diff --git a/rules/CHANGELOG b/rules/CHANGELOG
index e9b3f275..79d23516 100644
--- a/rules/CHANGELOG
+++ b/rules/CHANGELOG
@@ -1,10 +1,106 @@
+--------------------------
+Version 2.0 - 07/29/2009
+--------------------------
+
+New Rules & Features:
+- Fine Grained Policy
+    The rules have been split to having one signature per rule instead of having
+    all signatures combined into one optimized regular expression.
+    This should allow you to modify/disable events based on specific patterns
+    instead of having to deal with the whole rule.
+- Converted Snort Rules
+    Emerging Threat web attack rules have been converted.
+    http://www.emergingthreats.net/
+- Anomaly Scoring Mode Option
+    The rules have been updated to include anomaly scoring variables which allow
+    you to evaluate the score at the end of phase:2 and phase:5 and decide on what 
+    logging and disruptive actions to take based on the score.
+- Correlated Events
+    There are rules in phase:5 that will provide some correlation between inbound
+    events and outbound events and will provide a result of successful atttack or
+    attempted attack.
+- Updated Severity Ratings
+    The severity ratings in the rules have been updated to the following:
+    - 0: Emergency - is generated from correlation where there is an inbound attack and
+         an outbound leakage.
+    - 1: Alert - is generated from correlation where there is an inbound attack and an
+         outbound application level error.
+    - 2: Critical - is the highest severity level possible without correlation.  It is
+         normally generated by the web attack rules (40 level files).
+    - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+    - 4: Warning - is generated by malicious client rules (35 level files).
+    - 5: Notice - is generated by the Protocol policy and anomaly files.
+    - 6: Info - is generated by the search engine clients (55 marketing file). 
+- Updated Comment SPAM Protections
+    Updated rules to include RBL lookups and client fingerprinting concepts from
+    Bad Behavior (www.bad-behavior.ioerror.us)
+- Creation of Global Collection
+    Automatically create a Global collection in the *10* config file.  Other rules
+    can then access it.
+- Use of Block Action
+    Updated the rules to use the "block" action.  This allows the Admin to globally
+    set the desired block action once with SecDefaultAction in the *10* config file 
+    rather than having to edit the disruptive actions in all of the rules or for 
+    the need to have multiple versions of the rules (blocking vs. non-blocking).
+- "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+   http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html 
+- "Possibly malicious iframe tag in output" (Rules 981001,981002)
+    Planting invisible iframes in a site can be used by attackers to point users
+    from the victim site to their malicious site. This is actually as if the
+    user was visiting the attacker's site himself, causing the user's browser to
+    process the content in the attacker's site.
+		 
+New Events:
+- Rule 960019 - Expect Header Not Allowed.
+- Rule 960020 - Pragma Header Requires Cache-Control Header
+- Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+                as it is reserved for use as a fragment identifier within the html page.
+- Rule 958291 - Range: field exists and begins with 0.
+- Rule 958292 - Invalid Request Header Found.
+- Rule 958293 - Lowercase Via Request Header Found.
+- Rule 958294 - Common SPAM Proxies found in Via Request Header.
+- Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+- Rule 958296 - Request Indicates a SPAM client accessed the Site.
+- Rule 958297 - Common SPAM/Email Harvester crawler.
+- Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+- Rule 950107 - Split the rule into 2 separate rules to factor in the
+                Content-Type when inspecting the REQUEST_BODY variable.
+- Rule 960017 - Bug fix for when having port in the host header.
+- Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+- Rule 950801 - Increased the logic so that the rule will only run if the web site
+                uses UTF-8 Encoding.
+- Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+                        allow the IPv6 loopback address
+- Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+                and to identify offsite hosts by comparing the ARG URI to the Host 
+                header.  Due to this rule now being stronger, moved it from optional
+                tight security rule to *40* generic attacks file.
+
+Other Fixes:
+- Added more HTTP Protocol violations to *20* file.
+- Set the SecDefaultAction in the *10* config file to log/pass (This was the
+  default setting, however this sets it explicitly.
+- Added SecResponseBodyLimitAction ProcessPartial to the *10* config file.  This
+  was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+  not deny response bodies that go over the size restrictions.
+- Changed SecServerSignature to "Apache/1.3.28"
+- Fixed the use of SkipAfter and SecMarkers to make it consistent.  Now have 
+  BEGIN and END SecMarkers for rule groups to more accurately allow moving to 
+  proper locations.
+- Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+  This removes the need for some SecAction/SkipAfter rules.
+- Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+  rules and chained rules).
+
 --------------------------
 Version 1.6.1 - 2008/04/22
 --------------------------
 
 - Fixed a bug where phases and transformations where not specified explicitly
     in rules. The issue affected a significant number of rules, and we strongly
-		recommend to upgrade.
+    recommend to upgrade.
 
 --------------------------
 Version 1.6.0 - 2008/02/19
diff --git a/rules/README b/rules/README
index 57fd34fa..a98a322b 100644
--- a/rules/README
+++ b/rules/README
@@ -3,7 +3,7 @@
 ModSecurity Core Rule Set
 ==============================
 
-(c) 2006-2007 Breach Secuiry Inc.
+(c) 2006-2009 Breach Secuiry Inc.
 
 The ModSecurity Core Rule Set is provided to you under the terms and 
 conditions of GPL version 2
@@ -33,10 +33,12 @@ Rule Set is heavily commented to allow it to be used as a step-by-step
 deployment guide for ModSecurity.
 
 For more information refer to the Core Rule Set page at
-http://www.modsecurity.org/
-
-
+http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 
+Core Rules Mail-list - 
+Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
+Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/
+  
 Core Rule Set Structure & Usage
 ====================================
 
@@ -46,10 +48,15 @@ To activate the rules for your web server installation:
      Additionally you may want to edit modsecurity_crs_30_http_policy.conf
      which enforces an application specific HTTP protocol usage.
 
+     Should also update the appropriate anomaly scoring level in the
+     modsecurity_crs_49_enforcement.conf and modsecurity_crs_60_correlation.conf
+     files.  This will determine when you log and block events.
+
   2) Add the following line to your httpd.conf (assuming
      you've placed the rule files into conf/modsecurity/):
 
      Include conf/modsecurity/*.conf
+     Include conf/modsecurity/base_rules/*conf
 
   3) Restart web server.
 
