Merge 2.5.x changes to trunk.

CHANGES

@@ -1,4 +1,4 @@
-23 July 2009 - trunk
+27 July 2009 - trunk
 --------------------
 
  * Allow mlogc to periodically flush memory pools.

apache2/mlogc-src/mlogc-default.conf

@@ -64,6 +64,13 @@ ErrorLogLevel       3
 # over a slow link (e.g. not over a LAN).
 MaxConnections      10
 
+# How many requests a worker will process before recycling itself.
+# This is to help prevent problems due to any memory leaks that may
+# exists.  If this is set to 0, then no maximum is imposed. The default
+# is 1000 requests per worker (the number of workers is controlled by the
+# MaxConnections limit).
+MaxWorkerRequests   1000
+
 # The time each connection will sit idle before being reused,
 # in milliseconds. Increase if you don't want ModSecurity Console
 # to be hit with too many log collector requests.

apache2/mlogc-src/mlogc.c

@@ -151,6 +151,7 @@ int                          keep_entries = 0;
 const char                  *log_repository = NULL;
 void                        *logline_regex = NULL;
 int                          max_connections = 10;
+int                          max_worker_requests = 1000;
 apr_global_mutex_t          *gmutex = NULL;
 apr_thread_mutex_t          *mutex = NULL;
 apr_pool_t                  *pool = NULL;
@@ -835,6 +836,13 @@ static void init_configuration(void)
         error_log(LOG_DEBUG2, NULL, "MaxConnections=%d", max_connections);
     }
 
+    s = apr_table_get(conf, "MaxWorkerRequests");
+    if (s != NULL) {
+        int v = atoi(s);
+        if (v >= 0) max_worker_requests = v;
+        error_log(LOG_DEBUG2, NULL, "MaxWorkerRequests=%d", max_worker_requests);
+    }
+
     s = apr_table_get(conf, "KeepAlive");
     if (s != NULL) {
         int v = atoi(s);
@@ -1221,6 +1229,7 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
     apr_pool_t *tpool;
     struct curl_slist *headerlist = NULL;
     char curl_error_buffer[CURL_ERROR_SIZE] = "";
+    int num_requests = 0;
 
     /* There is no need to do the sleep if this was an invalid entry
      * as the sleep is just to protect flooding the console server
@@ -1311,6 +1320,11 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
         error_log(LOG_DEBUG, thread, "Processing entry.");
         take_new = 0;
 
+        /* Keep track of requests processed if we need to */
+        if (max_worker_requests > 0) {
+            num_requests++;
+        }
+
         rc = pcre_exec(logline_regex, NULL, entry->line, entry->line_size, 0, 0,
             capturevector, CAPTUREVECTORSIZE);
         if (rc == PCRE_ERROR_NOMATCH) { /* No match. */
@@ -1479,6 +1493,15 @@ static void * APR_THREAD_FUNC thread_worker(apr_thread_t *thread, void *data)
                 take_new = 1;
                 nodelay = 1;
             }
+
+            /* If we are tracking num_requests, then shutdown if we are
+             * over our threshold.
+             */
+            if (num_requests && (num_requests >= max_worker_requests)) {
+                error_log(LOG_NOTICE, thread, "Reached max requests (%d) for this worker, exiting.", max_worker_requests);
+
+                goto THREAD_SHUTDOWN;
+            }
         }
 
         THREAD_CLEANUP:

apache2/t/regression/action/10-logging.t

@@ -134,9 +134,7 @@
 		SecAction "phase:1,pass,nolog,auditlog"
 	),
 	match_log => {
-		-error => [ qr/ModSecurity: /, 1 ],
-		# No message, but should have data.  This may need changed
-		audit => [ qr/-H--\s+Stopwatch: /s, 1 ],
+		audit => [ qr/-H--\s+Message: .*Stopwatch: /s, 1 ],
 	},
 	match_response => {
 		status => qr/^200$/,

apache2/t/regression/misc/00-multipart-parser.t

@@ -30,11 +30,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -70,11 +70,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--),
 		),
@@ -111,11 +111,11 @@
 			q(
 				--------------------------------------------------boundary
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				--------------------------------------------------boundary
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				--------------------------------------------------boundary--
 			),
@@ -154,11 +154,11 @@
 			q(
 				----------0xKhTmLbOuNdArY
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				----------0xKhTmLbOuNdArY
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				----------0xKhTmLbOuNdArY--
 			),
@@ -195,11 +195,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				--test
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				--
 				-----------------------------69343412719991675451336310646--),
 		),
@@ -235,11 +235,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 			),
 		),
@@ -273,10 +273,10 @@
 		normalize_raw_request_data(
 			q(
 				-----------------------------69343412719991675451336310646
-
+				
 				1
 				-----------------------------69343412719991675451336310646
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -311,11 +311,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -351,11 +351,11 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data;
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data;
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),
@@ -391,13 +391,13 @@
 			q(
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="a"
-
+				
 				1
 				-----------------------------69343412719991675451336310646
 				:
 				-----------------------------69343412719991675451336310646
 				Content-Disposition: form-data; name="b"
-
+				
 				2
 				-----------------------------69343412719991675451336310646--
 			),

doc/modsecurity2-apache-reference.xml

@@ -6,7 +6,7 @@
   Manual</title>
 
   <articleinfo>
-    <releaseinfo>Version 2.6.0-trunk (July 23, 2009)</releaseinfo>
+    <releaseinfo>Version 2.6.0-trunk (July 27, 2009)</releaseinfo>
 
     <copyright>
       <year>2004-2009</year>
@@ -249,11 +249,12 @@
   <section id="installation">
     <title>Installation</title>
 
-    <para>ModSecurity installation consists of the following steps:</para>
+    <para>ModSecurity installation requirements:</para>
 
     <orderedlist continuation="restarts" inheritnum="ignore">
       <listitem>
-        <para>ModSecurity 2.x works with Apache 2.0.x or better.</para>
+        <para>ModSecurity 2.x works only with Apache 2.0.x or higher. Version
+        2.2.x is highly recommended.</para>
       </listitem>
 
       <listitem>
@@ -264,17 +265,31 @@
       </listitem>
 
       <listitem>
-        <para>Install the latest version of libxml2, if it isn't already
-        installed on the server.</para>
+        <para>libapr and libapr-util</para>
+
+        <para><ulink type=""
+        url="http://apr.apache.org/">http://apr.apache.org/</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para>libpcre</para>
+
+        <para><ulink type=""
+        url="http://www.pcre.org/">http://www.pcre.org/</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para>libxml2</para>
 
         <para><ulink type=""
         url="http://xmlsoft.org/downloads.html">http://xmlsoft.org/downloads.html</ulink></para>
       </listitem>
 
       <listitem>
-        <para>Optionally install the latest version of Lua in the 5.1.x
-        branch, if it isn't already installed on the server and you will be
-        using the new Lua engine.</para>
+        <para>liblua v5.1.x</para>
+
+        <para>This library is optional and only needed if you will be using
+        the new Lua engine.</para>
 
         <para><ulink type=""
         url="http://www.lua.org/download.html">http://www.lua.org/download.html</ulink></para>
@@ -284,6 +299,21 @@
         distribution is recommended.</para>
       </listitem>
 
+      <listitem>
+        <para>libcurl v7.15.1 or higher</para>
+
+        <para>If you will be using the ModSecurity Log Collector (mlogc) to
+        send audit logs to a central repository, then you will also need the
+        curl library.</para>
+
+        <para><ulink type=""
+        url="http://curl.haxx.se/libcurl/">http://curl.haxx.se/libcurl/</ulink></para>
+      </listitem>
+    </orderedlist>
+
+    <para>ModSecurity installation consists of the following steps:</para>
+
+    <orderedlist continuation="restarts" inheritnum="ignore">
       <listitem>
         <para>Stop Apache httpd</para>
       </listitem>
@@ -444,6 +474,16 @@ LoadFile /usr/lib/liblua5.1.so</programlisting></para>
       moreinfo="none">WITH_PCRE_STUDY</literal> defined,which would possibly
       give you a slight performance edge in regular expression
       processing.</para>
+
+      <para>Non-gcc compilers may have problems running out-of-the-box as the
+      current build system was designed around the gcc compiler and some
+      compiler/linker flags may differ. To use a non-gcc compiler you may need
+      some manual Makefile tweaks if issues cannot be solved by exporting
+      custom CFLAGS and CPPFLAGS environment variables.</para>
+
+      <para>If you are upgrading from ModSecurity 1.x, please refer to the
+      migration matrix at <ulink type=""
+      url="http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf">http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf</ulink></para>
     </note>
   </section>
 

rules/CHANGELOG

@@ -1,10 +1,106 @@
+--------------------------
+Version 2.0 - 07/29/2009
+--------------------------
+
+New Rules & Features:
+- Fine Grained Policy
+    The rules have been split to having one signature per rule instead of having
+    all signatures combined into one optimized regular expression.
+    This should allow you to modify/disable events based on specific patterns
+    instead of having to deal with the whole rule.
+- Converted Snort Rules
+    Emerging Threat web attack rules have been converted.
+    http://www.emergingthreats.net/
+- Anomaly Scoring Mode Option
+    The rules have been updated to include anomaly scoring variables which allow
+    you to evaluate the score at the end of phase:2 and phase:5 and decide on what 
+    logging and disruptive actions to take based on the score.
+- Correlated Events
+    There are rules in phase:5 that will provide some correlation between inbound
+    events and outbound events and will provide a result of successful atttack or
+    attempted attack.
+- Updated Severity Ratings
+    The severity ratings in the rules have been updated to the following:
+    - 0: Emergency - is generated from correlation where there is an inbound attack and
+         an outbound leakage.
+    - 1: Alert - is generated from correlation where there is an inbound attack and an
+         outbound application level error.
+    - 2: Critical - is the highest severity level possible without correlation.  It is
+         normally generated by the web attack rules (40 level files).
+    - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+    - 4: Warning - is generated by malicious client rules (35 level files).
+    - 5: Notice - is generated by the Protocol policy and anomaly files.
+    - 6: Info - is generated by the search engine clients (55 marketing file). 
+- Updated Comment SPAM Protections
+    Updated rules to include RBL lookups and client fingerprinting concepts from
+    Bad Behavior (www.bad-behavior.ioerror.us)
+- Creation of Global Collection
+    Automatically create a Global collection in the *10* config file.  Other rules
+    can then access it.
+- Use of Block Action
+    Updated the rules to use the "block" action.  This allows the Admin to globally
+    set the desired block action once with SecDefaultAction in the *10* config file 
+    rather than having to edit the disruptive actions in all of the rules or for 
+    the need to have multiple versions of the rules (blocking vs. non-blocking).
+- "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+   http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html 
+- "Possibly malicious iframe tag in output" (Rules 981001,981002)
+    Planting invisible iframes in a site can be used by attackers to point users
+    from the victim site to their malicious site. This is actually as if the
+    user was visiting the attacker's site himself, causing the user's browser to
+    process the content in the attacker's site.
+		 
+New Events:
+- Rule 960019 - Expect Header Not Allowed.
+- Rule 960020 - Pragma Header Requires Cache-Control Header
+- Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+                as it is reserved for use as a fragment identifier within the html page.
+- Rule 958291 - Range: field exists and begins with 0.
+- Rule 958292 - Invalid Request Header Found.
+- Rule 958293 - Lowercase Via Request Header Found.
+- Rule 958294 - Common SPAM Proxies found in Via Request Header.
+- Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+- Rule 958296 - Request Indicates a SPAM client accessed the Site.
+- Rule 958297 - Common SPAM/Email Harvester crawler.
+- Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+- Rule 950107 - Split the rule into 2 separate rules to factor in the
+                Content-Type when inspecting the REQUEST_BODY variable.
+- Rule 960017 - Bug fix for when having port in the host header.
+- Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+- Rule 950801 - Increased the logic so that the rule will only run if the web site
+                uses UTF-8 Encoding.
+- Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+                        allow the IPv6 loopback address
+- Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+                and to identify offsite hosts by comparing the ARG URI to the Host 
+                header.  Due to this rule now being stronger, moved it from optional
+                tight security rule to *40* generic attacks file.
+
+Other Fixes:
+- Added more HTTP Protocol violations to *20* file.
+- Set the SecDefaultAction in the *10* config file to log/pass (This was the
+  default setting, however this sets it explicitly.
+- Added SecResponseBodyLimitAction ProcessPartial to the *10* config file.  This
+  was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+  not deny response bodies that go over the size restrictions.
+- Changed SecServerSignature to "Apache/1.3.28"
+- Fixed the use of SkipAfter and SecMarkers to make it consistent.  Now have 
+  BEGIN and END SecMarkers for rule groups to more accurately allow moving to 
+  proper locations.
+- Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+  This removes the need for some SecAction/SkipAfter rules.
+- Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+  rules and chained rules).
+
 --------------------------
 Version 1.6.1 - 2008/04/22
 --------------------------
 
 - Fixed a bug where phases and transformations where not specified explicitly
     in rules. The issue affected a significant number of rules, and we strongly
-		recommend to upgrade.
+    recommend to upgrade.
 
 --------------------------
 Version 1.6.0 - 2008/02/19

rules/README

@@ -3,7 +3,7 @@
 ModSecurity Core Rule Set
 ==============================
 
-(c) 2006-2007 Breach Secuiry Inc.
+(c) 2006-2009 Breach Secuiry Inc.
 
 The ModSecurity Core Rule Set is provided to you under the terms and 
 conditions of GPL version 2
@@ -33,10 +33,12 @@ Rule Set is heavily commented to allow it to be used as a step-by-step
 deployment guide for ModSecurity.
 
 For more information refer to the Core Rule Set page at
-http://www.modsecurity.org/
-
-
+http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 
+Core Rules Mail-list - 
+Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
+Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
+  
 Core Rule Set Structure & Usage
 ====================================
 
@@ -46,10 +48,15 @@ To activate the rules for your web server installation:
      Additionally you may want to edit modsecurity_crs_30_http_policy.conf
      which enforces an application specific HTTP protocol usage.
 
