Merge 2.5.x changes to trunk.

rules/base_rules/modsecurity_40_generic_attacks.data

@@ -0,0 +1,277 @@
+set-cookie
+.cookie
+expiressys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwritejscript
+onsubmit
+copyparentfolder
+javascript
+meta
+onchange
+onmove
+onkeydown
+onkeyup
+activexobject
+onerror
+onmouseup
+ecmascript
+bexpression
+onmouseover
+vbscript:
+<![cdata[
+http:
+.innerhtml
+settimeout
+shell:
+onabort
+asfunction:
+onkeypress
+onmousedown
+onclick
+.fromcharcode
+background-image:
+.cookie
+x-javascript
+ondragdrop
+onblur
+mocha:
+javascript:
+onfocus
+lowsrc
+getparentfolder
+onresize
+@import
+alert
+script
+onselect
+onmouseout
+application
+onmousemove
+background
+.execscript
+livescript:
+vbscript
+getspecialfolder
+.addimport
+iframe
+onunload
+createtextrange
+<input
+onload.www_acl
+.htpasswd
+.htaccess
+httpd.conf
+boot.ini
+/etc/
+.htgroup
+global.asa
+.wwwaclnet.exe
+cmd.exe
+cmd
+telnet.exe
+wguest.exe
+ftp.exe
+nmap.exe
+wsh.exe
+rcmd.exe
+nc.exe
+cmd32.exechgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++chgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++<?

rules/base_rules/modsecurity_41_sql_injection_attacks.data

@@ -0,0 +1,114 @@
+sys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwrite

rules/base_rules/modsecurity_46_et_sql_injection.data

@@ -0,0 +1,346 @@
+/ASPKAT.ASP
+/DocPay.w2b
+/G_Display.php
+/HABERLER.ASP
+/HaberDetay.asp
+/News/page.asp
+/OmegaMw7.asp
+/ProductDetails.asp
+/Search/DisplayResults.php
+/SecureLoginManager/list.asp
+/SelGruFra.asp
+/Types.asp
+/ViewBugs.php
+/ViewCat.php
+/ViewReport.php
+/account_change.php
+/activeNews_categories.asp
+/activeNews_comments.asp
+/activenews_search.asp
+/activenews_view.asp
+/actualpic.asp
+/ad.asp
+/add2.php
+/add_comment.php
+/addrating.php
+/admin.asp
+/admin.php
+/admin/admin_acronyms.php
+/admin/admin_annonce/changeannonce.php
+/admin/admin_annonce/okvalannonce.php
+/admin/admin_mail_adressee.asp
+/admin/admin_membre/fiche_membre.php
+/admin/cms/opentree.php
+/admin/config.php
+/admin/edit.asp
+/admin/memberlist.php
+/admin/modules/modules.php
+/admin_check_user.asp
+/admin_hacks_list.php
+/admincp/attachment.php
+/administration/administre2.php
+/albmgr.php
+/applications/SecureLoginManager/inc_secureloginmanager.asp
+/aramayap.asp
+/archives.php
+/articles.asp
+/artreplydelete.asp
+/auth.php
+/badword.asp
+/banner.php
+/bb-includes/formatting-functions.php
+/blocks/block-Old_Articles.php
+/boxx/ShowAppendix.asp
+/bry.asp
+/bt-trackback.php
+/bus_details.asp
+/calendar_detail.asp
+/cart.inc.php
+/cat.asp
+/categoria.php
+/category.php
+/cats.asp
+/cgi-bin/reorder2.asp
+/check_vote.php
+/class/debug/debug_show.php
+/class/table_broken.php
+/classes/class.news.php
+/classes/class_session.php
+/code/guestadd.php
+/com_comment.php
+/comersus_optReviewReadExec.asp
+/comment.php
+/comments.php
+/compareHomes.asp
+/compare_product.php
+/connexion.php
+/content.asp
+/content.php
+/coupon_detail.asp
+/dagent/downloadreport.asp
+/database/table/user.php
+/db_ecard.php
+/default.asp
+/default2.asp
+/detail.asp
+/detail.php
+/details.asp
+/dettaglio.asp
+/devami.asp
+/diary.php
+/dirSub.asp
+/dircat.asp
+/directions.php
+/directory.php
+/dispimage.asp
+/displayCalendar.asp
+/display_review.php
+/displaypic.asp
+/dl.php
+/dlwallpaper.php
+/down.asp
+/down_indir.asp
+/download_image.asp
+/duyuru.asp
+/eWebQuiz.asp
+/edit.asp
+/edit_day.php
+/email.php
+/error.asp
+/etkinlikbak.asp
+/example.php
+/faq.php
+/faqDsp.asp
+/filecheck.php
+/filelist.asp
+/forgotpass.asp
+/forum.asp
+/forum.php
+/forum/include/error/autherror.cfm
+/forum/modules/gallery/post.php
+/forum/pop_up_member_search.asp
+/forum2.asp
+/forums.php
+/functions.php
+/functions/functions_filters.asp
+/gallery.asp
+/gallery.php
+/game.php
+/game_listing.php
+/getnewsitem.php
+/giris.asp
+/giris_yap.asp
+/glossaire-p-f.php
+/gmail.php
+/goster.asp
+/guestbook.php
+/h_goster.asp
+/haber.asp
+/haberdetay.asp
+/haberoku.asp
+/home.php
+/homeDetail.asp
+/i-search.php
+/inc/class_users.php
+/inc/common.php
+/inc_listnews.asp
+/include.php
+/includes/a_register.asp
+/includes/mambo.php
+/includes/nsbypass.php
+/includes/rating.php
+/index.asp
+/index.cfm
+/index.php
+/index1.asp
+/info_book.asp
+/info_user.asp
+/inlinemod.php
+/inout/status.asp
+/inout/update.asp
+/install.php
+/item.asp
+/item.php
+/item_list.asp
+/item_show.asp
+/ixm_ixpnews.php
+/journal.php
+/jump.php
+/kategori.asp
+/kernel/group.php
+/kullanicilistesi.asp
+/letterman.class.php
+/lib/entry_reply_entry.php
+/linkslist.asp
+/lire-avis.php
+/list.asp
+/list.php
+/list_comments.php
+/listfull.asp
+/listings.asp
+/listmain.asp
+/listmembers.php
+/listpics.asp
+/login.asp
+/login.php
+/login/register.asp
+/logon_user.php
+/low.php
+/mailer.w2b
+/main.asp
+/main/auth/my_progress.php
+/main_page.php
+/mainfile.php
+/manufacturer.php
+/meal_rest.asp
+/members.asp
+/mesajkutum.asp
+/mezungiris.asp
+/mod.php
+/mod_banners.php
+/models/category.php
+/modules.php
+/modules/Advertising/admin/index.php
+/modules/News/index.php
+/modules/admin/modules/gallery.php
+/modules/mod_mainmenu/menu.php
+/moscomment.php
+/mystats.php
+/navigacija.php
+/news.asp
+/news.php
+/news_detail.asp
+/news_page.asp
+/newsdetail.asp
+/newsletters/edition.php
+/nickpage.php
+/nukesentinel.php
+/ogretmenkontrol.asp
+/oku.asp
+/openPolicy.asp
+/open_tree.php
+/openlink.asp
+/orange.asp
+/order-track.php
+/outputs.php
+/page.asp
+/page.php
+/pages/addcomment2.php
+/pfs/pfs.edit.inc.php
+/philboard_forum.asp
+/phonemessage.asp
+/php-stats.recphp.php
+/plugins/authentication/ldap.php
+/plugins/ipsearch/ipsearch.admin.php
+/plugins/mp3playlist/mp3playlist.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/pms.php
+/pollmentorres.asp
+/polls.php
+/pop_profile.asp
+/post.php
+/postingdetails.php
+/preferences.asp
+/prikazInformacije.php
+/print.asp
+/print.php
+/printarticle.asp
+/printmain.asp
+/printview.php
+/process.php
+/prodList.asp
+/product.asp
+/product_review.php
+/productdetail.asp
+/products.asp
+/public/code/cp_downloads.php
+/publication_view.asp
+/publications_list.asp
+/question.php
+/rating.asp
+/read/index.php
+/recipe.php
+/register.php
+/repass.php
+/res_details.asp
+/result.asp
+/result.php
+/rss.asp
+/rss/show_webfeed.php
+/save.php
+/search.asp
+/search.php
+/search_listing.asp
+/searchkey.asp
+/searchmain.asp
+/searchoption.asp
+/section/default.asp
+/send_password_preferences.asp
+/sendarticle.asp
+/set_preferences.asp
+/shared/code/cp_authorization.php
+/shared/code/cp_functions_downloads.php
+/shopgiftregsearch.asp
+/show_joined.php
+/show_news.php
+/show_owned.php
+/showfile.asp
+/simplog/archive.php
+/simplog/index.php
+/slideshow.asp
+/sptrees/default.aspx
+/style.php
+/stylesheet.php
+/subcat.php
+/system/core/users/users.register.inc.php
+/system/index.php
+/templates/modif.html
+/thread.php
+/thumbnails.asp
+/thumbnails.php
+/topic_title.php
+/torrents.php
+/tracking/courseLog.php
+/types.asp
+/update_profile.php
+/urunbak.asp
+/user.asp
+/user.php
+/user_confirm.asp
+/user_pages/page.asp
+/userdetail.php
+/usergroups.php
+/usermgr.php
+/users.php
+/utilities/usermessages.asp
+/uye_giris_islem.asp
+/vBSupport.php
+/vdateUsr.asp
+/vehiclelistings.asp
+/verify.php
+/vf_memberdetail.asp
+/view.php
+/view_gallery.asp
+/view_profile.php
+/view_recent.asp
+/viewad.asp
+/viewcat.php
+/viewimage.php
+/viewlinks.asp
+/viewthread.php
+/virtuemart_parser.php
+/visu_user.asp
+/voirannonce.php
+/wallpaper.php
+/wbsearch.aspx
+/windows.asp
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-trackback.php
+/xNews.php
+/xmlrpc.php