diff --git a/rules/base_rules/modsecurity_40_generic_attacks.data b/rules/base_rules/modsecurity_40_generic_attacks.data
new file mode 100644
index 00000000..43619b91
--- /dev/null
+++ b/rules/base_rules/modsecurity_40_generic_attacks.data
@@ -0,0 +1,277 @@
+set-cookie
+.cookie
+expiressys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwritejscript
+onsubmit
+copyparentfolder
+javascript
+meta
+onchange
+onmove
+onkeydown
+onkeyup
+activexobject
+onerror
+onmouseup
+ecmascript
+bexpression
+onmouseover
+vbscript:
+<![cdata[
+http:
+.innerhtml
+settimeout
+shell:
+onabort
+asfunction:
+onkeypress
+onmousedown
+onclick
+.fromcharcode
+background-image:
+.cookie
+x-javascript
+ondragdrop
+onblur
+mocha:
+javascript:
+onfocus
+lowsrc
+getparentfolder
+onresize
+@import
+alert
+script
+onselect
+onmouseout
+application
+onmousemove
+background
+.execscript
+livescript:
+vbscript
+getspecialfolder
+.addimport
+iframe
+onunload
+createtextrange
+<input
+onload.www_acl
+.htpasswd
+.htaccess
+httpd.conf
+boot.ini
+/etc/
+.htgroup
+global.asa
+.wwwaclnet.exe
+cmd.exe
+cmd
+telnet.exe
+wguest.exe
+ftp.exe
+nmap.exe
+wsh.exe
+rcmd.exe
+nc.exe
+cmd32.exechgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++chgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++<?
diff --git a/rules/base_rules/modsecurity_41_sql_injection_attacks.data b/rules/base_rules/modsecurity_41_sql_injection_attacks.data
new file mode 100644
index 00000000..b67a4ea7
--- /dev/null
+++ b/rules/base_rules/modsecurity_41_sql_injection_attacks.data
@@ -0,0 +1,114 @@
+sys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+mysql.user
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_namexp_enumdsn
+insert
+infile
+autonomous_transaction
+nvarchar
+openrowset
+print
+data_type
+outfile
+castb
+shutdown
+inner
+tbcreator
+xp_filelist
+@@version
+sql_longvarchar
+sp_prepare
+xp_regenumkeys
+xp_dirtree
+xp_loginconfig
+ifnull
+sp_addextendedproc
+xp_regaddmultistring
+delete
+sp_sqlexec
+sp_oacreate
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+xp_execresultset
+varchar
+to_number
+dba_users
+having
+xp_regenumvalues
+utl_file
+xp_terminate
+xp_availablemedia
+xp_regdeletevalue
+sql_variant
+dumpfile
+isnull
+'sa'
+select
+xp_regremovemultistring
+xp_makecab
+xp_cmdshell
+'msdasql'
+sp_executesql
+openquery
+'sqloledb'
+'dbo'
+sp_makewebtask
+utl_http
+dbms_java
+benchmark
+xp_regread
+xp_regwrite
diff --git a/rules/base_rules/modsecurity_46_et_sql_injection.data b/rules/base_rules/modsecurity_46_et_sql_injection.data
new file mode 100644
index 00000000..722f7d39
--- /dev/null
+++ b/rules/base_rules/modsecurity_46_et_sql_injection.data
@@ -0,0 +1,346 @@
+/ASPKAT.ASP
+/DocPay.w2b
+/G_Display.php
+/HABERLER.ASP
+/HaberDetay.asp
+/News/page.asp
+/OmegaMw7.asp
+/ProductDetails.asp
+/Search/DisplayResults.php
+/SecureLoginManager/list.asp
+/SelGruFra.asp
+/Types.asp
+/ViewBugs.php
+/ViewCat.php
+/ViewReport.php
+/account_change.php
+/activeNews_categories.asp
+/activeNews_comments.asp
+/activenews_search.asp
+/activenews_view.asp
+/actualpic.asp
+/ad.asp
+/add2.php
+/add_comment.php
+/addrating.php
+/admin.asp
+/admin.php
+/admin/admin_acronyms.php
+/admin/admin_annonce/changeannonce.php
+/admin/admin_annonce/okvalannonce.php
+/admin/admin_mail_adressee.asp
+/admin/admin_membre/fiche_membre.php
+/admin/cms/opentree.php
+/admin/config.php
+/admin/edit.asp
+/admin/memberlist.php
+/admin/modules/modules.php
+/admin_check_user.asp
+/admin_hacks_list.php
+/admincp/attachment.php
+/administration/administre2.php
+/albmgr.php
+/applications/SecureLoginManager/inc_secureloginmanager.asp
+/aramayap.asp
+/archives.php
+/articles.asp
+/artreplydelete.asp
+/auth.php
+/badword.asp
+/banner.php
+/bb-includes/formatting-functions.php
+/blocks/block-Old_Articles.php
+/boxx/ShowAppendix.asp
+/bry.asp
+/bt-trackback.php
+/bus_details.asp
+/calendar_detail.asp
+/cart.inc.php
+/cat.asp
+/categoria.php
+/category.php
+/cats.asp
+/cgi-bin/reorder2.asp
+/check_vote.php
+/class/debug/debug_show.php
+/class/table_broken.php
+/classes/class.news.php
+/classes/class_session.php
+/code/guestadd.php
+/com_comment.php
+/comersus_optReviewReadExec.asp
+/comment.php
+/comments.php
+/compareHomes.asp
+/compare_product.php
+/connexion.php
+/content.asp
+/content.php
+/coupon_detail.asp
+/dagent/downloadreport.asp
+/database/table/user.php
+/db_ecard.php
+/default.asp
+/default2.asp
+/detail.asp
+/detail.php
+/details.asp
+/dettaglio.asp
+/devami.asp
+/diary.php
+/dirSub.asp
+/dircat.asp
+/directions.php
+/directory.php
+/dispimage.asp
+/displayCalendar.asp
+/display_review.php
+/displaypic.asp
+/dl.php
+/dlwallpaper.php
+/down.asp
+/down_indir.asp
+/download_image.asp
+/duyuru.asp
+/eWebQuiz.asp
+/edit.asp
+/edit_day.php
+/email.php
+/error.asp
+/etkinlikbak.asp
+/example.php
+/faq.php
+/faqDsp.asp
+/filecheck.php
+/filelist.asp
+/forgotpass.asp
+/forum.asp
+/forum.php
+/forum/include/error/autherror.cfm
+/forum/modules/gallery/post.php
+/forum/pop_up_member_search.asp
+/forum2.asp
+/forums.php
+/functions.php
+/functions/functions_filters.asp
+/gallery.asp
+/gallery.php
+/game.php
+/game_listing.php
+/getnewsitem.php
+/giris.asp
+/giris_yap.asp
+/glossaire-p-f.php
+/gmail.php
+/goster.asp
+/guestbook.php
+/h_goster.asp
+/haber.asp
+/haberdetay.asp
+/haberoku.asp
+/home.php
+/homeDetail.asp
+/i-search.php
+/inc/class_users.php
+/inc/common.php
+/inc_listnews.asp
+/include.php
+/includes/a_register.asp
+/includes/mambo.php
+/includes/nsbypass.php
+/includes/rating.php
+/index.asp
+/index.cfm
+/index.php
+/index1.asp
+/info_book.asp
+/info_user.asp
+/inlinemod.php
+/inout/status.asp
+/inout/update.asp
+/install.php
+/item.asp
+/item.php
+/item_list.asp
+/item_show.asp
+/ixm_ixpnews.php
+/journal.php
+/jump.php
+/kategori.asp
+/kernel/group.php
+/kullanicilistesi.asp
+/letterman.class.php
+/lib/entry_reply_entry.php
+/linkslist.asp
+/lire-avis.php
+/list.asp
+/list.php
+/list_comments.php
+/listfull.asp
+/listings.asp
+/listmain.asp
+/listmembers.php
+/listpics.asp
+/login.asp
+/login.php
+/login/register.asp
+/logon_user.php
+/low.php
+/mailer.w2b
+/main.asp
+/main/auth/my_progress.php
+/main_page.php
+/mainfile.php
+/manufacturer.php
+/meal_rest.asp
+/members.asp
+/mesajkutum.asp
+/mezungiris.asp
+/mod.php
+/mod_banners.php
+/models/category.php
+/modules.php
+/modules/Advertising/admin/index.php
+/modules/News/index.php
+/modules/admin/modules/gallery.php
+/modules/mod_mainmenu/menu.php
+/moscomment.php
+/mystats.php
+/navigacija.php
+/news.asp
+/news.php
+/news_detail.asp
+/news_page.asp
+/newsdetail.asp
+/newsletters/edition.php
+/nickpage.php
+/nukesentinel.php
+/ogretmenkontrol.asp
+/oku.asp
+/openPolicy.asp
+/open_tree.php
+/openlink.asp
+/orange.asp
+/order-track.php
+/outputs.php
+/page.asp
+/page.php
+/pages/addcomment2.php
+/pfs/pfs.edit.inc.php
+/philboard_forum.asp
+/phonemessage.asp
+/php-stats.recphp.php
+/plugins/authentication/ldap.php
+/plugins/ipsearch/ipsearch.admin.php
+/plugins/mp3playlist/mp3playlist.php
+/plugins/search/categories.php
+/plugins/search/contacts.php
+/plugins/search/content.php
+/plugins/search/sections.php
+/plugins/search/weblinks.php
+/plugins/user/example.php
+/pms.php
+/pollmentorres.asp
+/polls.php
+/pop_profile.asp
+/post.php
+/postingdetails.php
+/preferences.asp
+/prikazInformacije.php
+/print.asp
+/print.php
+/printarticle.asp
+/printmain.asp
+/printview.php
+/process.php
+/prodList.asp
+/product.asp
+/product_review.php
+/productdetail.asp
+/products.asp
+/public/code/cp_downloads.php
+/publication_view.asp
+/publications_list.asp
+/question.php
+/rating.asp
+/read/index.php
+/recipe.php
+/register.php
+/repass.php
+/res_details.asp
+/result.asp
+/result.php
+/rss.asp
+/rss/show_webfeed.php
+/save.php
+/search.asp
+/search.php
+/search_listing.asp
+/searchkey.asp
+/searchmain.asp
+/searchoption.asp
+/section/default.asp
+/send_password_preferences.asp
+/sendarticle.asp
+/set_preferences.asp
+/shared/code/cp_authorization.php
+/shared/code/cp_functions_downloads.php
+/shopgiftregsearch.asp
+/show_joined.php
+/show_news.php
+/show_owned.php
+/showfile.asp
+/simplog/archive.php
+/simplog/index.php
+/slideshow.asp
+/sptrees/default.aspx
+/style.php
+/stylesheet.php
+/subcat.php
+/system/core/users/users.register.inc.php
+/system/index.php
+/templates/modif.html
+/thread.php
+/thumbnails.asp
+/thumbnails.php
+/topic_title.php
+/torrents.php
+/tracking/courseLog.php
+/types.asp
+/update_profile.php
+/urunbak.asp
+/user.asp
+/user.php
+/user_confirm.asp
+/user_pages/page.asp
+/userdetail.php
+/usergroups.php
+/usermgr.php
+/users.php
+/utilities/usermessages.asp
+/uye_giris_islem.asp
+/vBSupport.php
+/vdateUsr.asp
+/vehiclelistings.asp
+/verify.php
+/vf_memberdetail.asp
+/view.php
+/view_gallery.asp
+/view_profile.php
+/view_recent.asp
+/viewad.asp
+/viewcat.php
+/viewimage.php
+/viewlinks.asp
+/viewthread.php
+/virtuemart_parser.php
+/visu_user.asp
+/voirannonce.php
+/wallpaper.php
+/wbsearch.aspx
+/windows.asp
+/wp-admin/admin-ajax.php
+/wp-admin/admin-functions.php
+/wp-trackback.php
+/xNews.php
+/xmlrpc.php
\ No newline at end of file
diff --git a/rules/base_rules/modsecurity_46_et_web_rules.data b/rules/base_rules/modsecurity_46_et_web_rules.data
new file mode 100644
index 00000000..cd92eef8
--- /dev/null
+++ b/rules/base_rules/modsecurity_46_et_web_rules.data
@@ -0,0 +1,55 @@
+.aspx
+.php
+/CCMAdmin/serverlist.asp
+/OpenView5.exe
+/WindowManager.dll
+/apage.cgi
+/awstats.pl
+/cfexec.cfm
+/class.csv.php
+/cmd-asp-5.1.asp
+/cmd.exe
+/cmd.php
+/cmdasp.asp
+/cmdasp.aspx
+/cmdjsp.jsp
+/contact/contact/index.php
+/default.aspx
+/functionen/ref_kd_rubrik.php
+/grab_globals.lib.php
+/graph_image.php
+/help_text_vars.php
+/hg_referenz_jobgalerie.php
+/include/sessionRegister.php
+/index.php
+/jsp-reverse.jsp
+/misc.php
+/module/referenz.php
+/nquser.php
+/passwiki.php
+/perlcmd.cgi
+/php-backdoor.php
+/piranha/secure/control.php3
+/pmwiki.php
+/prod.php
+/produkte_nach_serie.php
+/produkte_nach_serie_alle.php
+/ref_kd_rubrik.php
+/simple-backdoor.php
+/site_conf.php
+/standard/1/lay.php
+/standard/3/lay.php
+/surfer_aendern.php
+/surfer_anmeldung_NWL.php
+/tiki-featured_link.php
+/wf_startpage.js
+/wf_startqs.htm
+/whcsh_home.htm
+/whstart.js
+/wp-login.php
+/wps_shop.cgi
+?Redirect
+forumdisplay.php
+graph_view.php
+tree.php
+webmail.exe
\ No newline at end of file
diff --git a/rules/base_rules/modsecurity_50_outbound.data b/rules/base_rules/modsecurity_50_outbound.data
new file mode 100644
index 00000000..6c5b0045
--- /dev/null
+++ b/rules/base_rules/modsecurity_50_outbound.data
@@ -0,0 +1,91 @@
+<TITLE>Index of
+><br>
+<title>Index ofMicrosoft VBScript runtime (0x8
+error '800
+Application uses a value of the wrong type for the current operation
+Microsoft VBScript compilation (0x8
+Microsoft VBScript compilation error
+Microsoft .NET Framework Version:
+A trappable error occurred in an external object. The script cannot continue running
+rror
+Microsoft VBScript runtime Error
+>error 'ASP
+ADODB.Command
+Object required: '
+<b>Version Information:</b> does not match with a table name or alias name used in the query
+Either BOF or EOF is True, or the current record has been deleted; the operation
+PostgreSQL query failed:
+You have an error in your SQL syntax near '
+ORA-
+select list because it is not contained in either an aggregate function or the GROUP BY clause
+Syntax error converting the 
+supplied argument is not a valid MS SQL
+supplied argument is not a valid Oracle
+Unclosed quotation mark before the character string
+Warning: mysql_connect():
+Unable to connect to PostgreSQL server:
+SQL Server does not exist or access denied
+microsoft jet database engine error '8
+supplied argument is not a valid PostgreSQL result
+Microsoft OLE DB Provider for 
+You have an error in your SQL syntax;
+Either BOF or EOF is True, or the current record has been deleted
+supplied argument is not a valid ODBC
+supplied argument is not a valid MySQL
+[Microsoft][ODBC 
+error '800a01b8'
+ data type as an argument.
+select list because it is not contained in an aggregate function and there is no GROUP BY clause
+' in sysservers. execute sp_addlinkedserver
+incorrect syntax near These statistics were produced by PeLAB
+This analysis was produced by
+These statistics were produced by getstats
+This report was generated by WebLog
+ebalizer
+This summary was generated byfgets
+move_uploaded_file
+$_session
+ftp_fget
+ftp_put
+readfile
+ftp_nb_put
+gzencode
+bzopen
+fopen
+readdir
+$_post
+gzread
+ftp_nb_fput
+ftp_nb_fget
+ftp_get
+$_get
+scandir
+fscanf
+readgzfile
+fread
+fgetc
+proc_open
+ftp_fput
+fgetss
+ftp_nb_get
+fwrite
+session_start
+gzopen
+gzcompress
+gzwriteserver.urlencode
+server.createobject
+scripting.filesystemobject
+server.execute
+wscript.shell
+<jsp:
+.createtextfile
+.addheader
+wscript.network
+javax.servlet
+.loadfromfile
+server.mappath
+vbscript.encode
+server.htmlencode
+response.write
+response.binarywrite
+.getfile
diff --git a/rules/base_rules/modsecurity_crs_20_protocol_violations.conf b/rules/base_rules/modsecurity_crs_20_protocol_violations.conf
new file mode 100644
index 00000000..568e6768
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_20_protocol_violations.conf
@@ -0,0 +1,122 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#  
+#
+
+# Validate request line
+#
+SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
+    "t:none,t:lowercase,phase:2,block,nolog,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+# Block request with malformed content.
+# ModSecurity will not inspect these, but the server application might do so
+#
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+
+# Accept only digits in content length 
+#
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
+
+# Do not accept GET or HEAD requests with bodies
+# HTTP standard allows GET requests to have a body but this
+# feature is not used in real life. Attackers could try to force
+# a request body on an unsuspecting web applications.
+#
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+1,setvar:tx.anomaly_score=+5,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Require Content-Length to be provided with every POST request.
+#
+SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
+	SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Don't accept transfer encodings we know we don't know how to handle
+#
+# NOTE ModSecurity does not support chunked transfer encodings at
+#      this time. You MUST reject all such requests.
+#
+SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Expect header is an HTTP/1.1 protocol feature
+#
+SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,t:none,nolog,block,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960019',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Pragma Header requires a Cache-Control Header
+#	
+SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
+		SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Range Header exists and begins with 0 - normal browsers don't do this.
+#		
+SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,t:none,block,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Broken/Malicous clients often have duplicate or conflicting headers
+#
+SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+# Check encodings
+SecRule REQUEST_URI "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+	"chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_BODY "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+		SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Check UTF enconding
+# This rule checks to see if your system uses UTF encoding.
+SecRule RESPONSE_HEADERS:Content-Type "charset=utf-8" \
+	"phase:3,t:none,pass,nolog,setvar:global.utf8_encoding_used=1"
+
+# If UTF-8 encoding was detected in the server's respone headers, run this rule on inbound data.
+SecRule GLOBAL:UTF8_ENCODING_USED "@eq 1" "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+	SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+
+# Disallow use of full-width unicode
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
+  "t:none,phase:2,block,nolog,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+# Proxy access attempt
+# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
+#      included in case Apache proxy is misconfigured.
+# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
+#      your local application and this rule allows it.
+# NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable.
+SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,t:none,block,nolog,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
+	SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
+
+#
+# Restrict type of characters sent
+#
+# NOTE In order to be broad and support localized applications this rule
+#      only validates that NULL Is not used.
+#
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
+#
+# TODO If your application use the range 32-126 for parameters.
+#
+#SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
+#	"@validateByteRange 32-126" \
+#	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matchedvar}"
+
+SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
+	"phase:2,block,nolog,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
diff --git a/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf
new file mode 100644
index 00000000..44d8bdb7
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -0,0 +1,73 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# TODO in some cases a valid client (usually automated) generates requests that
+#      violates the HTTP protocol. Create exceptions for those clients, but try
+#      to limit the exception to a source IP or other additional properties of 
+#      the request such as URL and not allow the violation generally. 
+#
+
+# Do not accept requests without common headers. 
+# Implies either an attacker or a legitimate automation client. 
+#
+
+# Detect HTTP/0.9 Requests
+SecRule REQUEST_PROTOCOL ^HTTP/0.9$ "t:none,phase:2,nolog,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_HOST_CHECK
+
+	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    		"skipAfter:END_HOST_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Host "^$" \
+    		"phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+    
+
+SecMarker BEGIN_ACCEPT_CHECK
+
+	SecRule &REQUEST_HEADERS:Accept "@eq 0" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Accept "^$" \
+    		"chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
+		SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_ACCEPT_CHECK
+
+SecMarker BEGIN_UA_CHECK
+
+	SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+    		"skipAfter:END_UA_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:User-Agent "^$" \
+    		"t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_UA_CHECK
+
+
+SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+    "chain,phase:2,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+
+# Check that the host header is not an IP address 
+#
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
+
+
+# Log a security event when the request is rejected by apache
+#
+# You must patch mod_unique_id for this to work correctly.  See the following
+# mod-security-users mail-list post for the patch details -
+# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
+#
+SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,nolog,auditlog,pass,msg:'Invalid request',id:'960913',severity:'4'"
+	SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.leakage_score=+1,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
diff --git a/rules/base_rules/modsecurity_crs_23_request_limits.conf b/rules/base_rules/modsecurity_crs_23_request_limits.conf
new file mode 100644
index 00000000..49c025bd
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_23_request_limits.conf
@@ -0,0 +1,69 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+#      Note that most of the rules are commented out by default.
+#      Uncomment the rules you need
+#
+
+## -- Arguments limits --
+
+# Limit argument name length
+#SecRule ARGS_NAMES "@gt 100" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit value name length
+#SecRule ARGS "@gt 400" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Maximum number of arguments in request limited
+SecRule &ARGS "@gt 255" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit arguments total length
+#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+## -- File upload limits --
+
+# Individual file size is limited
+#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Combined file size is limited
+#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4',setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+
+## -- Apache Limits --
+
+# These are Apache limit directives, but we are including them here because
+# they are often forgotten. If you already have these configured leave this
+# section entirely commented-out. Otherwise review the limits and uncomment
+# the directives.
+
+# Maximum size of the request body.
+#
+# NOTE If your application allows file uploads the value below will
+#      most likely be way to low.
+#
+#LimitRequestBody 64000
+
+# Maximum number of request headers in a request.
+#
+#LimitRequestFields 32
+
+# Maximum size of request header lines.
+#
+#LimitRequestFieldSize 8000
+
+# Maximum size of the request line.
+#
+#LimitRequestLine 4000
+
diff --git a/rules/modsecurity_crs_30_http_policy.conf b/rules/base_rules/modsecurity_crs_30_http_policy.conf
similarity index 100%
rename from rules/modsecurity_crs_30_http_policy.conf
rename to rules/base_rules/modsecurity_crs_30_http_policy.conf
diff --git a/rules/base_rules/modsecurity_crs_35_bad_robots.conf b/rules/base_rules/modsecurity_crs_35_bad_robots.conf
new file mode 100644
index 00000000..3006c8c2
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_35_bad_robots.conf
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE Bad robots detection is based on checking elements easily 
+#      controlled by the client. As such a determined attacked can bypass
+#      those checks. Therefore bad robots detection should not be viewed as
+#      a security mechanism against targeted attacks but rather as a nuisance
+#      reduction, eliminating most of the random attacks against your web
+#      site. 
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "^/nessustest" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|w(?:eb(?:emailextrac| by mail|altbot)|i(?:se(?:nut)?bot|ndows xp 5)|ordpress\/4\.01|3mir)|a(?:t(?:tache|hens)|utoemailspider|dsarobot| href=)|m(?:ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:(?:oe-component-clien|ackra)t|cbrowser|surf)|c(?:ompatible(?: ; msie|-)|hinaclaw)|f(?:astlwspider|loodgate)|t(?:uring machine|akeout)|g(?:rub-client|ecko\/25)|h(?:hjhj@yahoo|anzoweb)|d(?:igout4u|ts )agent|larbin@unspecified|(?:; widow|zeu)s|\bdatacha0s\b|user-agent:|rsync|shai|\\r)" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
+        "chain,phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
+SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MISC-%{matched_var_name}=%{matched_var}"
+
diff --git a/rules/base_rules/modsecurity_crs_40_generic_attacks.conf b/rules/base_rules/modsecurity_crs_40_generic_attacks.conf
new file mode 100644
index 00000000..9144e8d4
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_40_generic_attacks.conf
@@ -0,0 +1,399 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Begin RegEx Checks for rules that could not use @pm prequalifications
+#
+
+#
+# HTTP Parameter Pollution
+#
+SecRule ARGS_NAMES ".*" \
+	"chain,phase:2,t:none,nolog,auditlog,pass,capture,setvar:'tx.arg_name_%{tx.0}=+1',msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'" 
+        SecRule TX:/ARG_NAME_*/ "@gt 1" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+
+#
+# Coldfusion injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# LDAP injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# SSI injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+
+#
+# UPDF XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Email Injection
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+
+# HTTP Request Smuggling
+#
+SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,block,nolog,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{matched_var}"
+
+#
+# HTTP Response Splitting
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
+        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{matched_var}"
+
+
+#
+# RFI Attack
+#
+# See - http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+#
+SecRule ARGS "^(?:ht|f)tps?:\/\/([\d\.]+)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "(?:ft|htt)ps?.*\?+$" \
+        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
+        "chain,phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
+        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{matched_var}"
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_40_generic_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_PM_CHECK,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+	#
+	# Session fixation
+	#
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?expires\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950301',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\.cookie\b.*?\;\W*?domain\W*?\=" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950300',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/PM_DATA_*/ "\bhttp-equiv\W+set-cookie\b" \
+		"phase:2,t:none,capture,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Session Fixation',id:'950302',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{matched_var}"
+ 
+	
+	
+	#
+	# File Injection
+	#
+	SecRule TX:/PM_DATA_*/ "\bboot\.ini\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958711',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\/etc\/" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958700',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htaccess\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958706',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958708',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bhttpd\.conf\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958705',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bglobal\.asa\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958712',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.wwwacl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958710',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.www_acl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958709',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\b\.htgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Remote File Access Attempt',id:'958707',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	        
+
+	#
+	# Command access
+	#
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958503',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958500',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958504',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972022',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972032',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958502',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972030',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972029',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'972031',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958501',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Access',id:'958505',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{matched_var}"        
+
+	#
+	# Command injection
+	#
+	SecRule TX:/PM_DATA_*/ "\btclsh8\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958929',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnmap\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958870',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bperl\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958873',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcpp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958928',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpython\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958887',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnc\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958828',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\buname\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958898',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bpasswd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958888',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\b\W+?\blocalgroup\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958830',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bls\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958883',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchown\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958877',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\brcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958832',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958891',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\brm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958894',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwsh\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958839',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bfinger\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958881',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958890',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\becho\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958872',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bxterm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958879',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bkill\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958884',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958927',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bping\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958893',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\b\W*?[\\/]" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958821',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\btelnet\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958889',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchmod\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958876',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bwguest\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958838',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\b\W*?\/c" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958871',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958829',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bg\+\+" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958875',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnasm\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958882',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd32\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958824',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\blsof\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958897',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bid\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958885',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btelnet\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958834',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btracert\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958926',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bnmap\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958896',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\becho\b\W*?\by+\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958826',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btraceroute\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958837',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btftp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958836',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bgcc\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958874',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bchmod.{0,40}?\+.{0,3}x" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958822',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bps\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958886',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bftp\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958827',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bcmd\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958892',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\btclsh\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958833',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bmail\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "[\;\|\`]\W*?\bchgrp\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958878',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcd\W*?\.\." \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958925',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+	SecRule TX:/PM_DATA_*/ "\bcmd\.exe\b" \
+		"phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'System Command Injection',id:'958823',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	#
+	# PHP injection
+	#
+	
+	SecRule TX:/PM_DATA_*/ "<\?(?!xml)" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958823',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+		
+	SecRule TX:/PM_DATA_*/ "\bproc_open\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958976',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958972',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958963',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958965',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfscanf\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958959',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958978',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetss\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958955',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_post\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958941',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bsession_start\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958982',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breaddir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958977',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958973',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bscandir\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958981',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958962',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfread\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958958',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\breadgzfile\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958979',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958967',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfwrite\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958968',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzencode\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958970',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958957',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_session\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958942',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958964',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fput\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958961',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzcompress\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958969',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bbzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958946',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bgzopen\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958971',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgetc\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958953',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bmove_uploaded_file\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958975',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_nb_put\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958966',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\$_get\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958940',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bfgets\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958954',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/PM_DATA_*/ "\bftp_fget\b" \
+	        "phase:2,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'958960',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+SecMarker END_PM_CHECK
diff --git a/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf b/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
new file mode 100644
index 00000000..9f2b447d
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
@@ -0,0 +1,442 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+# TODO While some of the pattern groups such as command injection are usually
+#      safe of false positives, other pattern groups such as SQL injection and 
+#      XSS may require setting exceptions and therefore are set to log only by
+#      default. 
+#
+#      Start ModSecurity in monitoring only mode and check whether your 
+#      application requires exceptions for a specific URL, Pattern or source IP
+#      before moving to blocking mode.  
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile modsecurity_41_sql_injection_attacks.data" \
+	"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_sqli_score=+1,setvar:tx.pm_sqli_data_%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PM_SQLI_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_SQL_INJECTION_PM,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+
+	#
+	# Blind SQL injection
+	#
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_catalog\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bconstraint_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959503',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959521',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysqueries\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959509',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysaces\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959506',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@spid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959500',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcharindex\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959502',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.all_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959515',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959518',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}buser\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959514',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bwaitfor\b\W*?\bdelay\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959538',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959507',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959513',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_triggers\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959522',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\blocate\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959505',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysrelationships\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959510',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959520',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battnotnull\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959501',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959508',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.tab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959516',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{0,40}\bascii\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959512',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_views\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959523',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binstr\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959504',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsys\.user_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959519',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmysql\.user\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959511',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+			
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959918',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_tab_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\ball_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959900',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_class\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959910',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscat\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959524',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959912',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysdba\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959527',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btextpos\W+\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959533',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\battrelid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bpg_attribute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959909',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_password\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959917',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959919',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_constraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959534',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxtype\W+\bchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959537',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_objects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959916',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysfilegroups\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959528',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsyscolumns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959525',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsubstring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959913',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysobjects\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959530',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysibm\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959529',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_ind_columns\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959535',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcolumn_id\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysprocesses\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959531',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bmb_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btable_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959914',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsystables\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959532',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bobject_name\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959907',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\brownum\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959911',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsysconstraints\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959526',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\batttypid\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959902',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\buser_group\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959915',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+
+
+	#
+	# SQL injection
+	#
+
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'msdasql\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959020',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_makecab\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959058',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_http\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959049',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_number\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959035',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\btbcreator\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959046',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_execute\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959038',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bgroup\b.*\bbyb.{1,100}?\bhaving\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959011',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdata_type\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959027',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_cmdshell\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959052',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bisnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959018',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdba_users\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959008',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenrowset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959023',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bunion\b.{1,100}?\bselect\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binsert\b\W*?\binto\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959015',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959032',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bdrop\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_execresultset\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959055',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regaddmultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959060',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\@\@version\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959004',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regread\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959065',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bloadb\W*?\bdata\b.*\binfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959019',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bto_char\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959034',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdbms_java\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959009',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_enumdsn\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959054',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_availablemedia\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959051',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_prepare\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959042',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bnvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959021',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\butl_file\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959048',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\binner\b\W*?\bjoin\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959014',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletekey\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959061',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_loginconfig\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959057',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_sqlexec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959043',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bprint\b\W*?\@\@" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959024',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959031',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regremovemultistring\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959066',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regwrite\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959067',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959050',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\bdumpfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959016',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifb\W*?\(\W*?\bbenchmark\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959012',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bopenquery\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959022',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959033',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bcastb\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959006',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bdelete\b\W*?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959075',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regdeletevalue\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959062',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sqloledb\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959003',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_addextendedproc\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959037',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_longvarchar\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959044',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_dirtree\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959053',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumkeys\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959063',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\bdump\b.*\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959028',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_filelist\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959056',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'sa\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959026',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_terminate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959068',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_executesql\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959039',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bifnull\b\W*?\(" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959013',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bintob\W*?\boutfile\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959017',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_makewebtask\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959040',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\'dbo\'" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959010',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsql_variant\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959045',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_ntsec\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959059',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\;\W*?\bshutdown\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959002',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.*?\binstr\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959029',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bautonomous_transaction\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959005',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bsp_oacreate\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959041',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959036',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	SecRule TX:/^PM_SQLI_DATA_*/ "\bxp_regenumvalues\b" \
+		"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959064',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+	
+	
+SecMarker END_SQL_INJECTION_PM
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
+       	"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|REQUEST_HEADERS|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
+        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker BEGIN_SQL_INJECTION_WEAK
+SecRule &TX:/SQL_INJECTION/ "@eq 0" "phase:2,t:none,nolog,pass,skipAfter:END_SQL_INJECTION_WEAK"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
+       		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" \
+			"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+	SecRule TX:/SQL_INJECTION/ "\b(?:benchmark|encode)\b" \
+		"phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
+		SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_SQL_INJECTION_WEAK
diff --git a/rules/base_rules/modsecurity_crs_41_xss_attacks.conf b/rules/base_rules/modsecurity_crs_41_xss_attacks.conf
new file mode 100644
index 00000000..cce56e76
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_41_xss_attacks.conf
@@ -0,0 +1,447 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# XSS
+#
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
+       "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,setvar:tx.pm_xss_data_%{matched_var_name}=%{matched_var}"
+SecAction phase:2,pass,nolog,skipAfter:END_XSS_REGEX
+
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousedown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bmocha:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonabort\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bstyle\b\W*\=.*bexpression\b\W*\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcreatetextrange\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bondragdrop\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bcopyparentfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonunload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.execscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bgetspecialfolder\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bonload\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeydown\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmousemove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blivescript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonblur\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmove\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsettimeout\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?iframe" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<body\b.*?\bbackground\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\becmascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonfocus\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.cookie\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\<\!\[cdata\[" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonerror\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bactivexobject\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeypress\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonsubmit\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.addimport\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonchange\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\balert\b\W*?\(" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?meta\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bsrc\b\W*?\bhttp:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseout\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\basfunction:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonmouseover\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bhref\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bjavascript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.innerhtml\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonselect\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\@import\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\blowsrc\b\W*?\bvbscript:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonload\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\< ?script\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonresize\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonclick\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\biframe\b.{0,100}?\bsrc\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bbackground-image:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\bonkeyup\b\W*?\=" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "<input\b.*?\btype\b\W*?\bimage\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\burl\b\W*?\bshell:" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:/^PM_XSS_DATA_*/ "\.fromcharcode\b" \
+	"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+SecMarker END_XSS_REGEX
+
+# Detect tags that are the most common direct HTML injection points.
+#
+#     <a href=javascript:...
+#     <applet src="..." type=text/html>
+#     <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
+#     <base href=javascript:...
+#     <base href=... // change base URL to something else to exploit relative filename inclusion
+#     <bgsound src=javascript:...
+#     <body background=javascript:...
+#     <body onload=...
+#     <embed src=http://www.example.com/flash.swf allowScriptAccess=always
+#     <embed src="data:image/svg+xml;
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...
+#     <img src=x onerror=...
+#     <input type=image src=javascript:...
+#     <layer src=...
+#     <link href="javascript:..." rel="stylesheet" type="text/css"
+#     <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
+#     <meta http-equiv="refresh" content="0;url=javascript:..."
+#     <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
+#     <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
+#     <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
+#     <object data=http://www.example.com
+#     <object type=text/x-scriptlet data=...
+#     <object type=application/x-shockwave-flash data=xss.swf>
+#     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
+#     <script>...</script>
+#     <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
+#     <script src="data:text/javascript,alert(1)"></script>
+#     <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
+#     <style>STYLE</style>
+#     <style type=text/css>STYLE</style>
+#     <style type=text/javascript>alert('xss')</style>
+#     <table background=javascript:...
+#     <td background=javascript:
+#
+#
+# NOTES
+#
+#  - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
+#
+#  - Not using closing brackets because they are not needed for the
+#    attacks to succeed. The following seems to work in FF: <body/s/onload=...
+#
+#  - Also, browsers sometimes tend to translate < into >, in order to "repair"
+#    what they think was a mistake made by the programmer/template designer.
+#
+#  - Browsers are flexible when it comes to what they accept as separator between
+#    tag names and attributes. The following is commonly used in payloads: <img/src=...
+#    A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
+#
+#  - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
+#    but I don't believe we need to look for quotes anywhere.
+#
+#  - Links do not have to be fully qualified. For example, the following works:
+#    <script src="//ha.ckers.org/.j">
+#
+SecRule ARGS|ARGS_NAMES|QUERY_STRING|REQUEST_URI_RAW "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
+	"phase:2,t:none,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "\ballowscriptaccess\b|\brel\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# TODO Would evasion such as null and whitespace work here?
+#
+SecRule ARGS "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect event handler names
+#
+#     <body onload=...>
+#     <img src=x onerror=...>
+#
+SecRule ARGS "\bon(abort|blur|change|click|dblclick|dragdrop|error|\
+focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout\
+mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect usage of common URI attributes (e.g. src)
+#
+#     <a href="javascript:...">Link</a>
+#     <base href="javascript:...">
+#     <bgsound src="javascript:...">
+#     <body background="javascript:...">
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...>
+#     <img dynsrc=javascript:...>
+#     <img lowsrc=javascript:...>
+#     <img src=javascript:...>
+#     <input type=image src=javascript:...>
+#
+SecRule ARGS "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# As above, but try to catch the other bit that is necessary to execute the attack.
+#
+#     <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+#     <img src=jaVaScrIpt:...>
+#     <img src=&#6a;avascript:...> (not evasion)
+#     <img src="jav	ascript:..."> (embedded tab; null byte, other whitespace characters work too)
+#     <img src="jaa&#09;ascript:..."> (the combination of the above two)
+#
+# NOTES
+#
+#  - htmlEntityDecode needs to be applied because this content appears in HTML
+#    attributes, so it's not evasion.
+#
+# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
+#
+SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" \
+	"phase:2,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Detect attempts to use the style attribute, which works with any tag in at
+# least one major browser.
+#
+#     <div style="background-image: url(javascript:...)">
+#
+SecRule ARGS "\bstyle\b\W*?=" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# -- JavaScript fragments --
+#
+#    TODO Need more fragments.
+#
+#    TODO What about JavaScript code hidden behind CSS?
+#
+#    TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
+#
+#    alert(String.fromCharCode(88,83,83)
+#    - window.name
+#    - document.cookie
+#    - document.location
+#    - document.write
+#    - document.styleSheets[0].addImport('yourstylesheet.css', 2);
+#    - window.execScript("alert('test');", "JavaScript");
+#    - document.body.innerHTML = ''
+#    - newObj = new ActiveXObject(servername.typename[, location])
+#    - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
+#    - setTimeout("alert('xss')", 1000)
+#    - xmlHttp.onreadystatechange=function() {}
+#    - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
+#
+# NOTES:
+# 
+#  - JavaScript evasion:
+#
+#    http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
+#    http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
+#
+SecRule ARGS "(fromcharcode|alert|eval)\s*\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+20,setvar:tx.anomaly_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- CSS attack fragments --
+
+#     <div style="background-image: url(javascript:...)">
+#     <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
+#     <div style="width: expression(...);">
+#     <img style="x:expression(document.write(1))">
+#     <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
+# -    <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
+#     <style>@import url(...);</style>
+#     -moz-binding:url(...)
+#     background:url("javascript:...")
+#     </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
+#     <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
+#     <li style="behavior:url(hilite.htc)">xss
+#
+#     Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
+#
+# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
+#
+# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
+#       a match of that before we do anything might help us reduce the FP rate.
+#
+SecRule ARGS "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
+	"phase:2,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#      <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
+SecRule ARGS "<!\[cdata\[|\]\]>" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# -- Misc --
+
+#    alert('xss')
+#    alert("xss")
+#    alert(/xss/)
+#    <xss>
+#
+SecRule ARGS "[/'\"<]xss[/'\">]" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    String.fromCharCode(88,83,83)
+# 
+SecRule ARGS "(88,83,83)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+#    '';!--"<XSS>=&{()}
+#
+SecRule ARGS "'';!--\"<xss>=&{()}" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+# Handle &{alert('xss')} which is supposed to work in Netscape 4.
+# 
+SecRule ARGS "&{" \
+	"phase:2,t:none,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
+
+# <!DOCTYPE html [  
+#   <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
+# ]>
+# <html xmlns="http://www.w3.org/1999/xhtml">
+# <head>
+#   <title>Test</title>
+# </head>
+#
+# <body>
+# &inject;
+# </body>
+# </html>
+#
+SecRule ARGS "<!(doctype|entity)" \
+	"phase:2,t:none,t:lowercase,block,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{matched_var}"
+
diff --git a/rules/modsecurity_crs_45_trojans.conf b/rules/base_rules/modsecurity_crs_45_trojans.conf
similarity index 57%
rename from rules/modsecurity_crs_45_trojans.conf
rename to rules/base_rules/modsecurity_crs_45_trojans.conf
index 0cc51f9f..14996e3f 100644
--- a/rules/modsecurity_crs_45_trojans.conf
+++ b/rules/base_rules/modsecurity_crs_45_trojans.conf
@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -27,8 +27,8 @@
 #      Trojans upload to file uploading inspection. 
 # 
 
-SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
+SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_FILENAME "root\.exe" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
-SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
+        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
diff --git a/rules/base_rules/modsecurity_crs_46_et_sql_injection.conf b/rules/base_rules/modsecurity_crs_46_et_sql_injection.conf
new file mode 100644
index 00000000..d5dc5405
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_46_et_sql_injection.conf
@@ -0,0 +1,2346 @@
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES"
+
+# (sid 2007508) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007508,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007514) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007514,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoryID_list/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007520) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007520,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sale_type/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007526) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007526,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:stock_number/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007532) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007532,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:manufacturer/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007538) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007538,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:model/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007544) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007544,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007550) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007550,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007556) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007556,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:vin/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007562) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price 
+SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007562,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:listing_price/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004063) ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php rating 
+SecRule REQUEST_URI_RAW "(?i:\/includes\/rating\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004063,rev:4,msg:'ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php rating ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2z_project'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:rating/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php rating ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004075) ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php post_id 
+SecRule REQUEST_URI_RAW "(?i:\/includes\/rating\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004075,rev:4,msg:'ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php post_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2z_project'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 2z Project SQL Injection Attempt -- rating.php post_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007221) ET WEB_SPECIFIC 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/edit\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007221,rev:3,msg:'ET WEB_SPECIFIC 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_8pixel'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005061) ET WEB_SPECIFIC ACGVannu SQL Injection Attempt -- modif.html id_mod 
+SecRule REQUEST_URI_RAW "(?i:\/templates\/modif\.html)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005061,rev:4,msg:'ET WEB_SPECIFIC ACGVannu SQL Injection Attempt -- modif.html id_mod ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ACGVannu'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_mod/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ACGVannu SQL Injection Attempt -- modif.html id_mod ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005577) ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name 
+SecRule REQUEST_URI_RAW "(?i:\/shared\/code\/cp_authorization\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005577,rev:3,msg:'ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AIOCP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:xuser_name/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005583) ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did 
+SecRule REQUEST_URI_RAW "(?i:\/public\/code\/cp_downloads\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005583,rev:3,msg:'ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AIOCP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004533) ET WEB_SPECIFIC AJ Auction SQL Injection Attempt -- subcat.php cate_id 
+SecRule REQUEST_URI_RAW "(?i:\/subcat\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004533,rev:4,msg:'ET WEB_SPECIFIC AJ Auction SQL Injection Attempt -- subcat.php cate_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AJ'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cate_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AJ Auction SQL Injection Attempt -- subcat.php cate_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004539) ET WEB_SPECIFIC AJDating SQL Injection Attempt -- view_profile.php user_id 
+SecRule REQUEST_URI_RAW "(?i:\/view_profile\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004539,rev:4,msg:'ET WEB_SPECIFIC AJDating SQL Injection Attempt -- view_profile.php user_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AJ'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AJDating SQL Injection Attempt -- view_profile.php user_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004545) ET WEB_SPECIFIC AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid 
+SecRule REQUEST_URI_RAW "(?i:\/postingdetails\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004545,rev:4,msg:'ET WEB_SPECIFIC AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AJ'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:postingid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004550) ET WEB_SPECIFIC AJ Forum SQL Injection Attempt -- topic_title.php td_id 
+SecRule REQUEST_URI_RAW "(?i:\/topic_title\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004550,rev:4,msg:'ET WEB_SPECIFIC AJ Forum SQL Injection Attempt -- topic_title.php td_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AJ'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:td_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AJ Forum SQL Injection Attempt -- topic_title.php td_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006823) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum2.asp soruid 
+SecRule REQUEST_URI_RAW "(?i:\/forum2\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006823,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum2.asp soruid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:soruid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum2.asp soruid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006829) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak 
+SecRule REQUEST_URI_RAW "(?i:\/kullanicilistesi\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006829,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ak/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006835) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler 
+SecRule REQUEST_URI_RAW "(?i:\/aramayap\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006835,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kelimeler/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006841) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi 
+SecRule REQUEST_URI_RAW "(?i:\/giris\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006841,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kullaniciadi/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006847) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno 
+SecRule REQUEST_URI_RAW "(?i:\/mesajkutum\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006847,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mesajno/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006853) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf 
+SecRule REQUEST_URI_RAW "(?i:\/kullanicilistesi\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006853,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:harf/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006859) ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum.asp baslik 
+SecRule REQUEST_URI_RAW "(?i:\/forum\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006859,rev:3,msg:'ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum.asp baslik ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASPMForum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:baslik/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASPMForum SQL Injection Attempt -- forum.asp baslik ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005109) ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- artreplydelete.asp username 
+SecRule REQUEST_URI_RAW "(?i:\/artreplydelete\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005109,rev:4,msg:'ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASP_EDGE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005168) ET WEB_SPECIFIC ASP NEWS SQL Injection Attempt -- news_detail.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/news_detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005168,rev:4,msg:'ET WEB_SPECIFIC ASP NEWS SQL Injection Attempt -- news_detail.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASP_NEWS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASP NEWS SQL Injection Attempt -- news_detail.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005174) ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- user.asp user 
+SecRule REQUEST_URI_RAW "(?i:\/user\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005174,rev:4,msg:'ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- user.asp user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASP_NEWS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASP EDGE SQL Injection Attempt -- user.asp user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005887) ET WEB_SPECIFIC ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005887,rev:4,msg:'ET WEB_SPECIFIC ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASP_Siteware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iPro/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007004) ET WEB_SPECIFIC ASP ListPics SQL Injection Attempt -- listpics.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/listpics\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007004,rev:3,msg:'ET WEB_SPECIFIC ASP ListPics SQL Injection Attempt -- listpics.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ASP_listpics'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ASP ListPics SQL Injection Attempt -- listpics.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004323) ET WEB_SPECIFIC Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004323,rev:3,msg:'ET WEB_SPECIFIC Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Absolute_Image_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007396) ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid 
+SecRule REQUEST_URI_RAW "(?i:\/product\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007396,rev:3,msg:'ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Acart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:productid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007402) ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007402,rev:3,msg:'ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Acart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007480) ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID 
+SecRule REQUEST_URI_RAW "(?i:\/activenews_view\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007480,rev:3,msg:'ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ActiveNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007485) ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- default.asp page 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007485,rev:3,msg:'ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- default.asp page ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ActiveNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- default.asp page ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007491) ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID 
+SecRule REQUEST_URI_RAW "(?i:\/activeNews_categories\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007491,rev:3,msg:'ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ActiveNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007497) ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID 
+SecRule REQUEST_URI_RAW "(?i:\/activeNews_comments\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007497,rev:3,msg:'ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ActiveNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:articleID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007503) ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query 
+SecRule REQUEST_URI_RAW "(?i:\/activenews_search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007503,rev:3,msg:'ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ActiveNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:query/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004891) ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/HaberDetay\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004891,rev:4,msg:'ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Aktueldownload_Haber_script'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004897) ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid 
+SecRule REQUEST_URI_RAW "(?i:\/rss\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004897,rev:4,msg:'ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Aktueldownload_Haber_script'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005776) ET WEB_SPECIFIC @lex Guestbook SQL Injection Attempt -- index.php lang 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005776,rev:4,msg:'ET WEB_SPECIFIC @lex Guestbook SQL Injection Attempt -- index.php lang ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Alex_Guestbook'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC @lex Guestbook SQL Injection Attempt -- index.php lang ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004021) ET WEB_SPECIFIC AlstraSoft E-Friends SQL Injection Attempt -- index.php pack 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004021,rev:4,msg:'ET WEB_SPECIFIC AlstraSoft E-Friends SQL Injection Attempt -- index.php pack ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Alstrasoft'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pack/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AlstraSoft E-Friends SQL Injection Attempt -- index.php pack ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004721) ET WEB_SPECIFIC ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/section\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004721,rev:4,msg:'ET WEB_SPECIFIC ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Angel_Learning_Mgmt'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006565) ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- email.php id 
+SecRule REQUEST_URI_RAW "(?i:\/email\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006565,rev:3,msg:'ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- email.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AnnounceScriptHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- email.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006571) ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no 
+SecRule REQUEST_URI_RAW "(?i:\/voirannonce\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006571,rev:3,msg:'ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AnnounceScriptHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:no/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006577) ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/admin_membre\/fiche_membre\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006577,rev:3,msg:'ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AnnounceScriptHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idmembre/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006583) ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/admin_annonce\/okvalannonce\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006583,rev:3,msg:'ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AnnounceScriptHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006589) ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/admin_annonce\/changeannonce\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006589,rev:3,msg:'ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_AnnounceScriptHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idannonce/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006787) ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici 
+SecRule REQUEST_URI_RAW "(?i:\/giris\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006787,rev:3,msg:'ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Aspee'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006793) ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola 
+SecRule REQUEST_URI_RAW "(?i:\/giris\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006793,rev:3,msg:'ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Aspee'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:parola/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004728) ET WEB_SPECIFIC Audins Audiens SQL Injection Attempt -- index.php PHPSESSID 
+SecRule REQUEST_URI_RAW "(?i:\/system\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004728,rev:4,msg:'ET WEB_SPECIFIC Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Audins'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:PHPSESSID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007456) ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob 
+SecRule REQUEST_URI_RAW "(?i:\/publications_list\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007456,rev:3,msg:'ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BPG_Infotech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:vjob/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007462) ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID 
+SecRule REQUEST_URI_RAW "(?i:\/publication_view\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007462,rev:3,msg:'ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BPG_Infotech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:InfoID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004335) ET WEB_SPECIFIC BP Blog SQL Injection Attempt -- default.asp layout 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004335,rev:4,msg:'ET WEB_SPECIFIC BP Blog SQL Injection Attempt -- default.asp layout ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BP_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:layout/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BP Blog SQL Injection Attempt -- default.asp layout ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007215) ET WEB_SPECIFIC BasicForum SQL Injection Attempt -- edit.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/edit\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007215,rev:3,msg:'ET WEB_SPECIFIC BasicForum SQL Injection Attempt -- edit.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Basicforum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BasicForum SQL Injection Attempt -- edit.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006337) ET WEB_SPECIFIC Bluetrait SQL Injection Attempt -- bt-trackback.php 
+SecRule REQUEST_URI_RAW "(?i:\/bt\-trackback\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006337,rev:4,msg:'ET WEB_SPECIFIC Bluetrait SQL Injection Attempt -- bt-trackback.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bluetrait'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004832) ET WEB_SPECIFIC Bookmark4U SQL Injection Attempt -- config.php sqlcmd 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/config\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004832,rev:4,msg:'ET WEB_SPECIFIC Bookmark4U SQL Injection Attempt -- config.php sqlcmd ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Bookmark4U'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sqlcmd/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Bookmark4U SQL Injection Attempt -- config.php sqlcmd ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004027) ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php style 
+SecRule REQUEST_URI_RAW "(?i:\/account_change\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004027,rev:4,msg:'ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php style ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BtiTracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:style/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php style ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004033) ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php langue 
+SecRule REQUEST_URI_RAW "(?i:\/account_change\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004033,rev:4,msg:'ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php langue ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BtiTracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:langue/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BtiTracker SQL Injection Attempt -- account_change.php langue ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004989) ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php by 
+SecRule REQUEST_URI_RAW "(?i:\/torrents\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004989,rev:4,msg:'ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php by ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BtitTracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:by/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php by ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004995) ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php order 
+SecRule REQUEST_URI_RAW "(?i:\/torrents\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004995,rev:4,msg:'ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php order ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_BtitTracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC BtitTracker SQL Injection Attempt -- torrents.php order ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003780) ET WEB_SPECIFIC Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/bry\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003780,rev:4,msg:'ET WEB_SPECIFIC Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006253) ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid 
+SecRule REQUEST_URI_RAW "(?i:\/HABERLER\.ASP)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006253,rev:4,msg:'ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006259) ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id 
+SecRule REQUEST_URI_RAW "(?i:\/HABERLER\.ASP)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006259,rev:4,msg:'ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006265) ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id 
+SecRule REQUEST_URI_RAW "(?i:\/ASPKAT\.ASP)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006265,rev:4,msg:'ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006271) ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid 
+SecRule REQUEST_URI_RAW "(?i:\/ASPKAT\.ASP)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006271,rev:4,msg:'ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006277) ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/down\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006277,rev:4,msg:'ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Burak'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003797) ET WEB_SPECIFIC CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid 
+SecRule REQUEST_URI_RAW "(?i:\/stylesheet\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003797,rev:5,msg:'ET WEB_SPECIFIC CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CMS_Made_Simple'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:templateid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006169) ET WEB_SPECIFIC Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/calendar_detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006169,rev:4,msg:'ET WEB_SPECIFIC Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Calendar_MX'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006187) ET WEB_SPECIFIC Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/admin_mail_adressee\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006187,rev:4,msg:'ET WEB_SPECIFIC Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Calendar_MX'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007468) ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- openPolicy.asp policy 
+SecRule REQUEST_URI_RAW "(?i:\/openPolicy\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007468,rev:3,msg:'ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CandyPress'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:policy/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007474) ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- prodList.asp brand 
+SecRule REQUEST_URI_RAW "(?i:\/prodList\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007474,rev:3,msg:'ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- prodList.asp brand ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CandyPress'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:brand/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CandyPress Store SQL Injection Attempt -- prodList.asp brand ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007227) ET WEB_SPECIFIC ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date 
+SecRule REQUEST_URI_RAW "(?i:\/displayCalendar\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007227,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:date/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007233) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage 
+SecRule REQUEST_URI_RAW "(?i:\/view_gallery\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007233,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007239) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id 
+SecRule REQUEST_URI_RAW "(?i:\/view_gallery\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007239,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gallery_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007245) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id 
+SecRule REQUEST_URI_RAW "(?i:\/download_image\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007245,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007251) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007251,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007257) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007257,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007263) ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage 
+SecRule REQUEST_URI_RAW "(?i:\/view_recent\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007263,rev:3,msg:'ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:currentpage/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007269) ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007269,rev:3,msg:'ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:AlphaSort/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007275) ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp In 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007275,rev:3,msg:'ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp In ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:In/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp In ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007281) ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp orderby 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007281,rev:3,msg:'ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Clicktech'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:orderby/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004879) ET WEB_SPECIFIC CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID 
+SecRule REQUEST_URI_RAW "(?i:\/inc_listnews\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004879,rev:4,msg:'ET WEB_SPECIFIC CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CodeAvalance'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CAT_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006508) ET WEB_SPECIFIC Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct 
+SecRule REQUEST_URI_RAW "(?i:\/comersus_optReviewReadExec\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006508,rev:4,msg:'ET WEB_SPECIFIC Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Comersus'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:idProduct/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004639) ET WEB_SPECIFIC Comicsense SQL Injection Attempt -- index.php epi 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004639,rev:4,msg:'ET WEB_SPECIFIC Comicsense SQL Injection Attempt -- index.php epi ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ComicSense_Portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:epi/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Comicsense SQL Injection Attempt -- index.php epi ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004709) ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- admin.php uploadimage 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004709,rev:4,msg:'ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- admin.php uploadimage ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Connectix_Portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uploadimage/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- admin.php uploadimage ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004715) ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- index.php p_skin 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004715,rev:4,msg:'ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- index.php p_skin ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Connectix_Portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:p_skin/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Connectix Boards SQL Injection Attempt -- index.php p_skin ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007340) ET WEB_SPECIFIC ContentNow SQL Injection Attempt -- index.php pageid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007340,rev:3,msg:'ET WEB_SPECIFIC ContentNow SQL Injection Attempt -- index.php pageid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ContentNow'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pageid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ContentNow SQL Injection Attempt -- index.php pageid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006307) ET WEB_SPECIFIC Contra Haber Sistemi SQL Injection Attempt -- haber.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/haber\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006307,rev:4,msg:'ET WEB_SPECIFIC Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Contra_Haber'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004813) ET WEB_SPECIFIC Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav 
+SecRule REQUEST_URI_RAW "(?i:\/thumbnails\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004813,rev:4,msg:'ET WEB_SPECIFIC Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Coppermine_Photo_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cpg131_fav/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005845) ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat 
+SecRule REQUEST_URI_RAW "(?i:\/albmgr\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005845,rev:4,msg:'ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Coppermine_Photo_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005851) ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid 
+SecRule REQUEST_URI_RAW "(?i:\/usermgr\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005851,rev:4,msg:'ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Coppermine_Photo_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005857) ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start 
+SecRule REQUEST_URI_RAW "(?i:\/db_ecard\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005857,rev:4,msg:'ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Coppermine_Photo_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:start/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003756) ET WEB_SPECIFIC CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/error\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003756,rev:4,msg:'ET WEB_SPECIFIC CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Creascripts'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005863) ET WEB_SPECIFIC CreateAuction SQL Injection Attempt -- cats.asp catid 
+SecRule REQUEST_URI_RAW "(?i:\/cats\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005863,rev:4,msg:'ET WEB_SPECIFIC CreateAuction SQL Injection Attempt -- cats.asp catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CreateAuction'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC CreateAuction SQL Injection Attempt -- cats.asp catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004039) ET WEB_SPECIFIC CubeCart SQL Injection Attempt -- cart.inc.php 
+SecRule REQUEST_URI_RAW "(?i:\/cart\.inc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004039,rev:4,msg:'ET WEB_SPECIFIC CubeCart SQL Injection Attempt -- cart.inc.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_CubeCart'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2004087) ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php catid 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004087,rev:4,msg:'ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DGNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004460) ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php newsid 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004460,rev:4,msg:'ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php newsid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DGNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DGNews SQL Injection Attempt -- news.php newsid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004687) ET WEB_SPECIFIC DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004687,rev:4,msg:'ET WEB_SPECIFIC DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006085) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp 
+SecRule REQUEST_URI_RAW "(?i:\/set_preferences\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006085,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006091) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp 
+SecRule REQUEST_URI_RAW "(?i:\/send_password_preferences\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006091,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006097) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- list.asp 
+SecRule REQUEST_URI_RAW "(?i:\/SecureLoginManager\/list\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006097,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006103) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent 
+SecRule REQUEST_URI_RAW "(?i:\/login\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006103,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006109) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent 
+SecRule REQUEST_URI_RAW "(?i:\/content\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006109,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006115) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent 
+SecRule REQUEST_URI_RAW "(?i:\/members\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006115,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006121) ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent 
+SecRule REQUEST_URI_RAW "(?i:\/applications\/SecureLoginManager\/inc_secureloginmanager\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006121,rev:4,msg:'ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DMXReady'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005899) ET WEB_SPECIFIC Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005899,rev:4,msg:'ET WEB_SPECIFIC Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_DQOS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ordernum/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004838) ET WEB_SPECIFIC Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id 
+SecRule REQUEST_URI_RAW "(?i:\/page\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004838,rev:4,msg:'ET WEB_SPECIFIC Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Design4Online'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005595) ET WEB_SPECIFIC Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/visu_user\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005595,rev:4,msg:'ET WEB_SPECIFIC Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Digiappz'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005839) ET WEB_SPECIFIC Digirez SQL Injection Attempt -- info_book.asp book_id 
+SecRule REQUEST_URI_RAW "(?i:\/info_book\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005839,rev:4,msg:'ET WEB_SPECIFIC Digirez SQL Injection Attempt -- info_book.asp book_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Digirez'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:book_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Digirez SQL Injection Attempt -- info_book.asp book_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004051) ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- courseLog.php scormcontopen 
+SecRule REQUEST_URI_RAW "(?i:\/tracking\/courseLog\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004051,rev:4,msg:'ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dokeos'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:scormcontopen/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004069) ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- my_progress.php course 
+SecRule REQUEST_URI_RAW "(?i:\/main\/auth\/my_progress\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004069,rev:4,msg:'ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- my_progress.php course ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dokeos'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:course/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Dokeos SQL Injection Attempt -- my_progress.php course ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006145) ET WEB_SPECIFIC Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/bus_details\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006145,rev:4,msg:'ET WEB_SPECIFIC Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Dragon_Business_Dir'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004389) ET WEB_SPECIFIC fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/goster\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004389,rev:4,msg:'ET WEB_SPECIFIC fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duruyu'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006691) ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp iFile 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006691,rev:4,msg:'ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp iFile ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iFile/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp iFile ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006698) ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp action 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006698,rev:4,msg:'ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp action ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:action/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DUware DUdownload SQL Injection Attempt -- detail.asp action ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006704) ET WEB_SPECIFIC DUware DUpaypal SQL Injection Attempt -- detail.asp iType 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006704,rev:4,msg:'ET WEB_SPECIFIC DUware DUpaypal SQL Injection Attempt -- detail.asp iType ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iType/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DUware DUpaypal SQL Injection Attempt -- detail.asp iType ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006710) ET WEB_SPECIFIC DuWare DuClassmate SQL Injection Attempt -- default.asp iCity 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006710,rev:4,msg:'ET WEB_SPECIFIC DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iCity/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006716) ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iNews 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006716,rev:4,msg:'ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iNews ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iNews/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iNews ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006722) ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iType 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006722,rev:4,msg:'ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iType ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iType/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp iType ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006728) ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp Action 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006728,rev:4,msg:'ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp Action ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Duware'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Action/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC DuWare DuNews SQL Injection Attempt -- detail.asp Action ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003774) ET WEB_SPECIFIC E-Annu SQL Injection Attempt -- home.php a 
+SecRule REQUEST_URI_RAW "(?i:\/home\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003774,rev:4,msg:'ET WEB_SPECIFIC E-Annu SQL Injection Attempt -- home.php a ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_E-Annu'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:a/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC E-Annu SQL Injection Attempt -- home.php a ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004628) ET WEB_SPECIFIC EQdkp SQL Injection Attempt -- listmembers.php rank 
+SecRule REQUEST_URI_RAW "(?i:\/listmembers\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004628,rev:4,msg:'ET WEB_SPECIFIC EQdkp SQL Injection Attempt -- listmembers.php rank ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EQdkp'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:rank/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC EQdkp SQL Injection Attempt -- listmembers.php rank ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005272) ET WEB_SPECIFIC Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/memberlist\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005272,rev:4,msg:'ET WEB_SPECIFIC Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Easebay'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005278) ET WEB_SPECIFIC Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/memberlist\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005278,rev:4,msg:'ET WEB_SPECIFIC Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Easebay'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:init_row/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005043) ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php i 
+SecRule REQUEST_URI_RAW "(?i:\/add_comment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005043,rev:4,msg:'ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php i ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EasyMoblog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php i ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005049) ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php post_id 
+SecRule REQUEST_URI_RAW "(?i:\/add_comment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005049,rev:4,msg:'ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php post_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EasyMoblog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- add_comment.php post_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005055) ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- list_comments.php i 
+SecRule REQUEST_URI_RAW "(?i:\/list_comments\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005055,rev:4,msg:'ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- list_comments.php i ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EasyMoblog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:i/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC EasyMoblog SQL Injection Attempt -- list_comments.php i ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006558) ET WEB_SPECIFIC EasyPage SQL Injection Attempt -- default.aspx docId 
+SecRule REQUEST_URI_RAW "(?i:\/sptrees\/default\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006558,rev:3,msg:'ET WEB_SPECIFIC EasyPage SQL Injection Attempt -- default.aspx docId ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EasyPage'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:docId/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC EasyPage SQL Injection Attempt -- default.aspx docId ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005091) ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005091,rev:4,msg:'ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Eclectic_Designs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:qid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005115) ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005115,rev:4,msg:'ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Eclectic_Designs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005989) ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp grup 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005989,rev:4,msg:'ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp grup ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Efkan'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp grup ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005995) ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005995,rev:4,msg:'ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Efkan'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006001) ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006001,rev:4,msg:'ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Efkan'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- admin.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006163) ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp grup 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006163,rev:4,msg:'ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp grup ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Efkan'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:grup/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Efkan Forum SQL Injection Attempt -- default.asp grup ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006453) ET WEB_SPECIFIC Elxis CMS SQL Injection Attempt -- mod_banners.php 
+SecRule REQUEST_URI_RAW "(?i:\/mod_banners\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006453,rev:4,msg:'ET WEB_SPECIFIC Elxis CMS SQL Injection Attempt -- mod_banners.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Elxis'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006139) ET WEB_SPECIFIC Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/newsdetail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006139,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006151) ET WEB_SPECIFIC Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id 
+SecRule REQUEST_URI_RAW "(?i:\/Types\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006151,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Type_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006157) ET WEB_SPECIFIC Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID 
+SecRule REQUEST_URI_RAW "(?i:\/actualpic\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006157,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Biz_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007046) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID 
+SecRule REQUEST_URI_RAW "(?i:\/ad\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007046,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007052) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id 
+SecRule REQUEST_URI_RAW "(?i:\/ad\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007052,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007058) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id 
+SecRule REQUEST_URI_RAW "(?i:\/ad\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007058,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sub_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007028) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id 
+SecRule REQUEST_URI_RAW "(?i:\/ad\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007028,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ad_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007034) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid 
+SecRule REQUEST_URI_RAW "(?i:\/dircat\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007034,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007040) ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid 
+SecRule REQUEST_URI_RAW "(?i:\/dirSub\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007040,rev:4,msg:'ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007080) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid 
+SecRule REQUEST_URI_RAW "(?i:\/dircat\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007080,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007086) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid 
+SecRule REQUEST_URI_RAW "(?i:\/dirSub\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007086,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007092) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID 
+SecRule REQUEST_URI_RAW "(?i:\/types\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007092,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:TYPE_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007098) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID 
+SecRule REQUEST_URI_RAW "(?i:\/homeDetail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007098,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:AD_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007104) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/result\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007104,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007110) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare 
+SecRule REQUEST_URI_RAW "(?i:\/compareHomes\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007110,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:compare/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007116) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear 
+SecRule REQUEST_URI_RAW "(?i:\/compareHomes\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007116,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:clear/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007122) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID 
+SecRule REQUEST_URI_RAW "(?i:\/compareHomes\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007122,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:adID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007128) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice 
+SecRule REQUEST_URI_RAW "(?i:\/result\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007128,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:aminprice/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007134) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice 
+SecRule REQUEST_URI_RAW "(?i:\/result\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007134,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:amaxprice/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007140) ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms 
+SecRule REQUEST_URI_RAW "(?i:\/result\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007140,rev:3,msg:'ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthrallweb'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:abedrooms/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005260) ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_owned.php cat 
+SecRule REQUEST_URI_RAW "(?i:\/show_owned\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005260,rev:4,msg:'ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_owned.php cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthusiast'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_owned.php cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005266) ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_joined.php cat 
+SecRule REQUEST_URI_RAW "(?i:\/show_joined\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005266,rev:4,msg:'ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_joined.php cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Enthusiast'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Enthusiast SQL Injection Attempt -- show_joined.php cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006223) ET WEB_SPECIFIC Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user 
+SecRule REQUEST_URI_RAW "(?i:\/administration\/administre2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006223,rev:4,msg:'ET WEB_SPECIFIC Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Eric_Guillaume'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005881) ET WEB_SPECIFIC E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id 
+SecRule REQUEST_URI_RAW "(?i:\/productdetail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005881,rev:4,msg:'ET WEB_SPECIFIC E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Esmartcart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005340) ET WEB_SPECIFIC e-Vision CMS SQL Injection Attempt -- style.php template 
+SecRule REQUEST_URI_RAW "(?i:\/style\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005340,rev:4,msg:'ET WEB_SPECIFIC e-Vision CMS SQL Injection Attempt -- style.php template ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Evision'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:template/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC e-Vision CMS SQL Injection Attempt -- style.php template ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007064) ET WEB_SPECIFIC Evolve shopping cart SQL Injection Attempt -- products.asp partno 
+SecRule REQUEST_URI_RAW "(?i:\/products\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007064,rev:3,msg:'ET WEB_SPECIFIC Evolve shopping cart SQL Injection Attempt -- products.asp partno ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Evolve'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:partno/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Evolve shopping cart SQL Injection Attempt -- products.asp partno ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005085) ET WEB_SPECIFIC ExoPHPDesk SQL Injection Attempt -- faq.php id 
+SecRule REQUEST_URI_RAW "(?i:\/faq\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005085,rev:4,msg:'ET WEB_SPECIFIC ExoPHPDesk SQL Injection Attempt -- faq.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ExoPHPDesk'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ExoPHPDesk SQL Injection Attempt -- faq.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006817) ET WEB_SPECIFIC Expinion.net iNews SQL Injection Attempt -- articles.asp ex 
+SecRule REQUEST_URI_RAW "(?i:\/articles\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006817,rev:4,msg:'ET WEB_SPECIFIC Expinion.net iNews SQL Injection Attempt -- articles.asp ex ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Expinion.net'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ex/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Expinion.net iNews SQL Injection Attempt -- articles.asp ex ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006343) ET WEB_SPECIFIC EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp 
+SecRule REQUEST_URI_RAW "(?i:\/vdateUsr\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006343,rev:4,msg:'ET WEB_SPECIFIC EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_EzHRS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005619) ET WEB_SPECIFIC Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid 
+SecRule REQUEST_URI_RAW "(?i:\/boxx\/ShowAppendix\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005619,rev:4,msg:'ET WEB_SPECIFIC Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Ezboxx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003850) ET WEB_SPECIFIC FAQEngine SQL Injection Attempt -- question.php questionref 
+SecRule REQUEST_URI_RAW "(?i:\/question\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003850,rev:4,msg:'ET WEB_SPECIFIC FAQEngine SQL Injection Attempt -- question.php questionref ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_FAQEngine'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:questionref/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC FAQEngine SQL Injection Attempt -- question.php questionref ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006127) ET WEB_SPECIFIC Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006127,rev:4,msg:'ET WEB_SPECIFIC Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_FUM'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006331) ET WEB_SPECIFIC Fantastic News SQL Injection Attempt -- news.php id 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006331,rev:4,msg:'ET WEB_SPECIFIC Fantastic News SQL Injection Attempt -- news.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fantastic_News'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fantastic News SQL Injection Attempt -- news.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003792) ET WEB_SPECIFIC FileRun SQL Injection Attempt -- index.php fid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003792,rev:4,msg:'ET WEB_SPECIFIC FileRun SQL Injection Attempt -- index.php fid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_FileRun'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC FileRun SQL Injection Attempt -- index.php fid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006902) ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006902,rev:4,msg:'ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_FipsSHOP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006908) ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp did 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006908,rev:4,msg:'ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp did ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_FipsSHOP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC FipsSHOP SQL Injection Attempt -- index.asp did ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007186) ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id 
+SecRule REQUEST_URI_RAW "(?i:\/filelist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007186,rev:3,msg:'ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fixit_iDMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:show_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007192) ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid 
+SecRule REQUEST_URI_RAW "(?i:\/filelist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007192,rev:3,msg:'ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fixit_iDMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:parentid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007198) ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid 
+SecRule REQUEST_URI_RAW "(?i:\/showfile\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007198,rev:3,msg:'ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fixit_iDMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003827) ET WEB_SPECIFIC Flashgames SQL Injection Attempt -- game.php lid 
+SecRule REQUEST_URI_RAW "(?i:\/game\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003827,rev:4,msg:'ET WEB_SPECIFIC Flashgames SQL Injection Attempt -- game.php lid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Flashgames'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Flashgames SQL Injection Attempt -- game.php lid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005150) ET WEB_SPECIFIC Forum Livre SQL Injection Attempt -- info_user.asp user 
+SecRule REQUEST_URI_RAW "(?i:\/info_user\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005150,rev:4,msg:'ET WEB_SPECIFIC Forum Livre SQL Injection Attempt -- info_user.asp user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Forum_Livre'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Forum Livre SQL Injection Attempt -- info_user.asp user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004921) ET WEB_SPECIFIC Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/listmain\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004921,rev:4,msg:'ET WEB_SPECIFIC Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fullaspsite'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005079) ET WEB_SPECIFIC Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id 
+SecRule REQUEST_URI_RAW "(?i:\/windows\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005079,rev:4,msg:'ET WEB_SPECIFIC Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fullaspsite'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kategori_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005376) ET WEB_SPECIFIC Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/down_indir\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005376,rev:4,msg:'ET WEB_SPECIFIC Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fullaspsite'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006465) ET WEB_SPECIFIC FuseTalk SQL Injection Attempt -- index.cfm 
+SecRule REQUEST_URI_RAW "(?i:\/index\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006465,rev:4,msg:'ET WEB_SPECIFIC FuseTalk SQL Injection Attempt -- index.cfm ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fusetalk'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006471) ET WEB_SPECIFIC FuseTalk SQL Injection Attempt -- autherror.cfm errorcode 
+SecRule REQUEST_URI_RAW "(?i:\/forum\/include\/error\/autherror\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006471,rev:4,msg:'ET WEB_SPECIFIC FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fusetalk'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:errorcode/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006193) ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm newsId 
+SecRule REQUEST_URI_RAW "(?i:\/index\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006193,rev:4,msg:'ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm newsId ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Future_Internet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsId/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm newsId ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006199) ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm categoryid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006199,rev:4,msg:'ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm categoryid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Future_Internet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm categoryid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006205) ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm langId 
+SecRule REQUEST_URI_RAW "(?i:\/index\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006205,rev:4,msg:'ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm langId ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Future_Internet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:langId/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Future Internet SQL Injection Attempt -- index.cfm langId ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005334) ET WEB_SPECIFIC Fuzzylime Forum SQL Injection Attempt -- low.php topic 
+SecRule REQUEST_URI_RAW "(?i:\/low\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005334,rev:4,msg:'ET WEB_SPECIFIC Fuzzylime Forum SQL Injection Attempt -- low.php topic ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Fuzzylime'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Fuzzylime Forum SQL Injection Attempt -- low.php topic ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004003) ET WEB_SPECIFIC Gazi Download Portal SQL Injection Attempt -- down_indir.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/down_indir\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004003,rev:4,msg:'ET WEB_SPECIFIC Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Gazi'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004401) ET WEB_SPECIFIC GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori 
+SecRule REQUEST_URI_RAW "(?i:\/kategori\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004401,rev:4,msg:'ET WEB_SPECIFIC GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GaziYapBoz'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kategori/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005013) ET WEB_SPECIFIC GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user 
+SecRule REQUEST_URI_RAW "(?i:\/inc\/common\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005013,rev:4,msg:'ET WEB_SPECIFIC GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_GlobalMegaCorp'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003844) ET WEB_SPECIFIC Glossaire SQL Injection Attempt -- glossaire-p-f.php sid 
+SecRule REQUEST_URI_RAW "(?i:\/glossaire\-p\-f\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003844,rev:4,msg:'ET WEB_SPECIFIC Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Glossaire'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004353) ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- userdetail.php id 
+SecRule REQUEST_URI_RAW "(?i:\/userdetail\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004353,rev:4,msg:'ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- userdetail.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Grayscale_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- userdetail.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004359) ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php id 
+SecRule REQUEST_URI_RAW "(?i:\/jump\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004359,rev:4,msg:'ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Grayscale_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004365) ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- detail.php id 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004365,rev:4,msg:'ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- detail.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Grayscale_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- detail.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004371) ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php url 
+SecRule REQUEST_URI_RAW "(?i:\/jump\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004371,rev:4,msg:'ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php url ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Grayscale_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Grayscale Blog SQL Injection Attempt -- jump.php url ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005311) ET WEB_SPECIFIC Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/print\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005311,rev:4,msg:'ET WEB_SPECIFIC Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Guo_Xu_Guos'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004395) ET WEB_SPECIFIC HC NEWSSYSTEM SQL Injection Attempt -- index.php ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004395,rev:4,msg:'ET WEB_SPECIFIC HC NEWSSYSTEM SQL Injection Attempt -- index.php ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_HC_News'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC HC NEWSSYSTEM SQL Injection Attempt -- index.php ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007408) ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd 
+SecRule REQUEST_URI_RAW "(?i:\/addrating\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007408,rev:3,msg:'ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_HIOX'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ipadd/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007414) ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url 
+SecRule REQUEST_URI_RAW "(?i:\/addrating\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007414,rev:3,msg:'ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_HIOX'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:url/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004425) ET WEB_SPECIFIC Hazir Site SQL Injection Attempt -- giris_yap.asp sifre 