+     Should also update the appropriate anomaly scoring level in the
+     modsecurity_crs_49_enforcement.conf and modsecurity_crs_60_correlation.conf
+     files.  This will determine when you log and block events.
+
   2) Add the following line to your httpd.conf (assuming
      you've placed the rule files into conf/modsecurity/):
 
      Include conf/modsecurity/*.conf
+     Include conf/modsecurity/base_rules/*conf
 
   3) Restart web server.
 

rules/base_rules/modsecurity_40_generic_attacks.data

@@ -0,0 +1,277 @@
+set-cookie
+.cookie
+expiressys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwritejscript
+onsubmit
+copyparentfolder
+javascript
+meta
+onchange
+onmove
+onkeydown
+onkeyup
+activexobject
+onerror
+onmouseup
+ecmascript
+bexpression
+onmouseover
+vbscript:
+<![cdata[
+http:
+.innerhtml
+settimeout
+shell:
+onabort
+asfunction:
+onkeypress
+onmousedown
+onclick
+.fromcharcode
+background-image:
+.cookie
+x-javascript
+ondragdrop
+onblur
+mocha:
+javascript:
+onfocus
+lowsrc
+getparentfolder
+onresize
+@import
+alert
+script
+onselect
+onmouseout
+application
+onmousemove
+background
+.execscript
+livescript:
+vbscript
+getspecialfolder
+.addimport
+iframe
+onunload
+createtextrange
+<input
+onload.www_acl
+.htpasswd
+.htaccess
+httpd.conf
+boot.ini
+/etc/
+.htgroup
+global.asa
+.wwwaclnet.exe
+cmd.exe
+cmd
+telnet.exe
+wguest.exe
+ftp.exe
+nmap.exe
+wsh.exe
+rcmd.exe
+nc.exe
+cmd32.exechgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++chgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++<?

rules/base_rules/modsecurity_41_sql_injection_attacks.data

@@ -0,0 +1,114 @@
+sys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwrite

rules/base_rules/modsecurity_46_et_sql_injection.data

@@ -0,0 +1,346 @@
+/ASPKAT.ASP
+/DocPay.w2b
+/G_Display.php
+/HABERLER.ASP
+/HaberDetay.asp
+/News/page.asp
+/OmegaMw7.asp
+/ProductDetails.asp
+/Search/DisplayResults.php
+/SecureLoginManager/list.asp
+/SelGruFra.asp
+/Types.asp
+/ViewBugs.php
+/ViewCat.php
+/ViewReport.php
+/account_change.php
+/activeNews_categories.asp
+/activeNews_comments.asp
+/activenews_search.asp
+/activenews_view.asp
+/actualpic.asp
+/ad.asp
+/add2.php
+/add_comment.php
+/addrating.php
+/admin.asp
+/admin.php
+/admin/admin_acronyms.php
+/admin/admin_annonce/changeannonce.php
+/admin/admin_annonce/okvalannonce.php
+/admin/admin_mail_adressee.asp
+/admin/admin_membre/fiche_membre.php
+/admin/cms/opentree.php
+/admin/config.php
+/admin/edit.asp
+/admin/memberlist.php
+/admin/modules/modules.php
+/admin_check_user.asp
+/admin_hacks_list.php
+/admincp/attachment.php
+/administration/administre2.php
+/albmgr.php
+/applications/SecureLoginManager/inc_secureloginmanager.asp
+/aramayap.asp
+/archives.php
+/articles.asp
+/artreplydelete.asp
+/auth.php
+/badword.asp
+/banner.php
+/bb-includes/formatting-functions.php
+/blocks/block-Old_Articles.php
+/boxx/ShowAppendix.asp
+/bry.asp
+/bt-trackback.php
+/bus_details.asp
+/calendar_detail.asp
+/cart.inc.php
+/cat.asp
+/categoria.php
+/category.php
+/cats.asp
+/cgi-bin/reorder2.asp
+/check_vote.php
+/class/debug/debug_show.php
+/class/table_broken.php
+/classes/class.news.php
+/classes/class_session.php
+/code/guestadd.php
+/com_comment.php
+/comersus_optReviewReadExec.asp
+/comment.php
+/comments.php
+/compareHomes.asp
+/compare_product.php
+/connexion.php
+/content.asp
+/content.php
+/coupon_detail.asp
+/dagent/downloadreport.asp
+/database/table/user.php
+/db_ecard.php
+/default.asp
+/default2.asp
+/detail.asp
+/detail.php
+/details.asp
+/dettaglio.asp
+/devami.asp
+/diary.php
+/dirSub.asp
+/dircat.asp
+/directions.php
+/directory.php
+/dispimage.asp
+/displayCalendar.asp
+/display_review.php
+/displaypic.asp
+/dl.php
+/dlwallpaper.php
+/down.asp
+/down_indir.asp
+/download_image.asp
+/duyuru.asp
+/eWebQuiz.asp
+/edit.asp
+/edit_day.php
+/email.php
+/error.asp
+/etkinlikbak.asp
+/example.php
+/faq.php
+/faqDsp.asp
+/filecheck.php
+/filelist.asp
+/forgotpass.asp
+/forum.asp
+/forum.php
+/forum/include/error/autherror.cfm
+/forum/modules/gallery/post.php
+/forum/pop_up_member_search.asp
+/forum2.asp
+/forums.php
+/functions.php
+/functions/functions_filters.asp
+/gallery.asp
+/gallery.php
+/game.php
+/game_listing.php
+/getnewsitem.php
+/giris.asp
+/giris_yap.asp
+/glossaire-p-f.php
+/gmail.php
+/goster.asp
+/guestbook.php
+/h_goster.asp
+/haber.asp
+/haberdetay.asp
+/haberoku.asp
+/home.php
+/homeDetail.asp
+/i-search.php
+/inc/class_users.php
+/inc/common.php
+/inc_listnews.asp
+/include.php
+/includes/a_register.asp
+/includes/mambo.php
+/includes/nsbypass.php
+/includes/rating.php
+/index.asp
+/index.cfm
+/index.php
+/index1.asp
+/info_book.asp
+/info_user.asp
+/inlinemod.php
+/inout/status.asp
+/inout/update.asp
+/install.php
+/item.asp
+/item.php
+/item_list.asp
+/item_show.asp
+/ixm_ixpnews.php
+/journal.php
+/jump.php
+/kategori.asp
+/kernel/group.php
+/kullanicilistesi.asp
+/letterman.class.php
+/lib/entry_reply_entry.php
+/linkslist.asp
+/lire-avis.php
+/list.asp
+/list.php
+/list_comments.php
+/listfull.asp
+/listings.asp
+/listmain.asp
+/listmembers.php
+/listpics.asp
+/login.asp
+/login.php
+/login/register.asp
+/logon_user.php
+/low.php
+/mailer.w2b
+/main.asp
+/main/auth/my_progress.php
+/main_page.php
+/mainfile.php
+/manufacturer.php
+/meal_rest.asp
+/members.asp
+/mesajkutum.asp
+/mezungiris.asp
+/mod.php
+/mod_banners.php
+/models/category.php
+/modules.php
+/modules/Advertising/admin/index.php
+/modules/News/index.php
+/modules/admin/modules/gallery.php
+/modules/mod_mainmenu/menu.php
+/moscomment.php
+/mystats.php
+/navigacija.php
+/news.asp
+/news.php
+/news_detail.asp
+/news_page.asp
+/newsdetail.asp
+/newsletters/edition.php
+/nickpage.php
+/nukesentinel.php
+/ogretmenkontrol.asp
+/oku.asp
+/openPolicy.asp
+/open_tree.php
+/openlink.asp
+/orange.asp
+/order-track.php
+/outputs.php
+/page.asp
+/page.php
+/pages/addcomment2.php
+/pfs/pfs.edit.inc.php
+/philboard_forum.asp
+/phonemessage.asp
+/php-stats.recphp.php
+/plugins/authentication/ldap.php
+/plugins/ipsearch/ipsearch.admin.php
+/plugins/mp3playlist/mp3playlist.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/pms.php
+/pollmentorres.asp
+/polls.php
+/pop_profile.asp
+/post.php
+/postingdetails.php
+/preferences.asp
+/prikazInformacije.php
+/print.asp
+/print.php
+/printarticle.asp
+/printmain.asp
+/printview.php
+/process.php
+/prodList.asp
+/product.asp
+/product_review.php
+/productdetail.asp
+/products.asp
+/public/code/cp_downloads.php
+/publication_view.asp
+/publications_list.asp
+/question.php
+/rating.asp
+/read/index.php
+/recipe.php
+/register.php
+/repass.php
+/res_details.asp
+/result.asp
+/result.php
+/rss.asp
+/rss/show_webfeed.php
+/save.php
+/search.asp
+/search.php
+/search_listing.asp
+/searchkey.asp
+/searchmain.asp
+/searchoption.asp
+/section/default.asp
+/send_password_preferences.asp
+/sendarticle.asp
+/set_preferences.asp
+/shared/code/cp_authorization.php
+/shared/code/cp_functions_downloads.php
+/shopgiftregsearch.asp
+/show_joined.php
+/show_news.php
+/show_owned.php
+/showfile.asp
+/simplog/archive.php
+/simplog/index.php
+/slideshow.asp
+/sptrees/default.aspx
+/style.php
+/stylesheet.php
+/subcat.php
+/system/core/users/users.register.inc.php
+/system/index.php
+/templates/modif.html
+/thread.php
+/thumbnails.asp
+/thumbnails.php
+/topic_title.php
+/torrents.php
+/tracking/courseLog.php
+/types.asp
+/update_profile.php
+/urunbak.asp
+/user.asp
+/user.php
+/user_confirm.asp
+/user_pages/page.asp
+/userdetail.php
+/usergroups.php
+/usermgr.php
+/users.php
+/utilities/usermessages.asp
+/uye_giris_islem.asp
+/vBSupport.php
+/vdateUsr.asp
+/vehiclelistings.asp
+/verify.php
+/vf_memberdetail.asp
+/view.php
+/view_gallery.asp
+/view_profile.php
+/view_recent.asp
+/viewad.asp
+/viewcat.php
+/viewimage.php
+/viewlinks.asp
+/viewthread.php
+/virtuemart_parser.php
+/visu_user.asp
+/voirannonce.php
+/wallpaper.php
+/wbsearch.aspx
+/windows.asp
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-trackback.php
+/xNews.php
+/xmlrpc.php

rules/base_rules/modsecurity_46_et_web_rules.data

@@ -0,0 +1,55 @@
+.aspx
+.php
+/CCMAdmin/serverlist.asp
+/OpenView5.exe
+/WindowManager.dll
+/apage.cgi
+/awstats.pl
+/cfexec.cfm
+/class.csv.php
+/cmd-asp-5.1.asp
+/cmd.exe
+/cmd.php
+/cmdasp.asp
+/cmdasp.aspx
+/cmdjsp.jsp
+/contact/contact/index.php
+/default.aspx
+/functionen/ref_kd_rubrik.php
+/grab_globals.lib.php
+/graph_image.php
+/help_text_vars.php
+/hg_referenz_jobgalerie.php
+/include/sessionRegister.php
+/index.php
+/jsp-reverse.jsp
+/misc.php
+/module/referenz.php
+/nquser.php
+/passwiki.php
+/perlcmd.cgi
+/php-backdoor.php
+/piranha/secure/control.php3
+/pmwiki.php
+/prod.php
+/produkte_nach_serie.php
+/produkte_nach_serie_alle.php
+/ref_kd_rubrik.php
+/simple-backdoor.php
+/site_conf.php
+/standard/1/lay.php
+/standard/3/lay.php
+/surfer_aendern.php
+/surfer_anmeldung_NWL.php
+/tiki-featured_link.php
+/wf_startpage.js
+/wf_startqs.htm
+/whcsh_home.htm
+/whstart.js
+/wp-login.php
+/wps_shop.cgi
+?Redirect
+forumdisplay.php
+graph_view.php
+tree.php
+webmail.exe

rules/base_rules/modsecurity_50_outbound.data

@@ -0,0 +1,91 @@
+<TITLE>Index of
+><br>
+<title>Index ofMicrosoft VBScript runtime (0x8
+error '800
+Application uses a value of the wrong type for the current operation
+Microsoft VBScript compilation (0x8
+Microsoft VBScript compilation error
+Microsoft .NET Framework Version:
+A trappable error occurred in an external object. The script cannot continue running
+rror
+Microsoft VBScript runtime Error
+>error 'ASP
+ADODB.Command
+Object required: '
+<b>Version Information:</b> does not match with a table name or alias name used in the query
+Either BOF or EOF is True, or the current record has been deleted; the operation
+PostgreSQL query failed:
+You have an error in your SQL syntax near '
+ORA-
+select list because it is not contained in either an aggregate function or the GROUP BY clause
+Syntax error converting the 
+supplied argument is not a valid MS SQL
+supplied argument is not a valid Oracle
+Unclosed quotation mark before the character string
+Warning: mysql_connect():
+Unable to connect to PostgreSQL server:
+SQL Server does not exist or access denied
+microsoft jet database engine error '8
+supplied argument is not a valid PostgreSQL result
+Microsoft OLE DB Provider for 
+You have an error in your SQL syntax;
+Either BOF or EOF is True, or the current record has been deleted
+supplied argument is not a valid ODBC
+supplied argument is not a valid MySQL
+[Microsoft][ODBC 
+error '800a01b8'
+ data type as an argument.
+select list because it is not contained in an aggregate function and there is no GROUP BY clause
+' in sysservers. execute sp_addlinkedserver
+incorrect syntax near These statistics were produced by PeLAB
+This analysis was produced by
+These statistics were produced by getstats
+This report was generated by WebLog
+ebalizer
+This summary was generated byfgets
+move_uploaded_file
+$_session
+ftp_fget
+ftp_put
+readfile
+ftp_nb_put
+gzencode
+bzopen
+fopen
+readdir
+$_post
+gzread
+ftp_nb_fput
+ftp_nb_fget
+ftp_get
+$_get
+scandir
+fscanf
+readgzfile
+fread
+fgetc
+proc_open
+ftp_fput
+fgetss
+ftp_nb_get
+fwrite
+session_start
+gzopen
+gzcompress
+gzwriteserver.urlencode
+server.createobject
+scripting.filesystemobject
+server.execute
+wscript.shell
+<jsp:
+.createtextfile
+.addheader
+wscript.network
+javax.servlet
+.loadfromfile
+server.mappath
+vbscript.encode
+server.htmlencode
+response.write
+response.binarywrite
+.getfile

