From 5852b0ab4def7a137c25a291d07fa1e5c0108f65 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sat, 21 Dec 2024 01:02:14 +0000
Subject: [PATCH] Update: [Sat Dec 21 01:02:14 UTC 2024]
---
 owasp_rules.json | 2 +-
 waf_patterns/haproxy/bots.acl | 670 +++++++++
 waf_patterns/haproxy/waf.acl | 1327 +++++++++++++++++
 waf_patterns/traefik/bots.toml | 673 +++++++++
 waf_patterns/traefik/middleware.toml | 1990 ++++++++++++++++++++++++++
 5 files changed, 4661 insertions(+), 1 deletion(-)
 create mode 100644 waf_patterns/haproxy/bots.acl
 create mode 100644 waf_patterns/haproxy/waf.acl
 create mode 100644 waf_patterns/traefik/bots.toml
 create mode 100644 waf_patterns/traefik/middleware.toml
diff --git a/owasp_rules.json b/owasp_rules.json
index 91112dc..3a6e288 100644
--- a/owasp_rules.json
+++ b/owasp_rules.json
@@ -2651,4 +2651,4 @@
 "category": "CORRELATION",
 "pattern": "@lt 4"
 }
-]
+]
\ No newline at end of file
diff --git a/waf_patterns/haproxy/bots.acl b/waf_patterns/haproxy/bots.acl
new file mode 100644
index 0000000..3e02958
--- /dev/null
+++ b/waf_patterns/haproxy/bots.acl
@@ -0,0 +1,670 @@ +# HAProxy WAF - Bad Bot Blocker +acl bad_bot hdr_sub(User-Agent) -i 01h4x.com +acl bad_bot hdr_sub(User-Agent) -i 360Spider +acl bad_bot hdr_sub(User-Agent) -i 404checker +acl bad_bot hdr_sub(User-Agent) -i 404enemy +acl bad_bot hdr_sub(User-Agent) -i 80legs +acl bad_bot hdr_sub(User-Agent) -i ADmantX +acl bad_bot hdr_sub(User-Agent) -i AIBOT +acl bad_bot hdr_sub(User-Agent) -i ALittle\ Client +acl bad_bot hdr_sub(User-Agent) -i ASPSeek +acl bad_bot hdr_sub(User-Agent) -i Abonti +acl bad_bot hdr_sub(User-Agent) -i Aboundex +acl bad_bot hdr_sub(User-Agent) -i Aboundexbot +acl bad_bot hdr_sub(User-Agent) -i Acunetix +acl bad_bot hdr_sub(User-Agent) -i AdsTxtCrawlerTP +acl bad_bot hdr_sub(User-Agent) -i AfD-Verbotsverfahren +acl bad_bot hdr_sub(User-Agent) -i AhrefsBot +acl bad_bot hdr_sub(User-Agent) -i AiHitBot +acl bad_bot hdr_sub(User-Agent) -i Aipbot +acl bad_bot hdr_sub(User-Agent) -i Alexibot +acl bad_bot hdr_sub(User-Agent) -i AllSubmitter +acl bad_bot hdr_sub(User-Agent) -i Alligator +acl bad_bot hdr_sub(User-Agent) -i AlphaBot +acl bad_bot hdr_sub(User-Agent) -i Anarchie +acl bad_bot hdr_sub(User-Agent) -i Anarchy +acl bad_bot hdr_sub(User-Agent) -i Anarchy99 +acl bad_bot hdr_sub(User-Agent) -i Ankit +acl bad_bot hdr_sub(User-Agent) -i Anthill +acl bad_bot hdr_sub(User-Agent) -i Apexoo +acl bad_bot hdr_sub(User-Agent) -i Aspiegel +acl bad_bot hdr_sub(User-Agent) -i Asterias +acl bad_bot hdr_sub(User-Agent) -i Atomseobot +acl bad_bot hdr_sub(User-Agent) -i Attach +acl bad_bot hdr_sub(User-Agent) -i AwarioBot +acl bad_bot hdr_sub(User-Agent) -i AwarioRssBot +acl bad_bot hdr_sub(User-Agent) -i AwarioSmartBot +acl bad_bot hdr_sub(User-Agent) -i BBBike +acl bad_bot hdr_sub(User-Agent) -i BDCbot +acl bad_bot hdr_sub(User-Agent) -i BDFetch +acl bad_bot hdr_sub(User-Agent) -i BLEXBot +acl bad_bot hdr_sub(User-Agent) -i BackDoorBot +acl bad_bot hdr_sub(User-Agent) -i BackStreet +acl bad_bot hdr_sub(User-Agent) -i BackWeb +acl bad_bot 
hdr_sub(User-Agent) -i Backlink-Ceck +acl bad_bot hdr_sub(User-Agent) -i BacklinkCrawler +acl bad_bot hdr_sub(User-Agent) -i BacklinksExtendedBot +acl bad_bot hdr_sub(User-Agent) -i Badass +acl bad_bot hdr_sub(User-Agent) -i Bandit +acl bad_bot hdr_sub(User-Agent) -i Barkrowler +acl bad_bot hdr_sub(User-Agent) -i BatchFTP +acl bad_bot hdr_sub(User-Agent) -i Battleztar\ Bazinga +acl bad_bot hdr_sub(User-Agent) -i BetaBot +acl bad_bot hdr_sub(User-Agent) -i Bigfoot +acl bad_bot hdr_sub(User-Agent) -i Bitacle +acl bad_bot hdr_sub(User-Agent) -i BlackWidow +acl bad_bot hdr_sub(User-Agent) -i Black\ Hole +acl bad_bot hdr_sub(User-Agent) -i Blackboard +acl bad_bot hdr_sub(User-Agent) -i Blow +acl bad_bot hdr_sub(User-Agent) -i BlowFish +acl bad_bot hdr_sub(User-Agent) -i Boardreader +acl bad_bot hdr_sub(User-Agent) -i Bolt +acl bad_bot hdr_sub(User-Agent) -i BotALot +acl bad_bot hdr_sub(User-Agent) -i Brandprotect +acl bad_bot hdr_sub(User-Agent) -i Brandwatch +acl bad_bot hdr_sub(User-Agent) -i Buck +acl bad_bot hdr_sub(User-Agent) -i Buddy +acl bad_bot hdr_sub(User-Agent) -i BuiltBotTough +acl bad_bot hdr_sub(User-Agent) -i BuiltWith +acl bad_bot hdr_sub(User-Agent) -i Bullseye +acl bad_bot hdr_sub(User-Agent) -i BunnySlippers +acl bad_bot hdr_sub(User-Agent) -i BuzzSumo +acl bad_bot hdr_sub(User-Agent) -i Bytespider +acl bad_bot hdr_sub(User-Agent) -i CATExplorador +acl bad_bot hdr_sub(User-Agent) -i CCBot +acl bad_bot hdr_sub(User-Agent) -i CODE87 +acl bad_bot hdr_sub(User-Agent) -i CSHttp +acl bad_bot hdr_sub(User-Agent) -i Calculon +acl bad_bot hdr_sub(User-Agent) -i CazoodleBot +acl bad_bot hdr_sub(User-Agent) -i Cegbfeieh +acl bad_bot hdr_sub(User-Agent) -i CensysInspect +acl bad_bot hdr_sub(User-Agent) -i ChatGPT-User +acl bad_bot hdr_sub(User-Agent) -i CheTeam +acl bad_bot hdr_sub(User-Agent) -i CheeseBot +acl bad_bot hdr_sub(User-Agent) -i CherryPicker +acl bad_bot hdr_sub(User-Agent) -i ChinaClaw +acl bad_bot hdr_sub(User-Agent) -i Chlooe +acl bad_bot 
hdr_sub(User-Agent) -i Citoid +acl bad_bot hdr_sub(User-Agent) -i Claritybot +acl bad_bot hdr_sub(User-Agent) -i ClaudeBot +acl bad_bot hdr_sub(User-Agent) -i Cliqzbot +acl bad_bot hdr_sub(User-Agent) -i Cloud\ mapping +acl bad_bot hdr_sub(User-Agent) -i Cocolyzebot +acl bad_bot hdr_sub(User-Agent) -i Cogentbot +acl bad_bot hdr_sub(User-Agent) -i Collector +acl bad_bot hdr_sub(User-Agent) -i Copier +acl bad_bot hdr_sub(User-Agent) -i CopyRightCheck +acl bad_bot hdr_sub(User-Agent) -i Copyscape +acl bad_bot hdr_sub(User-Agent) -i Cosmos +acl bad_bot hdr_sub(User-Agent) -i Craftbot +acl bad_bot hdr_sub(User-Agent) -i Crawling\ at\ Home\ Project +acl bad_bot hdr_sub(User-Agent) -i CrazyWebCrawler +acl bad_bot hdr_sub(User-Agent) -i Crescent +acl bad_bot hdr_sub(User-Agent) -i CrunchBot +acl bad_bot hdr_sub(User-Agent) -i Curious +acl bad_bot hdr_sub(User-Agent) -i Custo +acl bad_bot hdr_sub(User-Agent) -i CyotekWebCopy +acl bad_bot hdr_sub(User-Agent) -i DBLBot +acl bad_bot hdr_sub(User-Agent) -i DIIbot +acl bad_bot hdr_sub(User-Agent) -i DSearch +acl bad_bot hdr_sub(User-Agent) -i DTS\ Agent +acl bad_bot hdr_sub(User-Agent) -i DataCha0s +acl bad_bot hdr_sub(User-Agent) -i DatabaseDriverMysqli +acl bad_bot hdr_sub(User-Agent) -i Demon +acl bad_bot hdr_sub(User-Agent) -i Deusu +acl bad_bot hdr_sub(User-Agent) -i Devil +acl bad_bot hdr_sub(User-Agent) -i Digincore +acl bad_bot hdr_sub(User-Agent) -i DigitalPebble +acl bad_bot hdr_sub(User-Agent) -i Dirbuster +acl bad_bot hdr_sub(User-Agent) -i Disco +acl bad_bot hdr_sub(User-Agent) -i Discobot +acl bad_bot hdr_sub(User-Agent) -i Discoverybot +acl bad_bot hdr_sub(User-Agent) -i Dispatch +acl bad_bot hdr_sub(User-Agent) -i DittoSpyder +acl bad_bot hdr_sub(User-Agent) -i DnBCrawler-Analytics +acl bad_bot hdr_sub(User-Agent) -i DnyzBot +acl bad_bot hdr_sub(User-Agent) -i DomCopBot +acl bad_bot hdr_sub(User-Agent) -i DomainAppender +acl bad_bot hdr_sub(User-Agent) -i DomainCrawler +acl bad_bot hdr_sub(User-Agent) -i 
DomainSigmaCrawler +acl bad_bot hdr_sub(User-Agent) -i DomainStatsBot +acl bad_bot hdr_sub(User-Agent) -i Domains\ Project +acl bad_bot hdr_sub(User-Agent) -i Dotbot +acl bad_bot hdr_sub(User-Agent) -i Download\ Wonder +acl bad_bot hdr_sub(User-Agent) -i Dragonfly +acl bad_bot hdr_sub(User-Agent) -i Drip +acl bad_bot hdr_sub(User-Agent) -i ECCP/1.0 +acl bad_bot hdr_sub(User-Agent) -i EMail\ Siphon +acl bad_bot hdr_sub(User-Agent) -i EMail\ Wolf +acl bad_bot hdr_sub(User-Agent) -i EasyDL +acl bad_bot hdr_sub(User-Agent) -i Ebingbong +acl bad_bot hdr_sub(User-Agent) -i Ecxi +acl bad_bot hdr_sub(User-Agent) -i EirGrabber +acl bad_bot hdr_sub(User-Agent) -i EroCrawler +acl bad_bot hdr_sub(User-Agent) -i Evil +acl bad_bot hdr_sub(User-Agent) -i Exabot +acl bad_bot hdr_sub(User-Agent) -i Express\ WebPictures +acl bad_bot hdr_sub(User-Agent) -i ExtLinksBot +acl bad_bot hdr_sub(User-Agent) -i Extractor +acl bad_bot hdr_sub(User-Agent) -i ExtractorPro +acl bad_bot hdr_sub(User-Agent) -i Extreme\ Picture\ Finder +acl bad_bot hdr_sub(User-Agent) -i EyeNetIE +acl bad_bot hdr_sub(User-Agent) -i Ezooms +acl bad_bot hdr_sub(User-Agent) -i FDM +acl bad_bot hdr_sub(User-Agent) -i FHscan +acl bad_bot hdr_sub(User-Agent) -i FacebookBot +acl bad_bot hdr_sub(User-Agent) -i FemtosearchBot +acl bad_bot hdr_sub(User-Agent) -i Fimap +acl bad_bot hdr_sub(User-Agent) -i Firefox/7.0 +acl bad_bot hdr_sub(User-Agent) -i FlashGet +acl bad_bot hdr_sub(User-Agent) -i Flunky +acl bad_bot hdr_sub(User-Agent) -i Foobot +acl bad_bot hdr_sub(User-Agent) -i Freeuploader +acl bad_bot hdr_sub(User-Agent) -i FrontPage +acl bad_bot hdr_sub(User-Agent) -i Fuzz +acl bad_bot hdr_sub(User-Agent) -i FyberSpider +acl bad_bot hdr_sub(User-Agent) -i Fyrebot +acl bad_bot hdr_sub(User-Agent) -i G-i-g-a-b-o-t +acl bad_bot hdr_sub(User-Agent) -i GPTBot +acl bad_bot hdr_sub(User-Agent) -i GT::WWW +acl bad_bot hdr_sub(User-Agent) -i GalaxyBot +acl bad_bot hdr_sub(User-Agent) -i Genieo +acl bad_bot hdr_sub(User-Agent) -i 
GermCrawler +acl bad_bot hdr_sub(User-Agent) -i GetRight +acl bad_bot hdr_sub(User-Agent) -i GetWeb +acl bad_bot hdr_sub(User-Agent) -i Getintent +acl bad_bot hdr_sub(User-Agent) -i Gigabot +acl bad_bot hdr_sub(User-Agent) -i Go!Zilla +acl bad_bot hdr_sub(User-Agent) -i Go-Ahead-Got-It +acl bad_bot hdr_sub(User-Agent) -i GoZilla +acl bad_bot hdr_sub(User-Agent) -i Gotit +acl bad_bot hdr_sub(User-Agent) -i GrabNet +acl bad_bot hdr_sub(User-Agent) -i Grabber +acl bad_bot hdr_sub(User-Agent) -i Grafula +acl bad_bot hdr_sub(User-Agent) -i GrapeFX +acl bad_bot hdr_sub(User-Agent) -i GrapeshotCrawler +acl bad_bot hdr_sub(User-Agent) -i GridBot +acl bad_bot hdr_sub(User-Agent) -i HEADMasterSEO +acl bad_bot hdr_sub(User-Agent) -i HMView +acl bad_bot hdr_sub(User-Agent) -i HTMLparser +acl bad_bot hdr_sub(User-Agent) -i HTTP::Lite +acl bad_bot hdr_sub(User-Agent) -i HTTrack +acl bad_bot hdr_sub(User-Agent) -i Haansoft +acl bad_bot hdr_sub(User-Agent) -i HaosouSpider +acl bad_bot hdr_sub(User-Agent) -i Harvest +acl bad_bot hdr_sub(User-Agent) -i Havij +acl bad_bot hdr_sub(User-Agent) -i Heritrix +acl bad_bot hdr_sub(User-Agent) -i Hloader +acl bad_bot hdr_sub(User-Agent) -i HonoluluBot +acl bad_bot hdr_sub(User-Agent) -i Humanlinks +acl bad_bot hdr_sub(User-Agent) -i HybridBot +acl bad_bot hdr_sub(User-Agent) -i IDBTE4M +acl bad_bot hdr_sub(User-Agent) -i IDBot +acl bad_bot hdr_sub(User-Agent) -i IRLbot +acl bad_bot hdr_sub(User-Agent) -i Iblog +acl bad_bot hdr_sub(User-Agent) -i Id-search +acl bad_bot hdr_sub(User-Agent) -i IlseBot +acl bad_bot hdr_sub(User-Agent) -i Image\ Fetch +acl bad_bot hdr_sub(User-Agent) -i Image\ Sucker +acl bad_bot hdr_sub(User-Agent) -i ImagesiftBot +acl bad_bot hdr_sub(User-Agent) -i IndeedBot +acl bad_bot hdr_sub(User-Agent) -i Indy\ Library +acl bad_bot hdr_sub(User-Agent) -i InfoNaviRobot +acl bad_bot hdr_sub(User-Agent) -i InfoTekies +acl bad_bot hdr_sub(User-Agent) -i Information\ Security\ Team\ InfraSec\ Scanner +acl bad_bot 
hdr_sub(User-Agent) -i InfraSec\ Scanner +acl bad_bot hdr_sub(User-Agent) -i Intelliseek +acl bad_bot hdr_sub(User-Agent) -i InterGET +acl bad_bot hdr_sub(User-Agent) -i InternetMeasurement +acl bad_bot hdr_sub(User-Agent) -i InternetSeer +acl bad_bot hdr_sub(User-Agent) -i Internet\ Ninja +acl bad_bot hdr_sub(User-Agent) -i Iria +acl bad_bot hdr_sub(User-Agent) -i Iskanie +acl bad_bot hdr_sub(User-Agent) -i IstellaBot +acl bad_bot hdr_sub(User-Agent) -i JOC\ Web\ Spider +acl bad_bot hdr_sub(User-Agent) -i JamesBOT +acl bad_bot hdr_sub(User-Agent) -i Jbrofuzz +acl bad_bot hdr_sub(User-Agent) -i JennyBot +acl bad_bot hdr_sub(User-Agent) -i JetCar +acl bad_bot hdr_sub(User-Agent) -i Jetty +acl bad_bot hdr_sub(User-Agent) -i JikeSpider +acl bad_bot hdr_sub(User-Agent) -i Joomla +acl bad_bot hdr_sub(User-Agent) -i Jorgee +acl bad_bot hdr_sub(User-Agent) -i JustView +acl bad_bot hdr_sub(User-Agent) -i Jyxobot +acl bad_bot hdr_sub(User-Agent) -i Kenjin\ Spider +acl bad_bot hdr_sub(User-Agent) -i Keybot\ Translation-Search-Machine +acl bad_bot hdr_sub(User-Agent) -i Keyword\ Density +acl bad_bot hdr_sub(User-Agent) -i Kinza +acl bad_bot hdr_sub(User-Agent) -i Kozmosbot +acl bad_bot hdr_sub(User-Agent) -i LNSpiderguy +acl bad_bot hdr_sub(User-Agent) -i LWP::Simple +acl bad_bot hdr_sub(User-Agent) -i Lanshanbot +acl bad_bot hdr_sub(User-Agent) -i Larbin +acl bad_bot hdr_sub(User-Agent) -i Leap +acl bad_bot hdr_sub(User-Agent) -i LeechFTP +acl bad_bot hdr_sub(User-Agent) -i LeechGet +acl bad_bot hdr_sub(User-Agent) -i LexiBot +acl bad_bot hdr_sub(User-Agent) -i Lftp +acl bad_bot hdr_sub(User-Agent) -i LibWeb +acl bad_bot hdr_sub(User-Agent) -i Libwhisker +acl bad_bot hdr_sub(User-Agent) -i LieBaoFast +acl bad_bot hdr_sub(User-Agent) -i Lightspeedsystems +acl bad_bot hdr_sub(User-Agent) -i Likse +acl bad_bot hdr_sub(User-Agent) -i LinkScan +acl bad_bot hdr_sub(User-Agent) -i LinkWalker +acl bad_bot hdr_sub(User-Agent) -i Linkbot +acl bad_bot hdr_sub(User-Agent) -i 
LinkextractorPro +acl bad_bot hdr_sub(User-Agent) -i LinkpadBot +acl bad_bot hdr_sub(User-Agent) -i LinksManager +acl bad_bot hdr_sub(User-Agent) -i LinqiaMetadataDownloaderBot +acl bad_bot hdr_sub(User-Agent) -i LinqiaRSSBot +acl bad_bot hdr_sub(User-Agent) -i LinqiaScrapeBot +acl bad_bot hdr_sub(User-Agent) -i Lipperhey +acl bad_bot hdr_sub(User-Agent) -i Lipperhey\ Spider +acl bad_bot hdr_sub(User-Agent) -i Litemage_walker +acl bad_bot hdr_sub(User-Agent) -i Lmspider +acl bad_bot hdr_sub(User-Agent) -i Ltx71 +acl bad_bot hdr_sub(User-Agent) -i MFC_Tear_Sample +acl bad_bot hdr_sub(User-Agent) -i MIDown\ tool +acl bad_bot hdr_sub(User-Agent) -i MIIxpc +acl bad_bot hdr_sub(User-Agent) -i MJ12bot +acl bad_bot hdr_sub(User-Agent) -i MQQBrowser +acl bad_bot hdr_sub(User-Agent) -i MSFrontPage +acl bad_bot hdr_sub(User-Agent) -i MSIECrawler +acl bad_bot hdr_sub(User-Agent) -i MTRobot +acl bad_bot hdr_sub(User-Agent) -i Mag-Net +acl bad_bot hdr_sub(User-Agent) -i Magnet +acl bad_bot hdr_sub(User-Agent) -i Mail.RU_Bot +acl bad_bot hdr_sub(User-Agent) -i Majestic-SEO +acl bad_bot hdr_sub(User-Agent) -i Majestic12 +acl bad_bot hdr_sub(User-Agent) -i Majestic\ SEO +acl bad_bot hdr_sub(User-Agent) -i MarkMonitor +acl bad_bot hdr_sub(User-Agent) -i MarkWatch +acl bad_bot hdr_sub(User-Agent) -i Mass\ Downloader +acl bad_bot hdr_sub(User-Agent) -i Masscan +acl bad_bot hdr_sub(User-Agent) -i Mata\ Hari +acl bad_bot hdr_sub(User-Agent) -i MauiBot +acl bad_bot hdr_sub(User-Agent) -i Mb2345Browser +acl bad_bot hdr_sub(User-Agent) -i MeanPath\ Bot +acl bad_bot hdr_sub(User-Agent) -i Meanpathbot +acl bad_bot hdr_sub(User-Agent) -i Mediatoolkitbot +acl bad_bot hdr_sub(User-Agent) -i MegaIndex.ru +acl bad_bot hdr_sub(User-Agent) -i Metauri +acl bad_bot hdr_sub(User-Agent) -i MicroMessenger +acl bad_bot hdr_sub(User-Agent) -i Microsoft\ Data\ Access +acl bad_bot hdr_sub(User-Agent) -i Microsoft\ URL\ Control +acl bad_bot hdr_sub(User-Agent) -i Minefield +acl bad_bot hdr_sub(User-Agent) 
-i Mister\ PiX +acl bad_bot hdr_sub(User-Agent) -i Moblie\ Safari +acl bad_bot hdr_sub(User-Agent) -i Mojeek +acl bad_bot hdr_sub(User-Agent) -i Mojolicious +acl bad_bot hdr_sub(User-Agent) -i MolokaiBot +acl bad_bot hdr_sub(User-Agent) -i Morfeus\ Fucking\ Scanner +acl bad_bot hdr_sub(User-Agent) -i Mozlila +acl bad_bot hdr_sub(User-Agent) -i Mr.4x3 +acl bad_bot hdr_sub(User-Agent) -i Msrabot +acl bad_bot hdr_sub(User-Agent) -i Musobot +acl bad_bot hdr_sub(User-Agent) -i NICErsPRO +acl bad_bot hdr_sub(User-Agent) -i NPbot +acl bad_bot hdr_sub(User-Agent) -i Name\ Intelligence +acl bad_bot hdr_sub(User-Agent) -i Nameprotect +acl bad_bot hdr_sub(User-Agent) -i Navroad +acl bad_bot hdr_sub(User-Agent) -i NearSite +acl bad_bot hdr_sub(User-Agent) -i Needle +acl bad_bot hdr_sub(User-Agent) -i Nessus +acl bad_bot hdr_sub(User-Agent) -i NetAnts +acl bad_bot hdr_sub(User-Agent) -i NetLyzer +acl bad_bot hdr_sub(User-Agent) -i NetMechanic +acl bad_bot hdr_sub(User-Agent) -i NetSpider +acl bad_bot hdr_sub(User-Agent) -i NetZIP +acl bad_bot hdr_sub(User-Agent) -i Net\ Vampire +acl bad_bot hdr_sub(User-Agent) -i Netcraft +acl bad_bot hdr_sub(User-Agent) -i Nettrack +acl bad_bot hdr_sub(User-Agent) -i Netvibes +acl bad_bot hdr_sub(User-Agent) -i NextGenSearchBot +acl bad_bot hdr_sub(User-Agent) -i Nibbler +acl bad_bot hdr_sub(User-Agent) -i Niki-bot +acl bad_bot hdr_sub(User-Agent) -i Nikto +acl bad_bot hdr_sub(User-Agent) -i NimbleCrawler +acl bad_bot hdr_sub(User-Agent) -i Nimbostratus +acl bad_bot hdr_sub(User-Agent) -i Ninja +acl bad_bot hdr_sub(User-Agent) -i Nmap +acl bad_bot hdr_sub(User-Agent) -i Nuclei +acl bad_bot hdr_sub(User-Agent) -i Nutch +acl bad_bot hdr_sub(User-Agent) -i Octopus +acl bad_bot hdr_sub(User-Agent) -i Offline\ Explorer +acl bad_bot hdr_sub(User-Agent) -i Offline\ Navigator +acl bad_bot hdr_sub(User-Agent) -i OnCrawl +acl bad_bot hdr_sub(User-Agent) -i OpenLinkProfiler +acl bad_bot hdr_sub(User-Agent) -i OpenVAS +acl bad_bot hdr_sub(User-Agent) -i 
Openfind +acl bad_bot hdr_sub(User-Agent) -i Openvas +acl bad_bot hdr_sub(User-Agent) -i OrangeBot +acl bad_bot hdr_sub(User-Agent) -i OrangeSpider +acl bad_bot hdr_sub(User-Agent) -i OutclicksBot +acl bad_bot hdr_sub(User-Agent) -i OutfoxBot +acl bad_bot hdr_sub(User-Agent) -i PECL::HTTP +acl bad_bot hdr_sub(User-Agent) -i PHPCrawl +acl bad_bot hdr_sub(User-Agent) -i POE-Component-Client-HTTP +acl bad_bot hdr_sub(User-Agent) -i PageAnalyzer +acl bad_bot hdr_sub(User-Agent) -i PageGrabber +acl bad_bot hdr_sub(User-Agent) -i PageScorer +acl bad_bot hdr_sub(User-Agent) -i PageThing.com +acl bad_bot hdr_sub(User-Agent) -i Page\ Analyzer +acl bad_bot hdr_sub(User-Agent) -i Pandalytics +acl bad_bot hdr_sub(User-Agent) -i Panscient +acl bad_bot hdr_sub(User-Agent) -i Papa\ Foto +acl bad_bot hdr_sub(User-Agent) -i Pavuk +acl bad_bot hdr_sub(User-Agent) -i PeoplePal +acl bad_bot hdr_sub(User-Agent) -i Petalbot +acl bad_bot hdr_sub(User-Agent) -i Pi-Monster +acl bad_bot hdr_sub(User-Agent) -i Picscout +acl bad_bot hdr_sub(User-Agent) -i Picsearch +acl bad_bot hdr_sub(User-Agent) -i PictureFinder +acl bad_bot hdr_sub(User-Agent) -i Piepmatz +acl bad_bot hdr_sub(User-Agent) -i Pimonster +acl bad_bot hdr_sub(User-Agent) -i Pixray +acl bad_bot hdr_sub(User-Agent) -i PleaseCrawl +acl bad_bot hdr_sub(User-Agent) -i Pockey +acl bad_bot hdr_sub(User-Agent) -i ProPowerBot +acl bad_bot hdr_sub(User-Agent) -i ProWebWalker +acl bad_bot hdr_sub(User-Agent) -i Probethenet +acl bad_bot hdr_sub(User-Agent) -i Proximic +acl bad_bot hdr_sub(User-Agent) -i Psbot +acl bad_bot hdr_sub(User-Agent) -i Pu_iN +acl bad_bot hdr_sub(User-Agent) -i Pump +acl bad_bot hdr_sub(User-Agent) -i PxBroker +acl bad_bot hdr_sub(User-Agent) -i PyCurl +acl bad_bot hdr_sub(User-Agent) -i QueryN\ Metasearch +acl bad_bot hdr_sub(User-Agent) -i Quick-Crawler +acl bad_bot hdr_sub(User-Agent) -i RSSingBot +acl bad_bot hdr_sub(User-Agent) -i Rainbot +acl bad_bot hdr_sub(User-Agent) -i RankActive +acl bad_bot 
hdr_sub(User-Agent) -i RankActiveLinkBot +acl bad_bot hdr_sub(User-Agent) -i RankFlex +acl bad_bot hdr_sub(User-Agent) -i RankingBot +acl bad_bot hdr_sub(User-Agent) -i RankingBot2 +acl bad_bot hdr_sub(User-Agent) -i Rankivabot +acl bad_bot hdr_sub(User-Agent) -i RankurBot +acl bad_bot hdr_sub(User-Agent) -i Re-re +acl bad_bot hdr_sub(User-Agent) -i ReGet +acl bad_bot hdr_sub(User-Agent) -i RealDownload +acl bad_bot hdr_sub(User-Agent) -i Reaper +acl bad_bot hdr_sub(User-Agent) -i RebelMouse +acl bad_bot hdr_sub(User-Agent) -i Recorder +acl bad_bot hdr_sub(User-Agent) -i RedesScrapy +acl bad_bot hdr_sub(User-Agent) -i RepoMonkey +acl bad_bot hdr_sub(User-Agent) -i Ripper +acl bad_bot hdr_sub(User-Agent) -i RocketCrawler +acl bad_bot hdr_sub(User-Agent) -i Rogerbot +acl bad_bot hdr_sub(User-Agent) -i SBIder +acl bad_bot hdr_sub(User-Agent) -i SEOkicks +acl bad_bot hdr_sub(User-Agent) -i SEOkicks-Robot +acl bad_bot hdr_sub(User-Agent) -i SEOlyt +acl bad_bot hdr_sub(User-Agent) -i SEOlyticsCrawler +acl bad_bot hdr_sub(User-Agent) -i SEOprofiler +acl bad_bot hdr_sub(User-Agent) -i SEOstats +acl bad_bot hdr_sub(User-Agent) -i SISTRIX +acl bad_bot hdr_sub(User-Agent) -i SMTBot +acl bad_bot hdr_sub(User-Agent) -i SalesIntelligent +acl bad_bot hdr_sub(User-Agent) -i ScanAlert +acl bad_bot hdr_sub(User-Agent) -i Scanbot +acl bad_bot hdr_sub(User-Agent) -i ScoutJet +acl bad_bot hdr_sub(User-Agent) -i Scrapy +acl bad_bot hdr_sub(User-Agent) -i Screaming +acl bad_bot hdr_sub(User-Agent) -i ScreenerBot +acl bad_bot hdr_sub(User-Agent) -i ScrepyBot +acl bad_bot hdr_sub(User-Agent) -i Searchestate +acl bad_bot hdr_sub(User-Agent) -i SearchmetricsBot +acl bad_bot hdr_sub(User-Agent) -i Seekport +acl bad_bot hdr_sub(User-Agent) -i SeekportBot +acl bad_bot hdr_sub(User-Agent) -i SemanticJuice +acl bad_bot hdr_sub(User-Agent) -i Semrush +acl bad_bot hdr_sub(User-Agent) -i SemrushBot +acl bad_bot hdr_sub(User-Agent) -i SentiBot +acl bad_bot hdr_sub(User-Agent) -i SenutoBot +acl 
bad_bot hdr_sub(User-Agent) -i SeoCherryBot +acl bad_bot hdr_sub(User-Agent) -i SeoSiteCheckup +acl bad_bot hdr_sub(User-Agent) -i SeobilityBot +acl bad_bot hdr_sub(User-Agent) -i Seomoz +acl bad_bot hdr_sub(User-Agent) -i Shodan +acl bad_bot hdr_sub(User-Agent) -i Siphon +acl bad_bot hdr_sub(User-Agent) -i SiteCheckerBotCrawler +acl bad_bot hdr_sub(User-Agent) -i SiteExplorer +acl bad_bot hdr_sub(User-Agent) -i SiteLockSpider +acl bad_bot hdr_sub(User-Agent) -i SiteSnagger +acl bad_bot hdr_sub(User-Agent) -i SiteSucker +acl bad_bot hdr_sub(User-Agent) -i Site\ Sucker +acl bad_bot hdr_sub(User-Agent) -i Sitebeam +acl bad_bot hdr_sub(User-Agent) -i Siteimprove +acl bad_bot hdr_sub(User-Agent) -i Sitevigil +acl bad_bot hdr_sub(User-Agent) -i SlySearch +acl bad_bot hdr_sub(User-Agent) -i SmartDownload +acl bad_bot hdr_sub(User-Agent) -i Snake +acl bad_bot hdr_sub(User-Agent) -i Snapbot +acl bad_bot hdr_sub(User-Agent) -i Snoopy +acl bad_bot hdr_sub(User-Agent) -i SocialRankIOBot +acl bad_bot hdr_sub(User-Agent) -i Sociscraper +acl bad_bot hdr_sub(User-Agent) -i Sogou\ web\ spider +acl bad_bot hdr_sub(User-Agent) -i Sosospider +acl bad_bot hdr_sub(User-Agent) -i Sottopop +acl bad_bot hdr_sub(User-Agent) -i SpaceBison +acl bad_bot hdr_sub(User-Agent) -i Spammen +acl bad_bot hdr_sub(User-Agent) -i SpankBot +acl bad_bot hdr_sub(User-Agent) -i Spanner +acl bad_bot hdr_sub(User-Agent) -i Spbot +acl bad_bot hdr_sub(User-Agent) -i Spider_Bot +acl bad_bot hdr_sub(User-Agent) -i Spider_Bot/3.0 +acl bad_bot hdr_sub(User-Agent) -i Spinn3r +acl bad_bot hdr_sub(User-Agent) -i SputnikBot +acl bad_bot hdr_sub(User-Agent) -i Sqlmap +acl bad_bot hdr_sub(User-Agent) -i Sqlworm +acl bad_bot hdr_sub(User-Agent) -i Sqworm +acl bad_bot hdr_sub(User-Agent) -i Steeler +acl bad_bot hdr_sub(User-Agent) -i Stripper +acl bad_bot hdr_sub(User-Agent) -i Sucker +acl bad_bot hdr_sub(User-Agent) -i Sucuri +acl bad_bot hdr_sub(User-Agent) -i SuperBot +acl bad_bot hdr_sub(User-Agent) -i SuperHTTP +acl 
bad_bot hdr_sub(User-Agent) -i Surfbot +acl bad_bot hdr_sub(User-Agent) -i SurveyBot +acl bad_bot hdr_sub(User-Agent) -i Suzuran +acl bad_bot hdr_sub(User-Agent) -i Swiftbot +acl bad_bot hdr_sub(User-Agent) -i Szukacz +acl bad_bot hdr_sub(User-Agent) -i T0PHackTeam +acl bad_bot hdr_sub(User-Agent) -i T8Abot +acl bad_bot hdr_sub(User-Agent) -i Teleport +acl bad_bot hdr_sub(User-Agent) -i TeleportPro +acl bad_bot hdr_sub(User-Agent) -i Telesoft +acl bad_bot hdr_sub(User-Agent) -i Telesphoreo +acl bad_bot hdr_sub(User-Agent) -i Telesphorep +acl bad_bot hdr_sub(User-Agent) -i TheNomad +acl bad_bot hdr_sub(User-Agent) -i The\ Intraformant +acl bad_bot hdr_sub(User-Agent) -i Thumbor +acl bad_bot hdr_sub(User-Agent) -i TightTwatBot +acl bad_bot hdr_sub(User-Agent) -i TinyTestBot +acl bad_bot hdr_sub(User-Agent) -i Titan +acl bad_bot hdr_sub(User-Agent) -i Toata +acl bad_bot hdr_sub(User-Agent) -i Toweyabot +acl bad_bot hdr_sub(User-Agent) -i Tracemyfile +acl bad_bot hdr_sub(User-Agent) -i Trendiction +acl bad_bot hdr_sub(User-Agent) -i Trendictionbot +acl bad_bot hdr_sub(User-Agent) -i True_Robot +acl bad_bot hdr_sub(User-Agent) -i Turingos +acl bad_bot hdr_sub(User-Agent) -i Turnitin +acl bad_bot hdr_sub(User-Agent) -i TurnitinBot +acl bad_bot hdr_sub(User-Agent) -i TwengaBot +acl bad_bot hdr_sub(User-Agent) -i Twice +acl bad_bot hdr_sub(User-Agent) -i Typhoeus +acl bad_bot hdr_sub(User-Agent) -i URLy.Warning +acl bad_bot hdr_sub(User-Agent) -i URLy\ Warning +acl bad_bot hdr_sub(User-Agent) -i UnisterBot +acl bad_bot hdr_sub(User-Agent) -i Upflow +acl bad_bot hdr_sub(User-Agent) -i V-BOT +acl bad_bot hdr_sub(User-Agent) -i VB\ Project +acl bad_bot hdr_sub(User-Agent) -i VCI +acl bad_bot hdr_sub(User-Agent) -i Vacuum +acl bad_bot hdr_sub(User-Agent) -i Vagabondo +acl bad_bot hdr_sub(User-Agent) -i VelenPublicWebCrawler +acl bad_bot hdr_sub(User-Agent) -i VeriCiteCrawler +acl bad_bot hdr_sub(User-Agent) -i VidibleScraper +acl bad_bot hdr_sub(User-Agent) -i Virusdie +acl 
bad_bot hdr_sub(User-Agent) -i VoidEYE +acl bad_bot hdr_sub(User-Agent) -i Voil +acl bad_bot hdr_sub(User-Agent) -i Voltron +acl bad_bot hdr_sub(User-Agent) -i WASALive-Bot +acl bad_bot hdr_sub(User-Agent) -i WBSearchBot +acl bad_bot hdr_sub(User-Agent) -i WEBDAV +acl bad_bot hdr_sub(User-Agent) -i WISENutbot +acl bad_bot hdr_sub(User-Agent) -i WPScan +acl bad_bot hdr_sub(User-Agent) -i WWW-Collector-E +acl bad_bot hdr_sub(User-Agent) -i WWW-Mechanize +acl bad_bot hdr_sub(User-Agent) -i WWW::Mechanize +acl bad_bot hdr_sub(User-Agent) -i WWWOFFLE +acl bad_bot hdr_sub(User-Agent) -i Wallpapers +acl bad_bot hdr_sub(User-Agent) -i Wallpapers/3.0 +acl bad_bot hdr_sub(User-Agent) -i WallpapersHD +acl bad_bot hdr_sub(User-Agent) -i WeSEE +acl bad_bot hdr_sub(User-Agent) -i WebAuto +acl bad_bot hdr_sub(User-Agent) -i WebBandit +acl bad_bot hdr_sub(User-Agent) -i WebCollage +acl bad_bot hdr_sub(User-Agent) -i WebCopier +acl bad_bot hdr_sub(User-Agent) -i WebEnhancer +acl bad_bot hdr_sub(User-Agent) -i WebFetch +acl bad_bot hdr_sub(User-Agent) -i WebFuck +acl bad_bot hdr_sub(User-Agent) -i WebGo\ IS +acl bad_bot hdr_sub(User-Agent) -i WebImageCollector +acl bad_bot hdr_sub(User-Agent) -i WebLeacher +acl bad_bot hdr_sub(User-Agent) -i WebPix +acl bad_bot hdr_sub(User-Agent) -i WebReaper +acl bad_bot hdr_sub(User-Agent) -i WebSauger +acl bad_bot hdr_sub(User-Agent) -i WebStripper +acl bad_bot hdr_sub(User-Agent) -i WebSucker +acl bad_bot hdr_sub(User-Agent) -i WebWhacker +acl bad_bot hdr_sub(User-Agent) -i WebZIP +acl bad_bot hdr_sub(User-Agent) -i Web\ Auto +acl bad_bot hdr_sub(User-Agent) -i Web\ Collage +acl bad_bot hdr_sub(User-Agent) -i Web\ Enhancer +acl bad_bot hdr_sub(User-Agent) -i Web\ Fetch +acl bad_bot hdr_sub(User-Agent) -i Web\ Fuck +acl bad_bot hdr_sub(User-Agent) -i Web\ Pix +acl bad_bot hdr_sub(User-Agent) -i Web\ Sauger +acl bad_bot hdr_sub(User-Agent) -i Web\ Sucker +acl bad_bot hdr_sub(User-Agent) -i Webalta +acl bad_bot hdr_sub(User-Agent) -i 
WebmasterWorldForumBot +acl bad_bot hdr_sub(User-Agent) -i Webshag +acl bad_bot hdr_sub(User-Agent) -i WebsiteExtractor +acl bad_bot hdr_sub(User-Agent) -i WebsiteQuester +acl bad_bot hdr_sub(User-Agent) -i Website\ Quester +acl bad_bot hdr_sub(User-Agent) -i Webster +acl bad_bot hdr_sub(User-Agent) -i Whack +acl bad_bot hdr_sub(User-Agent) -i Whacker +acl bad_bot hdr_sub(User-Agent) -i Whatweb +acl bad_bot hdr_sub(User-Agent) -i Who.is\ Bot +acl bad_bot hdr_sub(User-Agent) -i Widow +acl bad_bot hdr_sub(User-Agent) -i WinHTTrack +acl bad_bot hdr_sub(User-Agent) -i WiseGuys\ Robot +acl bad_bot hdr_sub(User-Agent) -i Wonderbot +acl bad_bot hdr_sub(User-Agent) -i Woobot +acl bad_bot hdr_sub(User-Agent) -i Wotbox +acl bad_bot hdr_sub(User-Agent) -i Wprecon +acl bad_bot hdr_sub(User-Agent) -i Xaldon\ WebSpider +acl bad_bot hdr_sub(User-Agent) -i Xaldon_WebSpider +acl bad_bot hdr_sub(User-Agent) -i Xenu +acl bad_bot hdr_sub(User-Agent) -i YaK +acl bad_bot hdr_sub(User-Agent) -i YoudaoBot +acl bad_bot hdr_sub(User-Agent) -i Zade +acl bad_bot hdr_sub(User-Agent) -i Zauba +acl bad_bot hdr_sub(User-Agent) -i Zermelo +acl bad_bot hdr_sub(User-Agent) -i Zeus +acl bad_bot hdr_sub(User-Agent) -i Zitebot +acl bad_bot hdr_sub(User-Agent) -i ZmEu +acl bad_bot hdr_sub(User-Agent) -i ZoomBot +acl bad_bot hdr_sub(User-Agent) -i ZoominfoBot +acl bad_bot hdr_sub(User-Agent) -i ZumBot +acl bad_bot hdr_sub(User-Agent) -i ZyBorg +acl bad_bot hdr_sub(User-Agent) -i adscanner +acl bad_bot hdr_sub(User-Agent) -i anthropic-ai +acl bad_bot hdr_sub(User-Agent) -i archive.org_bot +acl bad_bot hdr_sub(User-Agent) -i arquivo-web-crawler +acl bad_bot hdr_sub(User-Agent) -i arquivo.pt +acl bad_bot hdr_sub(User-Agent) -i autoemailspider +acl bad_bot hdr_sub(User-Agent) -i awario.com +acl bad_bot hdr_sub(User-Agent) -i backlink-check +acl bad_bot hdr_sub(User-Agent) -i cah.io.community +acl bad_bot hdr_sub(User-Agent) -i check1.exe +acl bad_bot hdr_sub(User-Agent) -i clark-crawler +acl bad_bot 
hdr_sub(User-Agent) -i coccocbot +acl bad_bot hdr_sub(User-Agent) -i cognitiveseo +acl bad_bot hdr_sub(User-Agent) -i cohere-ai +acl bad_bot hdr_sub(User-Agent) -i com.plumanalytics +acl bad_bot hdr_sub(User-Agent) -i crawl.sogou.com +acl bad_bot hdr_sub(User-Agent) -i crawler.feedback +acl bad_bot hdr_sub(User-Agent) -i crawler4j +acl bad_bot hdr_sub(User-Agent) -i dataforseo.com +acl bad_bot hdr_sub(User-Agent) -i dataforseobot +acl bad_bot hdr_sub(User-Agent) -i demandbase-bot +acl bad_bot hdr_sub(User-Agent) -i domainsproject.org +acl bad_bot hdr_sub(User-Agent) -i eCatch +acl bad_bot hdr_sub(User-Agent) -i evc-batch +acl bad_bot hdr_sub(User-Agent) -i everyfeed-spider +acl bad_bot hdr_sub(User-Agent) -i facebookscraper +acl bad_bot hdr_sub(User-Agent) -i gopher +acl bad_bot hdr_sub(User-Agent) -i heritrix +acl bad_bot hdr_sub(User-Agent) -i imagesift.com +acl bad_bot hdr_sub(User-Agent) -i instabid +acl bad_bot hdr_sub(User-Agent) -i internetVista\ monitor +acl bad_bot hdr_sub(User-Agent) -i ips-agent +acl bad_bot hdr_sub(User-Agent) -i isitwp.com +acl bad_bot hdr_sub(User-Agent) -i iubenda-radar +acl bad_bot hdr_sub(User-Agent) -i linkdexbot +acl bad_bot hdr_sub(User-Agent) -i linkfluence +acl bad_bot hdr_sub(User-Agent) -i lwp-request +acl bad_bot hdr_sub(User-Agent) -i lwp-trivial +acl bad_bot hdr_sub(User-Agent) -i magpie-crawler +acl bad_bot hdr_sub(User-Agent) -i meanpathbot +acl bad_bot hdr_sub(User-Agent) -i mediawords +acl bad_bot hdr_sub(User-Agent) -i muhstik-scan +acl bad_bot hdr_sub(User-Agent) -i netEstate\ NE\ Crawler +acl bad_bot hdr_sub(User-Agent) -i oBot +acl bad_bot hdr_sub(User-Agent) -i omgili +acl bad_bot hdr_sub(User-Agent) -i openai +acl bad_bot hdr_sub(User-Agent) -i openai.com +acl bad_bot hdr_sub(User-Agent) -i page\ scorer +acl bad_bot hdr_sub(User-Agent) -i pcBrowser +acl bad_bot hdr_sub(User-Agent) -i plumanalytics +acl bad_bot hdr_sub(User-Agent) -i polaris\ version +acl bad_bot hdr_sub(User-Agent) -i probe-image-size +acl 
bad_bot hdr_sub(User-Agent) -i ripz +acl bad_bot hdr_sub(User-Agent) -i s1z.ru +acl bad_bot hdr_sub(User-Agent) -i satoristudio.net +acl bad_bot hdr_sub(User-Agent) -i scalaj-http +acl bad_bot hdr_sub(User-Agent) -i scan.lol +acl bad_bot hdr_sub(User-Agent) -i seobility +acl bad_bot hdr_sub(User-Agent) -i seocompany.store +acl bad_bot hdr_sub(User-Agent) -i seoscanners +acl bad_bot hdr_sub(User-Agent) -i seostar +acl bad_bot hdr_sub(User-Agent) -i serpstatbot +acl bad_bot hdr_sub(User-Agent) -i sexsearcher +acl bad_bot hdr_sub(User-Agent) -i sitechecker.pro +acl bad_bot hdr_sub(User-Agent) -i siteripz +acl bad_bot hdr_sub(User-Agent) -i sogouspider +acl bad_bot hdr_sub(User-Agent) -i sp_auditbot +acl bad_bot hdr_sub(User-Agent) -i spyfu +acl bad_bot hdr_sub(User-Agent) -i sysscan +acl bad_bot hdr_sub(User-Agent) -i tAkeOut +acl bad_bot hdr_sub(User-Agent) -i trendiction.com +acl bad_bot hdr_sub(User-Agent) -i trendiction.de +acl bad_bot hdr_sub(User-Agent) -i ubermetrics-technologies.com +acl bad_bot hdr_sub(User-Agent) -i voyagerx.com +acl bad_bot hdr_sub(User-Agent) -i webgains-bot +acl bad_bot hdr_sub(User-Agent) -i webmeup-crawler +acl bad_bot hdr_sub(User-Agent) -i webpros.com +acl bad_bot hdr_sub(User-Agent) -i webprosbot +acl bad_bot hdr_sub(User-Agent) -i x09Mozilla +acl bad_bot hdr_sub(User-Agent) -i x22Mozilla +acl bad_bot hdr_sub(User-Agent) -i xpymep1.exe +acl bad_bot hdr_sub(User-Agent) -i zauba.io +acl bad_bot hdr_sub(User-Agent) -i zgrab +http-request deny if bad_bot diff --git a/waf_patterns/haproxy/waf.acl b/waf_patterns/haproxy/waf.acl new file mode 100644 index 0000000..8798c50 --- /dev/null +++ b/waf_patterns/haproxy/waf.acl 
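Review bot: Several entries in the new bots.acl are short or generic tokens, and since every rule is a case-insensitive substring test (`hdr_sub(User-Agent) -i`) feeding one unconditional `http-request deny if bad_bot`, they will reject clients the list is presumably not aimed at. With `-i`, `oBot` matches any User-Agent containing "robot", and `MicroMessenger`, `MQQBrowser` and `Kinza` are tokens sent by end-user browsers rather than crawlers; `Bolt`, `Leap`, `Jetty`, `Titan` and `Twice` are similarly broad. For the short tokens I would drop `-i` so only the exact casing matches, e.g. `acl bad_bot hdr_sub(User-Agent) oBot`, and review the browser tokens before this deny goes live. The header comment should also state the limit of the control, e.g. `# Hygiene filter only: User-Agent is client-supplied, so a client that changes its header is not stopped by this list`. The commit author is github-actions[bot], so the file looks generated and the change would belong in the generating script rather than in this file.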
@@ -0,0 +1,1327 @@ +# HAProxy WAF ACL rules +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if 
block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @unconditionalMatch +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i !@rx (?:URLENCODED|MULTIPART|XML|JSON) +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i !@rx (?:URLENCODED|MULTIPART|XML|JSON) +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @eq 100 +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @rx ^[a-f]*([0-9])[a-f]*([0-9]) +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i nolog +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i !@lt %{tx.sampling_percentage} +http-request deny if block_INITIALIZATION +acl block_INITIALIZATION hdr_sub(User-Agent) -i @lt %{tx.blocking_paranoia_level} +http-request deny if block_INITIALIZATION +acl block_EXCEPTIONS hdr_sub(User-Agent) -i @streq GET / +http-request deny if block_EXCEPTIONS +acl block_EXCEPTIONS hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1 +http-request deny if block_EXCEPTIONS +acl block_EXCEPTIONS hdr_sub(User-Agent) -i @ipMatch 127.0.0.1,::1 +http-request deny if block_EXCEPTIONS +acl block_EXCEPTIONS hdr_sub(User-Agent) -i @endsWith (internal dummy connection) +http-request deny if block_EXCEPTIONS +acl block_EXCEPTIONS hdr_sub(User-Agent) -i @rx ^(?:GET /|OPTIONS *) HTTP/[12].[01]$ +http-request deny if block_EXCEPTIONS +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 1 +http-request deny if 
block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@within %{tx.allowed_methods} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ENFORCEMENT +acl block_DETECTION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @pmFromFile scanners-user-agents.data +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_DETECTION +acl block_DETECTION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_DETECTION +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx (?i)^(?:get /[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options 
*|[a-z]{3,10}[sx0b]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sx0b#]*)?(?:#[^sx0b]*)?)[sx0b]+[.-9A-Z_a-z]+)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^d+$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^(?:GET|HEAD)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^0?$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^(?:GET|HEAD)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @streq POST +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx (d+)-(d+) +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt %{tx.1} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx b(?:keep-alive|close),s?(?:keep-alive|close)b +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx x25 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx 
^(.*)/(?:[^?]+)?(?.*)?$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateUrlEncoding +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^.*%.*.[^sx0b.]+$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateUrlEncoding +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateUtf8Encoding +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx (?i)%uff[0-9a-f]{2} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateByteRange 1-255 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^OPTIONS$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@pm AppleWebKit Android Business Enterprise Entreprise +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^OPTIONS$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^0$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$) 
+http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.max_num_args} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.arg_name_length} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.arg_length} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.total_arg_length} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^(?i)multipart/form-data +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.max_file_size} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt %{tx.combined_file_sizes} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^[w/.+*-]+(?:s?;s*(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?[' +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^[^;s]+ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@within %{tx.allowed_request_content_type} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx charsets*=s*[ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@within %{tx.allowed_request_content_type_charset} 
+http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx charset.*?charset +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@within %{tx.allowed_http_versions} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx .([^.]+)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @within %{tx.restricted_extensions} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx .[^.~]+~(?:/.*|)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^.*$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @within %{tx.restricted_headers_basic} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt 100 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^(?:(?:*|[^! +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@streq JSON +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx (?i)x5cu[0-9a-f]{4} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @contains # +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@endsWith .pdf +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @endsWith .pdf +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx 
^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx %[0-9a-fA-F]{2} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateByteRange 9,10,13,32-126,128-255 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx [' +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^0$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^.*$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @within %{tx.restricted_headers_extended} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^(?i)application/x-www-form-urlencoded +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx x25 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateUrlEncoding +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateByteRange 32-36,38-126 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^(?:OPTIONS|CONNECT)$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@pm AppleWebKit Android +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @ge 1 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx 
^(?i)up +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @gt 0 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip) +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @endsWith .pdf +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6} +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateByteRange 38,44-46,48-58,61,65-90,95,97-122 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @validateByteRange 32,34,38,42-59,61,65-90,95,97-122 +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i !@rx ^(?:?[01])?$ +http-request deny if block_ENFORCEMENT +acl block_ENFORCEMENT hdr_sub(User-Agent) -i @rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789] +http-request deny if block_ENFORCEMENT +acl block_ATTACK hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w +http-request deny if block_ATTACK +acl block_ATTACK 
hdr_sub(User-Agent) -i @rx (?:bhttp/d|<(?:html|meta)b) +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [nr] +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [nr] +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*: +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [nr] +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*) +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx ^[^sx0b,;]+[sx0b,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml) +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx unix:[^|]*| +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [nr] +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx ^[^sx0b,;]+[sx0b,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @gt 0 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx . 
+http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @gt 1 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx (][^]]+$|][^]]+[) +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [ +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i !@eq 0 +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i !@within %{tx.allowed_request_content_type_charset} +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx ^content-types*:s*(.*)$ +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i !@rx ^(?:(?:*|[^! +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx content-transfer-encoding:(.*) +http-request deny if block_ATTACK +acl block_ATTACK hdr_sub(User-Agent) -i @rx [^x21-x7E][x21-x39x3B-x7E]*: +http-request deny if block_ATTACK +acl block_LFI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @rx (?i)(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:.(?:%0[01]|?)?|?.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c)) +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @rx 
(?:(?:^|[x5c/;]).{2,3}[x5c/;]|[x5c/;].{2,3}(?:[x5c/;]|$)) +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @pmFromFile lfi-os-files.data +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @pmFromFile restricted-files.data +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @pmFromFile lfi-os-files.data +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_LFI +acl block_LFI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_LFI +acl block_RFI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3}) +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?):// +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @rx ^(?i:file|ftps?|https?).*??+$ +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*) +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i !@endsWith .%{request_headers.host} +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*) +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i !@endsWith .%{request_headers.host} +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_RFI +acl block_RFI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_RFI +acl block_RCE 
hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @pmFromFile windows-powershell-commands.data +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+] +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx b(?:for(?:/[dflr].*)? %+[^ ]+ in(.*)[sx0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)b|[ (].*(?:b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))b|==))) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ~(?:[+-](?:$|[sx0b0-9]+)|[0-9]+) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:^|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:^|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx !-d +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @pmFromFile unix-shell.data +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ^(s*)s+{ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ^(s*)s+{ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ba[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @pmFromFile restricted-upload.data +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:[nr;`{]|||?|&&?)[sx0b]*[sx0b +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 2 +http-request deny if 
block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?:b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx $(?:((?:.*|(.*)))|{.*}|[.*])|[<>](.*)|/[0-9A-Z_a-z]*[!?.+] +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{] +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx / +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx s +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ^[^#]+ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ^[^.]+.[^;?]+[;?](.*(['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{])) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx / +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx s +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ^[^.]*?(?:['*?x5c`][^n/]+/|/[^/]+?['*?x5c`]|$[!#$(*-0-9?-[_a-{]) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx / +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx s +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i).|(?:[sx0b]*|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)[-0-9_a-z]+(?:[sx0b]*[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i !@rx [0-9]s*'s*[0-9] +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx ;[sx0b]*.[sx0b]*[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx rn.*?b(?:E(?:HLO [-.A-Za-zx17fx212a]{1,255}|XPN .{1,64})|HELO [-.A-Za-zx17fx212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SETb)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [-0-9A-Z_a-zx17fx212a]{1,20} 
(?:(?:[+/-9A-Z_a-zx17fx212a]{4})*(?:[+/-9A-Z_a-zx17fx212a]{2}=|[+/-9A-Z_a-zx17fx212a]{3}))?=|STARTTLSb|NOOPb(?: .{1,255})?) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:A(?:PPEND (?:[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?is)rn.*?b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [-0-9_a-z]{1,20} (?:(?:[+/-9A-Z_a-z]{4})*(?:[+/-9A-Z_a-z]{2}=|[+/-9A-Z_a-z]{3}))?=)) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:^|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:^|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @pmFromFile unix-shell.data +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?:b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx 
(?i)b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[sx0b&)<>|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[sx0b&)<>|]|pt(?:(?:itude)?[sx0b&)<>|]|-get)|r(?:[sx0b&)<>j|]|(?:p|ch)[sx0b&)<>|]|ia2c)|s(?:h?[sx0b&)<>|]|cii(?:-xfr|85)|pell)|t(?:[sx0b&)<>|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[sx0b&)<>|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[sx0b&)<>|]|c))|h[sx0b&)<>|])|tch[sx0b&)<>|])|lkid|pftrace|r(?:eaksw|idge[sx0b&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sx0b&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[sx0b&)<>|]|mp|p(?:[sx0b&)<>|]|io|ulimit)|s(?:h|cli[sx0b&)<>|]|plit|vtool)|u(?:t[sx0b&)<>|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[sx0b&)<>|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[sx0b&)-<>|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sx0b&)<>|]|++)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[sx0b&)<>|]|w(?:say|think))|r(?:ash[sx0b&)<>|]|on(?:[sx0b&)<>|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[sx0b&)<>|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[sx0b&)<>|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[sx0b&)<>|]|n(?:v(?:[sx0b&)<>|]|-update)|d(?:if|sw))|qn|s(?:[sx0b&)<>h|]|ac)|x(?:(?:ec)?[sx0b&)<>|]|iftool|p(?:(?:and|(?:ec|or)t)[sx0b&)<>|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[sx0b&)<>|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[sx0b&)<>|]|le(?:[sx0b&)<>|]|test))|mt|tp(?:[sx0b&)<>|]|stats|who)|acter|o(?:ld[sx0b&)<>|]|reach)|ping)|g(?:c(?:c[^sx0b]|ore)|db|e(?:(?:m|tfacl)[sx0b&)<>|]|ni(?:e[sx0b&)<>|]|soimage))|hci?|i(?:(?:t|mp)[sx0b&)<>|]|nsh)|(?:o|awk)[sx0b&)<>|]|pg|r(?:c|ep[sx0b&)<>|]|oup(?:[sx0b&)<>|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[sx0b&)<>|]|e(?:ad[sx0b&)<>|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[sx0b&)<>|]|onice|spell)|j(?:js|q|ava[sx0b&)<>|]|exec|o(?:(?:bs|in)[sx0b&)<>|]|urnalctl)|runscript)|k(?:s(?:h|shell
)|ill(?:[sx0b&)<>|]|all)|nife[sx0b&)<>|])|l(?:d(?:d?[sx0b&)<>|]|config)|(?:[np]|ynx)[sx0b&)<>|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[sx0b&)<>|]|(?:la)?tex)|z(?:[sx0b&)4<>|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[sx0b&)<>|]|comm|log(?:in)?)|tex[sx0b&)<>|])|ess(?:[sx0b&)<>|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[sx0b&)<>|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[sx0b&)<>|]|il(?:[sx0b&)<>q|]|x[sx0b&)<>|])|ster.passwd|wk)|tr|(?:v|utt)[sx0b&)<>|]|k(?:dir[sx0b&)<>|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[sx0b&)<>|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[sx0b&)<>|]|.(?:openbsd|traditional)|at)|e(?:t(?:[sx0b&)<>|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[sx0b&)<>|]|m(?:[sx0b&)<>|]|ap)|p(?:m[sx0b&)<>|]|ing)|a(?:no[sx0b&)<>|]|sm|wk)|o(?:de[sx0b&)<>|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[sx0b&)<>|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[sx0b&)<>|]|s(?:swd|te[sx0b&)<>|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[sx0b&)<>|]|tp)|g(?:[sx0b&)<>|]|rep)|hp(?:[sx0b&)57<>|]|-cgi)|i(?:(?:co?|ng)[sx0b&)<>|]|p[^sx0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[sx0b&)<>|]|int(?:env|f[sx0b&)<>|]))|s(?:[sx0b&)<>|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:.db)?|xz|er(?:(?:f|ms)[sx0b&)<>|]|l(?:[sx0b&)5<>|]|sh))|opd|u(?:ppet[sx0b&)<>|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[sx0b&)<>|]|k(?:e[sx0b&)<>|]|u))|c(?:p[sx0b&)<>|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[sx0b&)<>|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[sx0b&)<>|]|user)|pm(?:[sx0b&)<>|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[sx0b&)<>|]|sync|u(?:by[^sx0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[sx0b&)<>|])|e(?:(?:d|lf|rvice)[sx0b&)<>|]|t(?:(?:facl)?[sx0b&)<>|]|arch|env|sid)|ndmail)|(?:g|ash)[sx0b&)<>|]|h(?:(?:adow|ells)?[sx0b&)<>|]|.distrib|u(?:f|tdown[sx0b&)<>|]))|s(?:[sx0b&)<>|]|h(?:[sx0b&)<>|
]|-key(?:ge|sca)n|pass))|u(?:[sx0b&)<>|]|do)|vn|diff|ftp|l(?:eep[sx0b&)<>|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[sx0b&)<>|])|p(?:lit[sx0b&)<>|]|wd.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[sx0b&)<>|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[sx0b&)<>|]|il[sx0b&)<>f|]|sk(?:[sx0b&)<>|]|set))|bl|c(?:p(?:[sx0b&)<>|]|dump|ing|traceroute)|l?sh)|e(?:[ex][sx0b&)<>|]|lnet)|i(?:c[sx0b&)<>|]|me(?:(?:out)?[sx0b&)<>|]|datectl))|o(?:p|uch[sx0b&)<>|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[sx0b&)<>|]|n(?:ame|(?:compress|s(?:et|hare))[sx0b&)<>|]|expand|iq|l(?:ink[sx0b&)<>|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[sx0b&)<>|]|std))|p(?:2date[sx0b&)<>|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[sx0b&)<>|]|m(?:[sx0b&)<>|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[sx0b&)<>|])|w(?:[sx0b&)<>c|]|h(?:o(?:[sx0b&)<>|]|ami|is)?|iptail[sx0b&)<>|])|a(?:ll|tch)[sx0b&)<>|]|i(?:reshark|sh[sx0b&)<>|]))|x(?:(?:x|pa)d|z(?:[sx0b&)<>|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[sx0b&)<>|]|um)|z(?:ip(?:[sx0b&)<>|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[sx0b&)<>|])|f?grep|less|more|run|ypper))(?:b|[^0-9A-Z_a-z]) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?i)(?:^|b[ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx rn.*?b(?:DATA|QUIT|HELP(?: .{1,255})?) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx (?is)rn[0-9A-Z_a-z]{1,50}b (?:C(?:(?:REATE|OPY [*,0-:]+) [ +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx rn.*?b(?:(?:QUI|STA|RSE)T|NOOP|CAPA) +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @rx !(?:d|!) 
+http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_RCE +acl block_RCE hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_RCE +acl block_PHP hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @rx (?i) +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @rx (?:((?:.+)(?:[ +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_PHP +acl block_GENERIC hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx _(?:$$ND_FUNC$$_|_js_function)|(?:beval|new[sx0b]+Function[sx0b]*)(|String.fromCharCode|function(){|this.constructor|module.exports=|([sx0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][sx0b]*)|process(?:.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:.call)?(|binding|constructor|env|global|main(?:Module)?|process|require)|[[ +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @pmFromFile ssrf.data +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx (?:__proto__|constructors*(?:.|[)s*prototype) +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx Process[sx0b]*.[sx0b]*spawn[sx0b]*( +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx 
while[sx0b]*([sx0b(]*(?:!+(?:false|null|undefined|NaN|[+-]?0| +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx ^data:(?:(?:*|[^! +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[sx0b]*( +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}.(?:[0-9]{1,3}.[0-9]{5}|[0-9]{8})|(?:x5cx5c[-0-9a-z].?_?)+|[[0-:a-f]+(?:[.0-9]+|%[0-9A-Z_a-z]+)?]|[a-z][-.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[sx0b]*&?@(?:(?:[0-9]{1,3}.){3}[0-9]{1,3}|[a-z][-.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[.0-9]{0,11}(?:xe2(?:x91[xa0-xbf]|x92[x80-xbf]|x93[x80-xa9xab-xbf])|xe3x80x82)+) +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @rx ^(?:[^@]|@[^{])*@+{.*} +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i 
@lt 4 +http-request deny if block_GENERIC +acl block_GENERIC hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_GENERIC +acl block_XSS hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i !@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @detectXSS +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i)]*>[sS]*? +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i).(?:b(?:x(?:link:href|html|mlns)|data:text/html|formaction|patternb.*?=)|!ENTITY[sx0b]+(?:%[sx0b]+)?[^sx0b]+[sx0b]+(?:SYSTEM|PUBLIC)|@import|;base64)b +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url(javascript +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i)<[^0-9<>A-Z_a-z]*(?:[^sx0b +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i)(?:W|^)(?:javascript:(?:[sS]+[=x5c([.<]|[sS]*?(?:bnameb|x5c[ux]d))|data:(?:(?:[a-z]w+/w[w+-]+w)?[;,]|[sS]*?;[sS]*?b(?:base64|charset=)|[sS]*?,[sS]*?<[sS]*?w[sS]*?>))|@W*?iW*?mW*?pW*?oW*?rW*?tW*?(?:/*[sS]*?)?(?:[ +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx 
<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)W +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i:[ +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @rx {{.*?}} +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_XSS +acl block_XSS hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_XSS +acl block_SQLI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @detectSQLi +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*(|(?:information_schema|m(?:aster..sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql.db)|northwind|pg_(?:catalog|toast)|tempdb)b|s(?:chema(?:_nameb|[^0-9A-Z_a-z]*()|(?:qlite_(?:temp_)?master|ys(?:aux|.database_name))b)) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx 
(?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileopt
ion_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*( +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i:sleep(s*?d*?s*?)|benchmark(.*?,.*?)) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)(?:select|;)[sx0b]+(?:benchmark|if|sleep)[sx0b]*?([sx0b]*?(?[sx0b]*?[0-9A-Z_a-z]+ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[sx0b()]case[sx0b]+when.*?then|)[sx0b]*?like[sx0b]*?(|select.*?having[sx0b]*?[^sx0b]+[sx0b]*?[^sx0b0-9A-Z_a-z]|if[sx0b]?([0-9A-Z_a-z]+[sx0b]*?[<->~] +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)alter[sx0b]*?[0-9A-Z_a-z]+.*?char(?:acter)?[sx0b]+set[sx0b]+[0-9A-Z_a-z]+|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i:merge.*?usings*?(|executes*?immediates*?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)union.*?select.*?from +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)select[sx0b]*?pg_sleep|waitfor[sx0b]*?delay[sx0b]?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx 
(?i)[?$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)]? +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)create[sx0b]+function[sx0b].+[sx0b]returns|;[sx0b]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)b[sx0b]*?[([]?[0-9A-Z_a-z]{2,} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)b[sx0b]*(?|end[sx0b]*?);)|[sx0b(]load_file[sx0b]*?(|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)/*[sx0b]*?[!+](?:[sx0b()-0-9=A-Z_a-z]+)?*/ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ^(?:[^']*'|[^ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)1.e[(),] +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx [ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[!=]=|&&||||->|>[=>]|<(?:[<=]|>(?:[sx0b]+binary)?)|b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[sx0b +http-request deny if block_SQLI 
+acl block_SQLI hdr_sub(User-Agent) -i @streq %{TX.2} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[sx0b +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i !@streq %{TX.2} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*( +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)(?:/*)+[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i),.*?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)(?:&&||||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[sx0b(]+[0-9A-Z_a-z]+[sx0b)]*?[!+=]+[sx0b0-9]*?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i))[sx0b]*?when[sx0b]*?[0-9]+[sx0b]*?then|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)(?:([sx0b]*?select[sx0b]*?[0-9A-Z_a-z]+|coalesce|order[sx0b]+by[sx0b]+if[0-9A-Z_a-z]*?)[sx0b]*?(|*/from|+[sx0b]*?[0-9]+[sx0b]*?+[sx0b]*?@|[0-9A-Z_a-z][ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_SQLI +acl 
block_SQLI hdr_sub(User-Agent) -i @rx (?i)in[sx0b]*?(+[sx0b]*?select|(?:(?:N?AND|X?X?OR|DIV|LIKE|BETWEEN|NOT)[sx0b]+|(?:|||&&)[sx0b]*)[sx0b+0-9A-Z_a-z]+(?:regexp[sx0b]*?(|sounds[sx0b]+like[sx0b]*?[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i:^[Wd]+s*?(?:alter|union)b) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[sx0b]+(?:char|group_concat|load_file)[sx0b]?(?|end[sx0b]*?);|[sx0b(]load_file[sx0b]*?(|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:havingb(?:[sx0b]+(?:[0-9]{1,10}|'[^=]{1,10}')[sx0b]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:orb(?:[sx0b]?(?:[0-9]{1,10}|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)bandb(?:[sx0b]+(?:[0-9]{1,10}[sx0b]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx 
(?i)b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[12]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?( +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx 
(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:(?:d(?:bms_[0-9A-Z_a-z]+.|eleteb[^0-9A-Z_a-z]*?bfrom)|(?:groupb.*?bbyb.{1,100}?bhav|overlayb[^0-9A-Z_a-z]*?(.*?b[^0-9A-Z_a-z]*?plac)ing|in(?:nerb[^0-9A-Z_a-z]*?bjoin|sertb[^0-9A-Z_a-z]*?binto|tob[^0-9A-Z_a-z]*?b(?:dump|out)file)|loadb[^0-9A-Z_a-z]*?bdatab.*?binfile|s(?:electb.{1,100}?b(?:(?:.*?bdumpb.*|(?:count|length)b.{1,100}?)bfrom|(?:data_typ|fromb.{1,100}?bwher)e|instr|to(?:_(?:cha|numbe)r|pb.{1,100}?bfrom))|ys_context)|u(?:nionb.{1,100}?bselect|tl_inaddr))b|printb[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?(a|@@version|;[^0-9A-Z_a-z]*?b(?:drop|shutdown))b|'(?:dbo|msdasql|s(?:a|qloledb))' +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i !ARGS:foo +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ((?:[~!@#$%^&*()-+={}[]|:; +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx [a-zA-Z0-9_-]{61,61} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx [a-zA-Z0-9_-]{91,91} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx /*!?|*/|[';]--|--(?:[sx0b]|[^-]*?-)|[^&-]#.*?[sx0b]|;?x00 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i !@rx ^ey[-0-9A-Z_a-z]+.ey[-0-9A-Z_a-z]+.[-0-9A-Z_a-z]+$ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i:b0x[a-fd]{3,}) +http-request deny if block_SQLI 
+acl block_SQLI hdr_sub(User-Agent) -i @rx (?:`(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)[ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ^(?:and|or)$ +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ^.*?x5c[' +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @detectSQLi +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_null
s)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*( +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)create[sx0b]+(?:function|procedure)[sx0b]*?[0-9A-Z_a-z]+[sx0b]*?([sx0b]*?)[sx0b]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][sx0b]*?[0-9A-Z_a-z]+|iv[sx0b]*?([+-]*[sx0b.0-9]+,[+-]*[sx0b.0-9]+))|exec[sx0b]*?([sx0b]*?@|(?:lo_(?:impor|ge)t|procedure[sx0b]+analyse)[sx0b]*?(|;[sx0b]*?(?:declare|open)[sx0b]+[-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[sx0b]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t) +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?i)W+d*?s*?bhavingbs*?[^s-] +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx [ 
+http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i !REQUEST_COOKIES:foo_id +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ((?:[~!@#$%^&*()-+={}[]|:; +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ((?:[~!@#$%^&*()-+={}[]|:; +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx W{4} +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx (?:'(?:(?:[ws=_-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)') +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx '; +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ((?:[~!@#$%^&*()-+={}[]|:; +http-request deny if block_SQLI +acl block_SQLI hdr_sub(User-Agent) -i @rx ((?:[~!@#$%^&*()-+={}[]|:; +http-request deny if block_SQLI +acl block_FIXATION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @rx (?i:.cookieb.*?;W*?(?:expires|domain)W*?=|bhttp-equivW+set-cookieb) +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$ +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @rx ^(?:ht|f)tps?://(.*?)/ +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i !@endsWith %{request_headers.host} +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @rx 
^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$ +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @eq 0 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_FIXATION +acl block_FIXATION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_FIXATION +acl block_JAVA hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx java.lang.(?:runtime|processbuilder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:runtime|processbuilder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?i)(?:unmarshaller|base64data|java.) 
+http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:runtime|processbuilder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @pmFromFile java-classes.data +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx .*.(?:jsp|jspx).*$ +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]{0,15}(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?)(?:[^}]*(?:$|$?)(?:{|&l(?:brace|cub);?)|jndi|ctx) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx xacxedx00x05 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:rO0ABQ|KztAAU|Cs7QAF) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx javab.+(?:runtime|processbuilder) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:class.module.classLoader.resources.context.parent.pipeline|springframework.context.support.FileSystemXmlApplicationContext) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 3 +http-request deny if 
block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU) +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @rx (?i)(?:$|$?)(?:{|&l(?:brace|cub);?) 
+http-request deny if block_JAVA +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 4 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 4 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 4 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge 4 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge %{tx.inbound_anomaly_score_threshold} +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @ge %{tx.inbound_anomaly_score_threshold} +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_EVALUATION +acl 
block_EVALUATION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_EVALUATION +acl block_EVALUATION hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_EVALUATION +acl block_LEAKAGES hdr_sub(User-Agent) -i @eq 1 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @pm gzip compress deflate br zstd +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>[To Parent Directory]
) +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @rx ^#!s?/ +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @rx ^5d{2}$ +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_LEAKAGES +acl block_LEAKAGES hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_LEAKAGES +acl block_SQL hdr_sub(User-Agent) -i @pm gzip compress deflate br zstd +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i !@pmFromFile sql-errors.data +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:JET Database Engine|Access Database Engine|[Microsoft][ODBC Microsoft Access Driver]) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)bORA-[0-9][0-9][0-9][0-9][0-9]:|java.sql.SQLException|Oracle(?: erro|[^()]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20}) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:DB2 SQL error:|[IBM][CLI Driver][DB2/6000]|CLI Driver.*DB2|DB2 SQL error|db2_w+() +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:[DM_QUERY_E_SYNTAX]|has occurred in the vicinity of:) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)Dynamic SQL Error +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)Exception (?:condition )?d+. Transaction rollback. 
+http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)org.hsqldb.jdbc +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:An illegal character has been found in the statement|com.informix.jdbc|Exception.*Informix) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:Warning.*ingres_|Ingres SQLSTATE|IngresW.*Driver) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:Warning: ibase_|Unexpected end of command in statement) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)(?:System.Data.OleDb.OleDbException|[Microsoft][ODBC SQL Server Driver]|[Macromedia][SQLServer JDBC Driver]|[SqlException|System.Data.SqlClient.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query()|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression.|ADODB.Field (0x800A0BCD)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*WSystem.Data.SqlClient.|Conversion failed when converting the varchar value .*? to data type int.) 
+http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array()|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient.)|[MySQL][ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[()_a-z]{1,26})?|(?:ERROR [0-9]{4} ([0-9a-z]{5})|XPATH syntax error): +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)() [|org.postgresql.util.PSQLException):|Warning.{1,20}bpg_.*|valid PostgreSQL result|Npgsql.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*) +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_SQL +acl block_SQL hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_SQL +acl block_JAVA hdr_sub(User-Agent) -i @pm gzip compress deflate br zstd +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) 
-i @pmFromFile java-code-leakages.data +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @pmFromFile java-errors.data +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_JAVA +acl block_JAVA hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_JAVA +acl block_PHP hdr_sub(User-Agent) -i @pm gzip compress deflate br zstd +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @pmFromFile php-errors.data +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @rx (?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b +http-request deny if block_PHP +acl block_PHP hdr_sub(User-Agent) -i @rx (?i).{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error.

|cannot connect to the server: timed out) +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @pmFromFile iis-errors.data +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i !@rx ^404$ +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @rx bServer Error in.{0,50}?bApplicationb +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 2 +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 3 +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_IIS +acl block_IIS hdr_sub(User-Agent) -i @lt 4 +http-request deny if block_IIS +acl block_SHELLS hdr_sub(User-Agent) -i @pm gzip compress deflate br zstd +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @lt 1 +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @pmFromFile web-shells-php.data +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx r57 Shell Version [0-9.]+|r57 shell +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^.*?(?: -)? W[Ss][Oo] [0-9.]+ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx B4TM4N SH3LL.* +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx Mini Shell.*Developed By LameHacker +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx .:: .* ~ Ashiyane V [0-9.]+ ::. 
+http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx Symlink_Sa [0-9.]+ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx CasuS [0-9.]+ by MafiABoY +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^rnrnGRP WebShell [0-9.]+ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>n$ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^<!DOCTYPE html>n<html>n<!-- By Artyum .*<title>Web Shell +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx lama's'hell v. [0-9.]+ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^ *n[ ]+n[ ]+lostDC - +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^<title>PHP Web Shellrnrnrn +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^nn
nnRu24PostWebShell +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^rnrnnnnng00nshell v[0-9.]+ +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @contains <title>punkholicshell +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx ^n n azrail [0-9.]+ by C-W-M +http-request deny if block_SHELLS +acl block_SHELLS hdr_sub(User-Agent) -i @rx >SmEvK_PaThAn Shell v[0-9]+ coded by n.*? ~ Shell Inn