+SecRule REQUEST_URI_RAW "(?i:\/giris_yap\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004425,rev:4,msg:'ET WEB_SPECIFIC Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hazir'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004633) ET WEB_SPECIFIC Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/haberoku\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004633,rev:4,msg:'ET WEB_SPECIFIC Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hunkaray'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005067) ET WEB_SPECIFIC Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/oku\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005067,rev:4,msg:'ET WEB_SPECIFIC Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Hunkaray'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005643) ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/dispimage\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005643,rev:4,msg:'ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Image_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005649) ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp order 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005649,rev:4,msg:'ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp order ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Image_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp order ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005655) ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp page 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005655,rev:4,msg:'ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp page ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Image_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Image Gallery with Access Database SQL Injection Attempt -- default.asp page ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006866) ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/rating\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006866,rev:4,msg:'ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Infinitytechs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006872) ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid 
+SecRule REQUEST_URI_RAW "(?i:\/meal_rest\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006872,rev:4,msg:'ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Infinitytechs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mealid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006878) ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid 
+SecRule REQUEST_URI_RAW "(?i:\/res_details\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006878,rev:4,msg:'ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Infinitytechs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:resid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004801) ET WEB_SPECIFIC Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP 
+SecRule REQUEST_URI_RAW "(?i:\/classes\/class_session\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004801,rev:4,msg:'ET WEB_SPECIFIC Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Invision'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CLIENT_IP/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006673) ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- post.php img 
+SecRule REQUEST_URI_RAW "(?i:\/forum\/modules\/gallery\/post\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006673,rev:4,msg:'ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- post.php img ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Invision'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- post.php img ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006679) ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- index.php img 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006679,rev:4,msg:'ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- index.php img ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Invision'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:img/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Invision Gallery SQL Injection Attempt -- index.php img ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006685) ET WEB_SPECIFIC Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid 
+SecRule REQUEST_URI_RAW "(?i:\/lib\/entry_reply_entry\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006685,rev:4,msg:'ET WEB_SPECIFIC Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Invision'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:eid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006211) ET WEB_SPECIFIC Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id 
+SecRule REQUEST_URI_RAW "(?i:\/ixm_ixpnews\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006211,rev:4,msg:'ET WEB_SPECIFIC Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Ixprim'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:story_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005346) ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass 
+SecRule REQUEST_URI_RAW "(?i:\/auth\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005346,rev:4,msg:'ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JFF_NM'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005364) ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user 
+SecRule REQUEST_URI_RAW "(?i:\/auth\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005364,rev:4,msg:'ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JFF_NM'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005370) ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass 
+SecRule REQUEST_URI_RAW "(?i:\/auth\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005370,rev:4,msg:'ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JFF_NM'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004156) ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp title 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004156,rev:4,msg:'ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp title ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JGBBS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:title/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp title ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004341) ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp author 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004341,rev:4,msg:'ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp author ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JGBBS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:author/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC JGBBS SQL Injection Attempt -- search.asp author ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004484) ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq 
+SecRule REQUEST_URI_RAW "(?i:\/G_Display\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004484,rev:4,msg:'ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JackKnife'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iCategoryUnq/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004490) ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID 
+SecRule REQUEST_URI_RAW "(?i:\/Search\/DisplayResults\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004490,rev:4,msg:'ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_JackKnife'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:iSearchID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006496) ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- login.php login_username 
+SecRule REQUEST_URI_RAW "(?i:\/login\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006496,rev:4,msg:'ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- login.php login_username ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jasmine_CMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:login_username/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- login.php login_username ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006502) ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- news.php item 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006502,rev:4,msg:'ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- news.php item ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jasmine_CMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:item/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Jasmine CMS SQL Injection Attempt -- news.php item ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004081) ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- attachment.php 
+SecRule REQUEST_URI_RAW "(?i:\/admincp\/attachment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004081,rev:4,msg:'ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- attachment.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jelsoft'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2004150) ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- attachment.php 
+SecRule REQUEST_URI_RAW "(?i:\/admincp\/attachment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004150,rev:4,msg:'ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- attachment.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jelsoft'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004670) ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids 
+SecRule REQUEST_URI_RAW "(?i:\/inlinemod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004670,rev:4,msg:'ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jelsoft'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:postids/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003943) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- main_page.php 
+SecRule REQUEST_URI_RAW "(?i:\/main_page\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003943,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- main_page.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2003949) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- open_tree.php 
+SecRule REQUEST_URI_RAW "(?i:\/open_tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003949,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- open_tree.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2003955) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- outputs.php 
+SecRule REQUEST_URI_RAW "(?i:\/outputs\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003955,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- outputs.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2003961) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php view 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003961,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php view ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:view/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php view ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003967) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- opentree.php id 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/cms\/opentree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003967,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- opentree.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule REQUEST_URI_RAW "@contains id[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2003973) ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php login 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003973,rev:4,msg:'ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php login ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jetbox'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Jetbox CMS SQL Injection Attempt -- index.php login ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007348) ET WEB_SPECIFIC JiRos FAQ Manager SQL Injection Attempt -- index.asp tID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007348,rev:3,msg:'ET WEB_SPECIFIC JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jiros'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:tID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007354) ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID 
+SecRule REQUEST_URI_RAW "(?i:\/openlink\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007354,rev:3,msg:'ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jiros'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:LinkID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007360) ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID 
+SecRule REQUEST_URI_RAW "(?i:\/viewlinks\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007360,rev:3,msg:'ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jiros'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CategoryID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004377) ET WEB_SPECIFIC PHP Labs JobSitePro SQL Injection Attempt -- search.php salary 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004377,rev:4,msg:'ET WEB_SPECIFIC PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Jobsitepro'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:salary/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003762) ET WEB_SPECIFIC John Mordo Jobs SQL Injection Attempt -- index.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003762,rev:4,msg:'ET WEB_SPECIFIC John Mordo Jobs SQL Injection Attempt -- index.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_John_Mordo'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC John Mordo Jobs SQL Injection Attempt -- index.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005296) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- category.php catid 
+SecRule REQUEST_URI_RAW "(?i:\/models\/category\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005296,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- category.php catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- category.php catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005302) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- letterman.class.php id 
+SecRule REQUEST_URI_RAW "(?i:\/letterman\.class\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005302,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- letterman.class.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- letterman.class.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005394) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- example.php 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/user\/example\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005394,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- example.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005400) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- gmail.php 
+SecRule REQUEST_URI_RAW "(?i:\/gmail\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005400,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- gmail.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005406) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- example.php 
+SecRule REQUEST_URI_RAW "(?i:\/example\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005406,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- example.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005412) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- ldap.php 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/authentication\/ldap\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005412,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- ldap.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005418) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- menu.php 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/mod_mainmenu\/menu\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005418,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- menu.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005424) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- content.php where 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/search\/content\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005424,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- content.php where ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- content.php where ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005430) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- weblinks.php where 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/search\/weblinks\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005430,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- weblinks.php where ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:where/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- weblinks.php where ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005436) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- contacts.php text 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/search\/contacts\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005436,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- contacts.php text ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- contacts.php text ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005442) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- categories.php text 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/search\/categories\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005442,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- categories.php text ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- categories.php text ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005448) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- sections.php text 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/search\/sections\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005448,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- sections.php text ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:text/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- sections.php text ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005454) ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- user.php email 
+SecRule REQUEST_URI_RAW "(?i:\/database\/table\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005454,rev:4,msg:'ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- user.php email ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Joomla'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Joomla! SQL Injection Attempt -- user.php email ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006764) ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category 
+SecRule REQUEST_URI_RAW "(?i:\/search_listing\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006764,rev:4,msg:'ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_KLF_Design'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006770) ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent 
+SecRule REQUEST_URI_RAW "(?i:\/search_listing\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006770,rev:4,msg:'ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_KLF_Design'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006776) ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006776,rev:4,msg:'ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_KLF_Design'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:property_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004645) ET WEB_SPECIFIC Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id 
+SecRule REQUEST_URI_RAW "(?i:\/news\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004645,rev:4,msg:'ET WEB_SPECIFIC Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Kartli'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004126) ET WEB_SPECIFIC Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004126,rev:4,msg:'ET WEB_SPECIFIC Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Katalog_Plyt'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kolumna/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004983) ET WEB_SPECIFIC Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid 
+SecRule REQUEST_URI_RAW "(?i:\/forum\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004983,rev:4,msg:'ET WEB_SPECIFIC Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Kisisel'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005800) ET WEB_SPECIFIC Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/down\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005800,rev:4,msg:'ET WEB_SPECIFIC Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Kolayindir'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004693) ET WEB_SPECIFIC Kubix SQL Injection Attempt -- index.php member_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004693,rev:4,msg:'ET WEB_SPECIFIC Kubix SQL Injection Attempt -- index.php member_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Kubix'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:member_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Kubix SQL Injection Attempt -- index.php member_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005073) ET WEB_SPECIFIC Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid 
+SecRule REQUEST_URI_RAW "(?i:\/i\-search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005073,rev:4,msg:'ET WEB_SPECIFIC Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_L2J_DropCalc'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:itemid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005977) ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w 
+SecRule REQUEST_URI_RAW "(?i:\/journal\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005977,rev:4,msg:'ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_LDU'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:w/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006319) ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id 
+SecRule REQUEST_URI_RAW "(?i:\/polls\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006319,rev:4,msg:'ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_LDU'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004527) ET WEB_SPECIFIC LI-Guestbook SQL Injection Attempt -- guestbook.php country 
+SecRule REQUEST_URI_RAW "(?i:\/guestbook\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004527,rev:4,msg:'ET WEB_SPECIFIC LI-Guestbook SQL Injection Attempt -- guestbook.php country ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_LI_Guestbook'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LI-Guestbook SQL Injection Attempt -- guestbook.php country ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007298) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/inout\/status\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007298,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007304) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/inout\/update\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007304,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007310) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/forgotpass\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007310,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007316) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid 
+SecRule REQUEST_URI_RAW "(?i:\/forgotpass\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007316,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007322) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid 
+SecRule REQUEST_URI_RAW "(?i:\/inout\/update\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007322,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007328) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid 
+SecRule REQUEST_URI_RAW "(?i:\/inout\/status\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007328,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007334) ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/details\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007334,rev:3,msg:'ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Liberum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006661) ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni 
+SecRule REQUEST_URI_RAW "(?i:\/navigacija\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006661,rev:4,msg:'ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Link_CMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:IDMeniGlavni/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006667) ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci 
+SecRule REQUEST_URI_RAW "(?i:\/prikazInformacije\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006667,rev:4,msg:'ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Link_CMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:IDStranicaPodaci/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007366) ET WEB_SPECIFIC Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch 
+SecRule REQUEST_URI_RAW "(?i:\/linkslist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007366,rev:3,msg:'ET WEB_SPECIFIC Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Link_Exchange_Lite'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:psearch/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007372) ET WEB_SPECIFIC Link Exchange Lite SQL Injection Attempt -- search.asp 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007372,rev:3,msg:'ET WEB_SPECIFIC Link Exchange Lite SQL Injection Attempt -- search.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Link_Exchange_Lite'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2004413) ET WEB_SPECIFIC Links Management Application SQL Injection Attempt -- index.php lcnt 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004413,rev:4,msg:'ET WEB_SPECIFIC Links Management Application SQL Injection Attempt -- index.php lcnt ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Links_Management'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lcnt/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Links Management Application SQL Injection Attempt -- index.php lcnt ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006477) ET WEB_SPECIFIC LiveCMS SQL Injection Attempt -- categoria.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/categoria\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006477,rev:4,msg:'ET WEB_SPECIFIC LiveCMS SQL Injection Attempt -- categoria.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_LiveCMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LiveCMS SQL Injection Attempt -- categoria.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005833) ET WEB_SPECIFIC LocazoList SQL Injection Attempt -- main.asp subcatID 
+SecRule REQUEST_URI_RAW "(?i:\/main\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005833,rev:4,msg:'ET WEB_SPECIFIC LocazoList SQL Injection Attempt -- main.asp subcatID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_LocazoList'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:subcatID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LocazoList SQL Injection Attempt -- main.asp subcatID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006325) ET WEB_SPECIFIC Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID 
+SecRule REQUEST_URI_RAW "(?i:\/ProductDetails\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006325,rev:4,msg:'ET WEB_SPECIFIC Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Lotfian'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:PID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004965) ET WEB_SPECIFIC LushiNews SQL Injection Attempt -- comments.php id 
+SecRule REQUEST_URI_RAW "(?i:\/comments\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004965,rev:4,msg:'ET WEB_SPECIFIC LushiNews SQL Injection Attempt -- comments.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Lushi'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LushiNews SQL Injection Attempt -- comments.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004971) ET WEB_SPECIFIC LushiWarPlaner SQL Injection Attempt -- register.php id 
+SecRule REQUEST_URI_RAW "(?i:\/register\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004971,rev:4,msg:'ET WEB_SPECIFIC LushiWarPlaner SQL Injection Attempt -- register.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Lushi'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC LushiWarPlaner SQL Injection Attempt -- register.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005139) ET WEB_SPECIFIC MAXdev MDPro SQL Injection Attempt -- index.php startrow 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005139,rev:4,msg:'ET WEB_SPECIFIC MAXdev MDPro SQL Injection Attempt -- index.php startrow ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MDPro'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:startrow/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MAXdev MDPro SQL Injection Attempt -- index.php startrow ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005516) ET WEB_SPECIFIC MGB OpenSource Guestbook SQL Injection Attempt -- email.php id 
+SecRule REQUEST_URI_RAW "(?i:\/email\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005516,rev:4,msg:'ET WEB_SPECIFIC MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MGB'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006229) ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p 
+SecRule REQUEST_URI_RAW "(?i:\/detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006229,rev:4,msg:'ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MGinternet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:p/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006235) ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l 
+SecRule REQUEST_URI_RAW "(?i:\/listings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006235,rev:4,msg:'ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MGinternet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:l/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006241) ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ 
+SecRule REQUEST_URI_RAW "(?i:\/listings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006241,rev:4,msg:'ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MGinternet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:typ/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006247) ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc 
+SecRule REQUEST_URI_RAW "(?i:\/listings\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006247,rev:4,msg:'ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MGinternet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:loc/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003991) ET WEB_SPECIFIC Mambo SQL Injection Attempt -- index.php listid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003991,rev:4,msg:'ET WEB_SPECIFIC Mambo SQL Injection Attempt -- index.php listid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mambo'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:listid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Mambo SQL Injection Attempt -- index.php listid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004431) ET WEB_SPECIFIC Mambo SQL Injection Attempt -- moscomment.php mcname 
+SecRule REQUEST_URI_RAW "(?i:\/moscomment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004431,rev:4,msg:'ET WEB_SPECIFIC Mambo SQL Injection Attempt -- moscomment.php mcname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mambo'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Mambo SQL Injection Attempt -- moscomment.php mcname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004437) ET WEB_SPECIFIC Mambo SQL Injection Attempt -- com_comment.php mcname 
+SecRule REQUEST_URI_RAW "(?i:\/com_comment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004437,rev:4,msg:'ET WEB_SPECIFIC Mambo SQL Injection Attempt -- com_comment.php mcname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mambo'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mcname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Mambo SQL Injection Attempt -- com_comment.php mcname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004770) ET WEB_SPECIFIC Mambo LaiThai SQL Injection Attempt -- mambo.php 
+SecRule REQUEST_URI_RAW "(?i:\/includes\/mambo\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004770,rev:4,msg:'ET WEB_SPECIFIC Mambo LaiThai SQL Injection Attempt -- mambo.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mambo'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005145) ET WEB_SPECIFIC Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid 
+SecRule REQUEST_URI_RAW "(?i:\/news_page\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005145,rev:4,msg:'ET WEB_SPECIFIC Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Martyn_Kilbryde_Newsposter'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:uid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004269) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php x 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004269,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule REQUEST_URI_RAW "@contains x[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004275) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php t 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004275,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:t/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004281) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004281,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:productId/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004287) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004287,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sk/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004293) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php x 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004293,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:x/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004299) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php so 
+SecRule REQUEST_URI_RAW "(?i:\/product_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004299,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:so/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004305) ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo 
+SecRule REQUEST_URI_RAW "(?i:\/order\-track\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004305,rev:4,msg:'ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Mega_Mall'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:orderNo/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006349) ET WEB_SPECIFIC Messageriescripthp SQL Injection Attempt -- lire-avis.php aa 
+SecRule REQUEST_URI_RAW "(?i:\/lire\-avis\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006349,rev:4,msg:'ET WEB_SPECIFIC Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Messageriescripthp'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006799) ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi 
+SecRule REQUEST_URI_RAW "(?i:\/uye_giris_islem\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006799,rev:4,msg:'ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Metyus'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kullanici_ismi/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006805) ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre 
+SecRule REQUEST_URI_RAW "(?i:\/uye_giris_islem\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006805,rev:4,msg:'ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Metyus'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sifre/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005607) ET WEB_SPECIFIC MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/duyuru\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005607,rev:4,msg:'ET WEB_SPECIFIC MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MiNT'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007010) ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant 
+SecRule REQUEST_URI_RAW "(?i:\/item_show\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007010,rev:4,msg:'ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Midicart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id2006quant/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007016) ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup 
+SecRule REQUEST_URI_RAW "(?i:\/item_list\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007016,rev:4,msg:'ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Midicart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:maingroup/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007022) ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup 
+SecRule REQUEST_URI_RAW "(?i:\/item_list\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007022,rev:4,msg:'ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Midicart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:secondgroup/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004168) ET WEB_SPECIFIC Minerva mod SQL Injection Attempt -- forum.php c 
+SecRule REQUEST_URI_RAW "(?i:\/forum\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004168,rev:4,msg:'ET WEB_SPECIFIC Minerva mod SQL Injection Attempt -- forum.php c ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Minerva'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Minerva mod SQL Injection Attempt -- forum.php c ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005782) ET WEB_SPECIFIC Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName 
+SecRule REQUEST_URI_RAW "(?i:\/admin_check_user\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005782,rev:4,msg:'ET WEB_SPECIFIC Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Motionborg'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtUserName/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003839) ET WEB_SPECIFIC MyConference SQL Injection Attempt -- index.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003839,rev:4,msg:'ET WEB_SPECIFIC MyConference SQL Injection Attempt -- index.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyConference'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MyConference SQL Injection Attempt -- index.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006631) ET WEB_SPECIFIC MyStats SQL Injection Attempt -- mystats.php details 
+SecRule REQUEST_URI_RAW "(?i:\/mystats\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006631,rev:4,msg:'ET WEB_SPECIFIC MyStats SQL Injection Attempt -- mystats.php details ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_MyStats'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:details/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC MyStats SQL Injection Attempt -- mystats.php details ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004616) ET WEB_SPECIFIC My Datebook SQL Injection Attempt -- diary.php delete 
+SecRule REQUEST_URI_RAW "(?i:\/diary\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004616,rev:4,msg:'ET WEB_SPECIFIC My Datebook SQL Injection Attempt -- diary.php delete ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_My_Datebook'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:delete/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC My Datebook SQL Injection Attempt -- diary.php delete ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004099) ET WEB_SPECIFIC My Little Forum SQL Injection Attempt -- user.php id 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004099,rev:4,msg:'ET WEB_SPECIFIC My Little Forum SQL Injection Attempt -- user.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_My_Little_Forum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC My Little Forum SQL Injection Attempt -- user.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004746) ET WEB_SPECIFIC Nabopoll SQL Injection Attempt -- result.php surv 
+SecRule REQUEST_URI_RAW "(?i:\/result\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004746,rev:4,msg:'ET WEB_SPECIFIC Nabopoll SQL Injection Attempt -- result.php surv ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Nabopoll'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:surv/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Nabopoll SQL Injection Attempt -- result.php surv ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006884) ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id 
+SecRule REQUEST_URI_RAW "(?i:\/users\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006884,rev:4,msg:'ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neochrome'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006740) ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/ipsearch\/ipsearch\.admin\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006740,rev:4,msg:'ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neocrome'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006746) ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php 
+SecRule REQUEST_URI_RAW "(?i:\/pfs\/pfs\.edit\.inc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006746,rev:4,msg:'ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neocrome'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006752) ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- users.register.inc.php 
+SecRule REQUEST_URI_RAW "(?i:\/system\/core\/users\/users\.register\.inc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006752,rev:4,msg:'ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neocrome'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006758) ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- polls.php id 
+SecRule REQUEST_URI_RAW "(?i:\/polls\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006758,rev:4,msg:'ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- polls.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neocrome'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- polls.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007292) ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- users.php id 
+SecRule REQUEST_URI_RAW "(?i:\/users\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007292,rev:3,msg:'ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- users.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neocrome'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neocrome Seditio SQL Injection Attempt -- users.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006551) ET WEB_SPECIFIC NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id 
+SecRule REQUEST_URI_RAW "(?i:\/ViewCat\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006551,rev:4,msg:'ET WEB_SPECIFIC NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NetClassifieds'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:s_user_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004162) ET WEB_SPECIFIC NetVIOS Portal SQL Injection Attempt -- page.asp NewsID 
+SecRule REQUEST_URI_RAW "(?i:\/News\/page\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004162,rev:4,msg:'ET WEB_SPECIFIC NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NetVIOS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004940) ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentname 
+SecRule REQUEST_URI_RAW "(?i:\/pages\/addcomment2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004940,rev:4,msg:'ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neuron_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004947) ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail 
+SecRule REQUEST_URI_RAW "(?i:\/pages\/addcomment2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004947,rev:4,msg:'ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neuron_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentmail/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004953) ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite 
+SecRule REQUEST_URI_RAW "(?i:\/pages\/addcomment2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004953,rev:4,msg:'ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neuron_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:commentwebsite/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004959) ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php comment 
+SecRule REQUEST_URI_RAW "(?i:\/pages\/addcomment2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004959,rev:4,msg:'ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php comment ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Neuron_Blog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:comment/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Neuron Blog SQL Injection Attempt -- addcomment2.php comment ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005679) ET WEB_SPECIFIC Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category 
+SecRule REQUEST_URI_RAW "(?i:\/shared\/code\/cp_functions_downloads\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005679,rev:4,msg:'ET WEB_SPECIFIC Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Nicola_Asuni'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:download_category/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005019) ET WEB_SPECIFIC Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id 
+SecRule REQUEST_URI_RAW "(?i:\/view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005019,rev:4,msg:'ET WEB_SPECIFIC Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Noname_Media_Gallerie'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006595) ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid 
+SecRule REQUEST_URI_RAW "(?i:\/dagent\/downloadreport\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006595,rev:4,msg:'ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Novell_Zenworks'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:agentid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006601) ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass 
+SecRule REQUEST_URI_RAW "(?i:\/dagent\/downloadreport\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006601,rev:4,msg:'ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Novell_Zenworks'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004311) ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nukesentinel.php 
+SecRule REQUEST_URI_RAW "(?i:\/nukesentinel\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004311,rev:4,msg:'ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nukesentinel.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NukeSentinel'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004734) ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nukesentinel.php 
+SecRule REQUEST_URI_RAW "(?i:\/nukesentinel\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004734,rev:4,msg:'ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nukesentinel.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NukeSentinel'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004740) ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nsbypass.php 
+SecRule REQUEST_URI_RAW "(?i:\/includes\/nsbypass\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004740,rev:4,msg:'ET WEB_SPECIFIC NukeSentinel SQL Injection Attempt -- nsbypass.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_NukeSentinel'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006811) ET WEB_SPECIFIC Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid 
+SecRule REQUEST_URI_RAW "(?i:\/viewthread\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006811,rev:4,msg:'ET WEB_SPECIFIC Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_O2PHP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005601) ET WEB_SPECIFIC Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/etkinlikbak\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005601,rev:4,msg:'ET WEB_SPECIFIC Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Okul'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004454) ET WEB_SPECIFIC Omegasoft SQL Injection Attempt -- OmegaMw7.asp 
+SecRule REQUEST_URI_RAW "(?i:\/OmegaMw7\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004454,rev:4,msg:'ET WEB_SPECIFIC Omegasoft SQL Injection Attempt -- OmegaMw7.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Omegasoft'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004849) ET WEB_SPECIFIC Online Web Building SQL Injection Attempt -- page.asp art_id 
+SecRule REQUEST_URI_RAW "(?i:\/user_pages\/page\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004849,rev:4,msg:'ET WEB_SPECIFIC Online Web Building SQL Injection Attempt -- page.asp art_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Online_Web_Building'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:art_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Online Web Building SQL Injection Attempt -- page.asp art_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005941) ET WEB_SPECIFIC Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate 
+SecRule REQUEST_URI_RAW "(?i:\/login\/register\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005941,rev:4,msg:'ET WEB_SPECIFIC Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Outfront'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:UserUpdate/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005947) ET WEB_SPECIFIC Outfront Spooky Login SQL Injection Attempt -- a_register.asp 
+SecRule REQUEST_URI_RAW "(?i:\/includes\/a_register\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005947,rev:4,msg:'ET WEB_SPECIFIC Outfront Spooky Login SQL Injection Attempt -- a_register.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Outfront'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004245) ET WEB_SPECIFIC PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip 
+SecRule REQUEST_URI_RAW "(?i:\/php\-stats\.recphp\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004245,rev:4,msg:'ET WEB_SPECIFIC PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP-Stats'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ip/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006514) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006514,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_Type_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006520) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006520,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Outgoing_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006526) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Project_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006526,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Project_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Project_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Project_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006532) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Client_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006532,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Client_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Client_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Client_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006538) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Invoice_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006538,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Invoice_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006544) ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Vendor_ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006544,rev:4,msg:'ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPAccounts'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Vendor_ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005971) ET WEB_SPECIFIC phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/admin_acronyms\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005971,rev:4,msg:'ET WEB_SPECIFIC phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPBB'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006973) ET WEB_SPECIFIC phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id 
+SecRule REQUEST_URI_RAW "(?i:\/admin_hacks_list\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006973,rev:4,msg:'ET WEB_SPECIFIC phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPBB'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:hack_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004045) ET WEB_SPECIFIC PHPEcho CMS SQL Injection Attempt -- gallery.php id 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/admin\/modules\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004045,rev:4,msg:'ET WEB_SPECIFIC PHPEcho CMS SQL Injection Attempt -- gallery.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPEcho'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPEcho CMS SQL Injection Attempt -- gallery.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003809) ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003809,rev:4,msg:'ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPHoo3'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ADMIN_USER/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003815) ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003815,rev:4,msg:'ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPHoo3'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ADMIN_PASS/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004699) ET WEB_SPECIFIC PHPKit SQL Injection Attempt -- include.php catid 
+SecRule REQUEST_URI_RAW "(?i:\/include\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004699,rev:4,msg:'ET WEB_SPECIFIC PHPKit SQL Injection Attempt -- include.php catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPKit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPKit SQL Injection Attempt -- include.php catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005788) ET WEB_SPECIFIC PHPKIT SQL Injection Attempt -- comment.php subid 
+SecRule REQUEST_URI_RAW "(?i:\/comment\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005788,rev:4,msg:'ET WEB_SPECIFIC PHPKIT SQL Injection Attempt -- comment.php subid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPKit'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:subid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHPKIT SQL Injection Attempt -- comment.php subid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004704) ET WEB_SPECIFIC PHPWind SQL Injection Attempt -- admin.php 
+SecRule REQUEST_URI_RAW "(?i:\/admin\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004704,rev:4,msg:'ET WEB_SPECIFIC PHPWind SQL Injection Attempt -- admin.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHPWind'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004329) ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- mainfile.php lang 
+SecRule REQUEST_URI_RAW "(?i:\/mainfile\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004329,rev:4,msg:'ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- mainfile.php lang ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lang/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- mainfile.php lang ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004855) ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php category_id 
+SecRule REQUEST_URI_RAW "(?i:\/modules\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004855,rev:4,msg:'ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php category_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php category_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005460) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active 
+SecRule REQUEST_URI_RAW "(?i:\/admin\/modules\/modules\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005460,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:active/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005466) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/Advertising\/admin\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005466,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ad_class/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005472) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/Advertising\/admin\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005472,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:imageurl/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005478) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/Advertising\/admin\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005478,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:clickurl/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005484) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/Advertising\/admin\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005484,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ad_code/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005491) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/Advertising\/admin\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005491,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:position/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005589) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat 
+SecRule REQUEST_URI_RAW "(?i:\/blocks\/block\-Old_Articles\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005589,rev:4,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006931) ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/modules\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006931,rev:4,msg:'ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006937) ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php pid 
+SecRule REQUEST_URI_RAW "(?i:\/modules\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006937,rev:4,msg:'ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php pid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Nuke SQL Injection Attempt -- modules.php pid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007180) ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid 
+SecRule REQUEST_URI_RAW "(?i:\/modules\/News\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007180,rev:3,msg:'ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Nuke'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005905) ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newmessage 
+SecRule REQUEST_URI_RAW "(?i:\/code\/guestadd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005905,rev:4,msg:'ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newmessage ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Update'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newmessage/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newmessage ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005911) ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newname 
+SecRule REQUEST_URI_RAW "(?i:\/code\/guestadd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005911,rev:4,msg:'ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Update'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005917) ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newwebsite 
+SecRule REQUEST_URI_RAW "(?i:\/code\/guestadd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005917,rev:4,msg:'ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Update'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newwebsite/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005923) ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newemail 
+SecRule REQUEST_URI_RAW "(?i:\/code\/guestadd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005923,rev:4,msg:'ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newemail ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PHP_Update'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newemail/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PHP-Update SQL Injection Attempt -- guestadd.php newemail ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004610) ET WEB_SPECIFIC PNphpBB2 SQL Injection Attempt -- index.php c 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004610,rev:4,msg:'ET WEB_SPECIFIC PNphpBB2 SQL Injection Attempt -- index.php c ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PNphpBB2'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PNphpBB2 SQL Injection Attempt -- index.php c ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004934) ET WEB_SPECIFIC PSY Auction SQL Injection Attempt -- item.php id 
+SecRule REQUEST_URI_RAW "(?i:\/item\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004934,rev:4,msg:'ET WEB_SPECIFIC PSY Auction SQL Injection Attempt -- item.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PSY_Auction'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PSY Auction SQL Injection Attempt -- item.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006734) ET WEB_SPECIFIC PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006734,rev:4,msg:'ET WEB_SPECIFIC PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PWP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:main/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004263) ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- post.php postid 
+SecRule REQUEST_URI_RAW "(?i:\/post\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004263,rev:4,msg:'ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- post.php postid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Particle_Blogger'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:postid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- post.php postid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005220) ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- archives.php month 
+SecRule REQUEST_URI_RAW "(?i:\/archives\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005220,rev:4,msg:'ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- archives.php month ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Particle_Blogger'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:month/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Particle Blogger SQL Injection Attempt -- archives.php month ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004622) ET WEB_SPECIFIC Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment 
+SecRule REQUEST_URI_RAW "(?i:\/viewimage\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004622,rev:4,msg:'ET WEB_SPECIFIC Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Particle_Gallery'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:editcomment/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004093) ET WEB_SPECIFIC Phil-a-Form SQL Injection Attempt -- index.php form_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004093,rev:4,msg:'ET WEB_SPECIFIC Phil-a-Form SQL Injection Attempt -- index.php form_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Phil-A-Form'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:form_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Phil-a-Form SQL Injection Attempt -- index.php form_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004928) ET WEB_SPECIFIC Philboard SQL Injection Attempt -- philboard_forum.asp forumid 
+SecRule REQUEST_URI_RAW "(?i:\/philboard_forum\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004928,rev:4,msg:'ET WEB_SPECIFIC Philboard SQL Injection Attempt -- philboard_forum.asp forumid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Philboard'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:forumid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Philboard SQL Injection Attempt -- philboard_forum.asp forumid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004909) ET WEB_SPECIFIC PollMentor SQL Injection Attempt -- pollmentorres.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/pollmentorres\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004909,rev:4,msg:'ET WEB_SPECIFIC PollMentor SQL Injection Attempt -- pollmentorres.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PollMentor'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC PollMentor SQL Injection Attempt -- pollmentorres.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005625) ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php blogid 
+SecRule REQUEST_URI_RAW "(?i:\/simplog\/archive\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005625,rev:4,msg:'ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php blogid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Portix'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php blogid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005631) ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php pid 
+SecRule REQUEST_URI_RAW "(?i:\/simplog\/archive\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005631,rev:4,msg:'ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php pid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Portix'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- archive.php pid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005637) ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- index.php blogid 
+SecRule REQUEST_URI_RAW "(?i:\/simplog\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005637,rev:4,msg:'ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- index.php blogid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Portix'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:blogid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Portix-PHP SQL Injection Attempt -- index.php blogid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003803) ET WEB_SPECIFIC v4bJournal module PostNuke SQL Injection Attempt -- index.php id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003803,rev:4,msg:'ET WEB_SPECIFIC v4bJournal module PostNuke SQL Injection Attempt -- index.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_PostNuke'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC v4bJournal module PostNuke SQL Injection Attempt -- index.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006355) ET WEB_SPECIFIC ProNews SQL Injection Attempt -- lire-avis.php aa 
+SecRule REQUEST_URI_RAW "(?i:\/lire\-avis\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006355,rev:4,msg:'ET WEB_SPECIFIC ProNews SQL Injection Attempt -- lire-avis.php aa ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ProNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:aa/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ProNews SQL Injection Attempt -- lire-avis.php aa ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005685) ET WEB_SPECIFIC Rapid Classified SQL Injection Attempt -- viewad.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/viewad\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005685,rev:4,msg:'ET WEB_SPECIFIC Rapid Classified SQL Injection Attempt -- viewad.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rapid_Classified'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rapid Classified SQL Injection Attempt -- viewad.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005025) ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp user 
+SecRule REQUEST_URI_RAW "(?i:\/login\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005025,rev:4,msg:'ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Raymond_Berthou'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005031) ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp password 
+SecRule REQUEST_URI_RAW "(?i:\/login\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005031,rev:4,msg:'ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp password ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Raymond_Berthou'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- login.asp password ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005097) ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/user_confirm\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005097,rev:4,msg:'ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Raymond_Berthou'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005103) ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass 
+SecRule REQUEST_URI_RAW "(?i:\/user_confirm\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005103,rev:4,msg:'ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Raymond_Berthou'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006943) ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid 
+SecRule REQUEST_URI_RAW "(?i:\/recipe\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006943,rev:3,msg:'ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Recipes_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:recipeid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006949) ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- list.php categoryid 
+SecRule REQUEST_URI_RAW "(?i:\/list\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006949,rev:3,msg:'ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- list.php categoryid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Recipes_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoryid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Recipes Complete Website SQL Injection Attempt -- list.php categoryid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003833) ET WEB_SPECIFIC ResManager SQL Injection Attempt -- edit_day.php id_reserv 
+SecRule REQUEST_URI_RAW "(?i:\/edit_day\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003833,rev:4,msg:'ET WEB_SPECIFIC ResManager SQL Injection Attempt -- edit_day.php id_reserv ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ResManager'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_reserv/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ResManager SQL Injection Attempt -- edit_day.php id_reserv ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004604) ET WEB_SPECIFIC RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php 
+SecRule REQUEST_URI_RAW "(?i:\/inc\/class_users\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004604,rev:4,msg:'ET WEB_SPECIFIC RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RevokeSoft'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005691) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listfull.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/listfull\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005691,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listfull.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listfull.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005697) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- printmain.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/printmain\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005697,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- printmain.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- printmain.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005703) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listmain.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/listmain\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005703,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listmain.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- listmain.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005709) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005709,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005715) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/searchmain\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005715,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005721) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp Keyword 
+SecRule REQUEST_URI_RAW "(?i:\/searchkey\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005721,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp Keyword ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Keyword/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp Keyword ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005727) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp area 