rules/base_rules/modsecurity_crs_20_protocol_violations.conf

@@ -0,0 +1,122 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#  
+#
+
+# Validate request line
+#
+SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
+    "t:none,t:lowercase,phase:2,block,nolog,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+# Block request with malformed content.
+# ModSecurity will not inspect these, but the server application might do so
+#
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+
+# Accept only digits in content length 
+#
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
+
+# Do not accept GET or HEAD requests with bodies
+# HTTP standard allows GET requests to have a body but this
+# feature is not used in real life. Attackers could try to force
+# a request body on an unsuspecting web applications.
+#
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+1,setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Require Content-Length to be provided with every POST request.
+#
+SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
+	SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Don't accept transfer encodings we know we don't know how to handle
+#
+# NOTE ModSecurity does not support chunked transfer encodings at
+#      this time. You MUST reject all such requests.
+#
+SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Expect header is an HTTP/1.1 protocol feature
+#
+SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,t:none,nolog,block,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960019',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Pragma Header requires a Cache-Control Header
+#	
+SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
+		SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Range Header exists and begins with 0 - normal browsers don't do this.
+#		
+SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Broken/Malicous clients often have duplicate or conflicting headers
+#
+SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Check encodings
+SecRule REQUEST_URI "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_BODY "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+		SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Check UTF enconding
+# This rule checks to see if your system uses UTF encoding.
+SecRule RESPONSE_HEADERS:Content-Type "charset=utf-8" \
+	"phase:3,t:none,pass,nolog,setvar:global.utf8_encoding_used=1"
+
+# If UTF-8 encoding was detected in the server's respone headers, run this rule on inbound data.
+SecRule GLOBAL:UTF8_ENCODING_USED "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+
+# Disallow use of full-width unicode
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
+  "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Proxy access attempt
+# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
+#      included in case Apache proxy is misconfigured.
+# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
+#      your local application and this rule allows it.
+# NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable.
+SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
+	SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
+
+#
+# Restrict type of characters sent
+#
+# NOTE In order to be broad and support localized applications this rule
+#      only validates that NULL Is not used.
+#
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
+#
+# TODO If your application use the range 32-126 for parameters.
+#
+#SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
+#	"@validateByteRange 32-126" \
+#	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matchedvar}"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
+	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"

rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf

@@ -0,0 +1,73 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#
+
+# Do not accept requests without common headers. 
+# Implies either an attacker or a legitimate automation client. 
+#
+
+# Detect HTTP/0.9 Requests
+SecRule REQUEST_PROTOCOL ^HTTP/0.9$ "t:none,phase:2,nolog,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_HOST_CHECK
+
+	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    		"skipAfter:END_HOST_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Host "^$" \
+    		"phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+    
+
+SecMarker BEGIN_ACCEPT_CHECK
+
+	SecRule &REQUEST_HEADERS:Accept "@eq 0" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Accept "^$" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_ACCEPT_CHECK
+
+SecMarker BEGIN_UA_CHECK
+
+	SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+    		"skipAfter:END_UA_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:User-Agent "^$" \
+    		"t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_UA_CHECK
+
+
+SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+    "chain,phase:2,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+
+# Check that the host header is not an IP address 
+#
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
+
+
+# Log a security event when the request is rejected by apache
+#
+# You must patch mod_unique_id for this to work correctly.  See the following
+# mod-security-users mail-list post for the patch details -
+# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
+#
+SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,nolog,auditlog,pass,msg:'Invalid request',id:'960913',severity:'4'"
+	SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.leakage_score=+1,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_23_request_limits.conf

@@ -0,0 +1,69 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+#      Note that most of the rules are commented out by default.
+#      Uncomment the rules you need
+#
+
+## -- Arguments limits --
+
+# Limit argument name length
+#SecRule ARGS_NAMES "@gt 100" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit value name length
+#SecRule ARGS "@gt 400" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Maximum number of arguments in request limited
+SecRule &ARGS "@gt 255" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit arguments total length
+#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+## -- File upload limits --
+
+# Individual file size is limited
+#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Combined file size is limited
+#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4',setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+
+## -- Apache Limits --
+
+# These are Apache limit directives, but we are including them here because
+# they are often forgotten. If you already have these configured leave this
+# section entirely commented-out. Otherwise review the limits and uncomment
+# the directives.
+
+# Maximum size of the request body.
+#
+# NOTE If your application allows file uploads the value below will
+#      most likely be way to low.
+#
+#LimitRequestBody 64000
+
+# Maximum number of request headers in a request.
+#
+#LimitRequestFields 32
+
+# Maximum size of request header lines.
+#
+#LimitRequestFieldSize 8000
+
+# Maximum size of the request line.
+#
+#LimitRequestLine 4000
+

rules/base_rules/modsecurity_crs_35_bad_robots.conf

@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE Bad robots detection is based on checking elements easily 
+#      controlled by the client. As such a determined attacked can bypass
+#      those checks. Therefore bad robots detection should not be viewed as
+#      a security mechanism against targeted attacks but rather as a nuisance
+#      reduction, eliminating most of the random attacks against your web
+#      site. 
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "^/nessustest" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|w(?:eb(?:emailextrac| by mail|altbot)|i(?:se(?:nut)?bot|ndows xp 5)|ordpress\/4\.01|3mir)|a(?:t(?:tache|hens)|utoemailspider|dsarobot| href=)|m(?:ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:(?:oe-component-clien|ackra)t|cbrowser|surf)|c(?:ompatible(?: ; msie|-)|hinaclaw)|f(?:astlwspider|loodgate)|t(?:uring machine|akeout)|g(?:rub-client|ecko\/25)|h(?:hjhj@yahoo|anzoweb)|d(?:igout4u|ts )agent|larbin@unspecified|(?:; widow|zeu)s|\bdatacha0s\b|user-agent:|rsync|shai|\\r)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
+        "chain,phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
+SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MISC-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_40_generic_attacks.conf

@@ -0,0 +1,399 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Begin RegEx Checks for rules that could not use @pm prequalifications
+#
+
+#
+# HTTP Parameter Pollution
+#
+SecRule ARGS_NAMES ".*" \
+	"chain,phase:2,t:none,nolog,auditlog,pass,capture,setvar:'tx.arg_name_%{tx.0}=+1',msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'" 
+        SecRule TX:/ARG_NAME_*/ "@gt 1" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+#
+# Coldfusion injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# LDAP injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# SSI injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+
+#
+# UPDF XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Email Injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+# HTTP Request Smuggling
+#
+SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,block,nolog,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{matched_var}"
+
+#
+# HTTP Response Splitting
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
+        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+
+
+#
+# RFI Attack
+#
+# See - http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+#
+SecRule ARGS "^(?:ht|f)tps?:\/\/([\d\.]+)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:ft|htt)ps?.*\?+$" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
+        "chain,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
+        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_40_generic_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_PM_CHECK,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+	#
+	# Session fixation
+	#
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?expires\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950301',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?domain\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950300',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\bhttp-equiv\W+set-cookie\b" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950302',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+ 
+	
+	
+	#
+	# File Injection
+	#
+	SecRule TX:/PM_DATA_*/ "\bboot\.ini\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958711',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\/etc\/" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958700',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htaccess\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958706',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958708',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bhttpd\.conf\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958705',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bglobal\.asa\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958712',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.wwwacl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958710',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.www_acl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958709',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958707',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	        
+
+	#
+	# Command access
+	#
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958503',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958500',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958504',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972022',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972032',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958502',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972030',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972029',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972031',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958501',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958505',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"        
+
+	#
+	# Command injection
+	#
+	SecRule TX:/PM_DATA_*/ "\btclsh8\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958929',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958870',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bperl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958873',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcpp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958928',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpython\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958887',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958828',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\buname\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958898',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958888',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\b\W+?\blocalgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958830',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bls\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958883',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchown\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958877',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958832',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958891',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\brm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958894',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958839',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bfinger\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958881',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958890',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\becho\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958872',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bxterm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958879',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bkill\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958884',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958927',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bping\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958893',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\b\W*?[\\/]" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958821',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\btelnet\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958889',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchmod\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958876',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958838',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958871',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958829',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bg\+\+" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958875',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnasm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958882',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958824',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\blsof\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958897',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bid\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958885',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958834',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btracert\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958926',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnmap\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958896',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\becho\b\W*?\by+\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958826',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btraceroute\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958837',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958836',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bgcc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958874',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bchmod.{0,40}?\+.{0,3}x" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958822',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bps\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958886',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958827',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcmd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958892',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btclsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958833',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bmail\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchgrp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958878',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\W*?\.\." \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958925',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958823',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	#
+	# PHP injection
+	#
+	
+	SecRule TX:/PM_DATA_*/ "<\?(?!xml)" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958823',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	SecRule TX:/PM_DATA_*/ "\bproc_open\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958976',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958972',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958963',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958965',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfscanf\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958959',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958978',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetss\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958955',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_post\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958941',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bsession_start\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958982',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breaddir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958977',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958973',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bscandir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958981',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958962',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958958',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadgzfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958979',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958967',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958968',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzencode\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958970',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958957',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_session\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958942',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958964',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958961',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzcompress\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958969',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bbzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958946',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958971',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetc\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958953',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bmove_uploaded_file\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958975',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958966',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958940',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgets\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958954',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958960',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+SecMarker END_PM_CHECK

rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

@@ -0,0 +1,442 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_41_sql_injection_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_sqli_score=+1,setvar:tx.pm_sqli_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SQLI_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_SQL_INJECTION_PM,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+
+	#
+	# Blind SQL injection
+	#
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_catalog\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bconstraint_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959503',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959521',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysqueries\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959509',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysaces\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959506',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@spid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959500',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcharindex\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959502',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.all_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959515',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959518',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}buser\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959514',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bwaitfor\b\W*?\bdelay\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959538',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959507',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959513',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_triggers\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959522',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\blocate\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959505',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysrelationships\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959510',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959520',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battnotnull\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959501',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959508',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.tab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959516',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bascii\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959512',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_views\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959523',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binstr\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959504',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959519',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmysql\.user\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959511',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+			
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959918',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\ball_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959900',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_class\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959910',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscat\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959524',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959912',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysdba\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959527',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btextpos\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959533',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battrelid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_attribute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959909',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_password\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959917',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959919',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959534',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxtype\W+\bchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959537',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959916',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysfilegroups\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959528',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959525',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959913',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959530',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysibm\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959529',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_ind_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959535',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysprocesses\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959531',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmb_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btable_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959914',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsystables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959532',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959907',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\brownum\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959911',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysconstraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959526',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\batttypid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959902',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_group\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959915',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+
+	#
+	# SQL injection
+	#
+
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'msdasql\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959020',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_makecab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959058',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_http\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959049',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_number\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959035',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btbcreator\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959046',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_execute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959038',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bgroup\b.*\bbyb.{1,100}?\bhaving\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959011',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdata_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959027',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_cmdshell\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959052',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bisnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959018',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdba_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959008',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenrowset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959023',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bunion\b.{1,100}?\bselect\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binsert\b\W*?\binto\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959015',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959032',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bdrop\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_execresultset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959055',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regaddmultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959060',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@version\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959004',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regread\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959065',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bloadb\W*?\bdata\b.*\binfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959019',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_char\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959034',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdbms_java\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959009',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_enumdsn\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959054',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_availablemedia\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959051',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_prepare\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959042',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bnvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959021',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_file\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959048',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binner\b\W*?\bjoin\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959014',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletekey\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959061',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_loginconfig\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959057',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_sqlexec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959043',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bprint\b\W*?\@\@" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959024',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959031',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regremovemultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959066',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regwrite\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959067',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959050',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\bdumpfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959016',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifb\W*?\(\W*?\bbenchmark\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959012',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenquery\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959022',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959033',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcastb\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959006',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdelete\b\W*?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959075',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletevalue\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959062',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sqloledb\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959003',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_addextendedproc\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959037',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_longvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959044',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_dirtree\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959053',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumkeys\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959063',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdump\b.*\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959028',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_filelist\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959056',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sa\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959026',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_terminate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959068',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_executesql\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959039',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959013',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\boutfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959017',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_makewebtask\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959040',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'dbo\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959010',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_variant\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959045',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_ntsec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959059',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bshutdown\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959002',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\binstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959029',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bautonomous_transaction\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959005',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_oacreate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959041',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959036',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumvalues\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959064',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	
+SecMarker END_SQL_INJECTION_PM
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+       	"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_SQL_INJECTION_WEAK
+SecRule &TX:/SQL_INJECTION/ "@eq 0" "phase:2,t:none,nolog,pass,skipAfter:END_SQL_INJECTION_WEAK"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
+       		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" \
+			"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:benchmark|encode)\b" \
+		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_SQL_INJECTION_WEAK