rules/base_rules/modsecurity_46_et_web_rules.data

@@ -0,0 +1,55 @@
+.aspx
+.php
+/CCMAdmin/serverlist.asp
+/OpenView5.exe
+/WindowManager.dll
+/apage.cgi
+/awstats.pl
+/cfexec.cfm
+/class.csv.php
+/cmd-asp-5.1.asp
+/cmd.exe
+/cmd.php
+/cmdasp.asp
+/cmdasp.aspx
+/cmdjsp.jsp
+/contact/contact/index.php
+/default.aspx
+/functionen/ref_kd_rubrik.php
+/grab_globals.lib.php
+/graph_image.php
+/help_text_vars.php
+/hg_referenz_jobgalerie.php
+/include/sessionRegister.php
+/index.php
+/jsp-reverse.jsp
+/misc.php
+/module/referenz.php
+/nquser.php
+/passwiki.php
+/perlcmd.cgi
+/php-backdoor.php
+/piranha/secure/control.php3
+/pmwiki.php
+/prod.php
+/produkte_nach_serie.php
+/produkte_nach_serie_alle.php
+/ref_kd_rubrik.php
+/simple-backdoor.php
+/site_conf.php
+/standard/1/lay.php
+/standard/3/lay.php
+/surfer_aendern.php
+/surfer_anmeldung_NWL.php
+/tiki-featured_link.php
+/wf_startpage.js
+/wf_startqs.htm
+/whcsh_home.htm
+/whstart.js
+/wp-login.php
+/wps_shop.cgi
+?Redirect
+forumdisplay.php
+graph_view.php
+tree.php
+webmail.exe

rules/base_rules/modsecurity_50_outbound.data

@@ -0,0 +1,91 @@
+<TITLE>Index of
+><br>
+<title>Index ofMicrosoft VBScript runtime (0x8
+error '800
+Application uses a value of the wrong type for the current operation
+Microsoft VBScript compilation (0x8
+Microsoft VBScript compilation error
+Microsoft .NET Framework Version:
+A trappable error occurred in an external object. The script cannot continue running
+rror
+Microsoft VBScript runtime Error
+>error 'ASP
+ADODB.Command
+Object required: '
+<b>Version Information:</b> does not match with a table name or alias name used in the query
+Either BOF or EOF is True, or the current record has been deleted; the operation
+PostgreSQL query failed:
+You have an error in your SQL syntax near '
+ORA-
+select list because it is not contained in either an aggregate function or the GROUP BY clause
+Syntax error converting the 
+supplied argument is not a valid MS SQL
+supplied argument is not a valid Oracle
+Unclosed quotation mark before the character string
+Warning: mysql_connect():
+Unable to connect to PostgreSQL server:
+SQL Server does not exist or access denied
+microsoft jet database engine error '8
+supplied argument is not a valid PostgreSQL result
+Microsoft OLE DB Provider for 
+You have an error in your SQL syntax;
+Either BOF or EOF is True, or the current record has been deleted
+supplied argument is not a valid ODBC
+supplied argument is not a valid MySQL
+[Microsoft][ODBC 
+error '800a01b8'
+ data type as an argument.
+select list because it is not contained in an aggregate function and there is no GROUP BY clause
+' in sysservers. execute sp_addlinkedserver
+incorrect syntax near These statistics were produced by PeLAB
+This analysis was produced by
+These statistics were produced by getstats
+This report was generated by WebLog
+ebalizer
+This summary was generated byfgets
+move_uploaded_file
+$_session
+ftp_fget
+ftp_put
+readfile
+ftp_nb_put
+gzencode
+bzopen
+fopen
+readdir
+$_post
+gzread
+ftp_nb_fput
+ftp_nb_fget
+ftp_get
+$_get
+scandir
+fscanf
+readgzfile
+fread
+fgetc
+proc_open
+ftp_fput
+fgetss
+ftp_nb_get
+fwrite
+session_start
+gzopen
+gzcompress
+gzwriteserver.urlencode
+server.createobject
+scripting.filesystemobject
+server.execute
+wscript.shell
+<jsp:
+.createtextfile
+.addheader
+wscript.network
+javax.servlet
+.loadfromfile
+server.mappath
+vbscript.encode
+server.htmlencode
+response.write
+response.binarywrite
+.getfile

rules/base_rules/modsecurity_crs_20_protocol_violations.conf

@@ -0,0 +1,122 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#  
+#
+
+# Validate request line
+#
+SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
+    "t:none,t:lowercase,phase:2,block,nolog,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+# Block request with malformed content.
+# ModSecurity will not inspect these, but the server application might do so
+#
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+
+# Accept only digits in content length 
+#
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
+
+# Do not accept GET or HEAD requests with bodies
+# HTTP standard allows GET requests to have a body but this
+# feature is not used in real life. Attackers could try to force
+# a request body on an unsuspecting web applications.
+#
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+1,setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Require Content-Length to be provided with every POST request.
+#
+SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
+	SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Don't accept transfer encodings we know we don't know how to handle
+#
+# NOTE ModSecurity does not support chunked transfer encodings at
+#      this time. You MUST reject all such requests.
+#
+SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Expect header is an HTTP/1.1 protocol feature
+#
+SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,t:none,nolog,block,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960019',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Pragma Header requires a Cache-Control Header
+#	
+SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
+		SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Range Header exists and begins with 0 - normal browsers don't do this.
+#		
+SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Broken/Malicous clients often have duplicate or conflicting headers
+#
+SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Check encodings
+SecRule REQUEST_URI "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_BODY "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+		SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Check UTF enconding
+# This rule checks to see if your system uses UTF encoding.
+SecRule RESPONSE_HEADERS:Content-Type "charset=utf-8" \
+	"phase:3,t:none,pass,nolog,setvar:global.utf8_encoding_used=1"
+
+# If UTF-8 encoding was detected in the server's respone headers, run this rule on inbound data.
+SecRule GLOBAL:UTF8_ENCODING_USED "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+
+# Disallow use of full-width unicode
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
+  "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Proxy access attempt
+# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
+#      included in case Apache proxy is misconfigured.
+# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
+#      your local application and this rule allows it.
+# NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable.
+SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
+	SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
+
+#
+# Restrict type of characters sent
+#
+# NOTE In order to be broad and support localized applications this rule
+#      only validates that NULL Is not used.
+#
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
+#
+# TODO If your application use the range 32-126 for parameters.
+#
+#SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
+#	"@validateByteRange 32-126" \
+#	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matchedvar}"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
+	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf

@@ -0,0 +1,73 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#
+
+# Do not accept requests without common headers. 
+# Implies either an attacker or a legitimate automation client. 
+#
+
+# Detect HTTP/0.9 Requests
+SecRule REQUEST_PROTOCOL ^HTTP/0.9$ "t:none,phase:2,nolog,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_HOST_CHECK
+
+	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    		"skipAfter:END_HOST_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Host "^$" \
+    		"phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+    
+
+SecMarker BEGIN_ACCEPT_CHECK
+
+	SecRule &REQUEST_HEADERS:Accept "@eq 0" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Accept "^$" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_ACCEPT_CHECK
+
+SecMarker BEGIN_UA_CHECK
+
+	SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+    		"skipAfter:END_UA_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:User-Agent "^$" \
+    		"t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_UA_CHECK
+
+
+SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+    "chain,phase:2,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+
+# Check that the host header is not an IP address 
+#
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
+
+
+# Log a security event when the request is rejected by apache
+#
+# You must patch mod_unique_id for this to work correctly.  See the following
+# mod-security-users mail-list post for the patch details -
+# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
+#
+SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,nolog,auditlog,pass,msg:'Invalid request',id:'960913',severity:'4'"
+	SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.leakage_score=+1,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_23_request_limits.conf

@@ -0,0 +1,69 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+#      Note that most of the rules are commented out by default.
+#      Uncomment the rules you need
+#
+
+## -- Arguments limits --
+
+# Limit argument name length
+#SecRule ARGS_NAMES "@gt 100" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit value name length
+#SecRule ARGS "@gt 400" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Maximum number of arguments in request limited
+SecRule &ARGS "@gt 255" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit arguments total length
+#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+## -- File upload limits --
+
+# Individual file size is limited
+#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Combined file size is limited
+#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4',setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+
+## -- Apache Limits --
+
+# These are Apache limit directives, but we are including them here because
+# they are often forgotten. If you already have these configured leave this
+# section entirely commented-out. Otherwise review the limits and uncomment
+# the directives.
+
+# Maximum size of the request body.
+#
+# NOTE If your application allows file uploads the value below will
+#      most likely be way to low.
+#
+#LimitRequestBody 64000
+
+# Maximum number of request headers in a request.
+#
+#LimitRequestFields 32
+
+# Maximum size of request header lines.
+#
+#LimitRequestFieldSize 8000
+
+# Maximum size of the request line.
+#
+#LimitRequestLine 4000
+

rules/base_rules/modsecurity_crs_35_bad_robots.conf

@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE Bad robots detection is based on checking elements easily 
+#      controlled by the client. As such a determined attacked can bypass
+#      those checks. Therefore bad robots detection should not be viewed as
+#      a security mechanism against targeted attacks but rather as a nuisance
+#      reduction, eliminating most of the random attacks against your web
+#      site. 
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "^/nessustest" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|w(?:eb(?:emailextrac| by mail|altbot)|i(?:se(?:nut)?bot|ndows xp 5)|ordpress\/4\.01|3mir)|a(?:t(?:tache|hens)|utoemailspider|dsarobot| href=)|m(?:ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:(?:oe-component-clien|ackra)t|cbrowser|surf)|c(?:ompatible(?: ; msie|-)|hinaclaw)|f(?:astlwspider|loodgate)|t(?:uring machine|akeout)|g(?:rub-client|ecko\/25)|h(?:hjhj@yahoo|anzoweb)|d(?:igout4u|ts )agent|larbin@unspecified|(?:; widow|zeu)s|\bdatacha0s\b|user-agent:|rsync|shai|\\r)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
+        "chain,phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
+SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MISC-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_40_generic_attacks.conf

@@ -0,0 +1,399 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Begin RegEx Checks for rules that could not use @pm prequalifications
+#
+
+#
+# HTTP Parameter Pollution
+#
+SecRule ARGS_NAMES ".*" \
+	"chain,phase:2,t:none,nolog,auditlog,pass,capture,setvar:'tx.arg_name_%{tx.0}=+1',msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'" 
+        SecRule TX:/ARG_NAME_*/ "@gt 1" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+#
+# Coldfusion injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# LDAP injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# SSI injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+
+#
+# UPDF XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Email Injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+# HTTP Request Smuggling
+#
+SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,block,nolog,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{matched_var}"
+
+#
+# HTTP Response Splitting
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
+        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+
+
+#
+# RFI Attack
+#
+# See - http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+#
+SecRule ARGS "^(?:ht|f)tps?:\/\/([\d\.]+)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:ft|htt)ps?.*\?+$" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
+        "chain,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
+        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_40_generic_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_PM_CHECK,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+	#
+	# Session fixation
+	#
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?expires\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950301',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?domain\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950300',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\bhttp-equiv\W+set-cookie\b" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950302',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+ 
+	
+	
+	#
+	# File Injection
+	#
+	SecRule TX:/PM_DATA_*/ "\bboot\.ini\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958711',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\/etc\/" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958700',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htaccess\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958706',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958708',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bhttpd\.conf\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958705',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bglobal\.asa\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958712',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.wwwacl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958710',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.www_acl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958709',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958707',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	        
+
+	#
+	# Command access
+	#
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958503',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958500',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958504',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972022',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972032',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958502',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972030',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972029',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972031',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958501',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958505',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"        
+
+	#
+	# Command injection
+	#
+	SecRule TX:/PM_DATA_*/ "\btclsh8\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958929',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958870',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bperl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958873',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcpp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958928',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpython\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958887',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958828',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\buname\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958898',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958888',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\b\W+?\blocalgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958830',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bls\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958883',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchown\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958877',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958832',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958891',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\brm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958894',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958839',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bfinger\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958881',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958890',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\becho\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958872',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bxterm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958879',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bkill\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958884',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958927',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bping\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958893',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\b\W*?[\\/]" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958821',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\btelnet\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958889',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchmod\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958876',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958838',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958871',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958829',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bg\+\+" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958875',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnasm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958882',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958824',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\blsof\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958897',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bid\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958885',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958834',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btracert\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958926',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnmap\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958896',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\becho\b\W*?\by+\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958826',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btraceroute\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958837',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958836',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bgcc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958874',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bchmod.{0,40}?\+.{0,3}x" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958822',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bps\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958886',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958827',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcmd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958892',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btclsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958833',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bmail\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchgrp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958878',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\W*?\.\." \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958925',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958823',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	#
+	# PHP injection
+	#
+	
+	SecRule TX:/PM_DATA_*/ "<\?(?!xml)" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958823',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	SecRule TX:/PM_DATA_*/ "\bproc_open\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958976',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958972',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958963',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958965',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfscanf\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958959',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958978',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetss\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958955',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_post\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958941',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bsession_start\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958982',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breaddir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958977',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958973',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bscandir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958981',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958962',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958958',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadgzfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958979',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958967',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958968',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzencode\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958970',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958957',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_session\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958942',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958964',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958961',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzcompress\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958969',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bbzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958946',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958971',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetc\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958953',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bmove_uploaded_file\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958975',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958966',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958940',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgets\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958954',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958960',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+SecMarker END_PM_CHECK

rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

@@ -0,0 +1,442 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_41_sql_injection_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_sqli_score=+1,setvar:tx.pm_sqli_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SQLI_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_SQL_INJECTION_PM,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+
+	#
+	# Blind SQL injection
+	#
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_catalog\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bconstraint_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959503',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959521',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysqueries\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959509',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysaces\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959506',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@spid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959500',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcharindex\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959502',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.all_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959515',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959518',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}buser\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959514',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bwaitfor\b\W*?\bdelay\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959538',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959507',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959513',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_triggers\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959522',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\blocate\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959505',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysrelationships\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959510',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959520',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battnotnull\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959501',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959508',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.tab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959516',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bascii\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959512',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_views\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959523',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binstr\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959504',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959519',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmysql\.user\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959511',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+			
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959918',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\ball_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959900',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_class\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959910',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscat\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959524',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959912',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysdba\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959527',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btextpos\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959533',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battrelid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_attribute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959909',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_password\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959917',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959919',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959534',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxtype\W+\bchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959537',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959916',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysfilegroups\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959528',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959525',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959913',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959530',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysibm\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959529',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_ind_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959535',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysprocesses\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959531',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmb_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btable_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959914',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsystables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959532',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959907',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\brownum\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959911',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysconstraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959526',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\batttypid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959902',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_group\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959915',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+
+	#
+	# SQL injection
+	#
+
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'msdasql\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959020',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_makecab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959058',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_http\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959049',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_number\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959035',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btbcreator\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959046',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_execute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959038',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bgroup\b.*\bbyb.{1,100}?\bhaving\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959011',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdata_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959027',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_cmdshell\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959052',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bisnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959018',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdba_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959008',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenrowset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959023',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bunion\b.{1,100}?\bselect\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binsert\b\W*?\binto\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959015',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959032',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bdrop\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_execresultset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959055',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regaddmultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959060',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@version\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959004',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regread\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959065',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bloadb\W*?\bdata\b.*\binfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959019',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_char\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959034',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdbms_java\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959009',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_enumdsn\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959054',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_availablemedia\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959051',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_prepare\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959042',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bnvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959021',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_file\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959048',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binner\b\W*?\bjoin\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959014',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletekey\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959061',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_loginconfig\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959057',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_sqlexec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959043',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bprint\b\W*?\@\@" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959024',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959031',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regremovemultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959066',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regwrite\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959067',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959050',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\bdumpfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959016',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifb\W*?\(\W*?\bbenchmark\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959012',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenquery\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959022',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959033',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcastb\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959006',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdelete\b\W*?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959075',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletevalue\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959062',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sqloledb\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959003',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_addextendedproc\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959037',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_longvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959044',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_dirtree\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959053',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumkeys\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959063',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdump\b.*\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959028',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_filelist\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959056',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sa\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959026',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_terminate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959068',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_executesql\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959039',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959013',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\boutfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959017',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_makewebtask\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959040',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'dbo\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959010',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_variant\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959045',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_ntsec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959059',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bshutdown\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959002',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\binstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959029',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bautonomous_transaction\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959005',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_oacreate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959041',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959036',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumvalues\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959064',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	
+SecMarker END_SQL_INJECTION_PM
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+       	"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_SQL_INJECTION_WEAK
+SecRule &TX:/SQL_INJECTION/ "@eq 0" "phase:2,t:none,nolog,pass,skipAfter:END_SQL_INJECTION_WEAK"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
+       		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" \
+			"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:benchmark|encode)\b" \
+		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_SQL_INJECTION_WEAK

rules/base_rules/modsecurity_crs_41_xss_attacks.conf

@@ -0,0 +1,447 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
+       "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
+SecAction phase:2,pass,nolog,skipAfter:END_XSS_REGEX
+
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousedown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bmocha:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonabort\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bstyle\b\W*\=.*bexpression\b\W*\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcreatetextrange\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bondragdrop\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcopyparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonunload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.execscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetspecialfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bonload\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeydown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousemove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blivescript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonblur\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsettimeout\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?iframe" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bbackground\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\becmascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonfocus\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.cookie\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\<\!\[cdata\[" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonerror\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bactivexobject\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeypress\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonsubmit\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.addimport\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonchange\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\balert\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?meta\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseout\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\basfunction:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseover\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.innerhtml\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonselect\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\@import\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?script\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonresize\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonclick\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\biframe\b.{0,100}?\bsrc\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bbackground-image:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeyup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<input\b.*?\btype\b\W*?\bimage\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.fromcharcode\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+SecMarker END_XSS_REGEX
+
+# Detect tags that are the most common direct HTML injection points.
+#
+#     <a href=javascript:...
+#     <applet src="..." type=text/html>
+#     <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
+#     <base href=javascript:...
+#     <base href=... // change base URL to something else to exploit relative filename inclusion
+#     <bgsound src=javascript:...
+#     <body background=javascript:...
+#     <body onload=...
+#     <embed src=http://www.example.com/flash.swf allowScriptAccess=always
+#     <embed src="data:image/svg+xml;
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...
+#     <img src=x onerror=...
+#     <input type=image src=javascript:...
+#     <layer src=...
+#     <link href="javascript:..." rel="stylesheet" type="text/css"
+#     <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
+#     <meta http-equiv="refresh" content="0;url=javascript:..."
+#     <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
+#     <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
+#     <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
+#     <object data=http://www.example.com
+#     <object type=text/x-scriptlet data=...
+#     <object type=application/x-shockwave-flash data=xss.swf>
+#     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
+#     <script>...</script>
+#     <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
+#     <script src="data:text/javascript,alert(1)"></script>
+#     <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
+#     <style>STYLE</style>
+#     <style type=text/css>STYLE</style>
+#     <style type=text/javascript>alert('xss')</style>
+#     <table background=javascript:...
+#     <td background=javascript:
+#
+#
+# NOTES
+#
+#  - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
+#
+#  - Not using closing brackets because they are not needed for the
+#    attacks to succeed. The following seems to work in FF: <body/s/onload=...
+#
+#  - Also, browsers sometimes tend to translate < into >, in order to "repair"
+#    what they think was a mistake made by the programmer/template designer.
+#
+#  - Browsers are flexible when it comes to what they accept as separator between
+#    tag names and attributes. The following is commonly used in payloads: <img/src=...
+#    A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
+#
+#  - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
+#    but I don't believe we need to look for quotes anywhere.
+#
+#  - Links do not have to be fully qualified. For example, the following works:
+#    <script src="//ha.ckers.org/.j">
+#
+SecRule ARGS|ARGS_NAMES|QUERY_STRING|REQUEST_URI_RAW "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
+	"phase:2,t:none,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "\ballowscriptaccess\b|\brel\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# TODO Would evasion such as null and whitespace work here?
+#
+SecRule ARGS "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect event handler names
+#
+#     <body onload=...>
+#     <img src=x onerror=...>
+#
+SecRule ARGS "\bon(abort|blur|change|click|dblclick|dragdrop|error|\
+focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout\
+mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect usage of common URI attributes (e.g. src)
+#
+#     <a href="javascript:...">Link</a>
+#     <base href="javascript:...">
+#     <bgsound src="javascript:...">
+#     <body background="javascript:...">
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...>
+#     <img dynsrc=javascript:...>
+#     <img lowsrc=javascript:...>
+#     <img src=javascript:...>
+#     <input type=image src=javascript:...>
+#
+SecRule ARGS "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# As above, but try to catch the other bit that is necessary to execute the attack.
+#
+#     <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+#     <img src=jaVaScrIpt:...>
+#     <img src=&#6a;avascript:...> (not evasion)
+#     <img src="jav	ascript:..."> (embedded tab; null byte, other whitespace characters work too)
+#     <img src="jaa&#09;ascript:..."> (the combination of the above two)
+#
+# NOTES
+#
+#  - htmlEntityDecode needs to be applied because this content appears in HTML
+#    attributes, so it's not evasion.
+#
+# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
+#
+SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect attempts to use the style attribute, which works with any tag in at
+# least one major browser.
+#
+#     <div style="background-image: url(javascript:...)">
+#
+SecRule ARGS "\bstyle\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# -- JavaScript fragments --
+#
+#    TODO Need more fragments.
+#
+#    TODO What about JavaScript code hidden behind CSS?
+#
+#    TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
+#
+#    alert(String.fromCharCode(88,83,83)
+#    - window.name
+#    - document.cookie
+#    - document.location
+#    - document.write
+#    - document.styleSheets[0].addImport('yourstylesheet.css', 2);
+#    - window.execScript("alert('test');", "JavaScript");
+#    - document.body.innerHTML = ''
+#    - newObj = new ActiveXObject(servername.typename[, location])
+#    - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
+#    - setTimeout("alert('xss')", 1000)
+#    - xmlHttp.onreadystatechange=function() {}
+#    - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
+#
+# NOTES:
+# 
+#  - JavaScript evasion:
+#
+#    http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
+#    http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
+#
+SecRule ARGS "(fromcharcode|alert|eval)\s*\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- CSS attack fragments --
+
+#     <div style="background-image: url(javascript:...)">
+#     <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
+#     <div style="width: expression(...);">
+#     <img style="x:expression(document.write(1))">
+#     <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
+# -    <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
+#     <style>@import url(...);</style>
+#     -moz-binding:url(...)
+#     background:url("javascript:...")
+#     </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
+#     <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
+#     <li style="behavior:url(hilite.htc)">xss
+#
+#     Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
+#
+# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
+#
+# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
+#       a match of that before we do anything might help us reduce the FP rate.
+#
+SecRule ARGS "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#      <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
+SecRule ARGS "<!\[cdata\[|\]\]>" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- Misc --
+
+#    alert('xss')
+#    alert("xss")
+#    alert(/xss/)
+#    <xss>
+#
+SecRule ARGS "[/'\"<]xss[/'\">]" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    String.fromCharCode(88,83,83)
+# 
+SecRule ARGS "(88,83,83)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    '';!--"<XSS>=&{()}
+#
+SecRule ARGS "'';!--\"<xss>=&{()}" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Handle &{alert('xss')} which is supposed to work in Netscape 4.
+# 
+SecRule ARGS "&{" \
+	"phase:2,t:none,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# <!DOCTYPE html [  
+#   <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
+# ]>
+# <html xmlns="http://www.w3.org/1999/xhtml">
+# <head>
+#   <title>Test</title>
+# </head>
+#
+# <body>
+# &inject;
+# </body>
+# </html>
+#
+SecRule ARGS "<!(doctype|entity)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_45_trojans.conf