+SecRule REQUEST_URI_RAW "(?i:\/searchmain\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005727,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp area ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchmain.asp area ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005733) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp area 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005733,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp area ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:area/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp area ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005740) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp searchin 
+SecRule REQUEST_URI_RAW "(?i:\/searchkey\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005740,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp searchin ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:searchin/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchkey.asp searchin ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005746) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost1 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005746,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost1 ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cost1/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost1 ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005752) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost2 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005752,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost2 ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cost2/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp cost2 ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005758) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp acreage1 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005758,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp acreage1 ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:acreage1/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp acreage1 ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005764) ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 
+SecRule REQUEST_URI_RAW "(?i:\/searchoption\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005764,rev:4,msg:'ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rialto'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:squarefeet1/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004664) ET WEB_SPECIFIC Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004664,rev:4,msg:'ET WEB_SPECIFIC Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Rigter_portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:categoria/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003821) ET WEB_SPECIFIC RunCms SQL Injection Attempt -- debug_show.php executed_queries 
+SecRule REQUEST_URI_RAW "(?i:\/class\/debug\/debug_show\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003821,rev:4,msg:'ET WEB_SPECIFIC RunCms SQL Injection Attempt -- debug_show.php executed_queries ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RunCMS'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:executed_queries/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC RunCms SQL Injection Attempt -- debug_show.php executed_queries ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003862) ET WEB_SPECIFIC RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/devami\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003862,rev:4,msg:'ET WEB_SPECIFIC RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_RunawaySoft'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004467) ET WEB_SPECIFIC SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp 
+SecRule REQUEST_URI_RAW "(?i:\/cgi\-bin\/reorder2\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004467,rev:4,msg:'ET WEB_SPECIFIC SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Salescart'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004497) ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php name 
+SecRule REQUEST_URI_RAW "(?i:\/add2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004497,rev:4,msg:'ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php name ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Savas'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php name ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004503) ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php country 
+SecRule REQUEST_URI_RAW "(?i:\/add2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004503,rev:4,msg:'ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php country ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Savas'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:country/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php country ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004509) ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php email 
+SecRule REQUEST_URI_RAW "(?i:\/add2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004509,rev:4,msg:'ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php email ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Savas'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:email/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php email ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004515) ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php website 
+SecRule REQUEST_URI_RAW "(?i:\/add2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004515,rev:4,msg:'ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php website ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Savas'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:website/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php website ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004521) ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php message 
+SecRule REQUEST_URI_RAW "(?i:\/add2\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004521,rev:4,msg:'ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php message ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Savas'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:message/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Savas Guestbook SQL Injection Attempt -- add2.php message ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004120) ET WEB_SPECIFIC ScriptMagix Jokes SQL Injection Attempt -- index.php catid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004120,rev:4,msg:'ET WEB_SPECIFIC ScriptMagix Jokes SQL Injection Attempt -- index.php catid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ScriptMagix'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ScriptMagix Jokes SQL Injection Attempt -- index.php catid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006313) ET WEB_SPECIFIC ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid 
+SecRule REQUEST_URI_RAW "(?i:\/utilities\/usermessages\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006313,rev:4,msg:'ET WEB_SPECIFIC ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ScriptMate'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:mesid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004419) ET WEB_SPECIFIC Serendipity SQL Injection Attempt -- index.php serendipity 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004419,rev:4,msg:'ET WEB_SPECIFIC Serendipity SQL Injection Attempt -- index.php serendipity ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Serendipity'"
+SecRule REQUEST_URI_RAW "@contains serendipity[multiCat][" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005794) ET WEB_SPECIFIC ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID 
+SecRule REQUEST_URI_RAW "(?i:\/orange\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005794,rev:4,msg:'ET WEB_SPECIFIC ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ShopStoreNow'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:CatID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003856) ET WEB_SPECIFIC SimpNews SQL Injection Attempt -- print.php newsnr 
+SecRule REQUEST_URI_RAW "(?i:\/print\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003856,rev:4,msg:'ET WEB_SPECIFIC SimpNews SQL Injection Attempt -- print.php newsnr ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SimpleNews'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsnr/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SimpNews SQL Injection Attempt -- print.php newsnr ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004783) ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- logon_user.php username 
+SecRule REQUEST_URI_RAW "(?i:\/logon_user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004783,rev:4,msg:'ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- logon_user.php username ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Simple_PHP_Portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- logon_user.php username ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004789) ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- update_profile.php username 
+SecRule REQUEST_URI_RAW "(?i:\/update_profile\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004789,rev:4,msg:'ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- update_profile.php username ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Simple_PHP_Portal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:username/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Simple PHP Forum SQL Injection Attempt -- update_profile.php username ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005875) ET WEB_SPECIFIC Simple Web Content Management System SQL Injection Attempt -- page.php id 
+SecRule REQUEST_URI_RAW "(?i:\/page\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005875,rev:4,msg:'ET WEB_SPECIFIC Simple Web Content Management System SQL Injection Attempt -- page.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Simple_Web_CMS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Simple Web Content Management System SQL Injection Attempt -- page.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005522) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php ps 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005522,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php ps ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php ps ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005528) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php us 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005528,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php us ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php us ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005534) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php f 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005534,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php f ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php f ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005540) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php code 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005540,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php code ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- index.php code ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005546) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php code 
+SecRule REQUEST_URI_RAW "(?i:\/dl\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005546,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php code ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:code/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php code ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005552) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php f 
+SecRule REQUEST_URI_RAW "(?i:\/dl\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005552,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php f ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:f/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php f ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005558) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php us 
+SecRule REQUEST_URI_RAW "(?i:\/dl\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005558,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php us ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:us/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php us ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005564) ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php ps 
+SecRule REQUEST_URI_RAW "(?i:\/dl\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005564,rev:4,msg:'ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php ps ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SmE'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ps/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SmE FileMailer SQL Injection Attempt -- dl.php ps ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004867) ET WEB_SPECIFIC Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/pop_profile\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004867,rev:4,msg:'ET WEB_SPECIFIC Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Snitz'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006133) ET WEB_SPECIFIC Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent 
+SecRule REQUEST_URI_RAW "(?i:\/list\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006133,rev:4,msg:'ET WEB_SPECIFIC Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Softwebs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:agent/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006484) ET WEB_SPECIFIC Solar Empire SQL Injection Attempt -- game_listing.php 
+SecRule REQUEST_URI_RAW "(?i:\/game_listing\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006484,rev:4,msg:'ET WEB_SPECIFIC Solar Empire SQL Injection Attempt -- game_listing.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Solar_Empire'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2004383) ET WEB_SPECIFIC Triexa SonicMailer Pro SQL Injection Attempt -- index.php list 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004383,rev:4,msg:'ET WEB_SPECIFIC Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SonicMailer'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:list/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004820) ET WEB_SPECIFIC Sphider SQL Injection Attempt -- search.php category 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004820,rev:4,msg:'ET WEB_SPECIFIC Sphider SQL Injection Attempt -- search.php category ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Sphider'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Sphider SQL Injection Attempt -- search.php category ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005156) ET WEB_SPECIFIC SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines 
+SecRule REQUEST_URI_RAW "(?i:\/rss\/show_webfeed\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005156,rev:4,msg:'ET WEB_SPECIFIC SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_SpoonLabs'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:wcHeadlines/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004826) ET WEB_SPECIFIC Super Link Exchange Script SQL Injection Attempt -- directory.php cat 
+SecRule REQUEST_URI_RAW "(?i:\/directory\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004826,rev:4,msg:'ET WEB_SPECIFIC Super Link Exchange Script SQL Injection Attempt -- directory.php cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Super_Link_Exchange'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Super Link Exchange Script SQL Injection Attempt -- directory.php cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006637) ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp 
+SecRule REQUEST_URI_RAW "(?i:\/sendarticle\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006637,rev:4,msg:'ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Superfreaker'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006643) ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp 
+SecRule REQUEST_URI_RAW "(?i:\/printarticle\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006643,rev:4,msg:'ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Superfreaker'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:.+\(.+SELECT)"
+
+# (sid 2006649) ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006649,rev:4,msg:'ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Superfreaker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006655) ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID 
+SecRule REQUEST_URI_RAW "(?i:\/preferences\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006655,rev:4,msg:'ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Superfreaker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005571) ET WEB_SPECIFIC ThWboard SQL Injection Attempt -- index.php board 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005571,rev:4,msg:'ET WEB_SPECIFIC ThWboard SQL Injection Attempt -- index.php board ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ThWboard'"
+SecRule REQUEST_URI_RAW "@contains board[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006007) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php lastname 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006007,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php lastname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lastname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php lastname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006013) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php firstname 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006013,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php firstname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:firstname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php firstname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006019) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordOld 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006019,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordOld ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:passwordOld/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordOld ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006025) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordNew 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006025,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordNew ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:passwordNew/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php passwordNew ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006031) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php id 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006031,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006037) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php language 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006037,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php language ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:language/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php language ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006043) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php defaultLetter 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006043,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php defaultLetter ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:defaultLetter/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php defaultLetter ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006049) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserPass 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006049,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserPass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserPass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserPass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006055) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserType 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006055,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserType ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserType/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserType ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006061) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserEmail 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006061,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserEmail ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newuserEmail/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- user.php newuserEmail ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006067) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php goTo 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006067,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php goTo ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:goTo/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php goTo ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006073) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php search 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006073,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php search ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- search.php search ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006079) ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- save.php groupAddName 
+SecRule REQUEST_URI_RAW "(?i:\/save\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006079,rev:4,msg:'ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- save.php groupAddName ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_The_Address_Book'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:groupAddName/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC The Address Book SQL Injection Attempt -- save.php groupAddName ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004873) ET WEB_SPECIFIC Turuncu Portal SQL Injection Attempt -- h_goster.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/h_goster\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004873,rev:4,msg:'ET WEB_SPECIFIC Turuncu Portal SQL Injection Attempt -- h_goster.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Turuncu'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Turuncu Portal SQL Injection Attempt -- h_goster.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004676) ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug 
+SecRule REQUEST_URI_RAW "(?i:\/ViewReport\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004676,rev:4,msg:'ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Tyger_Bug_Tracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bug/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004681) ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s 
+SecRule REQUEST_URI_RAW "(?i:\/ViewBugs\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004681,rev:4,msg:'ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Tyger_Bug_Tracker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:s/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005237) ET WEB_SPECIFIC Unique Ads (UDS) SQL Injection Attempt -- banner.php bid 
+SecRule REQUEST_URI_RAW "(?i:\/banner\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005237,rev:4,msg:'ET WEB_SPECIFIC Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_UDS'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006890) ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci 
+SecRule REQUEST_URI_RAW "(?i:\/slideshow\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006890,rev:4,msg:'ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Uapplication'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006896) ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci 
+SecRule REQUEST_URI_RAW "(?i:\/thumbnails\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006896,rev:4,msg:'ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Uapplication'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ci/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005007) ET WEB_SPECIFIC Ublog Reload SQL Injection Attempt -- badword.asp 
+SecRule REQUEST_URI_RAW "(?i:\/badword\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005007,rev:4,msg:'ET WEB_SPECIFIC Ublog Reload SQL Injection Attempt -- badword.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Ublog'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2007203) ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007203,rev:3,msg:'ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Ultimate_Survey'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007209) ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp did 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007209,rev:3,msg:'ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp did ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Ultimate_Survey'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Ultimate Survey Pro SQL Injection Attempt -- index.asp did ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005673) ET WEB_SPECIFIC VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname 
+SecRule REQUEST_URI_RAW "(?i:\/shopgiftregsearch\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005673,rev:4,msg:'ET WEB_SPECIFIC VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_VP-ASP'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:LoginLastname/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006607) ET WEB_SPECIFIC Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user 
+SecRule REQUEST_URI_RAW "(?i:\/vf_memberdetail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006607,rev:4,msg:'ET WEB_SPECIFIC Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_VT_Forum'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006283) ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick_mod 
+SecRule REQUEST_URI_RAW "(?i:\/repass\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006283,rev:4,msg:'ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick_mod ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Verliadmin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick_mod ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006289) ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick 
+SecRule REQUEST_URI_RAW "(?i:\/repass\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006289,rev:4,msg:'ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Verliadmin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- repass.php nick ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006295) ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick 
+SecRule REQUEST_URI_RAW "(?i:\/verify\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006295,rev:4,msg:'ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Verliadmin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006301) ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick_mod 
+SecRule REQUEST_URI_RAW "(?i:\/verify\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006301,rev:4,msg:'ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick_mod ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Verliadmin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:nick_mod/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC VerliAdmin SQL Injection Attempt -- verify.php nick_mod ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005497) ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid 
+SecRule REQUEST_URI_RAW "(?i:\/virtuemart_parser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005497,rev:4,msg:'ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Virtuemart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:Itemid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005503) ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id 
+SecRule REQUEST_URI_RAW "(?i:\/virtuemart_parser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005503,rev:4,msg:'ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Virtuemart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:product_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005509) ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id 
+SecRule REQUEST_URI_RAW "(?i:\/virtuemart_parser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005509,rev:4,msg:'ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Virtuemart'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:category_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003997) ET WEB_SPECIFIC Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/default\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003997,rev:4,msg:'ET WEB_SPECIFIC Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005893) ET WEB_SPECIFIC Vizayn Haber SQL Injection Attempt -- haberdetay.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/haberdetay\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005893,rev:4,msg:'ET WEB_SPECIFIC Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007420) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- cat.asp cat 
+SecRule REQUEST_URI_RAW "(?i:\/cat\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007420,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007426) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp keyword 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007426,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:keyword/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007432) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp order 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007432,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp order ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp order ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007438) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp sort 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007438,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp sort ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sort/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp sort ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007444) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007444,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:menuSelect/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007450) ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp state 
+SecRule REQUEST_URI_RAW "(?i:\/search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007450,rev:3,msg:'ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp state ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Vspin'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:state/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSpin.net Classified System SQL Injection Attempt -- search.asp state ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004132) ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_forum 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004132,rev:4,msg:'ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_forum ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_W-Agora'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search_forum/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_forum ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004138) ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_user 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004138,rev:4,msg:'ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_user ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_W-Agora'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:search_user/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC w-Agora SQL Injection Attempt -- search.php search_user ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004651) ET WEB_SPECIFIC W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/urunbak\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004651,rev:4,msg:'ET WEB_SPECIFIC W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_W1L3D4_WEBmarlet'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005308) ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- mailer.w2b draft 
+SecRule REQUEST_URI_RAW "(?i:\/mailer\.w2b)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005308,rev:4,msg:'ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_W2B'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:draft/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005190) ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay 
+SecRule REQUEST_URI_RAW "(?i:\/DocPay\.w2b)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005190,rev:4,msg:'ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_W2B'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:listDocPay/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004318) ET WEB_SPECIFIC WBBlog SQL Injection Attempt -- index.php e_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004318,rev:4,msg:'ET WEB_SPECIFIC WBBlog SQL Injection Attempt -- index.php e_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WBBlog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:e_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WBBlog SQL Injection Attempt -- index.php e_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005953) ET WEB_SPECIFIC Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key 
+SecRule REQUEST_URI_RAW "(?i:\/coupon_detail\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005953,rev:4,msg:'ET WEB_SPECIFIC Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WDFL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:key/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003768) ET WEB_SPECIFIC WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/viewcat\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003768,rev:4,msg:'ET WEB_SPECIFIC WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WF-Links'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004257) ET WEB_SPECIFIC WSN Guest SQL Injection Attempt -- comments.php id 
+SecRule REQUEST_URI_RAW "(?i:\/comments\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004257,rev:4,msg:'ET WEB_SPECIFIC WSN Guest SQL Injection Attempt -- comments.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WSN'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WSN Guest SQL Injection Attempt -- comments.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006459) ET WEB_SPECIFIC WSPortal SQL Injection Attempt -- content.php page 
+SecRule REQUEST_URI_RAW "(?i:\/content\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006459,rev:4,msg:'ET WEB_SPECIFIC WSPortal SQL Injection Attempt -- content.php page ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WSPortal'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:page/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WSPortal SQL Injection Attempt -- content.php page ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005959) ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num 
+SecRule REQUEST_URI_RAW "(?i:\/phonemessage\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005959,rev:4,msg:'ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WYWO'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:num/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005965) ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode 
+SecRule REQUEST_URI_RAW "(?i:\/faqDsp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005965,rev:4,msg:'ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WYWO'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006979) ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php login 
+SecRule REQUEST_URI_RAW "(?i:\/process\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006979,rev:4,msg:'ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php login ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wallpaper_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:login/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php login ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006985) ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php password 
+SecRule REQUEST_URI_RAW "(?i:\/process\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006985,rev:4,msg:'ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php password ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wallpaper_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:password/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- process.php password ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006991) ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid 
+SecRule REQUEST_URI_RAW "(?i:\/dlwallpaper\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006991,rev:4,msg:'ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wallpaper_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006997) ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid 
+SecRule REQUEST_URI_RAW "(?i:\/wallpaper\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006997,rev:4,msg:'ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wallpaper_Complete'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:wallpaperid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007074) ET WEB_SPECIFIC WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID 
+SecRule REQUEST_URI_RAW "(?i:\/item\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007074,rev:3,msg:'ET WEB_SPECIFIC WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Warhound'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ItemID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004758) ET WEB_SPECIFIC WebMplayer SQL Injection Attempt -- index.php strid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004758,rev:4,msg:'ET WEB_SPECIFIC WebMplayer SQL Injection Attempt -- index.php strid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WebMplayer'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:strid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WebMplayer SQL Injection Attempt -- index.php strid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004764) ET WEB_SPECIFIC WebMplayer SQL Injection Attempt -- filecheck.php id 
+SecRule REQUEST_URI_RAW "(?i:\/filecheck\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004764,rev:4,msg:'ET WEB_SPECIFIC WebMplayer SQL Injection Attempt -- filecheck.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WebMplayer'"
+SecRule REQUEST_URI_RAW "@contains id[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004915) ET WEB_SPECIFIC WebTester SQL Injection Attempt -- directions.php testID 
+SecRule REQUEST_URI_RAW "(?i:\/directions\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004915,rev:4,msg:'ET WEB_SPECIFIC WebTester SQL Injection Attempt -- directions.php testID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_WebTester'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:testID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WebTester SQL Injection Attempt -- directions.php testID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004776) ET WEB_SPECIFIC Ban SQL Injection Attempt -- connexion.php id 
+SecRule REQUEST_URI_RAW "(?i:\/connexion\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004776,rev:4,msg:'ET WEB_SPECIFIC Ban SQL Injection Attempt -- connexion.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Web_Ban'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Ban SQL Injection Attempt -- connexion.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004228) ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- functions_filters.asp 
+SecRule REQUEST_URI_RAW "(?i:\/functions\/functions_filters\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004228,rev:4,msg:'ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Web_Wiz'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004439) ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name 
+SecRule REQUEST_URI_RAW "(?i:\/forum\/pop_up_member_search\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004439,rev:4,msg:'ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Web_Wiz'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:name/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004239) ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- page.asp NewsID 
+SecRule REQUEST_URI_RAW "(?i:\/News\/page\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004239,rev:4,msg:'ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Web_Wiz'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:NewsID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005231) ET WEB_SPECIFIC Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID 
+SecRule REQUEST_URI_RAW "(?i:\/eWebQuiz\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005231,rev:4,msg:'ET WEB_SPECIFIC Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Website_Baker'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:QuizID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004144) ET WEB_SPECIFIC Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order 
+SecRule REQUEST_URI_RAW "(?i:\/check_vote\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004144,rev:4,msg:'ET WEB_SPECIFIC Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Weekly_Drawing'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:order/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004251) ET WEB_SPECIFIC Woltlab Burning Board SQL Injection Attempt -- usergroups.php 
+SecRule REQUEST_URI_RAW "(?i:\/usergroups\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004251,rev:4,msg:'ET WEB_SPECIFIC Woltlab Burning Board SQL Injection Attempt -- usergroups.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Woltlab'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005001) ET WEB_SPECIFIC Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid 
+SecRule REQUEST_URI_RAW "(?i:\/pms\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005001,rev:4,msg:'ET WEB_SPECIFIC Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Woltlab'"
+SecRule REQUEST_URI_RAW "@contains pmid[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005284) ET WEB_SPECIFIC Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005284,rev:4,msg:'ET WEB_SPECIFIC Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Woltlab'"
+SecRule REQUEST_URI_RAW "@contains boardids[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005290) ET WEB_SPECIFIC Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board 
+SecRule REQUEST_URI_RAW "(?i:\/search\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005290,rev:4,msg:'ET WEB_SPECIFIC Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Woltlab'"
+SecRule REQUEST_URI_RAW "@contains board[" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2006925) ET WEB_SPECIFIC Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit 
+SecRule REQUEST_URI_RAW "(?i:\/thread\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006925,rev:4,msg:'ET WEB_SPECIFIC Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Woltlab'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:threadvisit/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004015) ET WEB_SPECIFIC WordPress SQL Injection Attempt -- admin-ajax.php cookie 
+SecRule REQUEST_URI_RAW "(?i:\/wp\-admin\/admin\-ajax\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004015,rev:4,msg:'ET WEB_SPECIFIC WordPress SQL Injection Attempt -- admin-ajax.php cookie ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cookie/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC WordPress SQL Injection Attempt -- admin-ajax.php cookie ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004407) ET WEB_SPECIFIC WordPress SQL Injection Attempt -- admin-functions.php 
+SecRule REQUEST_URI_RAW "(?i:\/wp\-admin\/admin\-functions\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004407,rev:4,msg:'ET WEB_SPECIFIC WordPress SQL Injection Attempt -- admin-functions.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004658) ET WEB_SPECIFIC Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php 
+SecRule REQUEST_URI_RAW "(?i:\/xmlrpc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004658,rev:4,msg:'ET WEB_SPECIFIC Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005661) ET WEB_SPECIFIC WordPress SQL Injection Attempt -- wp-trackback.php 
+SecRule REQUEST_URI_RAW "(?i:\/wp\-trackback\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005661,rev:4,msg:'ET WEB_SPECIFIC WordPress SQL Injection Attempt -- wp-trackback.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005869) ET WEB_SPECIFIC WordPress SQL Injection Attempt -- wp-trackback.php 
+SecRule REQUEST_URI_RAW "(?i:\/wp\-trackback\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005869,rev:4,msg:'ET WEB_SPECIFIC WordPress SQL Injection Attempt -- wp-trackback.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2004347) ET WEB_SPECIFIC X-Ice News System SQL Injection Attempt -- devami.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/devami\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004347,rev:4,msg:'ET WEB_SPECIFIC X-Ice News System SQL Injection Attempt -- devami.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_X-Ice_News'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC X-Ice News System SQL Injection Attempt -- devami.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005121) ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php id 
+SecRule REQUEST_URI_RAW "(?i:\/classes\/class\.news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005121,rev:4,msg:'ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_X-dev'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005127) ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php from 
+SecRule REQUEST_URI_RAW "(?i:\/classes\/class\.news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005127,rev:4,msg:'ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php from ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_X-dev'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:from/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php from ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005133) ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php q 
+SecRule REQUEST_URI_RAW "(?i:\/classes\/class\.news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005133,rev:4,msg:'ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php q ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_X-dev'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:q/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC X-dev xNews SQL Injection Attempt -- class.news.php q ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004861) ET WEB_SPECIFIC XLAtunes SQL Injection Attempt -- view.php album 
+SecRule REQUEST_URI_RAW "(?i:\/view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004861,rev:4,msg:'ET WEB_SPECIFIC XLAtunes SQL Injection Attempt -- view.php album ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_XLAtunes'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:album/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC XLAtunes SQL Injection Attempt -- view.php album ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005382) ET WEB_SPECIFIC Xoops SQL Injection Attempt -- group.php id 
+SecRule REQUEST_URI_RAW "(?i:\/kernel\/group\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005382,rev:4,msg:'ET WEB_SPECIFIC Xoops SQL Injection Attempt -- group.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Xoops'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Xoops SQL Injection Attempt -- group.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005388) ET WEB_SPECIFIC Xoops SQL Injection Attempt -- table_broken.php lid 
+SecRule REQUEST_URI_RAW "(?i:\/class\/table_broken\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005388,rev:4,msg:'ET WEB_SPECIFIC Xoops SQL Injection Attempt -- table_broken.php lid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Xoops'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:lid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Xoops SQL Injection Attempt -- table_broken.php lid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006490) ET WEB_SPECIFIC Xoops SQL Injection Attempt -- print.php id 
+SecRule REQUEST_URI_RAW "(?i:\/print\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006490,rev:4,msg:'ET WEB_SPECIFIC Xoops SQL Injection Attempt -- print.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Xoops'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Xoops SQL Injection Attempt -- print.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006217) ET WEB_SPECIFIC Xt-News SQL Injection Attempt -- show_news.php id_news 
+SecRule REQUEST_URI_RAW "(?i:\/show_news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006217,rev:4,msg:'ET WEB_SPECIFIC Xt-News SQL Injection Attempt -- show_news.php id_news ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Xt-News'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_news/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Xt-News SQL Injection Attempt -- show_news.php id_news ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005613) ET WEB_SPECIFIC Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder 
+SecRule REQUEST_URI_RAW "(?i:\/displaypic\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005613,rev:4,msg:'ET WEB_SPECIFIC Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Xtreme'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:sortorder/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004807) ET WEB_SPECIFIC Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id 
+SecRule REQUEST_URI_RAW "(?i:\/functions\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004807,rev:4,msg:'ET WEB_SPECIFIC Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_ZephyrSoft'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005196) ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/mezungiris\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005196,rev:4,msg:'ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zindizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005202) ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass 
+SecRule REQUEST_URI_RAW "(?i:\/mezungiris\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005202,rev:4,msg:'ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zindizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005208) ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass 
+SecRule REQUEST_URI_RAW "(?i:\/ogretmenkontrol\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005208,rev:4,msg:'ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zindizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:pass/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005214) ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id 
+SecRule REQUEST_URI_RAW "(?i:\/ogretmenkontrol\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005214,rev:4,msg:'ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zindizayn'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003985) ET WEB_SPECIFIC Zomplog SQL Injection Attempt -- mp3playlist.php speler 
+SecRule REQUEST_URI_RAW "(?i:\/plugins\/mp3playlist\/mp3playlist\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003985,rev:4,msg:'ET WEB_SPECIFIC Zomplog SQL Injection Attempt -- mp3playlist.php speler ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Zomplog'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:speler/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC Zomplog SQL Injection Attempt -- mp3playlist.php speler ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005983) ET WEB_SPECIFIC aFAQ SQL Injection Attempt -- faqDsp.asp catcode 
+SecRule REQUEST_URI_RAW "(?i:\/faqDsp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005983,rev:4,msg:'ET WEB_SPECIFIC aFAQ SQL Injection Attempt -- faqDsp.asp catcode ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_aFAQ'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:catcode/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC aFAQ SQL Injection Attempt -- faqDsp.asp catcode ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005328) ET WEB_SPECIFIC bbPress SQL Injection Attempt -- formatting-functions.php 
+SecRule REQUEST_URI_RAW "(?i:\/bb\-includes\/formatting\-functions\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005328,rev:4,msg:'ET WEB_SPECIFIC bbPress SQL Injection Attempt -- formatting-functions.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_bbPress'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005770) ET WEB_SPECIFIC bitweaver SQL Injection Attempt -- edition.php tk 
+SecRule REQUEST_URI_RAW "(?i:\/newsletters\/edition\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005770,rev:4,msg:'ET WEB_SPECIFIC bitweaver SQL Injection Attempt -- edition.php tk ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_bitweaver'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:tk/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC bitweaver SQL Injection Attempt -- edition.php tk ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006175) ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtUse 
+SecRule REQUEST_URI_RAW "(?i:\/SelGruFra\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006175,rev:4,msg:'ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_chatwm'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtUse/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006181) ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtPas 
+SecRule REQUEST_URI_RAW "(?i:\/SelGruFra\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006181,rev:4,msg:'ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_chatwm'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:txtPas/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004057) ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- category.php id_category 
+SecRule REQUEST_URI_RAW "(?i:\/category\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004057,rev:4,msg:'ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- category.php id_category ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_cpCommerce'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_category/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- category.php id_category ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004105) ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer 
+SecRule REQUEST_URI_RAW "(?i:\/manufacturer\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004105,rev:4,msg:'ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_cpCommerce'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_manufacturer/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005037) ET WEB_SPECIFIC dB Masters Curium CMS SQL Injection Attempt -- news.php c_id 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005037,rev:4,msg:'ET WEB_SPECIFIC dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dB_Masters'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:c_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006955) ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php seite_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006955,rev:4,msg:'ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php seite_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dev4u'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:seite_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php seite_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006961) ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php gruppe_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006961,rev:4,msg:'ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php gruppe_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dev4u'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:gruppe_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php gruppe_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006967) ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php go_target 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006967,rev:4,msg:'ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php go_target ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dev4u'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:go_target/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dev4u CMS SQL Injection Attempt -- index.php go_target ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006619) ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_doc 
+SecRule REQUEST_URI_RAW "(?i:\/dettaglio\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006619,rev:4,msg:'ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_doc ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dol_storye'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_doc/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_doc ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006625) ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_aut 
+SecRule REQUEST_URI_RAW "(?i:\/dettaglio\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006625,rev:4,msg:'ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_aut ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_dol_storye'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id_aut/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC dol storye SQL Injection Attempt -- dettaglio.asp id_aut ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005929) ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php did 
+SecRule REQUEST_URI_RAW "(?i:\/mod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005929,rev:4,msg:'ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php did ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_eNdonesia'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:did/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php did ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005935) ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/mod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005935,rev:4,msg:'ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_eNdonesia'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC eNdonesia SQL Injection Attempt -- mod.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007378) ET WEB_SPECIFIC fipsGallery SQL Injection Attempt -- index1.asp which 
+SecRule REQUEST_URI_RAW "(?i:\/index1\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007378,rev:3,msg:'ET WEB_SPECIFIC fipsGallery SQL Injection Attempt -- index1.asp which ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_fips'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:which/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC fipsGallery SQL Injection Attempt -- index1.asp which ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007384) ET WEB_SPECIFIC fipsForum SQL Injection Attempt -- default2.asp kat 
+SecRule REQUEST_URI_RAW "(?i:\/default2\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007384,rev:3,msg:'ET WEB_SPECIFIC fipsForum SQL Injection Attempt -- default2.asp kat ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_fips'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:kat/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC fipsForum SQL Injection Attempt -- default2.asp kat ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2007390) ET WEB_SPECIFIC fipsCMS SQL Injection Attempt -- index.asp fid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007390,rev:3,msg:'ET WEB_SPECIFIC fipsCMS SQL Injection Attempt -- index.asp fid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_fips'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:fid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC fipsCMS SQL Injection Attempt -- index.asp fid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004112) ET WEB_SPECIFIC gCards SQL Injection Attempt -- getnewsitem.php newsid 
+SecRule REQUEST_URI_RAW "(?i:\/getnewsitem\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004112,rev:4,msg:'ET WEB_SPECIFIC gCards SQL Injection Attempt -- getnewsitem.php newsid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_gCards'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:newsid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC gCards SQL Injection Attempt -- getnewsitem.php newsid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005809) ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php id 
+SecRule REQUEST_URI_RAW "(?i:\/display_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005809,rev:4,msg:'ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_iGeneric'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005815) ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie 
+SecRule REQUEST_URI_RAW "(?i:\/display_review\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005815,rev:4,msg:'ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_iGeneric'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_login_cookie/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005821) ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- compare_product.php id 
+SecRule REQUEST_URI_RAW "(?i:\/compare_product\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005821,rev:4,msg:'ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_iGeneric'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005827) ET WEB_SPECIFIC iGeneric iG Calendar SQL Injection Attempt -- user.php id 
+SecRule REQUEST_URI_RAW "(?i:\/user\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005827,rev:4,msg:'ET WEB_SPECIFIC iGeneric iG Calendar SQL Injection Attempt -- user.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_iGeneric'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC iGeneric iG Calendar SQL Injection Attempt -- user.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2006613) ET WEB_SPECIFIC iWare Professional SQL Injection Attempt -- index.php D 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2006613,rev:4,msg:'ET WEB_SPECIFIC iWare Professional SQL Injection Attempt -- index.php D ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_iWare_Pro'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:D/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC iWare Professional SQL Injection Attempt -- index.php D ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004844) ET WEB_SPECIFIC mcRefer SQL Injection Attempt -- install.php bgcolor 
+SecRule REQUEST_URI_RAW "(?i:\/install\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004844,rev:4,msg:'ET WEB_SPECIFIC mcRefer SQL Injection Attempt -- install.php bgcolor ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_mcRefer'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:bgcolor/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC mcRefer SQL Injection Attempt -- install.php bgcolor ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004472) ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php cat_id 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004472,rev:4,msg:'ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php cat_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_myBloggie'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php cat_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004478) ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php year 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004478,rev:4,msg:'ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php year ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_myBloggie'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:year/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC myBloggie SQL Injection Attempt -- index.php year ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004009) ET WEB_SPECIFIC ol\'bookmarks SQL Injection Attempt -- index.php id 
+SecRule REQUEST_URI_RAW "(?i:\/read\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004009,rev:4,msg:'ET WEB_SPECIFIC ol\'bookmarks SQL Injection Attempt -- index.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_olboolmarks'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC ol\'bookmarks SQL Injection Attempt -- index.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004903) ET WEB_SPECIFIC phpCC SQL Injection Attempt -- nickpage.php npid 
+SecRule REQUEST_URI_RAW "(?i:\/nickpage\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004903,rev:4,msg:'ET WEB_SPECIFIC phpCC SQL Injection Attempt -- nickpage.php npid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpCC'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:npid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpCC SQL Injection Attempt -- nickpage.php npid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004174) ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php image_id 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004174,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php image_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:image_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php image_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004180) ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php cat_id 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004180,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php cat_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- gallery.php cat_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004186) ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_id 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004186,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004192) ET WEB_SPECIFIC phpx SQL Injection Attempt -- print.php news_id 
+SecRule REQUEST_URI_RAW "(?i:\/print\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004192,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- print.php news_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- print.php news_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004198) ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_cat_id 
+SecRule REQUEST_URI_RAW "(?i:\/news\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004198,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_cat_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:news_cat_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- news.php news_cat_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004204) ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php cat_id 
+SecRule REQUEST_URI_RAW "(?i:\/forums\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004204,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php cat_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cat_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php cat_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004210) ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php topic_id 
+SecRule REQUEST_URI_RAW "(?i:\/forums\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004210,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php topic_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php topic_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004216) ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php post_id 
+SecRule REQUEST_URI_RAW "(?i:\/forums\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004216,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php post_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:post_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- forums.php post_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004222) ET WEB_SPECIFIC phpx SQL Injection Attempt -- users.php user_id 
+SecRule REQUEST_URI_RAW "(?i:\/users\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004222,rev:4,msg:'ET WEB_SPECIFIC phpx SQL Injection Attempt -- users.php user_id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_phpx'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:user_id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC phpx SQL Injection Attempt -- users.php user_id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2003786) ET WEB_SPECIFIC pnFlashGames SQL Injection Attempt -- index.php cid 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2003786,rev:4,msg:'ET WEB_SPECIFIC pnFlashGames SQL Injection Attempt -- index.php cid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_pnFlashGames'"
+SecRule REQUEST_URI_RAW "@contains (" "chain"
+SecRule &TX:'/SQL_INJECTION.*ARGS:cid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC pnFlashGames SQL Injection Attempt -- index.php cid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005667) ET WEB_SPECIFIC uniForum SQL Injection Attempt -- wbsearch.aspx 
+SecRule REQUEST_URI_RAW "(?i:\/wbsearch\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005667,rev:4,msg:'ET WEB_SPECIFIC uniForum SQL Injection Attempt -- wbsearch.aspx ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_uniForm'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005352) ET WEB_SPECIFIC vBSupport SQL Injection Attempt -- vBSupport.php 
+SecRule REQUEST_URI_RAW "(?i:\/vBSupport\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005352,rev:4,msg:'ET WEB_SPECIFIC vBSupport SQL Injection Attempt -- vBSupport.php ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_vBSupport'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\(.+SELECT)"
+
+# (sid 2005358) ET WEB_SPECIFIC vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid 
+SecRule REQUEST_URI_RAW "(?i:\/vBSupport\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005358,rev:4,msg:'ET WEB_SPECIFIC vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_vSupport'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:ticketid/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004752) ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- printview.php topic 
+SecRule REQUEST_URI_RAW "(?i:\/printview\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004752,rev:4,msg:'ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- printview.php topic ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_webSPELL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:topic/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- printview.php topic ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2004885) ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- index.php showonly 
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2004885,rev:4,msg:'ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- index.php showonly ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_webSPELL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:showonly/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- index.php showonly ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005243) ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php picID 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005243,rev:4,msg:'ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php picID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_webSPELL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:picID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php picID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005249) ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php id 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005249,rev:4,msg:'ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_webSPELL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005254) ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php galleryID 