rules/base_rules/modsecurity_crs_41_xss_attacks.conf

@@ -0,0 +1,447 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
+       "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
+SecAction phase:2,pass,nolog,skipAfter:END_XSS_REGEX
+
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousedown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bmocha:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonabort\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bstyle\b\W*\=.*bexpression\b\W*\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcreatetextrange\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bondragdrop\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcopyparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonunload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.execscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetspecialfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bonload\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeydown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousemove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blivescript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonblur\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsettimeout\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?iframe" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bbackground\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\becmascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonfocus\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.cookie\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\<\!\[cdata\[" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonerror\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bactivexobject\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeypress\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonsubmit\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.addimport\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonchange\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\balert\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?meta\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseout\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\basfunction:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseover\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.innerhtml\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonselect\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\@import\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?script\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonresize\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonclick\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\biframe\b.{0,100}?\bsrc\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bbackground-image:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeyup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<input\b.*?\btype\b\W*?\bimage\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.fromcharcode\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+SecMarker END_XSS_REGEX
+
+# Detect tags that are the most common direct HTML injection points.
+#
+#     <a href=javascript:...
+#     <applet src="..." type=text/html>
+#     <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
+#     <base href=javascript:...
+#     <base href=... // change base URL to something else to exploit relative filename inclusion
+#     <bgsound src=javascript:...
+#     <body background=javascript:...
+#     <body onload=...
+#     <embed src=http://www.example.com/flash.swf allowScriptAccess=always
+#     <embed src="data:image/svg+xml;
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...
+#     <img src=x onerror=...
+#     <input type=image src=javascript:...
+#     <layer src=...
+#     <link href="javascript:..." rel="stylesheet" type="text/css"
+#     <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
+#     <meta http-equiv="refresh" content="0;url=javascript:..."
+#     <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
+#     <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
+#     <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
+#     <object data=http://www.example.com
+#     <object type=text/x-scriptlet data=...
+#     <object type=application/x-shockwave-flash data=xss.swf>
+#     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
+#     <script>...</script>
+#     <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
+#     <script src="data:text/javascript,alert(1)"></script>
+#     <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
+#     <style>STYLE</style>
+#     <style type=text/css>STYLE</style>
+#     <style type=text/javascript>alert('xss')</style>
+#     <table background=javascript:...
+#     <td background=javascript:
+#
+#
+# NOTES
+#
+#  - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
+#
+#  - Not using closing brackets because they are not needed for the
+#    attacks to succeed. The following seems to work in FF: <body/s/onload=...
+#
+#  - Also, browsers sometimes tend to translate < into >, in order to "repair"
+#    what they think was a mistake made by the programmer/template designer.
+#
+#  - Browsers are flexible when it comes to what they accept as separator between
+#    tag names and attributes. The following is commonly used in payloads: <img/src=...
+#    A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
+#
+#  - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
+#    but I don't believe we need to look for quotes anywhere.
+#
+#  - Links do not have to be fully qualified. For example, the following works:
+#    <script src="//ha.ckers.org/.j">
+#
+SecRule ARGS|ARGS_NAMES|QUERY_STRING|REQUEST_URI_RAW "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
+	"phase:2,t:none,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "\ballowscriptaccess\b|\brel\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# TODO Would evasion such as null and whitespace work here?
+#
+SecRule ARGS "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect event handler names
+#
+#     <body onload=...>
+#     <img src=x onerror=...>
+#
+SecRule ARGS "\bon(abort|blur|change|click|dblclick|dragdrop|error|\
+focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout\
+mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect usage of common URI attributes (e.g. src)
+#
+#     <a href="javascript:...">Link</a>
+#     <base href="javascript:...">
+#     <bgsound src="javascript:...">
+#     <body background="javascript:...">
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...>
+#     <img dynsrc=javascript:...>
+#     <img lowsrc=javascript:...>
+#     <img src=javascript:...>
+#     <input type=image src=javascript:...>
+#
+SecRule ARGS "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# As above, but try to catch the other bit that is necessary to execute the attack.
+#
+#     <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+#     <img src=jaVaScrIpt:...>
+#     <img src=&#6a;avascript:...> (not evasion)
+#     <img src="jav	ascript:..."> (embedded tab; null byte, other whitespace characters work too)
+#     <img src="jaa&#09;ascript:..."> (the combination of the above two)
+#
+# NOTES
+#
+#  - htmlEntityDecode needs to be applied because this content appears in HTML
+#    attributes, so it's not evasion.
+#
+# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
+#
+SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect attempts to use the style attribute, which works with any tag in at
+# least one major browser.
+#
+#     <div style="background-image: url(javascript:...)">
+#
+SecRule ARGS "\bstyle\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# -- JavaScript fragments --
+#
+#    TODO Need more fragments.
+#
+#    TODO What about JavaScript code hidden behind CSS?
+#
+#    TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
+#
+#    alert(String.fromCharCode(88,83,83)
+#    - window.name
+#    - document.cookie
+#    - document.location
+#    - document.write
+#    - document.styleSheets[0].addImport('yourstylesheet.css', 2);
+#    - window.execScript("alert('test');", "JavaScript");
+#    - document.body.innerHTML = ''
+#    - newObj = new ActiveXObject(servername.typename[, location])
+#    - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
+#    - setTimeout("alert('xss')", 1000)
+#    - xmlHttp.onreadystatechange=function() {}
+#    - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
+#
+# NOTES:
+# 
+#  - JavaScript evasion:
+#
+#    http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
+#    http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
+#
+SecRule ARGS "(fromcharcode|alert|eval)\s*\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- CSS attack fragments --
+
+#     <div style="background-image: url(javascript:...)">
+#     <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
+#     <div style="width: expression(...);">
+#     <img style="x:expression(document.write(1))">
+#     <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
+# -    <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
+#     <style>@import url(...);</style>
+#     -moz-binding:url(...)
+#     background:url("javascript:...")
+#     </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
+#     <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
+#     <li style="behavior:url(hilite.htc)">xss
+#
+#     Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
+#
+# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
+#
+# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
+#       a match of that before we do anything might help us reduce the FP rate.
+#
+SecRule ARGS "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#      <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
+SecRule ARGS "<!\[cdata\[|\]\]>" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- Misc --
+
+#    alert('xss')
+#    alert("xss")
+#    alert(/xss/)
+#    <xss>
+#
+SecRule ARGS "[/'\"<]xss[/'\">]" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    String.fromCharCode(88,83,83)
+# 
+SecRule ARGS "(88,83,83)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    '';!--"<XSS>=&{()}
+#
+SecRule ARGS "'';!--\"<xss>=&{()}" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Handle &{alert('xss')} which is supposed to work in Netscape 4.
+# 
+SecRule ARGS "&{" \
+	"phase:2,t:none,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# <!DOCTYPE html [  
+#   <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
+# ]>
+# <html xmlns="http://www.w3.org/1999/xhtml">
+# <head>
+#   <title>Test</title>
+# </head>
+#
+# <body>
+# &inject;
+# </body>
+# </html>
+#
+SecRule ARGS "<!(doctype|entity)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+

rules/base_rules/modsecurity_crs_45_trojans.conf

@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -27,8 +27,8 @@
 #      Trojans upload to file uploading inspection. 
 # 
 
-SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
+SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_FILENAME "root\.exe" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
-SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
+        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"