@@ -0,0 +1,34 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# The trojan access detection rules detects access to known Trojans already 
+# installed on a server. Uploading of Trojans is part of the Anti-Virus rules 
+# and uses external Anti Virus program when uploading files.
+#
+# Detection of Trojans access is especially important in a hosting environment
+# where the actual Trojan upload may be done through valid methods and not
+# through hacking.
+# --
+# 
+# NOTE Trojans detection is based on checking elements controlled by the client. 
+#      A determined attacked can bypass those checks. We are working on 
+#      enchaining the checks so it would require a major change in the Trojan
+#      to overcome.
+#      
+# NOTE We found out that Trojan horses are not detected easily by Anti-Virus 
+#      software when uploading as the signature set of AV software is not tuned
+#      for this purpose. We are working on adding signature tuned to detect
+#      Trojans upload to file uploading inspection. 
+# 
+
+SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "root\.exe" \
+        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"

rules/base_rules/modsecurity_crs_46_et_web_rules.conf

@@ -0,0 +1,601 @@
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
+
+# (sid 2003897) ET WEB Adobe RoboHelp XSS Attempt whstart.js
+SecRule REQUEST_URI_RAW "(?i:\/whstart\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003897,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whstart.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whstart.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003898) ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm
+SecRule REQUEST_URI_RAW "(?i:\/whcsh_home\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003898,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003899) ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js
+SecRule REQUEST_URI_RAW "(?i:\/wf_startpage\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003899,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003900) ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm
+SecRule REQUEST_URI_RAW "(?i:\/wf_startqs\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003900,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003901) ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll
+SecRule REQUEST_URI_RAW "(?i:\/WindowManager\.dll)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003901,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001945) ET WEB WebAPP Apage.CGI Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/apage\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001945,rev:6,msg:'ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache.cgi'"
+SecRule ARGS:f "(?i:(\.\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001669) ET WEB Proxy GET Request
+SecRule REQUEST_URI_RAW "@contains GET http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001669,rev:6,msg:'ET WEB Proxy GET Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy GET Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001670) ET WEB Proxy HEAD Request
+SecRule REQUEST_URI_RAW "@contains HEAD http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001670,rev:7,msg:'ET WEB Proxy HEAD Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy HEAD Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001674) ET WEB Proxy POST Request
+SecRule REQUEST_URI_RAW "@contains POST http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001674,rev:6,msg:'ET WEB Proxy POST Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy POST Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001675) ET WEB Proxy CONNECT Request
+SecRule REQUEST_URI_RAW "@contains CONNECT " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001675,rev:6,msg:'ET WEB Proxy CONNECT Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy CONNECT Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003156) ET WEB Crewbox Proxy Scan
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003156,rev:3,msg:'ET WEB Crewbox Proxy Scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy'"
+SecRule REQUEST_URI_RAW "@contains crewbox.by.ru/crew/" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Crewbox Proxy Scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002900) ET WEB CGI AWstats Migrate Command Attempt
+SecRule REQUEST_URI_RAW "(?i:\/awstats\.pl)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002900,rev:3,msg:'ET WEB CGI AWstats Migrate Command Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Awstats'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:migrate\s*=\s*\|)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB CGI AWstats Migrate Command Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002711) ET WEB includer.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "@contains /includer.cgi?|7c|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002711,rev:5,msg:'ET WEB includer.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_CGI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB includer.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002129) ET WEB Cacti Input Validation Attack
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002129,rev:7,msg:'ET WEB Cacti Input Validation Attack',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(config_settings|top_graph_header)\.php\?.*=(http|https)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti Input Validation Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002313) ET WEB Cacti graph_image.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/graph_image\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002313,rev:6,msg:'ET WEB Cacti graph_image.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(graph_start=%0a.+%0a))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti graph_image.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003334) ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003334,rev:3,msg:'ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule REQUEST_URI_RAW "@contains UNION" "chain"
+SecRule REQUEST_URI_RAW "@contains SELECT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007889) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007889,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007890) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007890,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007891) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007891,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007892) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007892,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007893) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007893,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007894) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007894,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007895) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007895,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007896) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007896,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007897) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007897,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004556) ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern
+SecRule REQUEST_URI_RAW "(?i:\/CCMAdmin\/serverlist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004556,rev:4,msg:'ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cisco'"
+SecRule ARGS:pattern "(?i:.*<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002376) ET WEB IBM Lotus Domino BaseTarget XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenForm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002376,rev:7,msg:'ET WEB IBM Lotus Domino BaseTarget XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:BaseTarget=.*?\x22)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino BaseTarget XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002377) ET WEB IBM Lotus Domino Src XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenFrameSet" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002377,rev:6,msg:'ET WEB IBM Lotus Domino Src XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:src=.*\x22><\/FRAMESET>.*<script>.*<\/script>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino Src XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009361) ET WEB cmd.exe In URI - Possible Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.exe)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009361,rev:2,msg:'ET WEB cmd.exe In URI - Possible Command Execution Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB cmd.exe In URI - Possible Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009362) ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt
+SecRule REQUEST_URI_RAW "@contains /system32/" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009362,rev:2,msg:'ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009363) ET WEB Suspicious Chmod Usage in URI
+SecRule QUERY_STRING|REQUEST_BODY "(?i:chmod.([r|w|x|1-7]))" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009363,rev:2,msg:'ET WEB Suspicious Chmod Usage in URI',tag:'attempted-admin',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Suspicious Chmod Usage in URI',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008171) ET WEB HP OpenView Network Node Manager CGI Directory Traversal
+SecRule REQUEST_URI_RAW "(?i:\/OpenView5\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008171,rev:2,msg:'ET WEB HP OpenView Network Node Manager CGI Directory Traversal',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_HP_Openview'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule REQUEST_URI_RAW "@contains /OvCgi/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Action=../../" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains  HTTP/1" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB HP OpenView Network Node Manager CGI Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002897) ET WEB Horde README access probe
+SecRule REQUEST_URI_RAW "@contains /horde" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002897,rev:5,msg:'ET WEB Horde README access probe',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Horde'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Horde README access probe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001365) ET WEB-MISC Alternate Data Stream source view attempt
+SecRule REQUEST_URI_RAW "@contains |3A 3A|$DATA" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001365,rev:8,msg:'ET WEB-MISC Alternate Data Stream source view attempt',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_ADS_Source_Code_Exposure',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Alternate Data Stream source view attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001342) ET WEB IIS ASP.net Auth Bypass / Canonicalization
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001342,rev:21,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001343) ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001343,rev:19,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009510) ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt
+SecRule REQUEST_URI_RAW "@contains .jsp\:\:$DATA" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009510,rev:2,msg:'ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Java',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001546) ET WEB-MISC LINK Method
+SecRule QUERY_STRING|REQUEST_BODY "@contains LINK " "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001546,rev:7,msg:'ET WEB-MISC LINK Method',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_LINK_Method',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC LINK Method',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002777) ET WEB Light Weight Calendar 'date' Arbitrary Remote Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002777,rev:3,msg:'ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Light_Weight_Calendar'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:date=\d{8}\)\;.+)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001075) ET WEB-MISC cross site scripting attempt IMG onerror or onload