+SecRule REQUEST_URI_RAW "(?i:\/gallery\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005254,rev:4,msg:'ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php galleryID ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_webSPELL'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:galleryID/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC webSPELL SQL Injection Attempt -- gallery.php galleryID ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+# (sid 2005162) ET WEB_SPECIFIC xNews SQL Injection Attempt -- xNews.php id 
+SecRule REQUEST_URI_RAW "(?i:\/xNews\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2005162,rev:4,msg:'ET WEB_SPECIFIC xNews SQL Injection Attempt -- xNews.php id ',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_xNews'"
+SecRule &TX:'/SQL_INJECTION.*ARGS:id/' "@gt 0" "setvar:'tx.msg=ET WEB_SPECIFIC xNews SQL Injection Attempt -- xNews.php id ',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_ET_SQLI_RULES
diff --git a/rules/base_rules/modsecurity_crs_46_et_web_rules.conf b/rules/base_rules/modsecurity_crs_46_et_web_rules.conf
new file mode 100644
index 00000000..8f804085
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_46_et_web_rules.conf
@@ -0,0 +1,601 @@
+SecRule REQUEST_FILENAME "!@pmFromFile modsecurity_46_et_web_rules.data" "phase:2,nolog,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES"
+
+# (sid 2003897) ET WEB Adobe RoboHelp XSS Attempt whstart.js
+SecRule REQUEST_URI_RAW "(?i:\/whstart\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003897,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whstart.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whstart.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003898) ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm
+SecRule REQUEST_URI_RAW "(?i:\/whcsh_home\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003898,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt whcsh_home.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003899) ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js
+SecRule REQUEST_URI_RAW "(?i:\/wf_startpage\.js)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003899,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startpage.js',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003900) ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm
+SecRule REQUEST_URI_RAW "(?i:\/wf_startqs\.htm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003900,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt wf_startqs.htm',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003901) ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll
+SecRule REQUEST_URI_RAW "(?i:\/WindowManager\.dll)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003901,rev:4,msg:'ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Adobe'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Adobe RoboHelp XSS Attempt WindowManager.dll',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001945) ET WEB WebAPP Apage.CGI Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/apage\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001945,rev:6,msg:'ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache.cgi'"
+SecRule ARGS:f "(?i:(\.\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebAPP Apage.CGI Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001669) ET WEB Proxy GET Request
+SecRule REQUEST_URI_RAW "@contains GET http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001669,rev:6,msg:'ET WEB Proxy GET Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy GET Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001670) ET WEB Proxy HEAD Request
+SecRule REQUEST_URI_RAW "@contains HEAD http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001670,rev:7,msg:'ET WEB Proxy HEAD Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy HEAD Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001674) ET WEB Proxy POST Request
+SecRule REQUEST_URI_RAW "@contains POST http\://" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001674,rev:6,msg:'ET WEB Proxy POST Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy POST Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001675) ET WEB Proxy CONNECT Request
+SecRule REQUEST_URI_RAW "@contains CONNECT " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001675,rev:6,msg:'ET WEB Proxy CONNECT Request',tag:'bad-unknown',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Proxy CONNECT Request',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003156) ET WEB Crewbox Proxy Scan
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003156,rev:3,msg:'ET WEB Crewbox Proxy Scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy'"
+SecRule REQUEST_URI_RAW "@contains crewbox.by.ru/crew/" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Crewbox Proxy Scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002900) ET WEB CGI AWstats Migrate Command Attempt
+SecRule REQUEST_URI_RAW "(?i:\/awstats\.pl)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002900,rev:3,msg:'ET WEB CGI AWstats Migrate Command Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Awstats'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:migrate\s*=\s*\|)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB CGI AWstats Migrate Command Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002711) ET WEB includer.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "@contains /includer.cgi?|7c|" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002711,rev:5,msg:'ET WEB includer.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_CGI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB includer.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002129) ET WEB Cacti Input Validation Attack
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002129,rev:7,msg:'ET WEB Cacti Input Validation Attack',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(config_settings|top_graph_header)\.php\?.*=(http|https)\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti Input Validation Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002313) ET WEB Cacti graph_image.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/graph_image\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002313,rev:6,msg:'ET WEB Cacti graph_image.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(graph_start=%0a.+%0a))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti graph_image.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003334) ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003334,rev:3,msg:'ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule REQUEST_URI_RAW "@contains UNION" "chain"
+SecRule REQUEST_URI_RAW "@contains SELECT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007889) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007889,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007890) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007890,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007891) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007891,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007892) ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE
+SecRule REQUEST_URI_RAW "(?i:graph_view\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007892,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:graph_list "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability graph_view graph_list UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007893) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007893,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007894) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007894,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007895) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007895,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id INSERT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007896) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007896,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id DELETE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007897) ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE
+SecRule REQUEST_URI_RAW "(?i:tree\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007897,rev:3,msg:'ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cacti'"
+SecRule ARGS:leaf_id "(?i:.+UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004556) ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern
+SecRule REQUEST_URI_RAW "(?i:\/CCMAdmin\/serverlist\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004556,rev:4,msg:'ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Cisco'"
+SecRule ARGS:pattern "(?i:.*<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Cisco CallManager XSS Attempt serverlist.asp pattern',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002376) ET WEB IBM Lotus Domino BaseTarget XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenForm" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002376,rev:7,msg:'ET WEB IBM Lotus Domino BaseTarget XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:BaseTarget=.*?\x22)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino BaseTarget XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002377) ET WEB IBM Lotus Domino Src XSS attempt
+SecRule REQUEST_URI_RAW "@contains OpenFrameSet" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002377,rev:6,msg:'ET WEB IBM Lotus Domino Src XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Domino_XSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:src=.*\x22><\/FRAMESET>.*<script>.*<\/script>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IBM Lotus Domino Src XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009361) ET WEB cmd.exe In URI - Possible Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/cmd\.exe)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009361,rev:2,msg:'ET WEB cmd.exe In URI - Possible Command Execution Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB cmd.exe In URI - Possible Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009362) ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt
+SecRule REQUEST_URI_RAW "@contains /system32/" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009362,rev:2,msg:'ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB /system32/ in Uri - Possible Protected Directory Access Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009363) ET WEB Suspicious Chmod Usage in URI
+SecRule QUERY_STRING|REQUEST_BODY "(?i:chmod.([r|w|x|1-7]))" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009363,rev:2,msg:'ET WEB Suspicious Chmod Usage in URI',tag:'attempted-admin',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_General',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Suspicious Chmod Usage in URI',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008171) ET WEB HP OpenView Network Node Manager CGI Directory Traversal
+SecRule REQUEST_URI_RAW "(?i:\/OpenView5\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008171,rev:2,msg:'ET WEB HP OpenView Network Node Manager CGI Directory Traversal',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_HP_Openview'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule REQUEST_URI_RAW "@contains /OvCgi/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Action=../../" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains  HTTP/1" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB HP OpenView Network Node Manager CGI Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002897) ET WEB Horde README access probe
+SecRule REQUEST_URI_RAW "@contains /horde" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002897,rev:5,msg:'ET WEB Horde README access probe',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Horde'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Horde README access probe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001365) ET WEB-MISC Alternate Data Stream source view attempt
+SecRule REQUEST_URI_RAW "@contains |3A 3A|$DATA" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001365,rev:8,msg:'ET WEB-MISC Alternate Data Stream source view attempt',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_ADS_Source_Code_Exposure',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Alternate Data Stream source view attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001342) ET WEB IIS ASP.net Auth Bypass / Canonicalization
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001342,rev:21,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001343) ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C
+SecRule REQUEST_URI_RAW "(?i:\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001343,rev:19,msg:'ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_IIS_Canonicalization_Bypass'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\\x5C)" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "@contains aspx" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB IIS ASP.net Auth Bypass / Canonicalization % 5 C',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009510) ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt
+SecRule REQUEST_URI_RAW "@contains .jsp\:\:$DATA" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009510,rev:2,msg:'ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Java',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Sun Java System Web Server .jsp Source Code Disclosure Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001546) ET WEB-MISC LINK Method
+SecRule QUERY_STRING|REQUEST_BODY "@contains LINK " "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001546,rev:7,msg:'ET WEB-MISC LINK Method',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_LINK_Method',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC LINK Method',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002777) ET WEB Light Weight Calendar 'date' Arbitrary Remote Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002777,rev:3,msg:'ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Light_Weight_Calendar'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:date=\d{8}\)\;.+)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Light Weight Calendar \'date\' Arbitrary Remote Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001075) ET WEB-MISC cross site scripting attempt IMG onerror or onload
+SecRule QUERY_STRING|REQUEST_BODY "@contains <IMG" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001075,rev:5,msg:'ET WEB-MISC cross site scripting attempt IMG onerror or onload',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\bonerror\b[\s]*=)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt IMG onerror or onload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001077) ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001077,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-javascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001078) ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/jscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001078,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/jscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + JSCRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001079) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001079,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001080) ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains application/x-vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001080,rev:8,msg:'ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]application\/x-vbscript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001081) ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT
+SecRule QUERY_STRING|REQUEST_BODY "@contains text/ecmascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001081,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:TYPE\s*=\s*['\x22]text\/ecmascript)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + ECMACRIPT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001082) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001082,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:STYLE[\s]*=[\s]*[^>]expression[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001083) ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains expression" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001083,rev:7,msg:'ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001084) ET WEB-MISC cross site scripting attempt using XML
+SecRule QUERY_STRING|REQUEST_BODY "@contains <XML" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001084,rev:5,msg:'ET WEB-MISC cross site scripting attempt using XML',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains <![CDATA[<]]>SCRIPT" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt using XML',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001085) ET WEB-MISC cross site scripting attempt executing hidden Javascript 1
+SecRule QUERY_STRING|REQUEST_BODY "@contains innerhtml" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001085,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 1',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001086) ET WEB-MISC cross site scripting attempt executing hidden Javascript 2
+SecRule QUERY_STRING|REQUEST_BODY "@contains window.execscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001086,rev:7,msg:'ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:window.execScript[\s]*\()" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt executing hidden Javascript 2',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001087) ET WEB-MISC cross site scripting attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains javascript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001087,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*javascript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001088) ET WEB-MISC cross site scripting attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains vbscript" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001088,rev:6,msg:'ET WEB-MISC cross site scripting attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*vbscript[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001089) ET WEB-MISC cross site scripting attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "@contains shell" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001089,rev:6,msg:'ET WEB-MISC cross site scripting attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*shell[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001090) ET WEB-MISC cross site scripting stealth attempt to execute Javascript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001090,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute Javascript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001091) ET WEB-MISC cross site scripting stealth attempt to execute VBScript code
+SecRule QUERY_STRING|REQUEST_BODY "@contains =" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001091,rev:7,msg:'ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to execute VBScript code',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001092) ET WEB-MISC cross site scripting stealth attempt to access SHELL\:
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001092,rev:8,msg:'ET WEB-MISC cross site scripting stealth attempt to access SHELL:',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Misc_CSS',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC cross site scripting stealth attempt to access SHELL:',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002361) ET WEB Netquery Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/nquser\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002361,rev:4,msg:'ET WEB Netquery Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netquery'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(host=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netquery Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007936) ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability
+SecRule REQUEST_URI_RAW "(?i:webmail\.exe)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007936,rev:4,msg:'ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Netwin'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GET" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[%n%s]{2,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Netwin Webmail SurgeMail Mail Server Format String Vulnerability',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002997) ET WEB PHP Remote File Inclusion (monster list http)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002997,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list http)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains http" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*https?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list http)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003098) ET WEB PHP Remote File Inclusion (monster list ftp)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003098,rev:4,msg:'ET WEB PHP Remote File Inclusion (monster list ftp)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule REQUEST_URI_RAW "@contains ftp\:" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*ftp)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list ftp)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003935) ET WEB PHP Remote File Inclusion (monster list php)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003935,rev:3,msg:'ET WEB PHP Remote File Inclusion (monster list php)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(path|page|lib|dir|file|root|icon|lang(uage)?|folder|type|agenda|gallery|domain|calendar|settings|news|name|auth|prog|config|cfg|incl|ext|fad|mod|sbp|rf|id|df|[a-z](\[.*\])+)\s*=\s*php)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Remote File Inclusion (monster list php)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002730) ET WEB PHPGedView Remote Script Code Execution attempt
+SecRule REQUEST_URI_RAW "(?i:\/help_text_vars\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002730,rev:6,msg:'ET WEB PHPGedView Remote Script Code Execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPGedView'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:PGV_BASE_DIRECTORY=(f|ht)tp\:\/)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPGedView Remote Script Code Execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002314) ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/prod\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002314,rev:5,msg:'ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHPOutsourcing'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(argv[1]=\|.+))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001344) ET WEB PHP EasyDynamicPages exploit
+SecRule ARGS_NAMES "(?i:edp_relative_path)" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001344,rev:7,msg:'ET WEB PHP EasyDynamicPages exploit',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_EasyDynamicPages_Exploit',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP EasyDynamicPages exploit',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009336) ET WEB Possible Web Backdoor cfexec.cfm access
+SecRule REQUEST_URI_RAW "(?i:\/cfexec\.cfm)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009336,rev:2,msg:'ET WEB Possible Web Backdoor cfexec.cfm access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cfexec.cfm access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009337) ET WEB Possible Web Backdoor cmdasp.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009337,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009338) ET WEB Possible Web Backdoor cmdasp.aspx access
+SecRule REQUEST_URI_RAW "(?i:\/cmdasp\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009338,rev:2,msg:'ET WEB Possible Web Backdoor cmdasp.aspx access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdasp.aspx access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009339) ET WEB Possible Web Backdoor simple-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/simple\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009339,rev:2,msg:'ET WEB Possible Web Backdoor simple-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor simple-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009340) ET WEB Possible Web Backdoor php-backdoor.php access
+SecRule REQUEST_URI_RAW "(?i:\/php\-backdoor\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009340,rev:2,msg:'ET WEB Possible Web Backdoor php-backdoor.php access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor php-backdoor.php access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009341) ET WEB Possible Web Backdoor jsp-reverse.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/jsp\-reverse\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009341,rev:2,msg:'ET WEB Possible Web Backdoor jsp-reverse.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor jsp-reverse.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009342) ET WEB Possible Web Backdoor perlcmd.cgi access
+SecRule REQUEST_URI_RAW "(?i:\/perlcmd\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009342,rev:2,msg:'ET WEB Possible Web Backdoor perlcmd.cgi access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor perlcmd.cgi access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009343) ET WEB Possible Web Backdoor cmdjsp.jsp access
+SecRule REQUEST_URI_RAW "(?i:\/cmdjsp\.jsp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009343,rev:2,msg:'ET WEB Possible Web Backdoor cmdjsp.jsp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmdjsp.jsp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009344) ET WEB Possible Web Backdoor cmd-asp-5.1.asp access
+SecRule REQUEST_URI_RAW "(?i:\/cmd\-asp\-5\.1\.asp)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009344,rev:2,msg:'ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',tag:'trojan-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_Shells'"
+SecRule REQUEST_URI_RAW "@contains GET " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible Web Backdoor cmd-asp-5.1.asp access',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002972) ET WEB PHP ZeroBoard .htaccess upload
+SecRule QUERY_STRING|REQUEST_BODY "@contains filename=" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002972,rev:3,msg:'ET WEB PHP ZeroBoard .htaccess upload',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_ZeroBoard'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:^\s*\.htaccess)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP ZeroBoard .htaccess upload',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2001738) ET WEB PHP vBulletin Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:forumdisplay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2001738,rev:9,msg:'ET WEB PHP vBulletin Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule ARGS:comma "(?i:(\.system\(.+\)\.))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP vBulletin Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002388) ET WEB vBulletin misc.php Template Name Arbitrary Code Execution
+SecRule REQUEST_URI_RAW "(?i:\/misc\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002388,rev:5,msg:'ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PHP_vBulletin'"
+SecRule REQUEST_URI_RAW "@contains &template=.*{${" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB vBulletin misc.php Template Name Arbitrary Code Execution',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002837) ET WEB PmWiki Globals Variables Overwrite Attempt
+SecRule REQUEST_URI_RAW "(?i:\/pmwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002837,rev:3,msg:'ET WEB PmWiki Globals Variables Overwrite Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PMWiki'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains GLOBALS[FarmD]=" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:GLOBALS\x5bFarmD\x5d\x3d)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PmWiki Globals Variables Overwrite Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008687) ET WEB PassWiki site_id Parameter Local File Inclusion
+SecRule REQUEST_URI_RAW "(?i:\/passwiki\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008687,rev:2,msg:'ET WEB PassWiki site_id Parameter Local File Inclusion',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_PassWiki'"
+SecRule REQUEST_URI_RAW "@contains GET " "chain"
+SecRule ARGS:site_id "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PassWiki site_id Parameter Local File Inclusion',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007871) ET WEB Philips VOIP841 Web Server Directory Traversal
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007871,rev:2,msg:'ET WEB Philips VOIP841 Web Server Directory Traversal',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Philips_VOIP'"
+SecRule REQUEST_URI_RAW "@contains /etc/passwd" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Philips VOIP841 Web Server Directory Traversal',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002331) ET WEB Piranha default passwd attempt
+SecRule REQUEST_URI_RAW "(?i:\/piranha\/secure\/control\.php3)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002331,rev:3,msg:'ET WEB Piranha default passwd attempt',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Piranha'"
+SecRule QUERY_STRING|REQUEST_BODY "@contains Authorization\: Basic cGlyYW5oYTp" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Piranha default passwd attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008622) ET WEB Pritlog index.php filename File Disclosure
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008622,rev:2,msg:'ET WEB Pritlog index.php filename File Disclosure',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Pritlog'"
+SecRule REQUEST_URI_RAW "@contains /index.php?option=viewEntry" "chain"
+SecRule ARGS:&filename "(?i:(\.\.\/){1,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Pritlog index.php filename File Disclosure',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009152) ET WEB PHP Generic Remote File Include Attempt (HTTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009152,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (HTTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =https\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (HTTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009153) ET WEB PHP Generic Remote File Include Attempt (FTP)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009153,rev:4,msg:'ET WEB PHP Generic Remote File Include Attempt (FTP)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftp\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTP)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2009155) ET WEB PHP Generic Remote File Include Attempt (FTPS)
+SecRule REQUEST_URI_RAW "(?i:\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2009155,rev:5,msg:'ET WEB PHP Generic Remote File Include Attempt (FTPS)',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RFI_Generic'"
+SecRule REQUEST_URI_RAW "@contains =ftps\:/" "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB PHP Generic Remote File Include Attempt (FTPS)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002660) ET WEB RSA Web Auth Exploit Attempt - Long URL
+SecRule REQUEST_URI_RAW "(?i:\?Redirect)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002660,rev:5,msg:'ET WEB RSA Web Auth Exploit Attempt - Long URL',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_RSA'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:url=.{8000})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB RSA Web Auth Exploit Attempt - Long URL',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006443) ET WEB Possible SQL Injection Attempt DELETE FROM
+SecRule REQUEST_URI_RAW "@contains DELETE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006443,rev:6,msg:'ET WEB Possible SQL Injection Attempt DELETE FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:DELETE.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt DELETE FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006444) ET WEB Possible SQL Injection Attempt INSERT INTO
+SecRule REQUEST_URI_RAW "@contains INSERT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006444,rev:6,msg:'ET WEB Possible SQL Injection Attempt INSERT INTO',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  INTO " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:INSERT.+INTO)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt INSERT INTO',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006445) ET WEB Possible SQL Injection Attempt SELECT FROM
+SecRule REQUEST_URI_RAW "@contains SELECT " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006445,rev:6,msg:'ET WEB Possible SQL Injection Attempt SELECT FROM',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  FROM " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:SELECT.+FROM)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt SELECT FROM',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006446) ET WEB Possible SQL Injection Attempt UNION SELECT
+SecRule REQUEST_URI_RAW "@contains UNION " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006446,rev:6,msg:'ET WEB Possible SQL Injection Attempt UNION SELECT',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SELECT " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UNION SELECT',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2006447) ET WEB Possible SQL Injection Attempt UPDATE SET
+SecRule REQUEST_URI_RAW "@contains UPDATE " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2006447,rev:7,msg:'ET WEB Possible SQL Injection Attempt UPDATE SET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_SQL_Injection_Monster_List'"
+SecRule REQUEST_URI_RAW "@contains  SET " "chain"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:[&\?].*UPDATE.+SET)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Possible SQL Injection Attempt UPDATE SET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003903) ET WEB Microsoft SharePoint XSS Attempt default.aspx
+SecRule REQUEST_URI_RAW "(?i:\/default\.aspx)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003903,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt default.aspx',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt default.aspx',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003904) ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]
+SecRule REQUEST_URI_RAW "(?i:\/contact\/contact\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003904,rev:5,msg:'ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Sharepoint'"
+SecRule ARGS:form[mail] "(?i:<?(java|vb)?script>?.*<.+\/script>?)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Microsoft SharePoint XSS Attempt index.php form[mail]',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003705) ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe
+SecRule REQUEST_URI_RAW "(?i:\/site_conf\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003705,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:ordnertiefe)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion site_conf.php ordnertiefe',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003706) ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/class\.csv\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003706,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion class.csv.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003707) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003707,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003708) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/functionen\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003708,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003709) ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/hg_referenz_jobgalerie\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003709,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003710) ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_anmeldung_NWL\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003710,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003711) ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/produkte_nach_serie_alle\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003711,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003712) ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/surfer_aendern\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003712,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003715) ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/ref_kd_rubrik\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003715,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003713) ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/module\/referenz\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003713,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion referenz.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003714) ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/1\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003714,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003867) ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot
+SecRule REQUEST_URI_RAW "(?i:\/standard\/3\/lay\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003867,rev:3,msg:'ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_TellTarget_CMS'"
+SecRule ARGS_NAMES "(?i:tt_docroot)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TellTarget CMS Remote Inclusion 3_lay.php tt_docroot',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002662) ET WEB TWiki INCLUDE remote command execution attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:%INCLUDE\s*{.*rev=\x22\d+\|.+\x22.*}\s*%)" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002662,rev:5,msg:'ET WEB TWiki INCLUDE remote command execution attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki INCLUDE remote command execution attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003085) ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt
+SecRule QUERY_STRING|REQUEST_BODY "(?i:&TYPEOF\:.+system\s*\()" "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003085,rev:4,msg:'ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Twiki',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB TWiki Configure Script TYPEOF Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003099) ET WEB-MISC Poison Null Byte
+SecRule REQUEST_URI_RAW "@contains |00|" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003099,rev:4,msg:'ET WEB-MISC Poison Null Byte',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_URI',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB-MISC Poison Null Byte',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002494) ET WEB Versatile Bulletin Board SQL Injection Attack
+SecRule REQUEST_URI_RAW "(?i:\/index\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002494,rev:5,msg:'ET WEB Versatile Bulletin Board SQL Injection Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_VersatileBB'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:select=.+UNION\s+SELECT)" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB Versatile Bulletin Board SQL Injection Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002100) ET WEB WPS wps_shop.cgi Remote Command Execution Attempt
+SecRule REQUEST_URI_RAW "(?i:\/wps_shop\.cgi)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002100,rev:4,msg:'ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WPS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(art=\|.+\|))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WPS wps_shop.cgi Remote Command Execution Attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002844) ET WEB WebDAV search overflow
+SecRule QUERY_STRING|REQUEST_BODY "@contains SEARCH " "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002844,rev:4,msg:'ET WEB WebDAV search overflow',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Webdav',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WebDAV search overflow',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2004574) ET WEB WikyBlog XSS Attempt sessionRegister.php
+SecRule REQUEST_URI_RAW "(?i:\/include\/sessionRegister\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2004574,rev:4,msg:'ET WEB WikyBlog XSS Attempt sessionRegister.php',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WikyBlog'"
+SecRule REQUEST_URI_RAW "@contains | 3C |" "chain"
+SecRule REQUEST_URI_RAW "@contains SCRIPT" "chain"
+SecRule REQUEST_URI_RAW "@contains | 3E |" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WikyBlog XSS Attempt sessionRegister.php',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007872) ET WEB WinIPDS Directory Traversal Vulnerabilities GET
+SecRule REQUEST_URI_RAW "@contains GET " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007872,rev:2,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities GET',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities GET',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2007873) ET WEB WinIPDS Directory Traversal Vulnerabilities POST
+SecRule REQUEST_URI_RAW "@contains POST " "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2007873,rev:3,msg:'ET WEB WinIPDS Directory Traversal Vulnerabilities POST',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_WinIPDS'"
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\.\.[\\/]){1,}.+\.(com|exe|bat|dll|cab|ini))" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WinIPDS Directory Traversal Vulnerabilities POST',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2008553) ET WEB WordPress Random Password Generation Insufficient Entropy Attack
+SecRule REQUEST_URI_RAW "(?i:\/wp\-login\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2008553,rev:2,msg:'ET WEB WordPress Random Password Generation Insufficient Entropy Attack',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Wordpress'"
+SecRule REQUEST_URI_RAW "@contains POST " "chain"
+SecRule ARGS:action "(?i:\w+(%20){60,})" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB WordPress Random Password Generation Insufficient Entropy Attack',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002408) ET WEB phpMyAdmin Suspicious Activity
+SecRule REQUEST_URI_RAW "(?i:\/grab_globals\.lib\.php)" "chain,phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002408,rev:7,msg:'ET WEB phpMyAdmin Suspicious Activity',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin'"
+SecRule REQUEST_URI_RAW "@contains POST " "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Suspicious Activity',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002409) ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)
+SecRule QUERY_STRING|REQUEST_BODY "@contains [redirect]" "phase:2,pass,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002409,rev:5,msg:'ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',tag:'web-application-activity',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_phpMyAdmin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB phpMyAdmin Local File Inclusion (2.6.4-pl1)',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2002667) ET WEB sumthin scan
+SecRule REQUEST_URI_RAW "@contains GET /sumthin HTTP/1." "phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2002667,rev:3,msg:'ET WEB sumthin scan',tag:'attempted-recon',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_sumthin',ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB sumthin scan',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+# (sid 2003167) ET WEB tikiwiki featured link XSS attempt
+SecRule REQUEST_URI_RAW "(?i:\/tiki\-featured_link\.php)" "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,nolog,auditlog,logdata:'%{TX.0}',id:sid2003167,rev:4,msg:'ET WEB tikiwiki featured link XSS attempt',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_tikiwiki'"
+SecRule ARGS_NAMES "(?i:type)" "chain"
+SecRule REQUEST_URI_RAW "@contains /iframe>" "ctl:auditLogParts=+E,setvar:'tx.msg=ET WEB tikiwiki featured link XSS attempt',setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}'"
+
+
+SecMarker END_SNORT_RULES
diff --git a/rules/base_rules/modsecurity_crs_47_common_exceptions.conf b/rules/base_rules/modsecurity_crs_47_common_exceptions.conf
new file mode 100644
index 00000000..81cac0e5
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_47_common_exceptions.conf
@@ -0,0 +1,28 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog"
+        SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+                SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,t:none,pass,nolog"
+	SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+		SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
+                	SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        	SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
diff --git a/rules/base_rules/modsecurity_crs_48_local_exceptions.conf b/rules/base_rules/modsecurity_crs_48_local_exceptions.conf
new file mode 100644
index 00000000..b7f82406
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_48_local_exceptions.conf
@@ -0,0 +1,110 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used to allow custom checks and exclusions for the transactional
+# variable rules.  Place rules in this file so that you may influence what happens
+# in the 49 - Enforcement File. 
+
+# In previous ModSecurity rules, the TARGET list would have to be updated in
+# order to exclude a specific paramater like this -
+#
+# SecRule ARGS_NAMES|ARGS|!ARGS:foo
+# 
+# With the new transactional variable rules, parameter exceptions can now
+# be handled AFTER the initial inspection as the rules now use setvars to 
+# capture meta-data with each rule match.  They use this syntax -  
+#
+# 	setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
+#
+# When the transactional rules trigger, they will set a TX variable similar to this 
+# for an SQL Injection attack -
+#
+# 	Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
+# 
+# With this data now available, the user can implement flexible exceptions.
+# 
+# Exception example - exclude a parameter
+#
+# In this example, we are inspecting
+# the TX collections to see if there is a current variable that has matched
+# for the 950001 SQL Injection rule ID and for the "comments" parameter.  If
+# so, then we are going to remove the collection entirely by using the 
+# setvar:!tx. syntax.  By doing this, the TX collection is removed before final
+# inspection at the end of phase 2 in the enforcement file.
+#
+#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
+#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion for the entire SQL Injection category of rules
+#
+#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
+#	SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# This is an example exclusion that combines the URL and parameter and removes
+# a specific SQL Injection ID only if the parameter foo payload matches
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
+#	SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
+#       	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+# allow request methods
+#
+#SecAction "phase:1,setvar:tx.e60032=1"
+#SecRule REQUEST_METHOD "^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
+#    "phase:1,pass,nolog,t:none,setvar:tx.m60032=1"
+
+
+# restrict request methods
+#
+#SecRule REQUEST_METHOD "^()$" \
+#    "phase:1,pass,nolog,t:none,t:urlDecodeUni,setvar:tx.m60033=1"
+
+
+# allow content type
+#
+#SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
+#	"phase:1,pass,nolog,t:none,chain,setvar:tx.e60010=1"
+#SecRule HTTP_HEADERS:Content-Type "(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" \
+#    "t:lowercase,setvar:tx.m60010=1"
+
+
+# allow file extensions
+#
+#SecAction "setvar:tx.e60036=1"
+#SecRule REQUEST_BASENAME "\.$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60036=1"
+
+
+# Restrict file extension
+#
+#SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60035=1"
+
+
+# Restrict directories and patterns in path
+#
+#SecRule REQUEST_FILENAME  "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60037=1"
+
+
+# Allow directories and patterns in path
+#
+#SecAction "setvar:tx.e60039=1"
+#SecRule REQUEST_FILENAME "" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:normalisePathWin,t:lowercase,setvar:tx.m60039=1"
+
+
+# Restricted HTTP headers 
+#
+#SecAction "setvar:tx.e60038=1"
+#SecRule REQUEST_HEADERS_NAMES "^(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" \
+#    "phase:1,pass,nolog,t:urlDecodeUni,t:lowercase,setvar:tx.m60038=1"
+
diff --git a/rules/base_rules/modsecurity_crs_49_enforcement.conf b/rules/base_rules/modsecurity_crs_49_enforcement.conf
new file mode 100644
index 00000000..c700087c
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_49_enforcement.conf
@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# Uncomment the anomaly sections you wish to use.
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Alert and Deny on High Anomaly Scores
+#
+SecRule TX:ANOMALY_SCORE "@ge 20" \
+    "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on any anomalies
+#
+#SecRule TX:ANOMALY_SCORE "@ge 0" \
+#    "phase:2,t:none,nolog,auditlog,pass,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
+
+# Alert on SQL Injection anomalies
+#
+#SecRule TX:SQLI_SCORE "@gt 0" \
+#    "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"
+
+# Alert on XSS anomalies
+#
+#SecRule TX:XSS_SCORE "!@eq 0" \
+#    "phase:2,t:none,log,deny,msg:'XSS Detected (score %{TX.XSS_SCORE}): %{tx.msg}'"
+
diff --git a/rules/base_rules/modsecurity_crs_50_outbound.conf b/rules/base_rules/modsecurity_crs_50_outbound.conf
new file mode 100644
index 00000000..8057b15b
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_50_outbound.conf
@@ -0,0 +1,306 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE   By default the status code sent is 501, which implies that the web 
+#        server does not support the required operation. This is a non standard
+#        of this status code which normally refers to unsupported HTTP methods. 
+#        It is used in order to confuse automated clients and scanners. 
+
+
+# Zope Information Leakage
+SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# CF Information Leakage
+SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# PHP Information Leakage
+SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# ISA server existence revealed
+SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{matched_var}"
+
+# Microsoft Office document properties leakage
+SecRule RESPONSE_BODY "<o:documentproperties>" \
+        "phase:4,t:none,nolog,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+          
+# CF source code leakage
+SecRule RESPONSE_BODY "<cf" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# IIS default location
+SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
+        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,nolog,auditlog,msg:'IIS installed in default location',id:'970018',severity:'3',chain"
+SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15"
+
+# The application is not available
+SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970901',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970118',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{matched_var}"
+
+# Weblogic information disclosure
+SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'3'"
+SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# File or Directory Names Leakage
+SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'3'"
+SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+#
+# IFrame Injection
+#
+SecRule RESPONSE_BODY "!@pm iframe" \
+				"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981000',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
+				"t:replaceComments,phase:4,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'Possibly malicious iframe tag in output',id:'981001',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{matched_var}"				
+SecMarker END_IFRAME_CHECK 
+
+#
+# Run PM check against response body data before running any RegEx Checks
+# If nothing matches, then we skip the remainder of phase:4 
+#
+SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
+        "phase:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
+
+# ASP/JSP source code leakage
+SecRule RESPONSE_BODY "\bwscript\.shell\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971379',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<jsp:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971300',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.addheader\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971360',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.execute\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971373',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.mappath\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971375',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.binarywrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971369',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.createobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971372',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.createtextfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971361',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bwscript\.network\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971378',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bvbscript\.encode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971377',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.htmlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971374',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bjavax\.servlet" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971301',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscripting\.filesystemobject\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971371',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bserver\.urlencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971376',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.getfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971362',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\.loadfromfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971363',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bresponse\.write\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971370',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# PHP source code leakage
+SecRule RESPONSE_BODY "\bproc_open\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958976',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958972',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958963',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958965',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfscanf\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958959',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958978',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetss\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958955',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_post\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958941',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsession_start\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958982',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breaddir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958977',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958973',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bscandir\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958981',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958962',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfread\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958958',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\breadgzfile\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958979',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958967',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfwrite\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958968',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzencode\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958970',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958957',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_session\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958942',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958964',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fput\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958961',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzcompress\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958969',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bbzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958946',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bgzopen\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958971',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgetc\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958953',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmove_uploaded_file\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958975',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_nb_put\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958966',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\$_get\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958940',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bfgets\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958954',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bftp_fget\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958960',tag:'LEAKAGE/SOURCE_CODE',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+SecMarker 900771
+SecRule RESPONSE_BODY "<\?(?!xml)" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{matched_var}"
+
+# Statistics pages revealed
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?webcruncher\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971019',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by PeLAB\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971011',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971020',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?Jware\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971018',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?wwwstat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971014',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?calamaris\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971022',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis report was generated by WebLog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971013',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\b[gG]enerated by.{0,100}?[Ww]ebalizer\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971024',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThese statistics were produced by getstats\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971010',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?EasyStat\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971023',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?analog\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Statistics Information Leakage',id:'971021',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+
+
+# SQL Errors leakage
+SecRule RESPONSE_BODY "\bCould not find server \'\w+\' in sysservers\. execute sp_addlinkedserver\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971154',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSyntax error converting the \w+ value .*? to a column of data type\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971153',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bORA-\d{5}\: " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971198',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnclosed quotation mark before the character string\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971092',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\[Microsoft\]\[ODBC " \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971197',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800a01b8\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971069',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax near \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971094',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bmicrosoft jet database engine error \'8" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971072',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in an aggregate function and there is no GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971086',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bUnable to connect to PostgreSQL server\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971091',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bPostgreSQL query failed\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971068',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MS SQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971158',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid Oracle\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971157',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971093',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid ODBC\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971159',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft OLE DB Provider for .{0,30} [eE]rror '" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971076',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bSQL Server does not exist or access denied\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971096',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted; the operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971099',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bcannot take a \w+ data type as an argument\." \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971060',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bselect list because it is not contained in either an aggregate function or the GROUP BY clause\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971087',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bThe column prefix .{0,50}? does not match with a table name or alias name used in the query\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971155',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid PostgreSQL result\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971088',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax;" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971150',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bsupplied argument is not a valid MySQL\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971156',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted. Requested\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971067',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bincorrect syntax near (?:\'|the\b|\@\@error\b)" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971152',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+
+# IIS Errors leakage
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)Microsoft \.NET Framework Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971123',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY ">error \'ASP\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971111',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\berror \'800" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971116',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?:&nbsp;|\s)ASP\.NET Version\:" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971124',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bA trappable error occurred in an external object\. The script cannot continue running\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971122',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime Error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971125',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971121',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.aspx\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971113',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime \(0x8\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971126',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bObject required\: \'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971112',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\bApplication uses a value of the wrong type for the current operation\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971115',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.asp\?[Ee]rror\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971127',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\berror\'" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971114',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation error\b" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'971119',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
+        "phase:4,chain,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'3'"
+SecRule RESPONSE_STATUS "!^404$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
+# Directory Listing
+SecRule RESPONSE_BODY ">[To Parent Directory]</[Aa]><br>" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971202',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<TITLE>Index of.*?<H1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971201',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "<title>Index of.*?<h1>Index of" \
+        "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:403,msg:'Directory Listing',id:'971200',tag:'LEAKAGE/INFO',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{matched_var}"
+             
diff --git a/rules/base_rules/modsecurity_crs_60_correlation.conf b/rules/base_rules/modsecurity_crs_60_correlation.conf
new file mode 100644
index 00000000..ca9b79dd
--- /dev/null
+++ b/rules/base_rules/modsecurity_crs_60_correlation.conf
@@ -0,0 +1,43 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Correlated Successful Attack
+#
+SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})'"
+        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Correlated Attack Attempt 
+#
+SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
+    "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})'"
+	SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
+
+# Alert on High Anomaly Scores
+#
+#SecRule TX:ANOMALY_SCORE "@ge 40" \
+#    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+# Alert on any anomalies
+#
+SecRule TX:ANOMALY_SCORE "@ge 5" \
+    "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
+
+SecMarker END_CORRELATION
diff --git a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf b/rules/base_rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
similarity index 100%
rename from rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
rename to rules/base_rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
diff --git a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/base_rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
similarity index 100%
rename from rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
rename to rules/base_rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
diff --git a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf b/rules/base_rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
similarity index 100%
rename from rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
rename to rules/base_rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
diff --git a/rules/base_rules/optional_rules/modsecurity_crs_42_comment_spam.conf b/rules/base_rules/optional_rules/modsecurity_crs_42_comment_spam.conf
new file mode 100644
index 00000000..b0ff0297
--- /dev/null
+++ b/rules/base_rules/optional_rules/modsecurity_crs_42_comment_spam.conf
@@ -0,0 +1,42 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Comment spam is an attack against blogs, guestbooks, wikis and other types of
+#   interactive web sites that accept and display hyperlinks submitted by
+#   visitors. The spammers automatically post specially crafted random comments
+#   which include links that point to the spammer's web site. The links
+#   artificially increas the site's search engine ranking and may make the site
+#   more noticable in search results.
+#
+
+SecRule &IP:SPAMMER "@eq 0" "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
+	SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
+        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"
+
+SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
+SecMarker END_RBL_CHECK
+
+SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla(?:\/4\.0\+?\()?|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc|")" \
+        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
+# Prequalifier. Look for <http> first
+SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
+
+SecAction phase:2,pass,nolog,skipAfter:END_COMMENT_SPAM
+
+	# Look for 2 ways of posting a link
+	SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
+		SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
+	# Look for too many links in an argument (Prone to FPs)
+	SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
+
+SecMarker END_COMMENT_SPAM 
diff --git a/rules/optional_rules/modsecurity_crs_42_tight_security.conf b/rules/base_rules/optional_rules/modsecurity_crs_42_tight_security.conf
similarity index 58%
rename from rules/optional_rules/modsecurity_crs_42_tight_security.conf
rename to rules/base_rules/optional_rules/modsecurity_crs_42_tight_security.conf
index 13667049..8ef16162 100644
--- a/rules/optional_rules/modsecurity_crs_42_tight_security.conf
+++ b/rules/base_rules/optional_rules/modsecurity_crs_42_tight_security.conf
@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -19,15 +19,9 @@
 # Directory Traversal
 #
 SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
-        "phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
+        "phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
 # Weaker signature
-SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
+#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
 