rules/base_rules/modsecurity_crs_46_et_web_rules.conf

@@ -0,0 +1,601 @@
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
+
+# (sid 2003897) ET WEB Adobe RoboHelp XSS Attempt whstart.js
+SecRule REQUEST_URI_RAW "(?i:\/whstart\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003897,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whstart.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whstart.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003898) ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm
+SecRule REQUEST_URI_RAW "(?i:\/whcsh_home\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003898,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003899) ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js
+SecRule REQUEST_URI_RAW "(?i:\/wf_startpage\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003899,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003900) ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm
+SecRule REQUEST_URI_RAW "(?i:\/wf_startqs\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003900,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003901) ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll
+SecRule REQUEST_URI_RAW "(?i:\/WindowManager\.dll)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003901,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001945) ET WEB WebAPP Apage.CGI Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/apage\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001945,rev:6,msg:'ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache.cgi'"
+SecRule ARGS:f "(?i:(\.\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001669) ET WEB Proxy GET Request
+SecRule REQUEST_URI_RAW "@contains GET http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001669,rev:6,msg:'ET WEB Proxy GET Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy GET Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001670) ET WEB Proxy HEAD Request
+SecRule REQUEST_URI_RAW "@contains HEAD http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001670,rev:7,msg:'ET WEB Proxy HEAD Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy HEAD Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001674) ET WEB Proxy POST Request
+SecRule REQUEST_URI_RAW "@contains POST http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001674,rev:6,msg:'ET WEB Proxy POST Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy POST Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001675) ET WEB Proxy CONNECT Request
+SecRule REQUEST_URI_RAW "@contains CONNECT " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001675,rev:6,msg:'ET WEB Proxy CONNECT Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy CONNECT Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003156) ET WEB Crewbox Proxy Scan
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003156,rev:3,msg:'ET WEB Crewbox Proxy Scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy'"
+SecRule REQUEST_URI_RAW "@contains crewbox.by.ru/crew/" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Crewbox Proxy Scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002900) ET WEB CGI AWstats Migrate Command Attempt
+SecRule REQUEST_URI_RAW "(?i:\/awstats\.pl)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002900,rev:3,msg:'ET WEB CGI AWstats Migrate Command Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Awstats'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:migrate\s*=\s*\|)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB CGI AWstats Migrate Command Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002711) ET WEB includer.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "@contains /includer.cgi?|7c|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002711,rev:5,msg:'ET WEB includer.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_CGI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB includer.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002129) ET WEB Cacti Input Validation Attack
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002129,rev:7,msg:'ET WEB Cacti Input Validation Attack',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(config_settings|top_graph_header)\.php\?.*=(http|https)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti Input Validation Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002313) ET WEB Cacti graph_image.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/graph_image\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002313,rev:6,msg:'ET WEB Cacti graph_image.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(graph_start=%0a.+%0a))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti graph_image.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003334) ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003334,rev:3,msg:'ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule REQUEST_URI_RAW "@contains UNION" "chain"
+SecRule REQUEST_URI_RAW "@contains SELECT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007889) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007889,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007890) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007890,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007891) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007891,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007892) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007892,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007893) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007893,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007894) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007894,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007895) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007895,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007896) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007896,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007897) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007897,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004556) ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern
+SecRule REQUEST_URI_RAW "(?i:\/CCMAdmin\/serverlist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004556,rev:4,msg:'ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cisco'"
+SecRule ARGS:pattern "(?i:.*<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002376) ET WEB IBM Lotus Domino BaseTarget XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenForm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002376,rev:7,msg:'ET WEB IBM Lotus Domino BaseTarget XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:BaseTarget=.*?\x22)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino BaseTarget XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002377) ET WEB IBM Lotus Domino Src XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenFrameSet" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002377,rev:6,msg:'ET WEB IBM Lotus Domino Src XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:src=.*\x22><\/FRAMESET>.*<script>.*<\/script>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino Src XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009361) ET WEB cmd.exe In URI - Possible Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.exe)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009361,rev:2,msg:'ET WEB cmd.exe In URI - Possible Command Execution Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB cmd.exe In URI - Possible Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009362) ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt
+SecRule REQUEST_URI_RAW "@contains /system32/" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009362,rev:2,msg:'ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009363) ET WEB Suspicious Chmod Usage in URI
+SecRule QUERY_STRING|REQUEST_BODY "(?i:chmod.([r|w|x|1-7]))" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009363,rev:2,msg:'ET WEB Suspicious Chmod Usage in URI',tag:'attempted-admin',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Suspicious Chmod Usage in URI',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008171) ET WEB HP OpenView Network Node Manager CGI Directory Traversal
+SecRule REQUEST_URI_RAW "(?i:\/OpenView5\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008171,rev:2,msg:'ET WEB HP OpenView Network Node Manager CGI Directory Traversal',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_HP_Openview'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule REQUEST_URI_RAW "@contains /OvCgi/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Action=../../" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains  HTTP/1" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB HP OpenView Network Node Manager CGI Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002897) ET WEB Horde README access probe
+SecRule REQUEST_URI_RAW "@contains /horde" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002897,rev:5,msg:'ET WEB Horde README access probe',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Horde'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Horde README access probe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001365) ET WEB-MISC Alternate Data Stream source view attempt
+SecRule REQUEST_URI_RAW "@contains |3A 3A|$DATA" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001365,rev:8,msg:'ET WEB-MISC Alternate Data Stream source view attempt',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_ADS_Source_Code_Exposure',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Alternate Data Stream source view attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001342) ET WEB IIS ASP.net Auth Bypass / Canonicalization
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001342,rev:21,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001343) ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001343,rev:19,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009510) ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt
+SecRule REQUEST_URI_RAW "@contains .jsp\:\:$DATA" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009510,rev:2,msg:'ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Java',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001546) ET WEB-MISC LINK Method
+SecRule QUERY_STRING|REQUEST_BODY "@contains LINK " "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001546,rev:7,msg:'ET WEB-MISC LINK Method',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_LINK_Method',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC LINK Method',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002777) ET WEB Light Weight Calendar 'date' Arbitrary Remote Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002777,rev:3,msg:'ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Light_Weight_Calendar'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:date=\d{8}\)\;.+)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001075) ET WEB-MISC cross site scripting attempt IMG onerror or onload
+SecRule QUERY_STRING|REQUEST_BODY "@contains <IMG" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001075,rev:5,msg:'ET WEB-MISC cross site scripting attempt IMG onerror or onload',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\bonerror\b[\s]*=)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt IMG onerror or onload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001077) ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001077,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-javascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001078) ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/jscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001078,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/jscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001079) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001079,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001080) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001080,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001081) ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/ecmascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001081,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/ecmascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001082) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001082,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:STYLE[\s]*=[\s]*[^>]expression[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001083) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001083,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001084) ET WEB-MISC cross site scripting attempt using XML
+SecRule QUERY_STRING|REQUEST_BODY "@contains <XML" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001084,rev:5,msg:'ET WEB-MISC cross site scripting attempt using XML',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains <![CDATA[<]]>SCRIPT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt using XML',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001085) ET WEB-MISC cross site scripting attempt executing hidden Javascript 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains innerhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001085,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001086) ET WEB-MISC cross site scripting attempt executing hidden Javascript 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains window.execscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001086,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:window.execScript[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001087) ET WEB-MISC cross site scripting attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001087,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*javascript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001088) ET WEB-MISC cross site scripting attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001088,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*vbscript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001089) ET WEB-MISC cross site scripting attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "@contains shell" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001089,rev:6,msg:'ET WEB-MISC cross site scripting attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*shell[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001090) ET WEB-MISC cross site scripting stealth attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001090,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001091) ET WEB-MISC cross site scripting stealth attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001091,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001092) ET WEB-MISC cross site scripting stealth attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001092,rev:8,msg:'ET WEB-MISC cross site scripting stealth attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002361) ET WEB Netquery Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/nquser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002361,rev:4,msg:'ET WEB Netquery Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netquery'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(host=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netquery Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007936) ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability
+SecRule REQUEST_URI_RAW "(?i:webmail\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007936,rev:4,msg:'ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netwin'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[%n%s]{2,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002997) ET WEB PHP Remote File Inclusion (monster list http)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002997,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list http)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains http" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list http)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003098) ET WEB PHP Remote File Inclusion (monster list ftp)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003098,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list ftp)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains ftp\:" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*ftp)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list ftp)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003935) ET WEB PHP Remote File Inclusion (monster list php)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003935,rev:3,msg:'ET WEB PHP Remote File Inclusion (monster list php)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list php)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002730) ET WEB PHPGedView Remote Script Code Execution attempt
+SecRule REQUEST_URI_RAW "(?i:\/help_text_vars\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002730,rev:6,msg:'ET WEB PHPGedView Remote Script Code Execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPGedView'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:PGV_BASE_DIRECTORY=(f|ht)tp\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPGedView Remote Script Code Execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002314) ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/prod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002314,rev:5,msg:'ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPOutsourcing'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(argv[1]=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001344) ET WEB PHP EasyDynamicPages exploit
+SecRule ARGS_NAMES "(?i:edp_relative_path)" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001344,rev:7,msg:'ET WEB PHP EasyDynamicPages exploit',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_EasyDynamicPages_Exploit',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP EasyDynamicPages exploit',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009336) ET WEB Possible Web Backdoor cfexec.cfm access
+SecRule REQUEST_URI_RAW "(?i:\/cfexec\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009336,rev:2,msg:'ET WEB Possible Web Backdoor cfexec.cfm access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cfexec.cfm access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009337) ET WEB Possible Web Backdoor cmdasp.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009337,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009338) ET WEB Possible Web Backdoor cmdasp.aspx access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009338,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.aspx access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.aspx access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009339) ET WEB Possible Web Backdoor simple-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/simple\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009339,rev:2,msg:'ET WEB Possible Web Backdoor simple-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor simple-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009340) ET WEB Possible Web Backdoor php-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/php\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009340,rev:2,msg:'ET WEB Possible Web Backdoor php-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor php-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009341) ET WEB Possible Web Backdoor jsp-reverse.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/jsp\-reverse\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009341,rev:2,msg:'ET WEB Possible Web Backdoor jsp-reverse.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor jsp-reverse.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009342) ET WEB Possible Web Backdoor perlcmd.cgi access
+SecRule REQUEST_URI_RAW "(?i:\/perlcmd\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009342,rev:2,msg:'ET WEB Possible Web Backdoor perlcmd.cgi access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor perlcmd.cgi access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009343) ET WEB Possible Web Backdoor cmdjsp.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdjsp\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009343,rev:2,msg:'ET WEB Possible Web Backdoor cmdjsp.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdjsp.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009344) ET WEB Possible Web Backdoor cmd-asp-5.1.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmd\-asp\-5\.1\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009344,rev:2,msg:'ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002972) ET WEB PHP ZeroBoard .htaccess upload
+SecRule QUERY_STRING|REQUEST_BODY "@contains filename=" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002972,rev:3,msg:'ET WEB PHP ZeroBoard .htaccess upload',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_ZeroBoard'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:^\s*\.htaccess)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP ZeroBoard .htaccess upload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001738) ET WEB PHP vBulletin Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:forumdisplay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001738,rev:9,msg:'ET WEB PHP vBulletin Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule ARGS:comma "(?i:(\.system\(.+\)\.))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP vBulletin Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002388) ET WEB vBulletin misc.php Template Name Arbitrary Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/misc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002388,rev:5,msg:'ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule REQUEST_URI_RAW "@contains &template=.*{${" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002837) ET WEB PmWiki Globals Variables Overwrite Attempt
+SecRule REQUEST_URI_RAW "(?i:\/pmwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002837,rev:3,msg:'ET WEB PmWiki Globals Variables Overwrite Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PMWiki'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GLOBALS[FarmD]=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:GLOBALS\x5bFarmD\x5d\x3d)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PmWiki Globals Variables Overwrite Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008687) ET WEB PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_URI_RAW "(?i:\/passwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008687,rev:2,msg:'ET WEB PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PassWiki'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule ARGS:site_id "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007871) ET WEB Philips VOIP841 Web Server Directory Traversal
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007871,rev:2,msg:'ET WEB Philips VOIP841 Web Server Directory Traversal',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Philips_VOIP'"
+SecRule REQUEST_URI_RAW "@contains /etc/passwd" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Philips VOIP841 Web Server Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002331) ET WEB Piranha default passwd attempt
+SecRule REQUEST_URI_RAW "(?i:\/piranha\/secure\/control\.php3)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002331,rev:3,msg:'ET WEB Piranha default passwd attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Piranha'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Authorization\: Basic cGlyYW5oYTp" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Piranha default passwd attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008622) ET WEB Pritlog index.php filename File Disclosure
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008622,rev:2,msg:'ET WEB Pritlog index.php filename File Disclosure',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Pritlog'"
+SecRule REQUEST_URI_RAW "@contains /index.php?option=viewEntry" "chain"
+SecRule ARGS:&filename "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Pritlog index.php filename File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009152) ET WEB PHP Generic Remote File Include Attempt (HTTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009152,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (HTTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =https\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (HTTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009153) ET WEB PHP Generic Remote File Include Attempt (FTP)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009153,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (FTP)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftp\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTP)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009155) ET WEB PHP Generic Remote File Include Attempt (FTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009155,rev:5,msg:'ET WEB PHP Generic Remote File Include Attempt (FTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftps\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002660) ET WEB RSA Web Auth Exploit Attempt - Long URL
+SecRule REQUEST_URI_RAW "(?i:\?Redirect)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002660,rev:5,msg:'ET WEB RSA Web Auth Exploit Attempt - Long URL',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RSA'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:url=.{8000})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB RSA Web Auth Exploit Attempt - Long URL',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006443) ET WEB Possible SQL Injection Attempt DELETE FROM
+SecRule REQUEST_URI_RAW "@contains DELETE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006443,rev:6,msg:'ET WEB Possible SQL Injection Attempt DELETE FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt DELETE FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006444) ET WEB Possible SQL Injection Attempt INSERT INTO
+SecRule REQUEST_URI_RAW "@contains INSERT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006444,rev:6,msg:'ET WEB Possible SQL Injection Attempt INSERT INTO',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  INTO " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt INSERT INTO',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006445) ET WEB Possible SQL Injection Attempt SELECT FROM
+SecRule REQUEST_URI_RAW "@contains SELECT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006445,rev:6,msg:'ET WEB Possible SQL Injection Attempt SELECT FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt SELECT FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006446) ET WEB Possible SQL Injection Attempt UNION SELECT
+SecRule REQUEST_URI_RAW "@contains UNION " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006446,rev:6,msg:'ET WEB Possible SQL Injection Attempt UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SELECT " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006447) ET WEB Possible SQL Injection Attempt UPDATE SET
+SecRule REQUEST_URI_RAW "@contains UPDATE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006447,rev:7,msg:'ET WEB Possible SQL Injection Attempt UPDATE SET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[&\?].*UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UPDATE SET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003903) ET WEB Microsoft SharePoint XSS Attempt default.aspx
+SecRule REQUEST_URI_RAW "(?i:\/default\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003903,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt default.aspx',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt default.aspx',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003904) ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]
+SecRule REQUEST_URI_RAW "(?i:\/contact\/contact\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003904,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule ARGS:form[mail] "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003705) ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
+SecRule REQUEST_URI_RAW "(?i:\/site_conf\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003705,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003706) ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/class\.csv\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003706,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003707) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003707,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003708) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/functionen\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003708,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003709) ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/hg_referenz_jobgalerie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003709,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003710) ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_anmeldung_NWL\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003710,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003711) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie_alle\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003711,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003712) ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_aendern\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003712,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003715) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003715,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003713) ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/module\/referenz\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003713,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003714) ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/1\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003714,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003867) ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/3\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003867,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002662) ET WEB TWiki INCLUDE remote command execution attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:%INCLUDE\s*{.*rev=\x22\d+\|.+\x22.*}\s*%)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002662,rev:5,msg:'ET WEB TWiki INCLUDE remote command execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki INCLUDE remote command execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003085) ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:&TYPEOF\:.+system\s*\()" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003085,rev:4,msg:'ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003099) ET WEB-MISC Poison Null Byte
+SecRule REQUEST_URI_RAW "@contains |00|" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003099,rev:4,msg:'ET WEB-MISC Poison Null Byte',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_URI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Poison Null Byte',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002494) ET WEB Versatile Bulletin Board SQL Injection Attack
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002494,rev:5,msg:'ET WEB Versatile Bulletin Board SQL Injection Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_VersatileBB'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:select=.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Versatile Bulletin Board SQL Injection Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002100) ET WEB WPS wps_shop.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/wps_shop\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002100,rev:4,msg:'ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WPS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(art=\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002844) ET WEB WebDAV search overflow
+SecRule QUERY_STRING|REQUEST_BODY "@contains SEARCH " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002844,rev:4,msg:'ET WEB WebDAV search overflow',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Webdav',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebDAV search overflow',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004574) ET WEB WikyBlog XSS Attempt sessionRegister.php
+SecRule REQUEST_URI_RAW "(?i:\/include\/sessionRegister\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004574,rev:4,msg:'ET WEB WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WikyBlog'"
+SecRule REQUEST_URI_RAW "@contains | 3C |" "chain"
+SecRule REQUEST_URI_RAW "@contains SCRIPT" "chain"
+SecRule REQUEST_URI_RAW "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007872) ET WEB WinIPDS Directory Traversal Vulnerabilities GET
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007872,rev:2,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities GET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities GET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007873) ET WEB WinIPDS Directory Traversal Vulnerabilities POST
+SecRule REQUEST_URI_RAW "@contains POST " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007873,rev:3,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities POST',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities POST',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008553) ET WEB WordPress Random Password Generation Insufficient Entropy Attack
+SecRule REQUEST_URI_RAW "(?i:\/wp\-login\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008553,rev:2,msg:'ET WEB WordPress Random Password Generation Insufficient Entropy Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress'"
+SecRule REQUEST_URI_RAW "@contains POST " "chain"
+SecRule ARGS:action "(?i:\w+(%20){60,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WordPress Random Password Generation Insufficient Entropy Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002408) ET WEB phpMyAdmin Suspicious Activity
+SecRule REQUEST_URI_RAW "(?i:\/grab_globals\.lib\.php)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002408,rev:7,msg:'ET WEB phpMyAdmin Suspicious Activity',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin'"
+SecRule REQUEST_URI_RAW "@contains POST " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Suspicious Activity',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002409) ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)
+SecRule QUERY_STRING|REQUEST_BODY "@contains [redirect]" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002409,rev:5,msg:'ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002667) ET WEB sumthin scan
+SecRule REQUEST_URI_RAW "@contains GET /sumthin HTTP/1." "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002667,rev:3,msg:'ET WEB sumthin scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_sumthin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB sumthin scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003167) ET WEB tikiwiki featured link XSS attempt
+SecRule REQUEST_URI_RAW "(?i:\/tiki\-featured_link\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003167,rev:4,msg:'ET WEB tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_tikiwiki'"
+SecRule ARGS_NAMES "(?i:type)" "chain"
+SecRule REQUEST_URI_RAW "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SNORT_RULES

rules/base_rules/modsecurity_crs_47_common_exceptions.conf

@@ -0,0 +1,28 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog"
+        SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+                SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,t:none,pass,nolog"
+	SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+		SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
+                	SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        	SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+

rules/base_rules/modsecurity_crs_48_local_exceptions.conf

@@ -0,0 +1,110 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used to allow custom checks and exclusions for the transactional
+# variable rules.  Place rules in this file so that you may influence what happens
+# in the 49 - Enforcement File. 
+
+# In previous ModSecurity rules, the TARGET list would have to be updated in
+# order to exclude a specific paramater like this -
+#
+# SecRule ARGS_NAMES|ARGS|!ARGS:foo
+# 
+# With the new transactional variable rules, parameter exceptions can now
+# be handled AFTER the initial inspection as the rules now use setvars to 
+# capture meta-data with each rule match.  They use this syntax -  
+#
+# 	setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
+#
+# When the transactional rules trigger, they will set a TX variable similar to this 
+# for an SQL Injection attack -
+#
+# 	Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
+# 
+# With this data now available, the user can implement flexible exceptions.
+# 
+# Exception example - exclude a parameter
+#
+# In this example, we are inspecting
+# the TX collections to see if there is a current variable that has matched
+# for the 950001 SQL Injection rule ID and for the "comments" parameter.  If
+# so, then we are going to remove the collection entirely by using the 
+# setvar:!tx. syntax.  By doing this, the TX collection is removed before final
+# inspection at the end of phase 2 in the enforcement file.
+#
+#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
+#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion for the entire SQL Injection category of rules
+#
+#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
+#	SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion that combines the URL and parameter and removes
+# a specific SQL Injection ID only if the parameter foo payload matches
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
+#	SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
+#       	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+# allow request methods
+#
+#SecAction "phase:1,setvar:tx.e60032=1"
+#SecRule REQUEST_METHOD "^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
+#    "phase:1,pass,nolog,t:none,setvar:tx.m60032=1"
+
+
+# restrict request methods
+#
+#SecRule REQUEST_METHOD "^()$" \
+#    "phase:1,pass,nolog,t:none,t:urlDecodeUni,setvar:tx.m60033=1"
+
+
+# allow content type
+#
+#SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
+#	"phase:1,pass,nolog,t:none,chain,setvar:tx.e60010=1"
+#SecRule HTTP_HEADERS:Content-Type "(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" \
+#    "t:lowercase,setvar:tx.m60010=1"
+
+
+# allow file extensions
+#
+#SecAction "setvar:tx.e60036=1"
+#SecRule REQUEST_BASENAME "\.$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60036=1"
+
+
+# Restrict file extension
+#
+#SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60035=1"
+
+
+# Restrict directories and patterns in path
+#
+#SecRule REQUEST_FILENAME  "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60037=1"
+
+
+# Allow directories and patterns in path
+#
+#SecAction "setvar:tx.e60039=1"
+#SecRule REQUEST_FILENAME "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60039=1"
+
+
+# Restricted HTTP headers 
+#
+#SecAction "setvar:tx.e60038=1"
+#SecRule REQUEST_HEADERS_NAMES "^(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:lowercase,setvar:tx.m60038=1"
+

rules/base_rules/modsecurity_crs_49_enforcement.conf

@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# Uncomment the anomaly sections you wish to use.
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Alert and Deny on High Anomaly Scores
+#
+SecRule TX:ANOMALY_SCORE "@ge 20" \
+    "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on any anomalies
+#
+#SecRule TX:ANOMALY_SCORE "@ge 0" \
+#    "phase:2,t:none,nolog,auditlog,pass,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on SQL Injection anomalies
+#
+#SecRule TX:SQLI_SCORE "@gt 0" \
+#    "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"
+
+# Alert on XSS anomalies
+#
+#SecRule TX:XSS_SCORE "!@eq 0" \
+#    "phase:2,t:none,log,deny,msg:'XSS Detected (score %{TX.XSS_SCORE}): %{tx.msg}'"
+