+SecRule QUERY_STRING|REQUEST_BODY "@contains <IMG" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001075,rev:5,msg:'ET WEB-MISC cross site scripting attempt IMG onerror or onload',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\bonerror\b[\s]*=)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt IMG onerror or onload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001077) ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001077,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-javascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001078) ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/jscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001078,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/jscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001079) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001079,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001080) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001080,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001081) ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/ecmascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001081,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/ecmascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001082) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001082,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:STYLE[\s]*=[\s]*[^>]expression[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001083) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001083,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001084) ET WEB-MISC cross site scripting attempt using XML
+SecRule QUERY_STRING|REQUEST_BODY "@contains <XML" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001084,rev:5,msg:'ET WEB-MISC cross site scripting attempt using XML',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains <![CDATA[<]]>SCRIPT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt using XML',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001085) ET WEB-MISC cross site scripting attempt executing hidden Javascript 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains innerhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001085,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001086) ET WEB-MISC cross site scripting attempt executing hidden Javascript 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains window.execscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001086,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:window.execScript[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001087) ET WEB-MISC cross site scripting attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001087,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*javascript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001088) ET WEB-MISC cross site scripting attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001088,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*vbscript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001089) ET WEB-MISC cross site scripting attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "@contains shell" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001089,rev:6,msg:'ET WEB-MISC cross site scripting attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*shell[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001090) ET WEB-MISC cross site scripting stealth attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001090,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001091) ET WEB-MISC cross site scripting stealth attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001091,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001092) ET WEB-MISC cross site scripting stealth attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001092,rev:8,msg:'ET WEB-MISC cross site scripting stealth attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002361) ET WEB Netquery Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/nquser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002361,rev:4,msg:'ET WEB Netquery Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netquery'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(host=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netquery Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007936) ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability
+SecRule REQUEST_URI_RAW "(?i:webmail\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007936,rev:4,msg:'ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netwin'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[%n%s]{2,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002997) ET WEB PHP Remote File Inclusion (monster list http)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002997,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list http)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains http" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list http)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003098) ET WEB PHP Remote File Inclusion (monster list ftp)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003098,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list ftp)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains ftp\:" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*ftp)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list ftp)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003935) ET WEB PHP Remote File Inclusion (monster list php)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003935,rev:3,msg:'ET WEB PHP Remote File Inclusion (monster list php)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list php)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002730) ET WEB PHPGedView Remote Script Code Execution attempt
+SecRule REQUEST_URI_RAW "(?i:\/help_text_vars\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002730,rev:6,msg:'ET WEB PHPGedView Remote Script Code Execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPGedView'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:PGV_BASE_DIRECTORY=(f|ht)tp\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPGedView Remote Script Code Execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002314) ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/prod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002314,rev:5,msg:'ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPOutsourcing'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(argv[1]=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001344) ET WEB PHP EasyDynamicPages exploit
+SecRule ARGS_NAMES "(?i:edp_relative_path)" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001344,rev:7,msg:'ET WEB PHP EasyDynamicPages exploit',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_EasyDynamicPages_Exploit',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP EasyDynamicPages exploit',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009336) ET WEB Possible Web Backdoor cfexec.cfm access
+SecRule REQUEST_URI_RAW "(?i:\/cfexec\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009336,rev:2,msg:'ET WEB Possible Web Backdoor cfexec.cfm access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cfexec.cfm access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009337) ET WEB Possible Web Backdoor cmdasp.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009337,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009338) ET WEB Possible Web Backdoor cmdasp.aspx access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009338,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.aspx access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.aspx access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009339) ET WEB Possible Web Backdoor simple-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/simple\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009339,rev:2,msg:'ET WEB Possible Web Backdoor simple-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor simple-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009340) ET WEB Possible Web Backdoor php-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/php\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009340,rev:2,msg:'ET WEB Possible Web Backdoor php-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor php-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009341) ET WEB Possible Web Backdoor jsp-reverse.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/jsp\-reverse\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009341,rev:2,msg:'ET WEB Possible Web Backdoor jsp-reverse.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor jsp-reverse.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009342) ET WEB Possible Web Backdoor perlcmd.cgi access
+SecRule REQUEST_URI_RAW "(?i:\/perlcmd\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009342,rev:2,msg:'ET WEB Possible Web Backdoor perlcmd.cgi access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor perlcmd.cgi access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009343) ET WEB Possible Web Backdoor cmdjsp.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdjsp\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009343,rev:2,msg:'ET WEB Possible Web Backdoor cmdjsp.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdjsp.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009344) ET WEB Possible Web Backdoor cmd-asp-5.1.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmd\-asp\-5\.1\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009344,rev:2,msg:'ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002972) ET WEB PHP ZeroBoard .htaccess upload
+SecRule QUERY_STRING|REQUEST_BODY "@contains filename=" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002972,rev:3,msg:'ET WEB PHP ZeroBoard .htaccess upload',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_ZeroBoard'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:^\s*\.htaccess)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP ZeroBoard .htaccess upload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001738) ET WEB PHP vBulletin Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:forumdisplay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001738,rev:9,msg:'ET WEB PHP vBulletin Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule ARGS:comma "(?i:(\.system\(.+\)\.))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP vBulletin Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002388) ET WEB vBulletin misc.php Template Name Arbitrary Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/misc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002388,rev:5,msg:'ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule REQUEST_URI_RAW "@contains &template=.*{${" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002837) ET WEB PmWiki Globals Variables Overwrite Attempt
+SecRule REQUEST_URI_RAW "(?i:\/pmwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002837,rev:3,msg:'ET WEB PmWiki Globals Variables Overwrite Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PMWiki'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GLOBALS[FarmD]=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:GLOBALS\x5bFarmD\x5d\x3d)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PmWiki Globals Variables Overwrite Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008687) ET WEB PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_URI_RAW "(?i:\/passwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008687,rev:2,msg:'ET WEB PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PassWiki'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule ARGS:site_id "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007871) ET WEB Philips VOIP841 Web Server Directory Traversal
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007871,rev:2,msg:'ET WEB Philips VOIP841 Web Server Directory Traversal',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Philips_VOIP'"
+SecRule REQUEST_URI_RAW "@contains /etc/passwd" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Philips VOIP841 Web Server Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002331) ET WEB Piranha default passwd attempt
