\]\+\~\(\?:/\.\*\|\)\$" "id:1050,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^\(\?:\(\?:max\-age=\[0\-9\]\+\|min\-fresh=\[0\-9\]\+\|no\-cache\|no\-store\|no\-transform\|only\-if\-cached\|max\-stale\(\?:=\[0\-9\]\+\)\?\)\(\?:s\*,s\*\|\$\)\)\{1,7\}\$" "id:1076,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^d\+\$" "id:1003,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 9,10,13,32\-126,128\-255" "id:1063,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1057,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "b\(\?:keep\-alive\|close\),s\?\(\?:keep\-alive\|close\)b" "id:1011,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@gt\ %\{tx\.combined_file_sizes\}" "id:1043,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "%u\[fF\]\{2\}\[0\-9a\-fA\-F\]\{2\}" "id:1018,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_extended\}" "id:1069,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^bytes=\(\?:\(\?:d\+\)\?\-\(\?:d\+\)\?s\*,\?s\*\)\{6\}" "id:1078,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@contains\ \#" "id:1056,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1034,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1074,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1067,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(\?:\^\|\[\^x5c\]\)x5c\[cdeghijklmpqwxyz123456789\]" "id:1081,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1030,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_extensions\}" "id:1049,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1036,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1068,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateByteRange\ 32\-36,38\-126" "id:1070,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1077,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1004,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1038,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1071,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\[\^;s\]\+" "id:1045,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\['";=\]" "id:1065,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1064,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1009,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\(\?:GET\|HEAD\)\$" "id:1006,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1040,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^OPTIONS\$" "id:1023,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "x25" "id:1012,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@validateUtf8Encoding" "id:1017,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1042,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "x25" "id:1014,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "%\[0\-9a\-fA\-F\]\{2\}" "id:1062,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\(d\+\)\-\(d\+\)" "id:1010,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1028,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "!@rx\ \^0\?\$" "id:1005,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "charset\.\*\?charset" "id:1047,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1051,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@endsWith\ \.pdf" "id:1060,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@within\ %\{tx\.restricted_headers_basic\}" "id:1052,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "\^\$" "id:1021,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1027,phase:1,deny,status:403,log,msg:'enforcement attack detected'"
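Review bot: Every rule in this file tests `REQUEST_URI` and ends in a stand-alone `deny,status:403`, although operators such as `@gt %{tx.max_num_args}`, `@within %{tx.restricted_headers_basic}` and `@streq POST` only make sense against an argument count, a header name or the request method. Taken at face value, `@endsWith .pdf` (id:1077, id:1060) would refuse every PDF request, and the numeric comparisons evaluate a URI string as a number. These look like single links lifted out of chained rules, so the generator should carry over the original variable and the `chain` action, e.g. `SecRule &ARGS "@gt %{tx.max_num_args}" ...`, or skip links that cannot stand alone. The shared `msg:'enforcement attack detected'` also makes the resulting 403s indistinguishable in the audit log; put the rule's purpose in `msg`. The CORRELATION section shows the same pattern with `tx.inbound_anomaly_score_threshold`.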


@@ -1,57 +1,41 @@
# Apache ModSecurity rules for EVALUATION
SecRuleEngine On
SecRule REQUEST_URI "@ge 1" "id:1275,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1276,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1277,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1278,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1279,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1280,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1281,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1282,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1283,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1284,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1285,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1286,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1287,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1288,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1289,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1290,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1291,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1292,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1293,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1294,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1295,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1296,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1297,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1298,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1299,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1300,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1301,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1600,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1601,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1602,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1603,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1604,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1605,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1606,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1607,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1608,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 1" "id:1609,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1610,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 2" "id:1611,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1612,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 3" "id:1613,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1614,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge 4" "id:1615,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1616,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1617,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge %{tx.outbound_anomaly_score_threshold}" "id:1618,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1619,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1620,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1621,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1622,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1623,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1624,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1625,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1626,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1088,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1094,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1082,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1338,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1097,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1341,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1332,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1091,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1085,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1087,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1342,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.outbound_anomaly_score_threshold\}" "id:1340,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1326,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1328,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1335,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1337,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1331,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1099,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1096,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1325,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1098,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1090,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1084,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1086,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1334,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1093,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1095,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1336,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1330,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1089,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1324,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1083,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 4" "id:1339,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 1" "id:1333,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ %\{tx\.inbound_anomaly_score_threshold\}" "id:1100,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1327,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 3" "id:1329,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
SecRule REQUEST_URI "@ge\ 2" "id:1092,phase:1,deny,status:403,log,msg:'evaluation attack detected'"
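Review bot: The lines carrying ids 1082–1100 and 1324–1342 (the escaped form, which appears to be the new side) have a regex-escaped operator string, as in `@ge\ 4`, `@eq\ 1` and `@ge\ %\{tx\.inbound_anomaly_score_threshold\}`. The operator name is no longer followed by whitespace and `%\{...\}` is no longer macro syntax. ModSecurity reads the operator name up to the first whitespace, so these lines are likely to be rejected at load time or evaluated as something other than `@ge`/`@eq`; either way they no longer express what the unescaped lines did. Escaping should apply to a regex pattern only, never to the `@operator` prefix or a macro, e.g. `SecRule REQUEST_URI "@ge %{tx.inbound_anomaly_score_threshold}" "id:1098,phase:1,deny,status:403,log,msg:'evaluation attack detected'"`. The same escaping appears in the EXCEPTIONS, FIXATION, GENERIC, IIS and INITIALIZATION sections, where patterns without an `@` prefix (for example `\^\.\*\$`) now match the literal characters rather than the expression.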


@@ -1,8 +1,8 @@
# Apache ModSecurity rules for EXCEPTIONS
SecRuleEngine On
SecRule REQUEST_URI "@streq GET /" "id:1219,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1220,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch 127.0.0.1,::1" "id:1221,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@endsWith (internal dummy connection)" "id:1222,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$" "id:1223,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@endsWith\ \(internal\ dummy\ connection\)" "id:1104,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1102,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "\^\(\?:GET\ /\|OPTIONS\ \*\)\ HTTP/\[12\]\.\[01\]\$" "id:1105,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@streq\ GET\ /" "id:1101,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
SecRule REQUEST_URI "@ipMatch\ 127\.0\.0\.1,::1" "id:1103,phase:1,deny,status:403,log,msg:'exceptions attack detected'"
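Review bot: Every rule in this section is emitted as `SecRule REQUEST_URI ... phase:1,deny,status:403`, but the operators are not URI tests. `@ipMatch 127.0.0.1,::1` compares against an address, while `@streq GET /` and the `HTTP/[12].[01]` pattern describe a request line, which REQUEST_URI does not contain. The section title and the `(internal dummy connection)` string suggest these were exemptions for local health-check traffic, so emitting them as deny rules would invert their purpose if they ever matched. The generator should carry over each source rule's variable and action instead of hard-coding them, or skip rules it cannot translate. The same hard-coding shows in the IIS section, where server error-page text is matched against the request URI in phase 1, and in the EVALUATION and INITIALIZATION sections, where numeric operators such as `@eq 0` are applied to a path string.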


@@ -1,17 +1,9 @@
# Apache ModSecurity rules for FIXATION
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1302,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1303,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)" "id:1304,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1305,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@rx ^(?:ht|f)tps?://(.*?)/" "id:1306,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "!@endsWith %{request_headers.host}" "id:1307,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:1308,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1309,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1310,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1311,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1312,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1313,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1314,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1315,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\(\?i:\.cookieb\.\*\?;W\*\?\(\?:expires\|domain\)W\*\?=\|bhttp\-equivW\+set\-cookieb\)" "id:1244,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "!@endsWith\ %\{request_headers\.host\}" "id:1247,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1249,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1245,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:jsessionid\|aspsessionid\|asp\.net_sessionid\|phpsession\|phpsessid\|weblogicsession\|session_id\|session\-id\|cfid\|cftoken\|cfsid\|jservsession\|jwsession\)\$" "id:1248,phase:1,deny,status:403,log,msg:'fixation attack detected'"
SecRule REQUEST_URI "\^\(\?:ht\|f\)tps\?://\(\.\*\?\)/" "id:1246,phase:1,deny,status:403,log,msg:'fixation attack detected'"
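Review bot: The regular expressions in this section lost their backslashes before being written out. `.cookieb.*?;W*?` and `bhttp-equivW+set-cookieb` read like `\.cookie\b.*?;\W*?` and `\bhttp-equiv\W+set-cookie\b` with each `\` dropped, so `b` and `W` are matched as plain letters. The escaped form on ids 1244–1249 then preserves that damage (`cookieb`, `W\*\?`), so the session-fixation patterns cannot match the input they were written for. The pattern text needs to be copied verbatim from the source rule, and a load-and-match test with one known-positive request per rule would catch this. The GENERIC and IIS sections show the same loss (`[sv]*`, `x5cinetpubb`, `bServer Error in`).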


@@ -1,21 +1,6 @@
# Apache ModSecurity rules for GENERIC
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1158,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1159,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])" "id:1160,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(" "id:1161,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@pmFromFile ssrf.data" "id:1162,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?:__proto__|constructors*(?:.|[)s*prototype)" "id:1163,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx Process[sv]*.[sv]*spawn[sv]*(" "id:1164,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)" "id:1165,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*" "id:1166,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1167,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1168,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))" "id:1169,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx [s*constructors*]" "id:1170,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@rx @{.*}" "id:1171,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1172,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1173,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1174,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1175,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "@\{\.\*\}" "id:1208,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "while\[sv\]\*\(\[sv\(\]\*\(\?:!\+\(\?:false\|null\|undefined\|NaN\|\[\+\-\]\?0\|"\{2\}\|'\{2\}\|`\{2\}\)\|\(\?:!!\)\*\(\?:\(\?:t\(\?:rue\|his\)\|\[\+\-\]\?\(\?:Infinity\|\[1\-9\]\[0\-9\]\*\)\|new\ \[A\-Za\-z\]\[0\-9A\-Z_a\-z\]\*\|window\|String\|\(\?:Boolea\|Functio\)n\|Object\|Array\)b\|\{\.\*\}\|\[\.\*\]\|"\[\^"\]\+"\|'\[\^'\]\+'\|`\[\^`\]\+`\)\)\.\*\)" "id:1206,phase:1,deny,status:403,log,msg:'generic attack detected'"
SecRule REQUEST_URI "\[s\*constructors\*\]" "id:1207,phase:1,deny,status:403,log,msg:'generic attack detected'"


@@ -1,16 +1,7 @@
# Apache ModSecurity rules for IIS
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1533,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1534,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx [a-z]:x5cinetpubb" "id:1535,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)" "id:1536,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@pmFromFile iis-errors.data" "id:1537,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "!@rx ^404$" "id:1538,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx bServer Error in.{0,50}?bApplicationb" "id:1539,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1540,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1541,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1542,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1543,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1544,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1545,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "bServer\ Error\ in\.\{0,50\}\?bApplicationb" "id:1346,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "!@rx\ \^404\$" "id:1345,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "\[a\-z\]:x5cinetpubb" "id:1343,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "\(\?:Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\(\?:</font>\.\{1,20\}\?error\ '800\(\?:04005\|40e31\)'\.\{1,40\}\?Timeout\ expired\|\ \(0x80040e31\)<br>Timeout\ expired<br>\)\|<h1>internal\ server\ error</h1>\.\*\?<h2>part\ of\ the\ server\ has\ crashed\ or\ it\ has\ a\ configuration\ error\.</h2>\|cannot\ connect\ to\ the\ server:\ timed\ out\)" "id:1344,phase:1,deny,status:403,log,msg:'iis attack detected'"


@@ -1,33 +1,31 @@
# Apache ModSecurity rules for INITIALIZATION
SecRuleEngine On
SecRule REQUEST_URI "@eq 0" "id:1316,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1317,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1318,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1319,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1320,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1321,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1322,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1323,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1324,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1325,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1326,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1327,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1328,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1329,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1330,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1331,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1332,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1333,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1334,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1335,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 0" "id:1336,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1337,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@rx ^.*$" "id:1338,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:1339,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 1" "id:1340,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:1341,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq 100" "id:1342,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@rx ^[a-f]*([0-9])[a-f]*([0-9])" "id:1343,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@lt %{tx.sampling_percentage}" "id:1344,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@lt %{tx.blocking_paranoia_level}" "id:1345,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "\^\.\*\$" "id:1166,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1145,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1151,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1148,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1154,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1160,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1169,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1157,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1163,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 100" "id:1170,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1144,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1147,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1153,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1150,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1156,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1159,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1162,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "\^\[a\-f\]\*\(\[0\-9\]\)\[a\-f\]\*\(\[0\-9\]\)" "id:1171,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1165,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 1" "id:1168,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1146,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1149,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1152,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1158,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "!@rx\ \(\?:URLENCODED\|MULTIPART\|XML\|JSON\)" "id:1167,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1155,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1161,phase:1,deny,status:403,log,msg:'initialization attack detected'"
SecRule REQUEST_URI "@eq\ 0" "id:1164,phase:1,deny,status:403,log,msg:'initialization attack detected'"


@@ -1,37 +1,18 @@
# Apache ModSecurity rules for JAVA
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1001,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx java.lang.(?:runtime|processbuilder)" "id:1002,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1003,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:unmarshaller|base64data|java.)" "id:1004,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1005,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1006,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-classes.data" "id:1007,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx .*.(?:jsp|jspx).*$" "id:1008,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1009,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1010,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1011,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)" "id:1012,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx xacxedx00x05" "id:1013,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" "id:1014,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:1015,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx javab.+(?:runtime|processbuilder)" "id:1016,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)" "id:1017,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1018,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1019,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" "id:1020,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1021,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1022,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)" "id:1023,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1185,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1186,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-code-leakages.data" "id:1187,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@pmFromFile java-errors.data" "id:1188,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1189,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1190,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "xacxedx00x05" "id:1199,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1201,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)" "id:1205,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:rO0ABQ\|KztAAU\|Cs7QAF\)" "id:1200,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:clonetransformer\|forclosure\|instantiatefactory\|instantiatetransformer\|invokertransformer\|prototypeclonefactory\|prototypeserializationfactory\|whileclosure\|getproperty\|filewriter\|xmldecoder\)" "id:1194,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "java\.lang\.\(\?:runtime\|processbuilder\)" "id:1191,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:unmarshaller\|base64data\|java\.\)" "id:1193,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\{0,15\}\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1197,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\(\?:\[\^\}\]\*\(\?:\$\|\&dollar;\?\)\(\?:\{\|\&l\(\?:brace\|cub\);\?\)\|jndi\|ctx\)" "id:1198,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:class\.module\.classLoader\.resources\.context\.parent\.pipeline\|springframework\.context\.support\.FileSystemXmlApplicationContext\)" "id:1203,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:cnVudGltZQ\|HJ1bnRpbWU\|BydW50aW1l\|cHJvY2Vzc2J1aWxkZXI\|HByb2Nlc3NidWlsZGVy\|Bwcm9jZXNzYnVpbGRlcg\|Y2xvbmV0cmFuc2Zvcm1lcg\|GNsb25ldHJhbnNmb3JtZXI\|BjbG9uZXRyYW5zZm9ybWVy\|Zm9yY2xvc3VyZQ\|GZvcmNsb3N1cmU\|Bmb3JjbG9zdXJl\|aW5zdGFudGlhdGVmYWN0b3J5\|Gluc3RhbnRpYXRlZmFjdG9yeQ\|BpbnN0YW50aWF0ZWZhY3Rvcnk\|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg\|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI\|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy\|aW52b2tlcnRyYW5zZm9ybWVy\|Gludm9rZXJ0cmFuc2Zvcm1lcg\|BpbnZva2VydHJhbnNmb3JtZXI\|cHJvdG90eXBlY2xvbmVmYWN0b3J5\|HByb3RvdHlwZWNsb25lZmFjdG9yeQ\|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk\|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk\|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5\|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ\|d2hpbGVjbG9zdXJl\|HdoaWxlY2xvc3VyZQ\|B3aGlsZWNsb3N1cmU\)" "id:1204,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "javab\.\+\(\?:runtime\|processbuilder\)" "id:1202,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\(\?:runtime\|processbuilder\)" "id:1195,phase:1,deny,status:403,log,msg:'java attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:jsp\|jspx\)\.\*\$" "id:1196,phase:1,deny,status:403,log,msg:'java attack detected'"
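Review bot: The backslash-escaped rules at the end of this section (the new side, going by the 37 to 18 line counts in the hunk header) have every regex metacharacter escaped, so `\(\?:runtime\|processbuilder\)` matches only the literal text `(?:runtime|processbuilder)` and never the class names; these deny rules effectively cannot fire. Some patterns had also lost a backslash before the escaping was applied: `xacxedx00x05` is plain ASCII rather than `\xac\xed\x00\x05`, and `javab\.\+` is missing its `\b`. The generator should emit the pattern unescaped behind an explicit operator and keep the source backslashes, e.g. `SecRule REQUEST_URI "@rx (?:runtime|processbuilder)" "id:1192,phase:1,deny,status:403,log,msg:'java attack detected'"`. The LEAKAGES, LFI, PHP, RFI and SHELLS sections below show the same over-escaping.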


@@ -1,14 +1,6 @@
# Apache ModSecurity rules for LEAKAGES
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1510,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1511,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)" "id:1512,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@rx ^#!s?/" "id:1513,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1514,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1515,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@rx ^5d{2}$" "id:1516,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1517,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1518,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1519,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1520,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "\^5d\{2\}\$" "id:1174,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "\(\?:<\(\?:TITLE>Index\ of\.\*\?<H\|title>Index\ of\.\*\?<h\)1>Index\ of\|>\[To\ Parent\ Directory\]</\[Aa\]><br>\)" "id:1172,phase:1,deny,status:403,log,msg:'leakages attack detected'"
SecRule REQUEST_URI "\^\#!s\?/" "id:1173,phase:1,deny,status:403,log,msg:'leakages attack detected'"
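Review bot: The three remaining rules look for response-side indicators (directory-listing markup such as `Index of` and `To Parent Directory`, a leading `#!` script line, and what appears to be a 5xx status pattern), yet they inspect `REQUEST_URI` at `phase:1`, before any response exists, so they cannot detect a leak. If they are meant as outbound checks they need a response variable and phase, for example `SecRule RESPONSE_BODY "@rx ^#!\s?/" "id:1173,phase:4,deny,status:403,log,msg:'leakages attack detected'"` and `RESPONSE_STATUS` with `@rx ^5\d{2}$` for id:1174, with `SecResponseBodyAccess On` set for the body rules. The web-shell title signatures in the SHELLS section have the same request/response mismatch.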


@@ -1,16 +1,4 @@
# Apache ModSecurity rules for LFI
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1029,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1030,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" "id:1031,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))" "id:1032,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1033,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@pmFromFile restricted-files.data" "id:1034,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1035,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1036,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@pmFromFile lfi-os-files.data" "id:1037,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1038,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1039,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1040,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1041,phase:1,deny,status:403,log,msg:'lfi attack detected'"
SecRule REQUEST_URI "\(\?:\(\?:\^\|\[x5c/;\]\)\.\{2,3\}\[x5c/;\]\|\[x5c/;\]\.\{2,3\}\(\?:\[x5c/;\]\|\$\)\)" "id:1175,phase:1,deny,status:403,log,msg:'lfi attack detected'"
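Review bot: After this change the file appears to keep a single traversal rule (the hunk header gives 4 new lines against 16 old), and the `@pmFromFile lfi-os-files.data` and `@pmFromFile restricted-files.data` lookups, along with the encoded-traversal pattern, disappear without a replacement. If that is a side effect of the generator rather than a decision, the checks for OS file names and restricted file names are silently lost and should be restored. If it is intentional, the header comment should say so, e.g. `# NOTE: data-file (@pmFromFile) and encoded-traversal rules intentionally omitted`, so an operator does not assume this file still covers them.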


@@ -1,42 +1,14 @@
# Apache ModSecurity rules for PHP
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1449,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1450,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" "id:1451,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$" "id:1452,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-config-directives.data" "id:1453,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm =" "id:1454,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-variables.data" "id:1455,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:1456,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:1457,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933150.data" "id:1458,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)" "id:1459,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx [oOcC]:d+:".+?":d+:{.*}" "id:1460,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)" "id:1461,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));" "id:1462,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1463,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1464,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-function-names-933151.data" "id:1465,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm (" "id:1466,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1467,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1468,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" "id:1469,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)" "id:1470,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx .*.(?:phpd*|phtml)..*$" "id:1471,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm ?>" "id:1472,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?" "id:1473,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1474,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1475,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1521,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1522,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-errors.data" "id:1523,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" "id:1524,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@rx (?i)<?(?:=|php)?s+" "id:1525,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1526,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1527,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pmFromFile php-errors-pl2.data" "id:1528,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1529,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1530,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1531,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1532,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1209,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1289,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1290,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1212,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm\ =" "id:1211,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1210,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm\ \?>" "id:1217,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1216,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1214,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1215,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1213,phase:1,deny,status:403,log,msg:'php attack detected'"
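Review bot: Rules id:1211 (`"@pm\ ="`) and id:1217 (`"@pm\ \?>"`) are standalone `deny` rules on very short phrases; if 1211 is read as `@pm =`, it rejects any URI that contains `=`, which means every request with a query string. Phrase checks this short only make sense as a second condition, so they should be attached with `chain` to the rule they qualify instead of carrying their own `deny`. The backslash before the space after the operator name is also suspect: as far as I can tell ModSecurity takes the operator name up to the first whitespace, so `@pm\ ` is likely to be rejected or misread at load time, and the argument should be written `"@pm ="`. The same escaped-space form appears in the RFI and SHELLS sections (`!@endsWith\ `, `@contains\ `).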


File diff suppressed because one or more lines are too long


@@ -1,18 +1,6 @@
# Apache ModSecurity rules for RFI
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1195,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1196,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" "id:1197,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" "id:1198,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?).*??+$" "id:1199,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1200,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1201,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1202,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1203,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1204,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1205,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1206,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1207,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1208,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1209,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1002,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "\^\(\?i:file\|ftps\?\|https\?\)://\(\?:d\{1,3\}\.d\{1,3\}\.d\{1,3\}\.d\{1,3\}\)" "id:1000,phase:1,deny,status:403,log,msg:'rfi attack detected'"
SecRule REQUEST_URI "!@endsWith\ \.%\{request_headers\.host\}" "id:1001,phase:1,deny,status:403,log,msg:'rfi attack detected'"
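Review bot: Rules id:1001 and id:1002 apply the negated `!@endsWith .%{request_headers.host}` directly to `REQUEST_URI`, and a request URI practically never ends with a dot followed by the Host header, so once the operator parses, both rules would answer every request with 403. A comparison like this is only meaningful against a host name extracted from a URL-valued parameter by a preceding rule, so it should be the chained second half of that rule rather than a free-standing `deny`. The two rules are also identical apart from the id, so one of them is redundant.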


@@ -1,37 +1,28 @@
# Apache ModSecurity rules for SHELLS
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1476,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1477,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@pmFromFile web-shells-php.data" "id:1478,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" "id:1479,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" "id:1480,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" "id:1481,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Mini Shell</title>.*Developed By LameHacker" "id:1482,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>" "id:1483,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>Symlink_Sa [0-9.]+</title>" "id:1484,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" "id:1485,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+" "id:1486,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$" "id:1487,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -" "id:1488,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>" "id:1489,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>lama's'hell v. [0-9.]+</title>" "id:1490,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -" "id:1491,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->" "id:1492,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">" "id:1493,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<head>n<title>Ru24PostWebShell -" "id:1494,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" "id:1495,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>" "id:1496,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+" "id:1497,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <title>punkholicshell</title>" "id:1498,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>" "id:1499,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" "id:1500,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>" "id:1501,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" "id:1502,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1503,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1504,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>" "id:1505,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1506,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1507,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1508,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1509,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<title>GRP\ WebShell\ \[0\-9\.\]\+" "id:1298,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>lama's'hell\ v\.\ \[0\-9\.\]\+</title>" "id:1302,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html>nn<head>nn<title>g00nshell\ v\[0\-9\.\]\+" "id:1309,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>\.::\ \.\*\ \~\ Ashiyane\ V\ \[0\-9\.\]\+\ ::\.</title>" "id:1295,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n\ \ \ \ \ \ <head>n\ \ \ \ \ \ \ \ \ \ \ \ \ <title>azrail\ \[0\-9\.\]\+\ by\ C\-W\-M</title>" "id:1311,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Mini\ Shell</title>\.\*Developed\ By\ LameHacker" "id:1294,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>CasuS\ \[0\-9\.\]\+\ by\ MafiABoY</title>" "id:1297,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<div\ align="left"><font\ size="1">Input\ command\ :</font></div>n<form\ name="cmd"\ method="POST"\ enctype="multipart/form\-data">" "id:1305,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <title>punkholicshell</title>" "id:1310,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "@contains\ <h1\ style="margin\-bottom:\ 0">webadmin\.php</h1>" "id:1315,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>s72\ Shell\ v\[0\-9\.\]\+\ Codinf\ by\ Cr@zy_King</title>" "id:1307,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\(<title>r57\ Shell\ Version\ \[0\-9\.\]\+</title>\|<title>r57\ shell</title>\)" "id:1291,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "B4TM4N\ SH3LL</title>\.\*<meta\ name='author'\ content='k4mpr3t'/>" "id:1293,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI ">SmEvK_PaThAn\ Shell\ v\[0\-9\]\+\ coded\ by\ <a\ href=" "id:1312,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<small>NGHshell\ \[0\-9\.\]\+\ by\ Cr4sh</body></html>n\$" "id:1299,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html><head><meta\ http\-equiv='Content\-Type'\ content='text/html;\ charset=Windows\-1251'><title>\.\*\?\ \-\ WSO\ \[0\-9\.\]\+</title>" "id:1292,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>SimAttacker\ \-\ \(\?:Version\|Vrsion\)\ :\ \[0\-9\.\]\+\ \-" "id:1300,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "<title>Symlink_Sa\ \[0\-9\.\]\+</title>" "id:1296,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>rn<head>rn<meta\ http\-equiv="Content\-Type"\ content="text/html;\ charset=gb2312">rn<title>PhpSpy\ Ver\ \[0\-9\]\+</title>" "id:1308,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<title>\.\*\?\ \~\ Shell\ I</title>n<head>n<style>" "id:1313,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<title>PHP\ Web\ Shell</title>rn<html>rn<body>rn\ \ \ \ <!\-\-\ Replaces\ command\ with\ Base64\-encoded\ Data\ \-\->" "id:1304,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ \*<html>n\[\ \]\+<head>n\[\ \]\+<title>lostDC\ \-" "id:1303,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<!DOCTYPE\ html>n<html>n<!\-\-\ By\ Artyum\ \.\*<title>Web\ Shell</title>" "id:1301,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^<html>n<head>n<title>Ru24PostWebShell\ \-" "id:1306,phase:1,deny,status:403,log,msg:'shells attack detected'"
SecRule REQUEST_URI "\^\ <html><head><title>::\ b374k\ m1n1\ \[0\-9\.\]\+\ ::</title>" "id:1314,phase:1,deny,status:403,log,msg:'shells attack detected'"
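Review bot: All 25 signatures kept in this section log the same `msg:'shells attack detected'`, so an alert can only be attributed to a particular shell family by looking up the numeric id by hand. Give each rule a message that names what it matched and record the matched data, e.g. `msg:'r57 web shell title',logdata:'%{MATCHED_VAR}'` on id:1291. The other sections on this page follow the same one-message-per-file pattern and would benefit from the same change.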


@@ -1,28 +1,16 @@
# Apache ModSecurity rules for SQL
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1224,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1225,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "!@pmFromFile sql-errors.data" "id:1226,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])" "id:1227,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" "id:1228,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()" "id:1229,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)" "id:1230,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)Dynamic SQL Error" "id:1231,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)Exception (?:condition )?d+. Transaction rollback." "id:1232,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)org.hsqldb.jdbc" "id:1233,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)" "id:1234,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)" "id:1235,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" "id:1236,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" "id:1237,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)" "id:1238,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):" "id:1239,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" "id:1240,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)" "id:1241,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" "id:1242,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1243,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1244,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1245,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1246,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1247,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1248,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:Sybase\ message:\|Warning\.\{2,20\}sybase\|Sybase\.\*Server\ message\.\*\)" "id:1288,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:\[DM_QUERY_E_SYNTAX\]\|has\ occurred\ in\ the\ vicinity\ of:\)" "id:1278,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)org\.hsqldb\.jdbc" "id:1281,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)Exception\ \(\?:condition\ \)\?d\+\.\ Transaction\ rollback\." "id:1280,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:<b>Warning</b>:\ ibase_\|Unexpected\ end\ of\ command\ in\ statement\)" "id:1284,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:Warning\.\*sqlite_\.\*\|Warning\.\*SQLite3::\|SQLite/JDBCDriver\|SQLite\.Exception\|System\.Data\.SQLite\.SQLiteException\)" "id:1287,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)\(\?:System\.Data\.OleDb\.OleDbException\|\[Microsoft\]\[ODBC\ SQL\ Server\ Driver\]\|\[Macromedia\]\[SQLServer\ JDBC\ Driver\]\|\[SqlException\|System\.Data\.SqlClient\.SqlException\|Unclosed\ quotation\ mark\ after\ the\ character\ string\|'80040e14'\|mssql_query\(\)\|Microsoft\ OLE\ DB\ Provider\ for\ ODBC\ Drivers\|Microsoft\ OLE\ DB\ Provider\ for\ SQL\ Server\|Incorrect\ syntax\ near\|Sintaxis\ incorrecta\ cerca\ de\|Syntax\ error\ in\ string\ in\ query\ expression\|Procedure\ or\ function\ \.\*\ expects\ parameter\|Unclosed\ quotation\ mark\ before\ the\ character\ string\|Syntax\ error\ \.\*\ in\ query\ expression\|Data\ type\ mismatch\ in\ criteria\ expression\.\|ADODB\.Field\ \(0x800A0BCD\)\|the\ used\ select\ statements\ have\ different\ number\ of\ columns\|OLE\ DB\.\*SQL\ Server\|Warning\.\*mssql_\.\*\|Driver\.\*SQL\[\ _\-\]\*Server\|SQL\ Server\.\*Driver\|SQL\ Server\.\*\[0\-9a\-fA\-F\]\{8\}\|Exception\.\*WSystem\.Data\.SqlClient\.\|Conversion\ failed\ when\ converting\ the\ varchar\ value\ \.\*\?\ to\ data\ type\ int\.\)" "id:1286,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:An\ illegal\ character\ has\ been\ found\ in\ the\ statement\|com\.informix\.jdbc\|Exception\.\*Informix\)" "id:1282,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:SQL\ error\.\*POS\[0\-9\]\+\.\*\|Warning\.\*maxdb\.\*\)" "id:1285,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:Warning\.\*ingres_\|Ingres\ SQLSTATE\|IngresW\.\*Driver\)" "id:1283,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:ORA\-\[0\-9\]\[0\-9\]\[0\-9\]\[0\-9\]\|java\.sql\.SQLException\|Oracle\ error\|Oracle\.\*Driver\|Warning\.\*oci_\.\*\|Warning\.\*ora_\.\*\)" "id:1277,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i:JET\ Database\ Engine\|Access\ Database\ Engine\|\[Microsoft\]\[ODBC\ Microsoft\ Access\ Driver\]\)" "id:1276,phase:1,deny,status:403,log,msg:'sql attack detected'"
SecRule REQUEST_URI "\(\?i\)Dynamic\ SQL\ Error" "id:1279,phase:1,deny,status:403,log,msg:'sql attack detected'"
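Review bot: The rules that appear to be the new side of this section (ids 1276–1288) carry no operator and their patterns look regex-escaped, so ModSecurity falls back to `@rx` and matches the literal text of the old expression; rule 1279 would fire only on a URI containing the characters `(?i)Dynamic SQL Error`, which effectively disables detection in this file. Keep the pattern unescaped and the operator explicit, e.g. `SecRule REQUEST_URI "@rx (?i)Dynamic SQL Error" "id:1279,phase:1,deny,status:403,log,msg:'sql attack detected'"`. The generator also seems to drop backslashes before escaping (`d\+` in 1280 and `IngresW` in 1283 were presumably `\d+` and `\W`), so those character classes need restoring at the source. These strings are database error messages, which would normally be looked for in the response body rather than in `REQUEST_URI` at phase 1, so the intended target is worth confirming. The ids for identical patterns also changed (1231 appears to have become 1279), which would break any existing by-id exclusions.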


@@ -1,76 +1,39 @@
# Apache ModSecurity rules for SQLI
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1042,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1043,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1044,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))" "id:1045,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|p
ace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" "id:1046,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))" "id:1047,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+" "id:1048,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)["'`](?:[sv]*![sv]*["'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?["'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(" "id:1049,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" "id:1050,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]" "id:1051,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+["'`]|;.*?:[sv]*?goto)" "id:1052,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i:merge.*?usings*?(|executes*?immediates*?["'`]|matchs*?[w(),+-]+s*?againsts*?()" "id:1053,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)union.*?select.*?from" "id:1054,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)" "id:1055,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?" "id:1056,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:1057,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}" "id:1058,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|["'0-9A-Z_-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)" "id:1059,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)" "id:1060,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ^(?:[^']*'|[^"]*"|[^`]*`)[sv]*;" "id:1061,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)1.e[(-),]" "id:1062,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ["'`][[{].*[]}]["'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)["'`][[{].*[]}]["'`]|json_extract.*(.*)" "id:1063,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1064,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1065,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?:^s*["'`;]+|["'`]+s*$)" "id:1066,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?["'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|"[^"]*")[sv]+and[sv]+(?:'[^']*'|"[^"]*"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb" "id:1067,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b" "id:1068,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@streq %{TX.2}" "id:1069,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b" "id:1070,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@streq %{TX.2}" "id:1071,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(" "id:1072,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:/*)+["'`]+[sv]?(?:--|[#{]|/*)?|["'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*["'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?["'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)["'`])|[0-9]["'`][sv]+["'`][sv]+[0-9]|^admin[sv]*?["'`]|[sv"'-(`][sv]*?glob[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=" "id:1073,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i),.*?["')0-9`-f]["'`](?:["'`].*?["'`]|(?:r?n)?z|[^"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(" "id:1074,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?["'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+" "id:1075,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+" "id:1076,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|["'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(" "id:1077,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z]["'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+["'`][0-9A-Z_a-z]|["'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]" "id:1078,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?["'`]$|["'x5c`]*?(?:["'0-9`]+|[^"'`]+["'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" "id:1079,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?["'`]|[0-9=]+x)|["'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+["'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?["'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)["'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()" "id:1080,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i:^[Wd]+s*?(?:alter|union)b)" "id:1081,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)" "id:1082,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)["'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?["'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?["'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^["'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+["'`][^,]" "id:1083,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|["'][^=]{1,10}[ "'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')" "id:1084,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]" "id:1085,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)" "id:1086,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(" "id:1087,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" "id:1088,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'" "id:1089,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){12})" "id:1090,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00" "id:1091,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$" "id:1092,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i:b0x[a-fd]{3,})" "id:1093,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" "id:1094,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)["'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])" "id:1095,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^"]*?(?:"[^"]*?"[^"]*?)*?"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b" "id:1096,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ^(?:and|or)$" "id:1097,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ^.*?x5c['"`](?:.*?['"`])?s*(?:and|or)b" "id:1098,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1099,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|p
ace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(" "id:1100,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:1101,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1102,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1103,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?i)W+d*?s*?bhavingbs*?[^s-]" "id:1104,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ["'`][sd]*?[^ws]W*?dW*?.*?["'`d]" "id:1105,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){8})" "id:1106,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){6})" "id:1107,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx W{4}" "id:1108,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" "id:1109,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ';" "id:1110,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1111,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1112,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){3})" "id:1113,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){2})" "id:1114,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)bandb\(\?:\[sv\]\+\(\?:\[0\-9\]\{1,10\}\[sv\]\*\?\[<\->\]\|'\[\^=\]\{1,10\}'\)\|\ \?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\ \?\[<\->\]\+\)" "id:1124,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\^\(\?:\[\^'\]\*\?\(\?:'\[\^'\]\*\?'\[\^'\]\*\?\)\*\?'\|\[\^"\]\*\?\(\?:"\[\^"\]\*\?"\[\^"\]\*\?\)\*\?"\|\[\^`\]\*\?\(\?:`\[\^`\]\*\?`\[\^`\]\*\?\)\*\?`\)\[sv\]\*\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1130,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?:and\|or\)\$" "id:1131,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i:\^\[Wd\]\+s\*\?\(\?:alter\|union\)b\)" "id:1122,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:!\[<\->\]\|<\[=\->\]\?\|>=\?\|\^\|is\[sv\]\+not\|not\[sv\]\+\(\?:like\|r\(\?:like\|egexp\)\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1118,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)1\.e\[\(\-\),\]" "id:1114,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?:\^s\*\["'`;\]\+\|\["'`\]\+s\*\$\)" "id:1115,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@rx\ \^ey\[\-0\-9A\-Z_a\-z\]\+\.ey\[\-0\-9A\-Z_a\-z\]\+\.\[\-0\-9A\-Z_a\-z\]\+\$" "id:1127,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?i:\-0000023456\|4294967295\|4294967296\|2147483648\|2147483647\|0000012345\|\-2147483648\|\-2147483649\|0000023456\|2\.2250738585072007e\-308\|2\.2250738585072011e\-308\|1e309\)\$" "id:1108,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "';" "id:1139,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)\[sv\]\+\[sv0\-9A\-Z_a\-z\]\+=\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?having\[sv\]\+\|like\[\^0\-9A\-Z_a\-z\]\*\?\["'0\-9`\]\)\|\[0\-9A\-Z_a\-z\]\[sv\]\+like\[sv\]\+\["'`\]\|like\[sv\]\*\?\["'`\]%\|select\[sv\]\+\?\[sv"'\-\),\-\.0\-9A\-\[\]_\-z\]\+from\[sv\]\+" "id:1120,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i:b0x\[a\-fd\]\{3,\}\)" "id:1128,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{6\}\)" "id:1137,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1106,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\.\*\?x5c\['"`\]\(\?:\.\*\?\['"`\]\)\?s\*\(\?:and\|or\)b" "id:1132,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{3\}\)" "id:1140,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)union\.\*\?select\.\*\?from" "id:1110,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?\(\?:\(\?:is\[sv\]\+not\|not\[sv\]\+\(\?:like\|glob\|\(\?:betwee\|i\)n\|null\|regexp\|match\)\|mod\|div\|sounds\[sv\]\+like\)b\|\[%\-\&\*\-\+\-/<\->\^\|\]\)" "id:1129,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i:sleep\(s\*\?d\*\?s\*\?\)\|benchmark\(\.\*\?,\.\*\?\)\)" "id:1107,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\["'`\]\[sv\]\*\?b\(\?:x\?or\|div\|like\|between\|and\)b\[sv\]\*\?\["'`\]\?\[0\-9\]\|x5cx\(\?:2\[37\]\|3d\)\|\^\(\?:\.\?\["'`\]\$\|\["'x5c`\]\*\?\(\?:\["'0\-9`\]\+\|\[\^"'`\]\+\["'`\]\)\[sv\]\*\?b\(\?:and\|n\(\?:and\|ot\)\|\(\?:xx\?\)\?or\|div\|like\|between\|\|\|\|\&\&\)b\[sv\]\*\?\["'0\-9A\-Z_\-z\]\[!\&\(\-\)\+\-\.@\]\)\|\[\^sv0\-9A\-Z_a\-z\]\[0\-9A\-Z_a\-z\]\+\[sv\]\*\?\[\-\|\]\[sv\]\*\?\["'`\]\[sv\]\*\?\[0\-9A\-Z_a\-z\]\|@\(\?:\[0\-9A\-Z_a\-z\]\+\[sv\]\+\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\["'0\-9`\]\+\|\[\-0\-9A\-Z_a\-z\]\+\[sv\]\(\?:and\|x\?or\|div\|like\|between\)b\[sv\]\*\?\[\^sv0\-9A\-Z_a\-z\]\)\|\[\^sv0\-:A\-Z_a\-z\]\[sv\]\*\?\[0\-9\]\[\^0\-9A\-Z_a\-z\]\+\[\^sv0\-9A\-Z_a\-z\]\[sv\]\*\?\["'`\]\.\|\[\^0\-9A\-Z_a\-z\]information_schema\|table_name\[\^0\-9A\-Z_a\-z\]" "id:1121,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@detectSQLi" "id:1133,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{2\}\)" "id:1141,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{8\}\)" "id:1136,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "!@streq\ %\{TX\.2\}" "id:1119,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)W\+d\*\?s\*\?bhavingbs\*\?\[\^s\-\]" "id:1134,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b\[sv"'\-\)`\]\*\?\(\?:=\|<=>\|\(\?:sounds\[sv\]\+\)\?like\|glob\|r\(\?:like\|egexp\)\)\[sv"'\-\)`\]\*\?b\(\[0\-9A\-Z_a\-z\]\+\)b" "id:1116,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)b\(\?:orb\(\?:\[sv\]\?\(\?:\[0\-9\]\{1,10\}\|\["'\]\[\^=\]\{1,10\}\["'\]\)\[sv\]\?\[<\->\]\+\|\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|xorb\[sv\]\+\(\?:\[0\-9\]\{1,10\}\|'\[\^=\]\{1,10\}'\)\(\?:\[sv\]\*\?\[<\->\]\)\?\)\|'\[sv\]\+x\?or\[sv\]\+\.\{1,20\}\[!\+\-<\->\]" "id:1123,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)select\[sv\]\*\?pg_sleep\|waitfor\[sv\]\*\?delay\[sv\]\?\["'`\]\+\[sv\]\?\[0\-9\]\|;\[sv\]\*\?shutdown\[sv\]\*\?\(\?:\[\#;\{\]\|/\*\|\-\-\)" "id:1111,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)create\[sv\]\+function\[sv\]\.\+\[sv\]returns\|;\[sv\]\*\?\(\?:alter\|\(\?:\(\?:cre\|trunc\|upd\)at\|renam\)e\|d\(\?:e\(\?:lete\|sc\)\|rop\)\|\(\?:inser\|selec\)t\|load\)b\[sv\]\*\?\[\(\[\]\?\[0\-9A\-Z_a\-z\]\{2,\}" "id:1112,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "@streq\ %\{TX\.2\}" "id:1117,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "W\{4\}" "id:1138,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)autonomous_transaction\|\(\?:current_use\|n\?varcha\|tbcreato\)r\|db\(\?:a_users\|ms_java\)\|open\(\?:owa_util\|query\|rowset\)\|s\(\?:p_\(\?:\(\?:addextendedpro\|sqlexe\)c\|execute\(\?:sql\)\?\|help\|is_srvrolemember\|makewebtask\|oacreate\|p\(\?:assword\|repare\)\|replwritetovarbin\)\|ql_\(\?:longvarchar\|variant\)\)\|utl_\(\?:file\|http\)\|xp_\(\?:availablemedia\|\(\?:cmdshel\|servicecontro\)l\|dirtree\|e\(\?:numdsn\|xecresultset\)\|filelist\|loginconfig\|makecab\|ntsec\(\?:_enumdomains\)\?\|reg\(\?:addmultistring\|delete\(\?:key\|value\)\|enum\(\?:key\|value\)s\|re\(\?:ad\|movemultistring\)\|write\)\|terminate\(\?:_process\)\?\)" "id:1125,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\(\?:\[\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\[\^\~!@\#\$%\^\&\*\(\)\-\+=\{\}\[\]\|:;"'´`<>\]\*\?\)\{12\}\)" "id:1126,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\^\(\?:\[\^'\]\*'\|\[\^"\]\*"\|\[\^`\]\*`\)\[sv\]\*;" "id:1113,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\(\?i\)alter\[sv\]\*\?\[0\-9A\-Z_a\-z\]\+\.\*\?char\(\?:acter\)\?\[sv\]\+set\[sv\]\+\[0\-9A\-Z_a\-z\]\+\|\["'`\]\(\?:;\*\?\[sv\]\*\?waitfor\[sv\]\+\(\?:time\|delay\)\[sv\]\+\["'`\]\|;\.\*\?:\[sv\]\*\?goto\)" "id:1109,phase:1,deny,status:403,log,msg:'sqli attack detected'"
SecRule REQUEST_URI "\["'`\]\[sd\]\*\?\[\^ws\]W\*\?dW\*\?\.\*\?\["'`d\]" "id:1135,phase:1,deny,status:403,log,msg:'sqli attack detected'"


File diff suppressed because one or more lines are too long


File diff suppressed because one or more lines are too long


@@ -2,95 +2,35 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "!@eq 0") {
if ($request_uri ~* "content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within |%{tx.allowed_request_content_type_charset}|") {
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^content-types*:s*(.*)$") {
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx content-transfer-encoding:(.*)") {
if ($request_uri ~* ".") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "[nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "TX:paramcounter_(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx unix:[^|]*|") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "unix:[^|]*|") {
set $attack_detected 1;
}
@@ -98,7 +38,15 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .") {
if ($request_uri ~* "^content-types*:s*(.*)$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
@@ -106,23 +54,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx TX:paramcounter_(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (][^]]+$|][^]]+[)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [") {
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
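Review bot: The pattern `"[nr]"` in the first hunk has lost its backslashes, so it matches any URI containing the letter n or r instead of a CR/LF, and `"."` just before it matches every non-empty URI. Both lines lack the `@rx` prefix that the other side of the hunk carries, so they appear to be the new side, although the +/- markers are not visible here. If `$attack_detected` later triggers a deny (not shown in this hunk), nearly every request would be rejected. Because `$request_uri` holds the raw, still percent-encoded URI, a CR/LF check would be written as `if ($request_uri ~* "%0[ad]") {`, and the generator should keep regex escapes such as `\d`, `\s` and `\b` intact when it emits a pattern.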


@@ -2,79 +2,23 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 5") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
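Review bot: Every condition in this section, for example `"@ge %{tx.inbound_anomaly_score_threshold}"` and `"@lt 2"`, is a ModSecurity operator expression that nginx compiles as a plain regex over the URI text, so it can only match a URI that literally contains that string. The +/- markers are not visible, but the hunk header shows 23 lines remaining and every line here has this form. nginx has no `tx` collection or anomaly score, so these blocks add no detection while making the ruleset look larger than it is. The generator should emit an `if` only for rules whose operator is a regex and whose variable is the request URI, and replace the rest with a comment such as `# skipped: ModSecurity operator with no nginx equivalent`. The same applies to the `@within`, `@validateByteRange` and `@gt %{tx...}` lines in the next section and to the `@ge`/`@lt` and `@ipMatch 127.0.0.1,::1` sections after it.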


@@ -2,383 +2,15 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_methods}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (d+)-(d+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt %{tx.1}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)application/x-www-form-urlencoded") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx %u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)multipart/form-data") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$") {
if ($request_uri ~* "b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charsets*=s*["']?([^;"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_http_versions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx %[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ['";=]") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
@@ -386,51 +18,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)up") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1;
}
@@ -438,15 +26,199 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:?[01])?$") {
if ($request_uri ~* "^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "(d+)-(d+)") {
set $attack_detected 1;
}
if ($request_uri ~* ".[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1;
}
if ($request_uri ~* "x25") {
set $attack_detected 1;
}
if ($request_uri ~* "['\";=]") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "%u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "^$") {
set $attack_detected 1;
}
if ($request_uri ~* "charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* "charsets*=s*[\"']?([^;\"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "%[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* ".([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
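Review bot: Several patterns in the last hunk of this section were written for a request method, header or argument value but are matched against `$request_uri`: `"['\";=]"` is true for any URI with a `key=value` query string, `"%[0-9a-fA-F]{2}"` for any percent-encoded character and `"^.*$"` for every request, while `"^(?:GET|HEAD)$"` can never match a URI. They sit in the hunk that grows from 15 to 199 lines and carry no `@rx` prefix, so they appear to be added lines, although the markers are not visible. If `$attack_detected` leads to a 403 elsewhere in the file, ordinary traffic would be blocked. The generator should drop patterns whose source rule does not inspect the URI, or bind them to the matching nginx variable, e.g. `if ($request_method ~ "^(?:GET|HEAD)$") {`, and only where the original rule treated that match as an attack on its own, which looks unlikely for these.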


@@ -2,70 +2,14 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
@@ -74,102 +18,6 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.inbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 4") {
set $attack_detected 1;
}
@@ -178,43 +26,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge %{tx.outbound_anomaly_score_threshold}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}


@@ -6,19 +6,15 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith (internal dummy connection)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$") {
if ($request_uri ~* "^(?:GET /|OPTIONS *) HTTP/[12].[01]$") {
set $attack_detected 1;
}
if ($request_uri ~* "@ipMatch 127.0.0.1,::1") {
set $attack_detected 1;
}
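Review bot: The rewritten rule `if ($request_uri ~* "^(?:GET /|OPTIONS *) HTTP/[12].[01]$")` can never match, because `$request_uri` holds only the path and query string, not the method or protocol version; the full request line is in `$request`. The `^`-anchored argument patterns in later file sections (`^(?:jsessionid|…)$`, `^(?:ht|f)tps?://`, `^(?i:file|ftps?|https?)://`) have the same problem, since `$request_uri` normally starts with `/`. Pointing this rule at `$request` would not be right either: next to `@ipMatch 127.0.0.1,::1` and `(internal dummy connection)` it looks like an exemption for local health probes, and as a block rule it would deny `GET /`. I would drop it from the block list, or leave a comment such as `# upstream exemption for local dummy connections, not a detection rule`. The `location /` block opens above this hunk, so how `$attack_detected` is consumed is not visible here.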


@@ -2,23 +2,7 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:ht|f)tps?://(.*?)/") {
if ($request_uri ~* "^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
@@ -26,35 +10,15 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
if ($request_uri ~* "^(?:ht|f)tps?://(.*?)/") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)") {
set $attack_detected 1;
}
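Review bot: The patterns on the un-prefixed lines have lost their regex backslashes, so `(?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb)` looks for a literal `cookieb` and runs of the letter `W` instead of a word boundary and non-word characters, and the rule no longer detects what it was written for. The intended form is presumably `"(?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"`. The same loss shows in the other file sections of this commit (`[sv]*` for `[\s\v]*`, `x5c` for `\x5c`, `d{1,3}` for `\d{1,3}`, `^5d{2}$`), so it is probably the generator that strips them, and the fix belongs there. The `@rx`-prefixed lines already had the escapes stripped, so this commit did not introduce the loss, but it leaves the broken patterns as the only rules in the file.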


@@ -2,75 +2,15 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "[s*constructors*]") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "@{.*}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sv]+Function[sv]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sv]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sv]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[["'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)["'`]])|(?:binding|constructor|env|global|main(?:Module)?|process|require)[|console(?:.(?:debug|error|info|trace|warn)(?:.call)?(|[["'`](?:debug|error|info|trace|warn)["'`]])|require(?:.(?:resolve(?:.call)?(|main|extensions|cache)|[["'`](?:(?:resolv|cach)e|main|extensions)["'`]])") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sv]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile ssrf.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:__proto__|constructors*(?:.|[)s*prototype)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx Process[sv]*.[sv]*spawn[sv]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|"[^"]+"|'[^']+'|`[^`]+`)).*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^data:(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][--.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sv]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][--.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [s*constructors*]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx @{.*}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "while[sv]*([sv(]*(?:!+(?:false|null|undefined|NaN|[+-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[+-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)b|{.*}|[.*]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*)") {
set $attack_detected 1;
}
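Review bot: `if ($request_uri ~* "[s*constructors*]")` is a character class, not the bracketed word it was meant to be: it matches any single one of the letters c, n, o, r, s, t, u or `*`, case-insensitively, so nearly every URI sets `$attack_detected`. If this file ends in a `return 403` on that flag, as another file section in this commit does, ordinary traffic is denied. The intended pattern is presumably `"\[\s*constructor\s*\]"`. The traversal rule `[x5c/;].{2,3}[x5c/;]` in a later section over-matches in a similar way, on any two- or three-character path segment.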


@@ -2,23 +2,11 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [a-z]:x5cinetpubb") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error.</h2>|cannot connect to the server: timed out)") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile iis-errors.data") {
if ($request_uri ~* "[a-z]:x5cinetpubb") {
set $attack_detected 1;
}
@@ -26,31 +14,7 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx bServer Error in.{0,50}?bApplicationb") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "bServer Error in.{0,50}?bApplicationb") {
set $attack_detected 1;
}
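Review bot: The signatures kept here (`Microsoft OLE DB Provider for SQL Server …`, `<h1>internal server error</h1>`, `bServer Error in.{0,50}?bApplicationb`, `[a-z]:x5cinetpubb`) describe error pages a server sends back, but they are tested against `$request_uri`, and an `if` in a `location` is evaluated before any response exists. As written they give no protection against error-page disclosure while reading as if they do. The same applies to the directory-listing and `^5d{2}$` status rules and to the web-shell page titles in later sections. I would either leave these out of the nginx output or mark them, e.g. `# response-body signature: not enforceable from $request_uri`, and keep outbound leakage checks in the ModSecurity ruleset.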


@@ -2,106 +2,6 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?:URLENCODED|MULTIPART|XML|JSON)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?:URLENCODED|MULTIPART|XML|JSON)") {
set $attack_detected 1;
}
@@ -110,15 +10,19 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[a-f]*([0-9])[a-f]*([0-9])") {
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@lt %{tx.sampling_percentage}") {
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt %{tx.blocking_paranoia_level}") {
if ($request_uri ~* "^[a-f]*([0-9])[a-f]*([0-9])") {
set $attack_detected 1;
}
if ($request_uri ~* "^.*$") {
set $attack_detected 1;
}
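Review bot: `if ($request_uri ~* "^.*$")` matches every request, so `$attack_detected` is always 1 after this block; if this file ends in the same `if ($attack_detected = 1) { return 403; }` that another section of the commit shows, the location denies all traffic. The neighbouring `"@eq 1"` and `"@eq 0"` lines, which appear to stay on the new side, still carry a ModSecurity operator as a literal regex and only match a URI containing that text. Upstream these look like initialisation and sampling checks on transaction variables rather than attack signatures, so they have no nginx equivalent and I would leave them out of the generated file. The end of the `location` block is outside this hunk.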


@@ -2,139 +2,55 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx java.lang.(?:runtime|processbuilder)") {
if ($request_uri ~* "javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:runtime|processbuilder)") {
if ($request_uri ~* "(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:unmarshaller|base64data|java.)") {
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
if ($request_uri ~* "(?:unmarshaller|base64data|java.)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:runtime|processbuilder)") {
if ($request_uri ~* "(?:rO0ABQ|KztAAU|Cs7QAF)") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-classes.data") {
if ($request_uri ~* "(?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.(?:jsp|jspx).*$") {
if ($request_uri ~* "(?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
if ($request_uri ~* ".*.(?:jsp|jspx).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
if ($request_uri ~* "(?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
if ($request_uri ~* "xacxedx00x05") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)|jndi|ctx)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx xacxedx00x05") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:rO0ABQ|KztAAU|Cs7QAF)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx javab.+(?:runtime|processbuilder)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:$|&dollar;?)(?:{|&l(?:brace|cub);?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-code-leakages.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile java-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "java.lang.(?:runtime|processbuilder)") {
set $attack_detected 1;
}
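Review bot: The bare rules `(?:runtime|processbuilder)` and `(?:unmarshaller|base64data|java.)` now stand alone, and matched case-insensitively against the URI they flag ordinary paths such as `/javascript/app.js` or `/runtime.js`. Upstream they look like the two halves of a chained rule that only fires when both match, which a flat list of `if` blocks cannot express. Since `java.lang.(?:runtime|processbuilder)` and `javab.+(?:runtime|processbuilder)` are kept as well, I would drop the two bare halves rather than block on either word alone.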


@@ -2,47 +2,15 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "^5d{2}$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>[To Parent Directory]</[Aa]><br>)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^#!s?/") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^5d{2}$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "^#!s?/") {
set $attack_detected 1;
}


@@ -2,55 +2,7 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[0-1]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile lfi-os-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile restricted-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile lfi-os-files.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))") {
set $attack_detected 1;
}
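Review bot: The only traversal rule left on the new side, `(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$))`, works on literal separators, while `$request_uri` is the raw, undecoded request target, so percent-encoded dot and slash sequences are not examined at all. The pattern that handled the encoded forms (the `%2f` / `%2e` / `%c0%af` alternation) has no counterpart after this change. Either that pattern should be carried over with its escapes intact, or a comment should say where encoded traversal is handled instead, e.g. `# encoded ../ not checked here; relies on nginx URI normalisation`.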


@@ -2,23 +2,15 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-config-directives.data") {
if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
set $attack_detected 1;
}
@@ -26,71 +18,11 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-variables.data") {
if ($request_uri ~* "(?i)<?(?:=|php)?s+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-function-names-933150.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?["']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:*.**/|/.*)|#.*[sv]|")*["']*)?[sv]*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx [oOcC]:d+:".+?":d+:{.*}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx $+(?:[a-zA-Z_x7f-xff][a-zA-Z0-9_x7f-xff]*|s*{.+})(?:s|[.+]|{.+}|/*.**/|//.*|#.*)*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+));") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-function-names-933151.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm (") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[sv]|/*.**/|(?:#|//).*)*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .*.(?:phpd*|phtml)..*$") {
if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
set $attack_detected 1;
}
@@ -98,63 +30,19 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:((?:.+)(?:["'][-0-9A-Z_a-z]+["'])?(.+|[^)]*string[^)]*)[sv"'--.0-9A-[]_a-{}]+([^)]*)|(?:[[0-9]+]|{[0-9]+}|$[^(-),.-/;x5c]+|["'][-0-9A-Zx5c_a-z]+["'])(.+))(?:;|$)?") {
if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* ".*.(?:phpd*|phtml)..*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-errors.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<?(?:=|php)?s+") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile php-errors-pl2.data") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
set $attack_detected 1;
}
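Review bot: `if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$")` fires on any URI that contains a PHP extension, so on a site that serves `.php` endpoints it flags normal requests such as `/index.php`; `".*.(?:phpd*|phtml)..*$"` does the same as soon as a query string follows. Upstream these patterns appear to be meant for uploaded file names, not for the request path. nginx has no variable for multipart file names, so I would leave both out of the generated file, or at least mark them `# upload-filename rule; do not apply to $request_uri`. Part of this `location` block lies outside the visible hunks.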


File diff suppressed because one or more lines are too long


@@ -2,35 +2,7 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:file|ftps?|https?).*??+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
if ($request_uri ~* "^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
set $attack_detected 1;
}
@@ -38,30 +10,6 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}


@@ -2,91 +2,39 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "<title>Mini Shell</title>.*Developed By LameHacker") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "^<html>rn<head>rn<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@pmFromFile web-shells-php.data") {
if ($request_uri ~* "^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
if ($request_uri ~* "^<html>n<head>n<div align=\"left\"><font size=\"1\">Input command :</font></div>n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
if ($request_uri ~* "^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
if ($request_uri ~* "^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Mini Shell</title>.*Developed By LameHacker") {
if ($request_uri ~* "^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
if ($request_uri ~* ">SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ *<html>n[ ]+<head>n[ ]+<title>lostDC -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<title>PHP Web Shell</title>rn<html>rn<body>rn <!-- Replaces command with Base64-encoded Data -->") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<div align="left"><font size="1">Input command :</font></div>n<form name="cmd" method="POST" enctype="multipart/form-data">") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>rn<head>rn<meta http-equiv="Content-Type" content="text/html; charset=gb2312">rn<title>PhpSpy Ver [0-9]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
if ($request_uri ~* "^<html>n<head>n<title>Ru24PostWebShell -") {
set $attack_detected 1;
}
@@ -94,47 +42,63 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
if ($request_uri ~* "<title>.:: .* ~ Ashiyane V [0-9.]+ ::.</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=") {
if ($request_uri ~* "<title>CasuS [0-9.]+ by MafiABoY</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^<html>n<title>.*? ~ Shell I</title>n<head>n<style>") {
if ($request_uri ~* "<title>lama's'hell v. [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
if ($request_uri ~* "<title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ -") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
if ($request_uri ~* "^ <html>nn<head>nn<title>g00nshell v[0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
if ($request_uri ~* "<small>NGHshell [0-9.]+ by Cr4sh</body></html>n$") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style="margin-bottom: 0">webadmin.php</h1>") {
if ($request_uri ~* "^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "^<html>n <head>n <title>azrail [0-9.]+ by C-W-M</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "<title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<html>rn<head>rn<title>GRP WebShell [0-9.]+") {
set $attack_detected 1;
}
if ($request_uri ~* "<title>Symlink_Sa [0-9.]+</title>") {
set $attack_detected 1;
}
if ($request_uri ~* "^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell</title>") {
set $attack_detected 1;
}


@@ -2,103 +2,55 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i)Exception (?:condition )?d+. Transaction rollback.") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pmFromFile sql-errors.data") {
if ($request_uri ~* "(?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])") {
if ($request_uri ~* "(?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)") {
if ($request_uri ~* "(?i)org.hsqldb.jdbc") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+()") {
if ($request_uri ~* "(?i)Dynamic SQL Error") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") {
if ($request_uri ~* "(?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)Dynamic SQL Error") {
if ($request_uri ~* "(?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver])") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)Exception (?:condition )?d+. Transaction rollback.") {
if ($request_uri ~* "(?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)org.hsqldb.jdbc") {
if ($request_uri ~* "(?i:ORA-[0-9][0-9][0-9][0-9]|java.sql.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix)") {
if ($request_uri ~* "(?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver)") {
if ($request_uri ~* "(?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[(-)_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error):") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)() [:|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException)") {
set $attack_detected 1;
}
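Review bot: The regex escapes are missing from the new patterns in this hunk, so several no longer match what they were written for: in `Exception (?:condition )?d+. Transaction rollback.` the `d+` matches literal `d` characters rather than digits, and `[Microsoft][ODBC Microsoft Access Driver]` is read as two character classes instead of the bracketed driver string. Escaped quotes (`\"`) survive elsewhere on the page, so this looks like the rule converter dropping backslashes rather than a display artefact; the first of these would read `if ($request_uri ~* "Exception (?:condition )?\d+\. Transaction rollback\.") {`, and `~*` already makes the leading `(?i)` redundant. Separately, every pattern here is a database error message, which would appear in a response body rather than in `$request_uri`, so even with correct escaping these tests cannot see the output they describe; consider leaving this family out of the nginx output. The `location /` block continues past the end of the hunk, so how `$attack_detected` is acted on is not visible here.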


@@ -2,11 +2,51 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:b0x[a-fd]{3,})") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?:[^']*'|[^\"]*\"|[^`]*`)[sv]*;") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+[\"'`]|like[sv]*?[\"'`]%|select[sv]+?[sv\"'-),-.0-9A-[]_-z]+from[sv]+") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?[\"'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:^[Wd]+s*?(?:alter|union)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "W{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){8})") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}") {
set $attack_detected 1;
}
@@ -14,283 +54,91 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|p
ace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:select|;)[sv]+(?:benchmark|if|sleep)[sv]*?([sv]*?(?[sv]*?[0-9A-Z_a-z]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'`](?:[sv]*![sv]*["'0-9A-Z_-z]|;?[sv]*(?:having|select|unionb[sv]*(?:all|(?:distin|sele)ct))b[sv]*[^sv])|b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[sv]*?|select.*?[0-9A-Z_a-z]?user)(|exec(?:ute)?[sv]+master.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[sv+]+(?:dump|out)file[sv]*?["'`]|union(?:[sv]select[sv]@|[sv(0-9A-Z_a-z]*?select))|[sv]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[sv]*?(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sv(-)]case[sv]+when.*?then|)[sv]*?like[sv]*?(|select.*?having[sv]*?[^sv]+[sv]*?[^sv0-9A-Z_a-z]|if[sv]?([0-9A-Z_a-z]+[sv]*?[<->~]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|["'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+["'`]|;.*?:[sv]*?goto)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:merge.*?usings*?(|executes*?immediates*?["'`]|matchs*?[w(),+-]+s*?againsts*?()") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)union.*?select.*?from") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)select[sv]*?pg_sleep|waitfor[sv]*?delay[sv]?["'`]+[sv]?[0-9]|;[sv]*?shutdown[sv]*?(?:[#;{]|/*|--)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]?") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sv]+function[sv].+[sv]returns|;[sv]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sv]*?[([]?[0-9A-Z_a-z]{2,}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)b[sv]*(?|end[sv]*?);)|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|["'0-9A-Z_-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]+[0-9A-Z_a-z]+|u(?:pdate[sv]+[0-9A-Z_a-z]+|nion[sv]*(?:all|(?:sele|distin)ct)b)|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject))b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:/*[!+](?:[ws=_-()]+)?*/)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:[^']*'|[^"]*"|[^`]*`)[sv]*;") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)1.e[(-),]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ["'`][[{].*[]}]["'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|?[&|]?|#>>?|[<>]|<-)["'`][[{].*[]}]["'`]|json_extract.*(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^s*["'`;]+|["'`]+s*$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)!=|&&||||>[=->]|<(?:<|=>?|>(?:[sv]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?["'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[sv]*()|r(?:egexp|like)[sv]+binary|not[sv]+between[sv]+(?:0[sv]+and|(?:'[^']*'|"[^"]*")[sv]+and[sv]+(?:'[^']*'|"[^"]*"))|is[sv]+null|like[sv]+(?:null|[0-9A-Z_a-z]+[sv]+escapeb)|(?:^|[^0-9A-Z_a-z])in[sv+]*([sv"0-9]+[^(-)]*)|[!<->]{1,2}[sv]*allb") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:=|<=>|(?:sounds[sv]+)?like|glob|r(?:like|egexp))[sv"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[sv"'-)`]*?b([0-9A-Z_a-z]+)b[sv"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:/*)+["'`]+[sv]?(?:--|[#{]|/*)?|["'`](?:[sv]*(?:(?:x?or|and|div|like|between)[sv-0-9A-Z_a-z]+[(-)+--<->][sv]*["'0-9`]|[!=|](?:[sv -!+-0-9=]+.*?["'-(`].*?|[sv -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|;)|(?:[<>~]+|[sv]*[^sv0-9A-Z_a-z]?=[sv]*|[^0-9A-Z_a-z]*?[+=]+[^0-9A-Z_a-z]*?)["'`])|[0-9]["'`][sv]+["'`][sv]+[0-9]|^admin[sv]*?["'`]|[sv"'-(`][sv]*?glob[^0-9A-Z_a-z]+["'-(0-9A-Z_-z]|[sv]is[sv]*?0[^0-9A-Z_a-z]|where[sv][sv,-.0-9A-Z_a-z]+[sv]=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i),.*?["')0-9`-f]["'`](?:["'`].*?["'`]|(?:r?n)?z|[^"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[sv]*?([sv]*?space[sv]*?(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sv(]+[0-9A-Z_a-z]+[sv)]*?[!+=]+[sv0-9]*?["'-)=`]|[0-9](?:[sv]*?(?:and|between|div|like|x?or)[sv]*?[0-9]+[sv]*?[+-]|[sv]+group[sv]+by.+()|/[0-9A-Z_a-z]+;?[sv]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[sv]*?(?:alter|drop|(?:insert|update)[sv]*?[0-9A-Z_a-z]{2,})|@.+=[sv]*?([sv]*?select|[^0-9A-Z_a-z]SET[sv]*?@[0-9A-Z_a-z]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'`][sv]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)[sv]+[sv0-9A-Z_a-z]+=[sv]*?[0-9A-Z_a-z]+[sv]*?having[sv]+|like[^0-9A-Z_a-z]*?["'0-9`])|[0-9A-Z_a-z][sv]+like[sv]+["'`]|like[sv]*?["'`]%|select[sv]+?[sv"'-),-.0-9A-[]_-z]+from[sv]+") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i))[sv]*?when[sv]*?[0-9]+[sv]*?then|["'`][sv]*?(?:[#{]|--)|/*![sv]?[0-9]+|b(?:(?:binary|cha?r)[sv]*?([sv]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[sv]+[0-9A-Z_a-z]+()|(?:|||&&)[sv]*?[0-9A-Z_a-z]+(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:([sv]*?select[sv]*?[0-9A-Z_a-z]+|coalesce|order[sv]+by[sv]+if[0-9A-Z_a-z]*?)[sv]*?(|*/from|+[sv]*?[0-9]+[sv]*?+[sv]*?@|[0-9A-Z_a-z]["'`][sv]*?(?:(?:[+-=@|]+[sv]+?)+|[+-=@|]+)[(0-9]|@@[0-9A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]|[^0-9A-Z_a-z]!+["'`][0-9A-Z_a-z]|["'`](?:;[sv]*?(?:if|while|begin)|[sv0-9]+=[sv]*?[0-9])|[sv(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[sv(]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?["'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?["'`]$|["'x5c`]*?(?:["'0-9`]+|[^"'`]+["'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?["'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?["'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?["'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?["'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)in[sv]*?(+[sv]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)[sv+0-9A-Z_a-z]+(?:regexp[sv]*?(|sounds[sv]+like[sv]*?["'`]|[0-9=]+x)|["'`](?:[sv]*?(?:[0-9][sv]*?(?:--|#)|is[sv]*?(?:[0-9].+["'`]?[0-9A-Z_a-z]|[.0-9]+[sv]*?[^0-9A-Z_a-z].*?["'`]))|[%-&<->^]+[0-9][sv]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[+-0-9A-Z_a-z]+[sv]*?=[sv]*?[0-9][^0-9A-Z_a-z]+||?[-0-9A-Z_a-z]{3,}[^sv,.0-9A-Z_a-z]+)["'`]|[sv]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[sv]+|(?:|||&&)[sv]*)(?:array[sv]*[|[0-9A-Z_a-z]+(?:[sv]*!?~|[sv]+(?:not[sv]+)?similar[sv]+to[sv]+)|(?:tru|fals)eb))|bexcept[sv]+(?:selectb|values[sv]*?()") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:^[Wd]+s*?(?:alter|union)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sv]+(?:char|group_concat|load_file)[sv]?(?|end[sv]*?);|[sv(]load_file[sv]*?(|["'`][sv]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][sv]+asb[sv]*["'0-9A-Z_-z]+[sv]*bfrom|^[^A-Z_a-z]+[sv]*?(?:create[sv]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[sv]*(?:all|(?:sele|distin)ct))|alter[sv]*(?:a(?:(?:ggregat|pplication[sv]*rol)e|s(?:sembl|ymmetric[sv]*ke)y|u(?:dit|thorization)|vailability[sv]*group)|b(?:roker[sv]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[sv]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[sv]*group|in)))|m(?:a(?:s(?:k|ter[sv]*key)|terialized)|e(?:ssage[sv]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[sv]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[sv]*schema|srobject)))b)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'`](?:[sv]*?(?:(?:*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?["'`]|(?:x?or|div|like|between|and)[sv][^0-9]+[-0-9A-Z_a-z]+.*?)[0-9]|[^sv0-9?A-Z_a-z]+[sv]*?[^sv0-9A-Z_a-z]+[sv]*?["'`]|[^sv0-9A-Z_a-z]+[sv]*?[^A-Z_a-z].*?(?:#|--))|.*?*[sv]*?[0-9])|^["'`]|[%(-+-<>][-0-9A-Z_a-z]+[^sv0-9A-Z_a-z]+["'`][^,]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:havingb(?:[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')[sv]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|["'][^=]{1,10}[ "'<-?[]+))|ex(?:ecute(?:(|[sv]{1,5}[$.0-9A-Z_a-z]{1,5}[sv]{0,3})|ists[sv]*?([sv]*?selectb)|(?:create[sv]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)()|select.*?case|from.*?limit|order[sv]by|exists[sv](?:[sv]select|s(?:elect[^sv](?:if(?:null)?[sv](|top|concat)|ystem[sv]()|bhavingb[sv]+[0-9]{1,10}|'[^=]{1,10}')") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|["'][^=]{1,10}["'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|["'][^=]{1,10}["']) ?[<->]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))'") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){12})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx /*!?|*/|[';]--|--(?:[sv]|[^-]*?-)|[^&-]#.*?[sv]|;?x00") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:b0x[a-fd]{3,})") {
if ($request_uri ~* "(?i)W+d*?s*?bhavingbs*?[^s-]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)") {
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){3})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'`][sv]*?(?:(?:is[sv]+not|not[sv]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[sv]+like)b|[%-&*-+-/<->^|])") {
if ($request_uri ~* "(?i)b(?:orb(?:[sv]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[sv]?[<->]+|[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|xorb[sv]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[sv]*?[<->])?)|'[sv]+x?or[sv]+.{1,20}[!+-<->]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^"]*?(?:"[^"]*?"[^"]*?)*?"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[sv]*([0-9A-Z_a-z]+)b") {
if ($request_uri ~* "(?i)union.*?select.*?from") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:and|or)$") {
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){2})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*?x5c['"`](?:.*?['"`])?s*(?:and|or)b") {
if ($request_uri ~* "(?i)alter[sv]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sv]+set[sv]+[0-9A-Z_a-z]+|[\"'`](?:;*?[sv]*?waitfor[sv]+(?:time|delay)[sv]+[\"'`]|;.*?:[sv]*?goto)") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectSQLi") {
if ($request_uri ~* "@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|p
ace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*(") {
if ($request_uri ~* "(?:^s*[\"'`;]+|[\"'`]+s*$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)create[sv]+(?:function|procedure)[sv]*?[0-9A-Z_a-z]+[sv]*?([sv]*?)[sv]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sv]*?[0-9A-Z_a-z]+|iv[sv]*?([+-]*[sv.0-9]+,[+-]*[sv.0-9]+))|exec[sv]*?([sv]*?@|(?:lo_(?:impor|ge)t|procedure[sv]+analyse)[sv]*?(|;[sv]*?(?:declare|open)[sv]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sv]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)") {
if ($request_uri ~* "';") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "^(?:and|or)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){12})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)W+d*?s*?bhavingbs*?[^s-]") {
if ($request_uri ~* "(?i)[sv\"'-)`]*?b([0-9A-Z_a-z]+)b[sv\"'-)`]*?(?:![<->]|<[=->]?|>=?|^|is[sv]+not|not[sv]+(?:like|r(?:like|egexp)))[sv\"'-)`]*?b([0-9A-Z_a-z]+)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ["'`][sd]*?[^ws]W*?dW*?.*?["'`d]") {
if ($request_uri ~* "[\"'`][sd]*?[^ws]W*?dW*?.*?[\"'`d]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){8})") {
if ($request_uri ~* "(?i)[\"'`][sv]*?b(?:x?or|div|like|between|and)b[sv]*?[\"'`]?[0-9]|x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[sv]*?b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between||||&&)b[sv]*?[\"'0-9A-Z_-z][!&(-)+-.@])|[^sv0-9A-Z_a-z][0-9A-Z_a-z]+[sv]*?[-|][sv]*?[\"'`][sv]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[sv]+(?:and|x?or|div|like|between)b[sv]*?[\"'0-9`]+|[-0-9A-Z_a-z]+[sv](?:and|x?or|div|like|between)b[sv]*?[^sv0-9A-Z_a-z])|[^sv0-:A-Z_a-z][sv]*?[0-9][^0-9A-Z_a-z]+[^sv0-9A-Z_a-z][sv]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){6})") {
if ($request_uri ~* "(?i)1.e[(-),]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx W{4}") {
if ($request_uri ~* "((?:[~!@#$%^&*()-+={}[]|:;\"'´`<>][^~!@#$%^&*()-+={}[]|:;\"'´`<>]*?){6})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')") {
if ($request_uri ~* "!@streq %{TX.2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ';") {
if ($request_uri ~* "^.*?x5c['\"`](?:.*?['\"`])?s*(?:and|or)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?))") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){3})") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[~!@#$%^&*()-+={}[]|:;"'´`<>][^~!@#$%^&*()-+={}[]|:;"'´`<>]*?){2})") {
if ($request_uri ~* "(?i)bandb(?:[sv]+(?:[0-9]{1,10}[sv]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)") {
set $attack_detected 1;
}


@@ -2,11 +2,39 @@
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "{{.*?}}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
if ($request_uri ~* "(?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<script[^>]*>[sS]*?") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)[\"'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "<[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
@@ -14,127 +42,11 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
if ($request_uri ~* "((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<script[^>]*>[sS]*?") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sv"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|["'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|os
ition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|usc
hanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:["']|W*?uW*?rW*?l[sS]*?()|[^-]*?-W*?mW*?oW*?zW*?-W*?bW*?iW*?nW*?dW*?iW*?nW*?g[^:]*?:W*?uW*?rW*?l[sS]*?(") {
set $attack_detected 1;
}
if ($request_uri ~* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<.*[:]?vmlframe.*?[s/+]*?src[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)(?:v|&#(?:0*8|x0*5)[36];)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*6[26]|x0*(?:98|42));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[t-nr]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;)).") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <[?]?import[s/+S]*?implementation[s/+]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*["'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:<META[s/+].*?charset[s/+]*=)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<APPLET[s/+>]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)<OBJECT[s/+].*?(?:type|codetype|classid|code|data)[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx +ADw-.*(?:+AD4-|>)|<.*+AD4-") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ![!+ ][]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:self|document|this|top|window)s*(?:/*|[[)]).+?(?:]|*/)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:eval|set(?:timeout|interval)|new[sv]+Function|a(?:lert|tob)|btoa)[sv]*(") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ((?:[[^]]*][^.]*.)|Reflect[^.]*.).*(?:map|sort|apply)[^.]*..*call[^`]*`.*`") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)[s"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
if ($request_uri ~* "(?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sv]+(?:%[sv]+)?[^sv]+[sv]+(?:SYSTEM|PUBLIC)|@import|;base64)b") {
set $attack_detected 1;
}
@@ -142,35 +54,51 @@ location / {
set $attack_detected 1;
}
if ($request_uri ~* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W") {
if ($request_uri ~* "(?:xbcs*/s*[^xbe>]*[xbe>])|(?:<s*/s*[^xbe]*xbe)") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i:["'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|x5cu006C)(?:o|x5cu006F)(?:c|x5cu0063)(?:a|x5cu0061)(?:t|x5cu0074)(?:i|x5cu0069)(?:o|x5cu006F)(?:n|x5cu006E)|(?:n|x5cu006E)(?:a|x5cu0061)(?:m|x5cu006D)(?:e|x5cu0065)|(?:o|x5cu006F)(?:n|x5cu006E)(?:e|x5cu0065)(?:r|x5cu0072)(?:r|x5cu0072)(?:o|x5cu006F)(?:r|x5cu0072)|(?:v|x5cu0076)(?:a|x5cu0061)(?:l|x5cu006C)(?:u|x5cu0075)(?:e|x5cu0065)(?:O|x5cu004F)(?:f|x5cu0066)).*?=)") {
if ($request_uri ~* "(?i)<LINK[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)["'][ ]*(?:[^a-z0-9~_:' ]|in).+?[.].+?=") {
if ($request_uri ~* "(?i)<EMBED[s/+].*?(?:src|type).*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx {{.*?}}") {
if ($request_uri ~* "(?i)<[^0-9<>A-Z_a-z]*(?:[^sv\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[sv/]|[\"'](?:.*[sv/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osit
ion(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uscha
nged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[x08-nf-r ]*?=") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "(?i)[s\"'`;/0-9=x0Bx09x0Cx3Bx2Cx28x3B]on[a-zA-Z]{3,25}[sx0Bx09x0Cx3Bx2Cx28x3B]*?=[^=]") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
if ($request_uri ~* "(?i)<BASE[s/+].*?href[s/+]*=") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "xbc[^xbe>]*[xbe>]|<[^xbe]*xbe") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
if ($request_uri ~* "(?i:<style.*?>.*?(?:@[ix5c]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(x5c]|&#x?0*(?:40|28|92|5C);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "@detectXSS") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i:<META[s/+].*?http-equiv[s/+]*=[s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))") {
set $attack_detected 1;
}
if ($request_uri ~* "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W") {
set $attack_detected 1;
}
if ($request_uri ~* "(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=") {
set $attack_detected 1;
}
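Review bot: The regex escapes appear to be lost in the patterns this section adds, so several checks no longer match what they were written for: as rendered here, `(?i)<APPLET[s/+>]` in the first hunk needs a literal `s`, `/`, `+` or `>` after the tag name instead of whitespace, and `(?i)b(?:s(?:tyle|rc)|href)b[sS]*?=` at the end of the last hunk needs literal `b` characters where word boundaries were presumably meant. The `\"` escapes survive on neighbouring lines, which suggests the backslashes were dropped by the rule converter rather than by this page; if so, the generator should emit them unchanged, e.g. `if ($request_uri ~* "(?i)<APPLET[\s/+>]") {`. Separately, `$request_uri` is the raw, undecoded request URI, so percent-encoded input is never compared in its decoded form; either match against a decoded value or state the limitation in a comment at the top of `location /`. The hunks do not show where `$attack_detected` is acted on, so it is worth confirming that a deny step follows these blocks.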


File diff suppressed because one or more lines are too long