rules/base_rules/modsecurity_crs_50_outbound.conf

@@ -0,0 +1,306 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE   By default the status code sent is 501, which implies that the web 
+#        server does not support the required operation. This is a non standard
+#        of this status code which normally refers to unsupported HTTP methods. 
+#        It is used in order to confuse automated clients and scanners. 
+
+
+# Zope Information Leakage
+SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# CF Information Leakage
+SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# PHP Information Leakage
+SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# ISA server existence revealed
+SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{matched_var}"
+
+# Microsoft Office document properties leakage
+SecRule RESPONSE_BODY "<o:documentproperties>" \
+        "phase:4,t:none,nolog,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+          
+# CF source code leakage
+SecRule RESPONSE_BODY "<cf" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# IIS default location
+SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
+        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,nolog,auditlog,msg:'IIS installed in default location',id:'970018',severity:'3',chain"
+SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15"
+
+# The application is not available
+SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970901',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970118',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+
+# Weblogic information disclosure
+SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'3'"
+SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# File or Directory Names Leakage
+SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'3'"
+SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+#
+# IFrame Injection
+#
+SecRule RESPONSE_BODY "!@pm iframe" \
+				"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981000',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981001',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"				
+SecMarker END_IFRAME_CHECK 
+
+#
+# Run PM check against response body data before running any RegEx Checks
+# If nothing matches, then we skip the remainder of phase:4 
+#
+SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
+        "phase:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
+
+# ASP/JSP source code leakage
+SecRule RESPONSE_BODY "\bwscript\.shell\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971379',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<jsp:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971300',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.addheader\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971360',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.execute\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971373',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.mappath\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971375',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.binarywrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971369',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.createobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971372',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.createtextfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971361',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bwscript\.network\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971378',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bvbscript\.encode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971377',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.htmlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971374',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bjavax\.servlet" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971301',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscripting\.filesystemobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971371',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.urlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971376',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.getfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971362',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.loadfromfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971363',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.write\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971370',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# PHP source code leakage
+SecRule RESPONSE_BODY "\bproc_open\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958976',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958972',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958963',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958965',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfscanf\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958959',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958978',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetss\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958955',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_post\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958941',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsession_start\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958982',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breaddir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958977',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958973',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscandir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958981',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958962',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958958',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadgzfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958979',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958967',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958968',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958970',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958957',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_session\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958942',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958964',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958961',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzcompress\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958969',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bbzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958946',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958971',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetc\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958953',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmove_uploaded_file\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958975',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958966',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958940',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgets\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958954',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958960',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecMarker 900771
+SecRule RESPONSE_BODY "<\?(?!xml)" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# Statistics pages revealed
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?webcruncher\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971019',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by PeLAB\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971011',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971020',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?Jware\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971018',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?wwwstat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971014',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?calamaris\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971022',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis report was generated by WebLog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971013',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\b[gG]enerated by.{0,100}?[Ww]ebalizer\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971024',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by getstats\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971010',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?EasyStat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971023',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971021',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+# SQL Errors leakage
+SecRule RESPONSE_BODY "\bCould not find server \'\w+\' in sysservers\. execute sp_addlinkedserver\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971154',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSyntax error converting the \w+ value .*? to a column of data type\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971153',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bORA-\d{5}\: " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971198',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnclosed quotation mark before the character string\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971092',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\[Microsoft\]\[ODBC " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971197',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800a01b8\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971069',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax near \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971094',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmicrosoft jet database engine error \'8" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971072',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in an aggregate function and there is no GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971086',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnable to connect to PostgreSQL server\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971091',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bPostgreSQL query failed\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971068',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MS SQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971158',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid Oracle\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971157',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971093',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid ODBC\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971159',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft OLE DB Provider for .{0,30} [eE]rror '" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971076',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSQL Server does not exist or access denied\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971096',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted; the operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971099',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bcannot take a \w+ data type as an argument\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971060',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in either an aggregate function or the GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971087',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThe column prefix .{0,50}? does not match with a table name or alias name used in the query\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971155',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid PostgreSQL result\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971088',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax;" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971150',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MySQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971156',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted. Requested\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971067',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bincorrect syntax near (?:\'|the\b|\@\@error\b)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971152',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+
+# IIS Errors leakage
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)Microsoft \.NET Framework Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971123',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY ">error \'ASP\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971111',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971116',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)ASP\.NET Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971124',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bA trappable error occurred in an external object\. The script cannot continue running\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971122',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime Error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971125',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971121',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.aspx\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971113',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971126',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bObject required\: \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971112',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\bApplication uses a value of the wrong type for the current operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971115',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.asp\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971127',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\berror\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971114',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971119',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'3'"
+SecRule RESPONSE_STATUS "!^404$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# Directory Listing
+SecRule RESPONSE_BODY ">[To Parent Directory]</[Aa]><br>" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971202',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<TITLE>Index of.*?<H1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971201',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<title>Index of.*?<h1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971200',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+             

rules/base_rules/modsecurity_crs_60_correlation.conf

@@ -0,0 +1,43 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Correlated Successful Attack
+#
+SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})'"
+        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Correlated Attack Attempt 
+#
+SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})'"
+	SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Alert on High Anomaly Scores
+#
+#SecRule TX:ANOMALY_SCORE "@ge 40" \
+#    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+# Alert on any anomalies
+#
+SecRule TX:ANOMALY_SCORE "@ge 5" \
+    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+SecMarker END_CORRELATION

rules/modsecurity_crs_10_config.conf

@@ -1,12 +1,15 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
 
 
+# The directives within this file can be included within
+# Virtual Host containers.
+#
 # Configuration contained in this file should be customized
 # for your specific requirements before deployment.
 #
@@ -75,6 +78,9 @@ SecResponseBodyAccess On
 SecResponseBodyMimeType (null) text/html text/plain text/xml
 SecResponseBodyLimit 524288
 
+# The following directive will not block large response bodies, but rather will
+# only inspect data up to the size SecResponseBodyLimit setting.
+SecResponseBodyLimitAction ProcessPartial
 
 # Initiate XML Processor in case of xml content-type
 #
@@ -92,6 +98,14 @@ SecResponseBodyLimit 524288
 # This is a reasonable setting to start with because you do not
 # want to reject legitimate requests with an untuned rule set.
 #
+# The following line's settings will be inherited by rules that
+# either do not specify an action at all, or if they use the 
+# "block" action. This will also allow the rules to use 
+# Anomaly Scoring (must use the
+# modsecurity_crs_49_anomaly_scoring.conf file).
+#
+SecDefaultAction "phase:2,pass"
+
 # If, after monitoring the performance of the rule set after a
 # sufficient period, you determine the rules never (or rarely
 # trigger on legitimate requests) you can change to something
@@ -100,21 +114,7 @@ SecResponseBodyLimit 524288
 # to only configure some rules to reject requests, leaving most
 # of them to work in detection mode.
 #
-#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
-
-# Set web server identification string
-#
-# TODO In case you use Apache, you may want specify a simple server signature
-#      instead of the detailed Apache default signature that list most modules
-#      used on the specific Apache deployment:
-#      "Apache/2.2.0 (Fedora)"   
-#      For this directive to work, you need to set Apache ServerTokens
-#      to Full (this is the default option)
-SecServerSignature "Apache/2.2.0 (Fedora)"
-
-# Add ruleset identity to the logs
-#
-SecComponentSignature "core ruleset/1.6.1"
+#SecDefaultAction "phase:2,deny"
 
 ## -- File uploads configuration -----------------------------------------------
 # Temporary file storage path.
@@ -243,19 +243,6 @@ SecAuditLogParts "ABIFHKZ"
 # modifications unless 
 
  
-# Parameters separator
-#
-# Specifies which character to use as separator for 
-# application/x-www-form-urlencoded content. 
-# Defaults to "&". Applications are sometimes (very rarely) written to use 
-# a semicolon (";").
-#
-# NOTE Changing the value for this directive has significant influence on how
-#      ModSecurity works. Make the change only if you are absolutely sure it
-#      is required.
-SecArgumentSeparator "&" 
-
-
 # Selects the cookie format that will be used in the current configuration 
 # context. 
 #
@@ -285,16 +272,5 @@ SecRequestBodyInMemoryLimit 131072
 SecDebugLog             logs/modsec_debug.log
 SecDebugLogLevel        3
 
-# Path where persistent data (e.g. IP address data, session data, etc) is to
-# be stored. Must be writable by the web server user.
-#
-# TODO It is advisable to create a directory structure for ModSecurity such as
-#      /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
-#      SecUploadDir, SecAuditLog and SecAuditLogStorageDir
-#      underneath it and set the permission for read and write only by the
-#      Apache user.
-
-SecDataDir /tmp
-
 # Configures the directory where temporary files will be created.
 SecTmpDir /tmp

rules/modsecurity_crs_10_global_config.conf

@@ -0,0 +1,64 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# Configuration contained in this file should be included 
+# in the MAIN Apache config section as these directives
+# can not be included within Virtual Host containers.
+#
+
+# Set web server identification string
+#
+# If you want to spoof another web server type, you can specify it like this -
+#
+# SecServerSignature "Microsoft-IIS/6.0"
+#  or
+# SecServerSignature "Sun-ONE-Web-Server/6.1"
+#
+# Spoofing the Server token data is considered by some to be "Security by Obscurity"
+# and that may be true when it is the *only* security measure taken.  There is
+# a security benefit, however, with changing this data and that is to help
+# protect against automated banner-grabbing tools, exploit code and worms that
+# decide to send the attack payload based on the target platform data in the
+# Server token.
+#
+# For this directive to work, you need to set Apache ServerTokens
+# to Full (this is the default option)
+#
+# The default setting is to server a blank Server banner
+SecServerSignature " "
+
+# Add ruleset identity to the logs
+#
+SecComponentSignature "core ruleset/2.0"
+
+# Parameters separator
+#
+# Specifies which character to use as separator for 
+# application/x-www-form-urlencoded content. 
+# Defaults to "&". Applications are sometimes (very rarely) written to use 
+# a semicolon (";").
+#
+# NOTE Changing the value for this directive has significant influence on how
+#      ModSecurity works. Make the change only if you are absolutely sure it
+#      is required.
+SecArgumentSeparator "&" 
+
+# Path where persistent data (e.g. IP address data, session data, etc) is to
+# be stored. Must be writable by the web server user.
+#
+# TODO It is advisable to create a directory structure for ModSecurity such as
+#      /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
+#      SecUploadDir, SecAuditLog and SecAuditLogStorageDir
+#      underneath it and set the permission for read and write only by the
+#      Apache user.
+
+SecDataDir /tmp
+
+# Create both Global and IP collections for rules to use
+SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"

rules/modsecurity_crs_20_protocol_violations.conf

@@ -1,92 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# TODO in some cases a valid client (usually automated) generates requests that
-#      violates the HTTP protocol. Create exceptions for those clients, but try
-#      to limit the exception to a source IP or other additional properties of 
-#      the request such as URL and not allow the violation generally. 
-#  
-#
-
-# Validate request line
-#
-SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
-    "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
-
-
-# HTTP Request Smuggling
-#
-SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"
-
-# Block request with malformed content.
-# ModSecurity will not inspect these, but the server application might do so
-#
-SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"
-
-
-# Accept only digits in content length 
-#
-SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
-
-# Do not accept GET or HEAD requests with bodies
-# HTTP standard allows GET requests to have a body but this
-# feature is not used in real life. Attackers could try to force
-# a request body on an unsuspecting web applications.
-#
-SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
-SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
-
-# Require Content-Length to be provided with every POST request.
-#
-SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
-
-# Don't accept transfer encodings we know we don't know how to handle
-#
-# NOTE ModSecurity does not support chunked transfer encodings at
-#      this time. You MUST reject all such requests.
-#
-SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"
-
-# Check encodings
-SecRule REQUEST_BODY|REQUEST_URI|XML:/* "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
-	"chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-SecRule REQUEST_BODY|REQUEST_URI|XML:/* "@validateUrlEncoding"
-
-# Check UTF enconding
-# Uncomment this rule if your system uses UTF encoding.
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "phase:2,t:none,deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-
-# Disallow use of full-width unicode
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
-  "t:none,phase:2,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4'"
-
-# Proxy access attempt
-# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
-#      included in case Apache proxy is misconfigured.
-SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
-
-#
-# Restrict type of characters sent
-#
-# NOTE In order to be broad and support localized applications this rule
-#      only validates that NULL Is not used.
-#
-#	   The strict policy version also validates that protocol and application 
-#	   generated fields are limited to printable ASCII. 
-#
-# TODO If your application use the range 32-126 for parameters.
-#
-SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
-	"@validateByteRange 1-255" \
-	"phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"
-
-SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
-	"phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"

rules/modsecurity_crs_21_protocol_anomalies.conf

@@ -1,67 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# TODO in some cases a valid client (usually automated) generates requests that
-#      violates the HTTP protocol. Create exceptions for those clients, but try
-#      to limit the exception to a source IP or other additional properties of 
-#      the request such as URL and not allow the violation generally. 
-#
-
-# Do not accept requests without common headers. 
-# Implies either an attacker or a legitimate automation client. 
-#
-# Exception for Apache SSL pinger
-
-SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999210',severity:'5'"
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" t:none
-
-# Exception for Apache internal dummy connection
-SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999211',severity:'5'"
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain,t:none"
-SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
-
-
-# Detect HTTP/0.9 Requests
-SecRule REQUEST_PROTOCOL ^http/0.9$ "t:none,t:lowercase,phase:2,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"
-
-SecRule &REQUEST_HEADERS:Host "@eq 0" \
-    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-SecRule REQUEST_HEADERS:Host "^$" \
-    "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"    
-
-
-SecRule &REQUEST_HEADERS:Accept "@eq 0" \
-    "chain,phase:2,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
-SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
-SecRule REQUEST_HEADERS:Accept "^$" \
-    "chain,phase:2,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
-SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
-
-SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
-    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-SecRule REQUEST_HEADERS:User-Agent "^$" \
-    "t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-
-
-SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
-    "chain,phase:2,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'4'"
-SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none"
-
-
-# Check that the host header is not an IP address 
-#
-SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST'"
-
-
-# Log a security event when the request is rejected by apache
-#
-SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
-SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none"
-