+SecRule REQUEST_URI_RAW "(?i:\/piranha\/secure\/control\.php3)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002331,rev:3,msg:'ET WEB Piranha default passwd attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Piranha'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Authorization\: Basic cGlyYW5oYTp" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Piranha default passwd attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008622) ET WEB Pritlog index.php filename File Disclosure
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008622,rev:2,msg:'ET WEB Pritlog index.php filename File Disclosure',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Pritlog'"
+SecRule REQUEST_URI_RAW "@contains /index.php?option=viewEntry" "chain"
+SecRule ARGS:&filename "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Pritlog index.php filename File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009152) ET WEB PHP Generic Remote File Include Attempt (HTTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009152,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (HTTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =https\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (HTTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009153) ET WEB PHP Generic Remote File Include Attempt (FTP)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009153,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (FTP)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftp\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTP)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009155) ET WEB PHP Generic Remote File Include Attempt (FTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009155,rev:5,msg:'ET WEB PHP Generic Remote File Include Attempt (FTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftps\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002660) ET WEB RSA Web Auth Exploit Attempt - Long URL
+SecRule REQUEST_URI_RAW "(?i:\?Redirect)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002660,rev:5,msg:'ET WEB RSA Web Auth Exploit Attempt - Long URL',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RSA'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:url=.{8000})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB RSA Web Auth Exploit Attempt - Long URL',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006443) ET WEB Possible SQL Injection Attempt DELETE FROM
+SecRule REQUEST_URI_RAW "@contains DELETE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006443,rev:6,msg:'ET WEB Possible SQL Injection Attempt DELETE FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt DELETE FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006444) ET WEB Possible SQL Injection Attempt INSERT INTO
+SecRule REQUEST_URI_RAW "@contains INSERT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006444,rev:6,msg:'ET WEB Possible SQL Injection Attempt INSERT INTO',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  INTO " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt INSERT INTO',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006445) ET WEB Possible SQL Injection Attempt SELECT FROM
+SecRule REQUEST_URI_RAW "@contains SELECT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006445,rev:6,msg:'ET WEB Possible SQL Injection Attempt SELECT FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt SELECT FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006446) ET WEB Possible SQL Injection Attempt UNION SELECT
+SecRule REQUEST_URI_RAW "@contains UNION " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006446,rev:6,msg:'ET WEB Possible SQL Injection Attempt UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SELECT " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006447) ET WEB Possible SQL Injection Attempt UPDATE SET
+SecRule REQUEST_URI_RAW "@contains UPDATE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006447,rev:7,msg:'ET WEB Possible SQL Injection Attempt UPDATE SET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[&\?].*UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UPDATE SET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003903) ET WEB Microsoft SharePoint XSS Attempt default.aspx
+SecRule REQUEST_URI_RAW "(?i:\/default\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003903,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt default.aspx',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt default.aspx',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003904) ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]
+SecRule REQUEST_URI_RAW "(?i:\/contact\/contact\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003904,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule ARGS:form[mail] "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003705) ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
+SecRule REQUEST_URI_RAW "(?i:\/site_conf\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003705,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003706) ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/class\.csv\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003706,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003707) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003707,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003708) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/functionen\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003708,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003709) ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/hg_referenz_jobgalerie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003709,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003710) ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_anmeldung_NWL\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003710,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003711) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie_alle\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003711,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003712) ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_aendern\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003712,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003715) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003715,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003713) ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/module\/referenz\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003713,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003714) ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/1\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003714,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003867) ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/3\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003867,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002662) ET WEB TWiki INCLUDE remote command execution attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:%INCLUDE\s*{.*rev=\x22\d+\|.+\x22.*}\s*%)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002662,rev:5,msg:'ET WEB TWiki INCLUDE remote command execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki INCLUDE remote command execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003085) ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:&TYPEOF\:.+system\s*\()" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003085,rev:4,msg:'ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003099) ET WEB-MISC Poison Null Byte
+SecRule REQUEST_URI_RAW "@contains |00|" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003099,rev:4,msg:'ET WEB-MISC Poison Null Byte',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_URI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Poison Null Byte',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002494) ET WEB Versatile Bulletin Board SQL Injection Attack
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002494,rev:5,msg:'ET WEB Versatile Bulletin Board SQL Injection Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_VersatileBB'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:select=.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Versatile Bulletin Board SQL Injection Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002100) ET WEB WPS wps_shop.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/wps_shop\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002100,rev:4,msg:'ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WPS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(art=\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002844) ET WEB WebDAV search overflow
+SecRule QUERY_STRING|REQUEST_BODY "@contains SEARCH " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002844,rev:4,msg:'ET WEB WebDAV search overflow',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Webdav',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebDAV search overflow',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004574) ET WEB WikyBlog XSS Attempt sessionRegister.php
+SecRule REQUEST_URI_RAW "(?i:\/include\/sessionRegister\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004574,rev:4,msg:'ET WEB WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WikyBlog'"
+SecRule REQUEST_URI_RAW "@contains | 3C |" "chain"
+SecRule REQUEST_URI_RAW "@contains SCRIPT" "chain"
+SecRule REQUEST_URI_RAW "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007872) ET WEB WinIPDS Directory Traversal Vulnerabilities GET
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007872,rev:2,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities GET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities GET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007873) ET WEB WinIPDS Directory Traversal Vulnerabilities POST
+SecRule REQUEST_URI_RAW "@contains POST " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007873,rev:3,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities POST',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities POST',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008553) ET WEB WordPress Random Password Generation Insufficient Entropy Attack
+SecRule REQUEST_URI_RAW "(?i:\/wp\-login\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008553,rev:2,msg:'ET WEB WordPress Random Password Generation Insufficient Entropy Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress'"
+SecRule REQUEST_URI_RAW "@contains POST " "chain"
+SecRule ARGS:action "(?i:\w+(%20){60,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WordPress Random Password Generation Insufficient Entropy Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002408) ET WEB phpMyAdmin Suspicious Activity
+SecRule REQUEST_URI_RAW "(?i:\/grab_globals\.lib\.php)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002408,rev:7,msg:'ET WEB phpMyAdmin Suspicious Activity',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin'"
+SecRule REQUEST_URI_RAW "@contains POST " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Suspicious Activity',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002409) ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)
+SecRule QUERY_STRING|REQUEST_BODY "@contains [redirect]" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002409,rev:5,msg:'ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002667) ET WEB sumthin scan
+SecRule REQUEST_URI_RAW "@contains GET /sumthin HTTP/1." "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002667,rev:3,msg:'ET WEB sumthin scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_sumthin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB sumthin scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003167) ET WEB tikiwiki featured link XSS attempt
+SecRule REQUEST_URI_RAW "(?i:\/tiki\-featured_link\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003167,rev:4,msg:'ET WEB tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_tikiwiki'"
+SecRule ARGS_NAMES "(?i:type)" "chain"
+SecRule REQUEST_URI_RAW "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SNORT_RULES