 
-#
-# RFI Attack
-#
-SecRule ARGS "^(?:ht|f)tp:/" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
-
diff --git a/rules/optional_rules/modsecurity_crs_55_marketing.conf b/rules/base_rules/optional_rules/modsecurity_crs_55_marketing.conf
similarity index 64%
rename from rules/optional_rules/modsecurity_crs_55_marketing.conf
rename to rules/base_rules/optional_rules/modsecurity_crs_55_marketing.conf
index 3a49e4c6..6008b9f9 100644
--- a/rules/optional_rules/modsecurity_crs_55_marketing.conf
+++ b/rules/base_rules/optional_rules/modsecurity_crs_55_marketing.conf
@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -12,10 +12,10 @@
 # --
 
 SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'MSN robot activity',id:'910008',severity:'6'"
 
 SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'6'"
 
 SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
-        "phase:2,t:none,t:lowercase,log,auditlog,msg:'Google robot activity',id:'910006',severity:'5'"
+        "phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Google robot activity',id:'910006',severity:'6'"
diff --git a/rules/modsecurity_crs_10_config.conf b/rules/modsecurity_crs_10_config.conf
index 66ad7b7a..c686b3d0 100644
--- a/rules/modsecurity_crs_10_config.conf
+++ b/rules/modsecurity_crs_10_config.conf
@@ -1,12 +1,15 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
 # ---------------------------------------------------------------
 