rules/modsecurity_crs_23_request_limits.conf

@@ -1,69 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-
-# In most cases, you should expect a certain volume of each a request on your
-# website. For example, a request with 400 arguments, can be suspicious.
-# This file creates limitations on the request.
-# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
-#      Note that most of the rules are commented out by default.
-#      Uncomment the rules you need
-#
-
-## -- Arguments limits --
-
-# Limit argument name length
-#SecRule ARGS_NAMES "^.{100}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4'"
-
-# Limit value name length
-#SecRule ARGS "^.{400}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4'"
-
-# Maximum number of arguments in request limited
-SecRule &ARGS "@gt 255" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4'"
-
-# Limit arguments total length
-#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4'"
-
-
-## -- File upload limits --
-
-# Individual file size is limited
-#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4'"
-
-# Combined file size is limited
-#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4'"
-
-
-
-## -- Apache Limits --
-
-# These are Apache limit directives, but we are including them here because
-# they are often forgotten. If you already have these configured leave this
-# section entirely commented-out. Otherwise review the limits and uncomment
-# the directives.
-
-# Maximum size of the request body.
-#
-# NOTE If your application allows file uploads the value below will
-#      most likely be way to low.
-#
-#LimitRequestBody 64000
-
-# Maximum number of request headers in a request.
-#
-#LimitRequestFields 32
-
-# Maximum size of request header lines.
-#
-#LimitRequestFieldSize 8000
-
-# Maximum size of the request line.
-#
-#LimitRequestLine 4000
-

rules/modsecurity_crs_30_http_policy.conf

@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -15,10 +15,6 @@
 # HTTP protocol usage is effective in therefore effective in blocking many 
 # application layer attacks. 
 #
-# TODO If you are using the ModSecurity Core Ruleset template system you can set 
-#      the policy limitations in the ruleset.config file. Otherwise edit this 
-#      file manually to set you policy limitations.
-#
 # TODO Many automation programs use non standard HTTP requests. While you may 
 #      want to allow some of those, try not to create exceptions only for the
 #      automated program based on properties such as their source IP address or
@@ -31,8 +27,7 @@
 #      methods. If that is not the case with your environment, you are advised 
 #      to edit the line or uncomment it.
 #
-SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
-    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
+SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
 
 
 # Restrict which content-types we accept.
@@ -65,9 +60,8 @@ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
 #      M-Business iAnywhere      application/x-mal-client-data
 #      UltraLite iAnywhere       application/octet-stream
 #
-SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
-    "phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
-SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"
+SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'" 
+	SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
 
 # Restrict protocol versions.
 #
@@ -79,8 +73,7 @@ SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
 #      to use your site, try to create a narrower expection and not allow any 
 #      client to send HTTP requests in a version lower than 1.1  
 #       
-SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
-    "phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"
+SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
 
 # Restrict file extension
 #
@@ -90,8 +83,7 @@ SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
 #      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
 #      comment the whole rule.       
 #
-SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
-    "phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"
+SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}" 
 
 
 
@@ -102,8 +94,7 @@ SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(
 #      the list of blocked extensions. You may need to use ModSecurity Core Rule 
 #      Set Templates to do so, otherwise comment the whole rule.       
 #
-SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
-    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"
+SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" 
 
 
 # Restricted Content Encodings
@@ -113,10 +104,8 @@ SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
 #   - Inbound compressed content will be denied
 #   - Outbound compressed content will be logged once, to alert the user
 # Deny inbound compressed content
-SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
-    "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"
+SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}" 
 # Log outbound compressed content (log once)
-SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
-    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
-SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"
+SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global" 
+	SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
 

rules/modsecurity_crs_35_bad_robots.conf

@@ -1,31 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# NOTE Bad robots detection is based on checking elements easily 
-#      controlled by the client. As such a determined attacked can bypass
-#      those checks. Therefore bad robots detection should not be viewed as
-#      a security mechanism against targeted attacks but rather as a nuisance
-#      reduction, eliminating most of the random attacks against your web
-#      site. 
-
-SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-SecRule REQUEST_FILENAME "^/nessustest" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
-        "chain,phase:2,t:none,t:lowercase,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
-SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase"
-

rules/modsecurity_crs_40_generic_attacks.conf

@@ -1,214 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-# 
-# TODO While some of the pattern groups such as command injection are usually
-#      safe of false positives, other pattern groups such as SQL injection and 
-#      XSS may require setting exceptions and therefore are set to log only by
-#      default. 
-#
-#      Start ModSecurity in monitoring only mode and check whether your 
-#      application requires exceptions for a specific URL, Pattern or source IP
-#      before moving to blocking mode.  
- 
-#
-# Session fixation
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959009
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
-        "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'959009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Blind SQL injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959007
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-				
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:benchmark|encode)\b" \
-#        "phase:2,chain,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,(?:[\\\(\)\%#]|--)"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\b(?:benchmark|encode)\b" \
-#        "phase:2,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" t:none
-
-SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959904
-SecRule REQUEST_FILENAME|ARGS "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# SQL injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
-#        "phase:2,chain,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:[\\\(\)\%#]|--)" "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
-#        "phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-
-SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959906
-SecRule REQUEST_FILENAME|ARGS "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# XSS
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959004
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'959004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# File Injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959005
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Command access
-#
-SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Command injection
-#
-SecRule ARGS "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:950006
-SecRule ARGS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
-        "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction pass,nolog,skipAfter:959006
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
-        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-SecRule ARGS \
-		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
-		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Coldfusion injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# LDAP injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# SSI injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# PHP injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction pass,nolog,skipAfter:959013
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'950013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'959013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# UPDF XSS
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"
-
-
-#
-# Email Injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
-        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# HTTP Response Splitting
-#
-SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
-        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'1'"
-

rules/modsecurity_crs_50_outbound.conf

@@ -1,89 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# NOTE   By default the status code sent is 501, which implies that the web 
-#        server does not support the required operation. This is a non standard
-#        of this status code which normally refers to unsupported HTTP methods. 
-#        It is used in order to confuse automated clients and scanners. 
-
-
-# Statistics pages revealed
-SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'"
-
-# SQL Errors leakage
-SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:(?:M(?:S |y)|Postgre)SQL|O(?:racle|DBC)))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(?:; the operation|\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|(?:Warning: mysql_connect\(\)|PostgreSQL query failed):|You have an error in your SQL syntax(?: near '|;)|cannot take a \w+ data type as an argument\.|incorrect syntax near (?:\'|the\b|@@error\b)|microsoft jet database engine error '8|ORA-\d{5}: )|\[Microsoft\]\[ODBC )" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',id:'970003',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# IIS Errors leakage
-SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|(?:\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror|>error 'ASP)\b)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970004',tag:'LEAKAGE/ERRORS',severity:'4'"
-SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
-        "phase:4,chain,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'4'"
-SecRule RESPONSE_STATUS "!^404$" "t:none"
-
-# Zope Information Leakage
-SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# CF Information Leakage
-SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# PHP Information Leakage
-SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# ISA server existence revealed
-SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'4'"
-
-# Microsoft Office document properties leakage
-SecRule RESPONSE_BODY "<o:documentproperties>" \
-        "phase:4,t:none,log,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'4'"
-
-# Directory Listing
-SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',tag:'LEAKAGE/INFO',severity:'4'"
-
-# ASP/JSP source code leakage
-SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"
-
-# PHP source code leakage
-SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "<\?(?!xml)" \
-        "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"       
-
-# CF source code leakage
-SecRule RESPONSE_BODY "<cf" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-
-# IIS default location
-SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
-        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'IIS installed in default location',id:'970018',severity:'5',chain,initcol:global=global"
-SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc"
-
-# The application is not available
-SecRule RESPONSE_STATUS "^503$" "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'"
-SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'"
-
-# Weblogic information disclosure
-SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'4'"
-SecRule RESPONSE_BODY "t:none,<title>JSP compile error<\/title>" t:none
-
-# File or Directory Names Leakage
-SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'4'"
-SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase"

rules/optional_rules/modsecurity_crs_42_comment_spam.conf

@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -16,17 +16,27 @@
 #   more noticable in search results.
 #
 
+SecRule &IP:SPAMMER "@eq 0" "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
+	SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
+        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"
+
+SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
+SecMarker END_RBL_CHECK
+
+SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla(?:\/4\.0\+?\()?|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc|")" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
 # Prequalifier. Look for <http> first
-SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"
+SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
 
-SecAction phase:2,pass,nolog,skipAfter:999011
+SecAction phase:2,pass,nolog,skipAfter:END_COMMENT_SPAM
 
-# Look for 2 ways of posting a link
-SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
-SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
+	# Look for 2 ways of posting a link
+	SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
+		SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
-# Look for too many links in an argument (Prone to FPs)
-SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
+	# Look for too many links in an argument (Prone to FPs)
+	SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
-
-SecMarker 999011
+SecMarker END_COMMENT_SPAM 

rules/optional_rules/modsecurity_crs_42_tight_security.conf

@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -19,15 +19,9 @@
 # Directory Traversal
 #
 SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
-        "phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
+        "phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
 # Weaker signature
-SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
+#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
 
-#
-# RFI Attack
-#
-SecRule ARGS "^(?:ht|f)tp:/" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
-

rules/optional_rules/modsecurity_crs_55_marketing.conf

@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -12,10 +12,10 @@
 # --
 
 SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'MSN robot activity',id:'910008',severity:'6'"
 
 SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'6'"
 
 SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'Google robot activity',id:'910006',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Google robot activity',id:'910006',severity:'6'"