rules/base_rules/modsecurity_crs_47_common_exceptions.conf

@@ -0,0 +1,28 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog"
+        SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+                SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,t:none,pass,nolog"
+	SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+		SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
+                	SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        	SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+

rules/base_rules/modsecurity_crs_48_local_exceptions.conf

@@ -0,0 +1,110 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used to allow custom checks and exclusions for the transactional
+# variable rules.  Place rules in this file so that you may influence what happens
+# in the 49 - Enforcement File. 
+
+# In previous ModSecurity rules, the TARGET list would have to be updated in
+# order to exclude a specific paramater like this -
+#
+# SecRule ARGS_NAMES|ARGS|!ARGS:foo
+# 
+# With the new transactional variable rules, parameter exceptions can now
+# be handled AFTER the initial inspection as the rules now use setvars to 
+# capture meta-data with each rule match.  They use this syntax -  
+#
+# 	setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
+#
+# When the transactional rules trigger, they will set a TX variable similar to this 
+# for an SQL Injection attack -
+#
+# 	Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
+# 
+# With this data now available, the user can implement flexible exceptions.
+# 
+# Exception example - exclude a parameter
+#
+# In this example, we are inspecting
+# the TX collections to see if there is a current variable that has matched
+# for the 950001 SQL Injection rule ID and for the "comments" parameter.  If
+# so, then we are going to remove the collection entirely by using the 
+# setvar:!tx. syntax.  By doing this, the TX collection is removed before final
+# inspection at the end of phase 2 in the enforcement file.
+#
+#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
+#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion for the entire SQL Injection category of rules
+#
+#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
+#	SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion that combines the URL and parameter and removes
+# a specific SQL Injection ID only if the parameter foo payload matches
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
+#	SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
+#       	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+# allow request methods
+#
+#SecAction "phase:1,setvar:tx.e60032=1"
+#SecRule REQUEST_METHOD "^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
+#    "phase:1,pass,nolog,t:none,setvar:tx.m60032=1"
+
+
+# restrict request methods
+#
+#SecRule REQUEST_METHOD "^()$" \
+#    "phase:1,pass,nolog,t:none,t:urlDecodeUni,setvar:tx.m60033=1"
+
+
+# allow content type
+#
+#SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
+#	"phase:1,pass,nolog,t:none,chain,setvar:tx.e60010=1"
+#SecRule HTTP_HEADERS:Content-Type "(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" \
+#    "t:lowercase,setvar:tx.m60010=1"
+
+
+# allow file extensions
+#
+#SecAction "setvar:tx.e60036=1"
+#SecRule REQUEST_BASENAME "\.$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60036=1"
+
+
+# Restrict file extension
+#
+#SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60035=1"
+
+
+# Restrict directories and patterns in path
+#
+#SecRule REQUEST_FILENAME  "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60037=1"
+
+
+# Allow directories and patterns in path
+#
+#SecAction "setvar:tx.e60039=1"
+#SecRule REQUEST_FILENAME "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60039=1"
+
+
+# Restricted HTTP headers 
+#
+#SecAction "setvar:tx.e60038=1"
+#SecRule REQUEST_HEADERS_NAMES "^(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:lowercase,setvar:tx.m60038=1"
+

rules/base_rules/modsecurity_crs_49_enforcement.conf

@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# Uncomment the anomaly sections you wish to use.
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Alert and Deny on High Anomaly Scores
+#
+SecRule TX:ANOMALY_SCORE "@ge 20" \
+    "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on any anomalies
+#
+#SecRule TX:ANOMALY_SCORE "@ge 0" \
+#    "phase:2,t:none,nolog,auditlog,pass,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on SQL Injection anomalies
+#
+#SecRule TX:SQLI_SCORE "@gt 0" \
+#    "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"
+
+# Alert on XSS anomalies
+#
+#SecRule TX:XSS_SCORE "!@eq 0" \
+#    "phase:2,t:none,log,deny,msg:'XSS Detected (score %{TX.XSS_SCORE}): %{tx.msg}'"
+

rules/base_rules/modsecurity_crs_50_outbound.conf

@@ -0,0 +1,306 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE   By default the status code sent is 501, which implies that the web 
+#        server does not support the required operation. This is a non standard
+#        of this status code which normally refers to unsupported HTTP methods. 
+#        It is used in order to confuse automated clients and scanners. 
+
+
+# Zope Information Leakage
+SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# CF Information Leakage
+SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# PHP Information Leakage
+SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# ISA server existence revealed
+SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{matched_var}"
+
+# Microsoft Office document properties leakage
+SecRule RESPONSE_BODY "<o:documentproperties>" \
+        "phase:4,t:none,nolog,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+          
+# CF source code leakage
+SecRule RESPONSE_BODY "<cf" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# IIS default location
+SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
+        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,nolog,auditlog,msg:'IIS installed in default location',id:'970018',severity:'3',chain"
+SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15"
+
+# The application is not available
+SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970901',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970118',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+
+# Weblogic information disclosure
+SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'3'"
+SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# File or Directory Names Leakage
+SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'3'"
+SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+#
+# IFrame Injection
+#
+SecRule RESPONSE_BODY "!@pm iframe" \
+				"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981000',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981001',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"				
+SecMarker END_IFRAME_CHECK 
+
+#
+# Run PM check against response body data before running any RegEx Checks
+# If nothing matches, then we skip the remainder of phase:4 
+#
+SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
+        "phase:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
+
+# ASP/JSP source code leakage
+SecRule RESPONSE_BODY "\bwscript\.shell\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971379',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<jsp:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971300',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.addheader\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971360',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.execute\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971373',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.mappath\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971375',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.binarywrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971369',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.createobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971372',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.createtextfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971361',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bwscript\.network\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971378',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bvbscript\.encode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971377',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.htmlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971374',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bjavax\.servlet" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971301',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscripting\.filesystemobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971371',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.urlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971376',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.getfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971362',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.loadfromfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971363',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.write\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971370',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# PHP source code leakage
+SecRule RESPONSE_BODY "\bproc_open\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958976',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958972',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958963',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958965',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfscanf\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958959',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958978',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetss\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958955',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_post\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958941',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsession_start\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958982',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breaddir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958977',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958973',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscandir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958981',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958962',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958958',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadgzfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958979',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958967',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958968',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958970',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958957',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_session\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958942',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958964',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958961',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzcompress\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958969',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bbzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958946',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958971',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetc\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958953',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmove_uploaded_file\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958975',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958966',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958940',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgets\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958954',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958960',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecMarker 900771
+SecRule RESPONSE_BODY "<\?(?!xml)" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# Statistics pages revealed
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?webcruncher\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971019',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by PeLAB\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971011',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971020',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?Jware\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971018',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?wwwstat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971014',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?calamaris\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971022',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis report was generated by WebLog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971013',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\b[gG]enerated by.{0,100}?[Ww]ebalizer\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971024',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by getstats\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971010',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?EasyStat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971023',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971021',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+# SQL Errors leakage
+SecRule RESPONSE_BODY "\bCould not find server \'\w+\' in sysservers\. execute sp_addlinkedserver\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971154',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSyntax error converting the \w+ value .*? to a column of data type\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971153',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bORA-\d{5}\: " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971198',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnclosed quotation mark before the character string\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971092',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\[Microsoft\]\[ODBC " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971197',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800a01b8\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971069',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax near \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971094',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmicrosoft jet database engine error \'8" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971072',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in an aggregate function and there is no GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971086',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnable to connect to PostgreSQL server\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971091',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bPostgreSQL query failed\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971068',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MS SQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971158',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid Oracle\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971157',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971093',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid ODBC\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971159',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft OLE DB Provider for .{0,30} [eE]rror '" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971076',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSQL Server does not exist or access denied\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971096',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted; the operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971099',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bcannot take a \w+ data type as an argument\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971060',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in either an aggregate function or the GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971087',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThe column prefix .{0,50}? does not match with a table name or alias name used in the query\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971155',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid PostgreSQL result\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971088',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax;" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971150',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MySQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971156',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted. Requested\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971067',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bincorrect syntax near (?:\'|the\b|\@\@error\b)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971152',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+
+# IIS Errors leakage
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)Microsoft \.NET Framework Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971123',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY ">error \'ASP\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971111',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971116',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)ASP\.NET Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971124',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bA trappable error occurred in an external object\. The script cannot continue running\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971122',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime Error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971125',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971121',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.aspx\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971113',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971126',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bObject required\: \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971112',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\bApplication uses a value of the wrong type for the current operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971115',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.asp\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971127',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\berror\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971114',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971119',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'3'"
+SecRule RESPONSE_STATUS "!^404$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# Directory Listing
+SecRule RESPONSE_BODY ">[To Parent Directory]</[Aa]><br>" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971202',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<TITLE>Index of.*?<H1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971201',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<title>Index of.*?<h1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971200',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+             

rules/base_rules/modsecurity_crs_60_correlation.conf

@@ -0,0 +1,43 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Correlated Successful Attack
+#
+SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})'"
+        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Correlated Attack Attempt 
+#
+SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})'"
+	SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Alert on High Anomaly Scores
+#
+#SecRule TX:ANOMALY_SCORE "@ge 40" \
+#    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+# Alert on any anomalies
+#
+SecRule TX:ANOMALY_SCORE "@ge 5" \
+    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+SecMarker END_CORRELATION