rules/util/httpd-guardian.pl

@@ -0,0 +1,518 @@
+#!/usr/bin/perl -w
+#
+# httpd-guardian - detect DoS attacks by monitoring requests
+# Apache Security, http://www.apachesecurity.net
+# Copyright (C) 2005 Ivan Ristic <ivanr@webkreator.com>
+#
+# $Id: httpd-guardian,v 1.6 2005/12/04 11:30:35 ivanr Exp $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+
+# This script is designed to monitor all web server requests through
+# the piped logging mechanism. It keeps track of the number of requests
+# sent from each IP address. Request speed is calculated at 1 minute and
+# 5 minute intervals. Once a threshold is reached, httpd-guardian can
+# either emit a warning or execute a script to block the IP address.
+#
+# Error message will be sent to stderr, which means they will end up
+# in the Apache error log.
+#
+# Usage (in httpd.conf)
+# ---------------------
+#
+# Without mod_security, Apache 1.x:
+#
+#   LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T 0 \"%{modsec_message}i\" 0" guardian
+#   CustomLog "|/path/to/httpd-guardian" guardian
+#
+# or without mod_security, Apache 2.x:
+#
+#   LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T %D \"%{modsec_message}i\" 0" guardian
+#   CustomLog "|/path/to/httpd-guardian" guardian
+#
+# or with mod_security (better):
+#
+#   SecGuardianLog "|/path/to/httpd-guardian"
+#
+# NOTE: In order for this script to be effective it must be able to
+#       see all requests coming to the web server. This will not happen
+#       if you are using per-virtual host logging. In such cases either
+#       use the ModSecurity 1.9 SecGuardianLog directive (which was designed
+#       for this very purpose).
+#
+#
+# Usage (with Spread)
+# -------------------
+#
+# 1) First you need to make sure you have Spread running on the machine
+#    where you intend to run httpd-guardian on.
+#
+# 2) Then uncomment line "use Spread;" in this script, and change
+#    $USE_SPREAD to "1".
+#
+# 3) The default port for Spread is 3333. Change it if you want to
+#    and then start httpd-guardian. We will be looking for messages
+#    in the Spread group called "httpd-guardian".
+
+# TODO Add support to ignore certain log entries based on a
+#      regex applied script_name.
+#
+# TODO Warn about session hijacking.
+#
+# TODO Track ip addresses, sessions, and individual users.
+#
+# TODO Detect status code anomalies.
+#
+# TODO Track accesses to specific pages.
+#
+# TODO Open proxy detection.
+#
+# TODO Check IP addresses with blacklists (e.g.
+#      http://www.spamhaus.org/XBL/).
+#
+# TODO Is there a point to keep per-vhost state?
+#
+# TODO Enhance the script to tail a log file - useful for test
+#      runs, in preparation for deployment.
+#
+# TODO Can we track connections as Apache creates and destroys them?
+#
+# TODO Command-line option to support multiple log formats. E.g. common,
+#      combined, vcombined, guardian.
+#
+# TODO Command-line option not to save state
+#
+
+use strict;
+use Time::Local;
+# SPREAD UNCOMMENT
+# use Spread;
+
+
+# -- Configuration----------------------------------------------------------
+
+my $USE_SPREAD = 0;
+my $SPREAD_CLIENT_NAME = "httpd-guardian";
+my $SPREAD_DAEMON = "3333";
+my $SPREAD_GROUP_NAME = "httpd-guardian";
+my $SPREAD_TIMEOUT = 1;
+
+# If defined, execute this command when a threshold is reached
+# block the IP address for one hour.
+# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
+# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
+#my $PROTECT_EXEC;
+
+# For testing only:
+my $PROTECT_EXEC = "/usr/bin/logger Possible DoS Attack from %s";
+
+# Max. speed allowed, in requests per
+# second, measured over an 1-minute period
+#my $THRESHOLD_1MIN = 2; # 120 requests in a minute
+
+# For testing only:
+my $THRESHOLD_1MIN = 0.01;
+
+# Max. speed allowed, in requests per
+# second, measured over a 5-minute period
+my $THRESHOLD_5MIN = 1; # 360 requests in 5 minutes
+
+# If defined, httpd-guardian will make a copy
+# of the data it receives from Apache
+# $COPY_LOG = "";
+my $COPY_LOG;
+
+# Remove IP address data after a 10-minute inactivity
+my $STALE_INTERVAL = 400;
+
+# Where to save state (at this point only useful
+# for monitoring what the script does)
+my $SAVE_STATE_FILE = "/tmp/httpd-guardian.state";
+
+# How often to save state (in seconds).
+my $SAVE_STATE_INTERVAL = 10;
+
+my $DEBUG = 0;
+
+
+# -----------------------------------------------------------------
+
+my %months = (
+    "Jan" => 0,
+    "Feb" => 1,
+    "Mar" => 2,
+    "Apr" => 3,
+    "May" => 4,
+    "Jun" => 5,
+    "Jul" => 6,
+    "Aug" => 7,
+    "Sep" => 8, 
+    "Oct" => 9,
+    "Nov" => 10,
+    "Dec" => 11
+);
+
+# -- log parsing regular expression
+
+
+# 127.0.0.1 192.168.2.11 - - [05/Jul/2005:16:56:54 +0100]
+# "GET /favicon.ico HTTP/1.1" 404 285 "-"
+# "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
+# - "-" 0 0 "-" 0
+
+my $logline_regex = "";
+
+# hostname
+$logline_regex .= "^(\\S+)";
+# remote host, remote username, local username
+$logline_regex .= "\\ (\\S+)\\ (\\S+)\\ (\\S+)";
+# date, time, and gmt offset
+$logline_regex .= "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]";
+# request method + request uri + protocol (as one field)
+$logline_regex .= "\\ \"(.*)\"";
+# status, bytes out
+$logline_regex .= "\\ (\\d+)\\ (\\S+)";
+# referer, user_agent
+$logline_regex .= "\\ \"(.*)\"\\ \"(.*)\"";
+# uniqueid, session, duration, duration_msec
+$logline_regex .= "\\ (\\S+)\\ \"(.*)\"\\ (\\d+)\\ (\\d+)";
+# modsec_message, modsec_rating
+$logline_regex .= "\\ \"(.*)\"\\ (\\d+)";
+
+# the rest (always keep this part of the regex)
+$logline_regex .= "(.*)\$";
+
+my $therequest_regex = "(\\S+)\\ (.*?)\\ (\\S+)";
+
+# use strict
+my %ipaddresses = ();
+my %request;
+my $current_time;
+my $last_state_save;
+
+sub parse_logline {
+    $_ = shift;
+
+    my %request = ();
+    $request{"invalid"} = 0;
+
+    my @parsed_logline = /$logline_regex/x;
+    if (@parsed_logline == 0) {
+        return (0,0);
+    }
+
+    (
+        $request{"hostname"},
+        $request{"remote_ip"},
+        $request{"remote_username"},
+        $request{"username"},
+        $request{"date"},
+        $request{"time"},
+        $request{"gmt_offset"},
+        $request{"the_request"},
+        $request{"status"},
+        $request{"bytes_out"},
+        $request{"referer"},
+        $request{"user_agent"},
+        $request{"unique_id"},
+        $request{"session_id"},
+        $request{"duration"},
+        $request{"duration_msec"},
+        $request{"modsec_message"},
+        $request{"modsec_rating"},
+        $request{"the_rest"}
+    ) = @parsed_logline;
+
+    if ($DEBUG == 2) {
+        print "\n";
+        print "hostname = " . $request{"hostname"} . "\n";
+        print "remote_ip = " . $request{"remote_ip"} . "\n";
+        print "remote_username = " . $request{"remote_username"} . "\n";
+        print "username = " . $request{"username"} . "\n";
+        print "date = " . $request{"date"} . "\n";
+        print "time = " . $request{"time"} . "\n";
+        print "gmt_offset = " . $request{"gmt_offset"} . "\n";
+        print "the_request = " . $request{"the_request"} . "\n";
+        print "status = " . $request{"status"} . "\n";
+        print "bytes_out = " . $request{"bytes_out"} . "\n";
+        print "referer = " . $request{"referer"} . "\n";
+        print "user_agent = " . $request{"user_agent"} . "\n";
+        print "unique_id = " . $request{"unique_id"} . "\n";
+        print "session_id = " . $request{"session_id"} . "\n";
+        print "duration = " . $request{"duration"} . "\n";
+        print "duration_msec = " . $request{"duration_msec"} . "\n";
+        print "modsec_message = " . $request{"modsec_message"} . "\n";
+        print "modsec_rating = " . $request{"modsec_rating"} . "\n";
+        print "\n\n";
+    }
+
+    # parse the request line
+    $_ = $request{"the_request"};
+    my @parsed_therequest = /$therequest_regex/x;
+    if (@parsed_therequest == 0) {
+        $request{"invalid"} = "1";
+        $request{"request_method"} = "";
+        $request{"request_uri"} = "";
+        $request{"protocol"} = "";
+    } else {
+        (
+            $request{"request_method"},
+            $request{"request_uri"},
+            $request{"protocol"}
+        ) = @parsed_therequest;
+    }
+
+    if ($request{"bytes_out"} eq "-") {
+        $request{"bytes_out"} = 0;
+    }
+
+    # print "date=" . $request{"date"} . "\n";
+    (
+        $request{"time_mday"},
+        $request{"time_mon"},
+        $request{"time_year"}
+    ) = ( $request{"date"} =~ m/^(\d+)\/(\S+)\/(\d+)/x );
+
+    # print "time=" . $request{"time"} . "\n";
+    (
+        $request{"time_hour"},
+        $request{"time_min"},
+        $request{"time_sec"}
+    ) = ( $request{"time"} =~ m/(\d+):(\d+):(\d+)/x );
+
+    $request{"time_mon"} = $months{$request{"time_mon"}};
+
+    $request{"time_epoch"} = timelocal(
+        $request{"time_sec"},
+        $request{"time_min"},
+        $request{"time_hour"},
+        $request{"time_mday"},
+        $request{"time_mon"},
+        $request{"time_year"}
+    );
+
+    # print %request;
+
+    my $offset = index($request{"request_uri"}, "?");
+    if ($offset != -1) {
+        $request{"script_name"} = substr($request{"request_uri"}, 0, $offset);
+        $request{"query_string"} = substr($request{"request_uri"}, $offset + 1);
+    } else {
+        $request{"script_name"} = $request{"request_uri"};
+        $request{"query_string"} = "";
+    }
+
+    $request{"request_uri"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
+    $request{"query_string"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
+
+    return %request;
+}
+
+sub update_ip_address() {
+    my $ipd = $ipaddresses{$request{"remote_ip"}};
+    if (defined($$ipd{"counter"})) {
+        $$ipd{"counter"} = $$ipd{"counter"} + 1;
+
+        if ($DEBUG) {
+            print STDERR "httpd-guardian: Incrementing counter for " . $request{"remote_ip"} . " (" . $$ipd{"counter"} . ")\n";
+        }
+
+        my($exec) = 0;
+
+        # check the 1 min counter
+        if ($current_time - $$ipd{"time_1min"} > 60) {
+            # check the counters
+            my $speed = ($$ipd{"counter"} - $$ipd{"counter_1min"}) / ($current_time - $$ipd{"time_1min"});
+            if ($speed > $THRESHOLD_1MIN) {
+                print STDERR "httpd-guardian: IP address " . $ipaddresses{$request{"remote_ip"}} . " reached the 1 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_1MIN req/sec)\n";
+                $exec = 1;
+            }
+
+            # reset the 1 min counter
+            $$ipd{"time_1min"} = $current_time;
+            $$ipd{"counter_1min"} = $$ipd{"counter"};
+        }
+
+        # check the 5 min counter
+        if ($current_time - $$ipd{"time_5min"} > 360) {
+            # check the counters
+            my $speed = ($$ipd{"counter"} - $$ipd{"counter_5min"}) / ($current_time - $$ipd{"time_5min"});
+            if ($speed > $THRESHOLD_5MIN) {
+                print STDERR "httpd-guardian: IP address " . $request{"remote_ip"} . " reached the 5 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_5MIN req/sec)\n";
+                $exec = 1;
+            }
+
+            # reset the 5 min counter
+            $$ipd{"time_5min"} = $current_time;
+            $$ipd{"counter_5min"} = $$ipd{"counter"};
+        }
+    
+        if (($exec == 1)&&(defined($PROTECT_EXEC))) {
+            my $cmd = sprintf($PROTECT_EXEC, $request{"remote_ip"});
+            print STDERR "httpd-guardian: Executing: $cmd\n";
+            system($cmd);
+        }
+
+    } else {
+        # start tracking this email address
+        my %ipd = ();
+        $ipd{"counter"} = 1;
+        $ipd{"counter_1min"} = 1;
+        $ipd{"time_1min"} = $current_time;
+        $ipd{"counter_5min"} = 1;
+        $ipd{"time_5min"} = $current_time;
+        $ipaddresses{$request{"remote_ip"}} = \%ipd;
+    }
+}
+
+sub process_log_line {
+    update_ip_address();
+}
+
+sub remove_stale_data {
+    while(my($key, $value) = each(%ipaddresses)) {
+        if ($current_time - $$value{"time_1min"} > $STALE_INTERVAL) {
+            if ($DEBUG) {
+                print STDERR "httpd-guardian: Removing key $key\n";
+            }
+            delete($ipaddresses{$key});
+        }
+    }
+}
+
+sub save_state {
+    if (!defined($SAVE_STATE_FILE)) {
+        return;
+    }
+
+    if (!defined($last_state_save)) {
+        $last_state_save = 0;
+    }
+
+    if ($current_time - $last_state_save > $SAVE_STATE_INTERVAL) {
+        open(FILE, ">$SAVE_STATE_FILE") || die("Failed to save state to $SAVE_STATE_FILE");
+        print FILE "# $current_time\n";
+        print FILE "# IP Address\x09Counter\x09\x091min (time)\x095min (time)\n";
+        while(my($key, $value) = each(%ipaddresses)) {
+            print FILE ("$key" . "\x09" . $$value{"counter"} . "\x09\x09" . $$value{"counter_1min"} . " (" . $$value{"time_1min"} . ")\x09" . $$value{"counter_5min"} . " (" . $$value{"time_5min"} . ")\n");
+        }
+        close(FILE);
+        $last_state_save = $current_time;
+    }
+}
+
+# load state from $SAVE_STATE_FILE, store the data into $ipaddresses
+sub load_state {
+    return unless ( defined $SAVE_STATE_FILE );
+    return unless ( -e $SAVE_STATE_FILE && -r $SAVE_STATE_FILE );
+    open my $fd, "<", $SAVE_STATE_FILE
+        or die "cannot open state file for reading : $SAVE_STATE_FILE : $!";
+    while (<$fd>) {
+        s/^\s+//;
+        next if /^#/;
+        #--------------------------------------------------
+        # # 1133599679
+        # # IP Address  Counter     1min (time)         5min (time)
+        # 211.19.48.12  396         396 (1133599679)    395 (1133599379)
+        #-------------------------------------------------- 
+        my ($addr, $counter, $time1, $time5) = split /\t+/, $_; # TAB
+        my ($counter_1min, $time_1min) = split /\s+/, $time1;
+        my ($counter_5min, $time_5min) = split /\s+/, $time5;
+        $ipaddresses{$addr} = {
+            counter         => $counter,
+            counter_1min    => $counter_1min,
+            time_1min       => chop_brace($time_1min),
+            counter_5min    => $counter_5min,
+            time_5min       => chop_brace($time_5min),
+        }
+    }
+    close $fd;
+}
+
+# return strings between braces
+sub chop_brace {
+	my $str = shift;
+	$str =~ /\((.*)\)/;
+	return $1;
+}
+sub process_line {
+    my $line = shift(@_);
+
+    if (defined($COPY_LOG)) {
+        print COPY_LOG_FD $line;
+    }
+
+    if ($DEBUG) {
+        print STDERR "httpd-guardian: Received: $line";
+    }
+
+    %request = parse_logline($line);
+    if (!defined($request{0})) {
+        # TODO verify IP address is in correct format
+
+        # extract the time from the log line, to allow the
+        # script to be used for batch processing too
+        $current_time = $request{"time_epoch"};
+
+        remove_stale_data();
+        process_log_line();
+        save_state();
+    } else {
+        print STDERR "Failed to parse line: " . $line;
+    }
+}
+
+# -----------------------------------
+
+load_state();
+if (defined($COPY_LOG)) {
+    open(COPY_LOG_FD, ">>$COPY_LOG") || die("Failed to open $COPY_LOG for writing");
+    # enable autoflush on the file descriptor
+    $| = 1, select $_ for select COPY_LOG_FD;  
+}
+
+if ($USE_SPREAD) {
+    my($sperrno);
+    my %args;
+
+    $args{"spread_name"} = $SPREAD_DAEMON;
+    $args{"private_name"} = $SPREAD_CLIENT_NAME;
+
+    my($mbox, $privategroup) = Spread::connect(\%args);
+    if (!defined($mbox)) {
+        die "Failed to connect to Spread daemon: $sperrno\n";
+    }
+
+    Spread::join($mbox, $SPREAD_GROUP_NAME);
+
+    for(;;) {
+        my($st, $s, $g, $mt, $e, $msg);
+        while(($st, $s, $g, $mt, $e, $msg) = Spread::receive($mbox, $SPREAD_TIMEOUT)) {
+            if ((defined($st))&&($st == 2)&&(defined($msg))) {
+                process_line($msg . "\n");
+            }
+        }
+    }
+
+} else {
+    while(<STDIN>) {
+        process_line($_);    
+    }
+}
+
+if (defined($COPY_LOG)) {
+    close(COPY_LOG_FD);
+}
+

rules/util/modsec-clamscan.pl

@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+#
+# modsec-clamscan.pl
+# ModSecurity for Apache (http://www.modsecurity.org)
+# Copyright (c) 2002-2007 Breach Security, Inc. (http://www.breach.com)
+#
+# This script is an interface between mod_security and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+# by default use the command-line version of ClamAV,
+# which is slower but more likely to work out of the
+# box
+$CLAMSCAN = "/usr/bin/clamscan";
+
+# using ClamAV in daemon mode is faster since the
+# anti-virus engine is already running, but you also
+# need to configure file permissions to allow ClamAV,
+# usually running as a user other than the one Apache
+# is running as, to access the files
+# $CLAMSCAN = "/usr/bin/clamdscan";
+
+if (@ARGV != 1) {
+    print "Usage: modsec-clamscan.pl <filename>\n";
+    exit;
+}
+
+my ($FILE) = @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+    $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+    $output = "1 clamscan: OK";
+}
+
+print "$output\n";

rules/util/runav.pl

@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2007 Breach Security
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+    print "Usage: modsec-clamscan.pl <filename>\n";
+    exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+    $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+    $output = "1 clamscan: OK";
+}
+
+print "$output\n";