 
+# The directives within this file can be included within
+# Virtual Host containers.
+#
 # Configuration contained in this file should be customized
 # for your specific requirements before deployment.
 #
@@ -75,6 +78,9 @@ SecResponseBodyAccess On
 SecResponseBodyMimeType (null) text/html text/plain text/xml
 SecResponseBodyLimit 524288
 
+# The following directive will not block large response bodies, but rather will
+# only inspect data up to the size SecResponseBodyLimit setting.
+SecResponseBodyLimitAction ProcessPartial
 
 # Initiate XML Processor in case of xml content-type
 #
@@ -92,6 +98,14 @@ SecResponseBodyLimit 524288
 # This is a reasonable setting to start with because you do not
 # want to reject legitimate requests with an untuned rule set.
 #
+# The following line's settings will be inherited by rules that
+# either do not specify an action at all, or if they use the 
+# "block" action. This will also allow the rules to use 
+# Anomaly Scoring (must use the
+# modsecurity_crs_49_anomaly_scoring.conf file).
+#
+SecDefaultAction "phase:2,pass"
+
 # If, after monitoring the performance of the rule set after a
 # sufficient period, you determine the rules never (or rarely
 # trigger on legitimate requests) you can change to something
@@ -100,21 +114,7 @@ SecResponseBodyLimit 524288
 # to only configure some rules to reject requests, leaving most
 # of them to work in detection mode.
 #
-#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
-
-# Set web server identification string
-#
-# TODO In case you use Apache, you may want specify a simple server signature
-#      instead of the detailed Apache default signature that list most modules
-#      used on the specific Apache deployment:
-#      "Apache/2.2.0 (Fedora)"   
-#      For this directive to work, you need to set Apache ServerTokens
-#      to Full (this is the default option)
-SecServerSignature "Apache/2.2.0 (Fedora)"
-
-# Add ruleset identity to the logs
-#
-SecComponentSignature "core ruleset/1.6.1"
+#SecDefaultAction "phase:2,deny"
 
 ## -- File uploads configuration -----------------------------------------------
 # Temporary file storage path.
@@ -243,19 +243,6 @@ SecAuditLogParts "ABIFHKZ"
 # modifications unless 
 
  
-# Parameters separator
-#
-# Specifies which character to use as separator for 
-# application/x-www-form-urlencoded content. 
-# Defaults to "&". Applications are sometimes (very rarely) written to use 
-# a semicolon (";").
-#
-# NOTE Changing the value for this directive has significant influence on how
-#      ModSecurity works. Make the change only if you are absolutely sure it
-#      is required.
-SecArgumentSeparator "&" 
-
-
 # Selects the cookie format that will be used in the current configuration 
 # context. 
 #
@@ -285,16 +272,5 @@ SecRequestBodyInMemoryLimit 131072
 SecDebugLog             logs/modsec_debug.log
 SecDebugLogLevel        3
 
-# Path where persistent data (e.g. IP address data, session data, etc) is to
-# be stored. Must be writable by the web server user.
-#
-# TODO It is advisable to create a directory structure for ModSecurity such as
-#      /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
-#      SecUploadDir, SecAuditLog and SecAuditLogStorageDir
-#      underneath it and set the permission for read and write only by the
-#      Apache user.
-
-SecDataDir /tmp
-
 # Configures the directory where temporary files will be created.
 SecTmpDir /tmp
diff --git a/rules/modsecurity_crs_10_global_config.conf b/rules/modsecurity_crs_10_global_config.conf
new file mode 100644
index 00000000..c62f51c2
--- /dev/null
+++ b/rules/modsecurity_crs_10_global_config.conf
@@ -0,0 +1,64 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.0
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# Configuration contained in this file should be included 
+# in the MAIN Apache config section as these directives
+# can not be included within Virtual Host containers.
+#
+
+# Set web server identification string
+#
+# If you want to spoof another web server type, you can specify it like this -
+#
+# SecServerSignature "Microsoft-IIS/6.0"
+#  or
+# SecServerSignature "Sun-ONE-Web-Server/6.1"
+#
+# Spoofing the Server token data is considered by some to be "Security by Obscurity"
+# and that may be true when it is the *only* security measure taken.  There is
+# a security benefit, however, with changing this data and that is to help
+# protect against automated banner-grabbing tools, exploit code and worms that
+# decide to send the attack payload based on the target platform data in the
+# Server token.
+#
+# For this directive to work, you need to set Apache ServerTokens
+# to Full (this is the default option)
+#
+# The default setting is to server a blank Server banner
+SecServerSignature " "
+
+# Add ruleset identity to the logs
+#
+SecComponentSignature "core ruleset/2.0"
+
+# Parameters separator
+#
+# Specifies which character to use as separator for 
+# application/x-www-form-urlencoded content. 
+# Defaults to "&". Applications are sometimes (very rarely) written to use 
+# a semicolon (";").
+#
+# NOTE Changing the value for this directive has significant influence on how
+#      ModSecurity works. Make the change only if you are absolutely sure it
+#      is required.
+SecArgumentSeparator "&" 
+
+# Path where persistent data (e.g. IP address data, session data, etc) is to
+# be stored. Must be writable by the web server user.
+#
+# TODO It is advisable to create a directory structure for ModSecurity such as
+#      /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
+#      SecUploadDir, SecAuditLog and SecAuditLogStorageDir
+#      underneath it and set the permission for read and write only by the
+#      Apache user.
+
+SecDataDir /tmp
+
+# Create both Global and IP collections for rules to use
+SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
diff --git a/rules/modsecurity_crs_20_protocol_violations.conf b/rules/modsecurity_crs_20_protocol_violations.conf
deleted file mode 100644
index df1f1f52..00000000
--- a/rules/modsecurity_crs_20_protocol_violations.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# TODO in some cases a valid client (usually automated) generates requests that
-#      violates the HTTP protocol. Create exceptions for those clients, but try
-#      to limit the exception to a source IP or other additional properties of 
-#      the request such as URL and not allow the violation generally. 
-#  
-#
-
-# Validate request line
-#
-SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
-    "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
-
-
-# HTTP Request Smuggling
-#
-SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"
-
-# Block request with malformed content.
-# ModSecurity will not inspect these, but the server application might do so
-#
-SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"
-
-
-# Accept only digits in content length 
-#
-SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
-
-# Do not accept GET or HEAD requests with bodies
-# HTTP standard allows GET requests to have a body but this
-# feature is not used in real life. Attackers could try to force
-# a request body on an unsuspecting web applications.
-#
-SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
-SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
-
-# Require Content-Length to be provided with every POST request.
-#
-SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
-
-# Don't accept transfer encodings we know we don't know how to handle
-#
-# NOTE ModSecurity does not support chunked transfer encodings at
-#      this time. You MUST reject all such requests.
-#
-SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"
-
-# Check encodings
-SecRule REQUEST_BODY|REQUEST_URI|XML:/* "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
-	"chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-SecRule REQUEST_BODY|REQUEST_URI|XML:/* "@validateUrlEncoding"
-
-# Check UTF enconding
-# Uncomment this rule if your system uses UTF encoding.
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "phase:2,t:none,deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
-
-# Disallow use of full-width unicode
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
-  "t:none,phase:2,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4'"
-
-# Proxy access attempt
-# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
-#      included in case Apache proxy is misconfigured.
-SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
-
-#
-# Restrict type of characters sent
-#
-# NOTE In order to be broad and support localized applications this rule
-#      only validates that NULL Is not used.
-#
-#	   The strict policy version also validates that protocol and application 
-#	   generated fields are limited to printable ASCII. 
-#
-# TODO If your application use the range 32-126 for parameters.
-#
-SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
-	"@validateByteRange 1-255" \
-	"phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"
-
-SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
-	"phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"
diff --git a/rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/modsecurity_crs_21_protocol_anomalies.conf
deleted file mode 100644
index 82d01419..00000000
--- a/rules/modsecurity_crs_21_protocol_anomalies.conf
+++ /dev/null
@@ -1,67 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# TODO in some cases a valid client (usually automated) generates requests that
-#      violates the HTTP protocol. Create exceptions for those clients, but try
-#      to limit the exception to a source IP or other additional properties of 
-#      the request such as URL and not allow the violation generally. 
-#
-
-# Do not accept requests without common headers. 
-# Implies either an attacker or a legitimate automation client. 
-#
-# Exception for Apache SSL pinger
-
-SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999210',severity:'5'"
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" t:none
-
-# Exception for Apache internal dummy connection
-SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999211',severity:'5'"
-SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain,t:none"
-SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
-
-
-# Detect HTTP/0.9 Requests
-SecRule REQUEST_PROTOCOL ^http/0.9$ "t:none,t:lowercase,phase:2,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"
-
-SecRule &REQUEST_HEADERS:Host "@eq 0" \
-    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-SecRule REQUEST_HEADERS:Host "^$" \
-    "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"    
-
-
-SecRule &REQUEST_HEADERS:Accept "@eq 0" \
-    "chain,phase:2,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
-SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
-SecRule REQUEST_HEADERS:Accept "^$" \
-    "chain,phase:2,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
-SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
-
-SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
-    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-SecRule REQUEST_HEADERS:User-Agent "^$" \
-    "t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
-
-
-SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
-    "chain,phase:2,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'4'"
-SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none"
-
-
-# Check that the host header is not an IP address 
-#
-SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST'"
-
-
-# Log a security event when the request is rejected by apache
-#
-SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
-SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none"
-
diff --git a/rules/modsecurity_crs_23_request_limits.conf b/rules/modsecurity_crs_23_request_limits.conf
deleted file mode 100644
index b5d9af70..00000000
--- a/rules/modsecurity_crs_23_request_limits.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-
-# In most cases, you should expect a certain volume of each a request on your
-# website. For example, a request with 400 arguments, can be suspicious.
-# This file creates limitations on the request.
-# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
-#      Note that most of the rules are commented out by default.
-#      Uncomment the rules you need
-#
-
-## -- Arguments limits --
-
-# Limit argument name length
-#SecRule ARGS_NAMES "^.{100}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4'"
-
-# Limit value name length
-#SecRule ARGS "^.{400}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4'"
-
-# Maximum number of arguments in request limited
-SecRule &ARGS "@gt 255" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4'"
-
-# Limit arguments total length
-#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4'"
-
-
-## -- File upload limits --
-
-# Individual file size is limited
-#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4'"
-
-# Combined file size is limited
-#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4'"
-
-
-
-## -- Apache Limits --
-
-# These are Apache limit directives, but we are including them here because
-# they are often forgotten. If you already have these configured leave this
-# section entirely commented-out. Otherwise review the limits and uncomment
-# the directives.
-
-# Maximum size of the request body.
-#
-# NOTE If your application allows file uploads the value below will
-#      most likely be way to low.
-#
-#LimitRequestBody 64000
-
-# Maximum number of request headers in a request.
-#
-#LimitRequestFields 32
-
-# Maximum size of request header lines.
-#
-#LimitRequestFieldSize 8000
-
-# Maximum size of the request line.
-#
-#LimitRequestLine 4000
-
diff --git a/rules/modsecurity_crs_35_bad_robots.conf b/rules/modsecurity_crs_35_bad_robots.conf
deleted file mode 100644
index d17127e7..00000000
--- a/rules/modsecurity_crs_35_bad_robots.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# NOTE Bad robots detection is based on checking elements easily 
-#      controlled by the client. As such a determined attacked can bypass
-#      those checks. Therefore bad robots detection should not be viewed as
-#      a security mechanism against targeted attacks but rather as a nuisance
-#      reduction, eliminating most of the random attacks against your web
-#      site. 
-
-SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-SecRule REQUEST_FILENAME "^/nessustest" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)" \
-        "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
-        "chain,phase:2,t:none,t:lowercase,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
-SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase"
-
diff --git a/rules/modsecurity_crs_40_generic_attacks.conf b/rules/modsecurity_crs_40_generic_attacks.conf
deleted file mode 100644
index 0ff8d6de..00000000
--- a/rules/modsecurity_crs_40_generic_attacks.conf
+++ /dev/null
@@ -1,214 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-# 
-# TODO While some of the pattern groups such as command injection are usually
-#      safe of false positives, other pattern groups such as SQL injection and 
-#      XSS may require setting exceptions and therefore are set to log only by
-#      default. 
-#
-#      Start ModSecurity in monitoring only mode and check whether your 
-#      application requires exceptions for a specific URL, Pattern or source IP
-#      before moving to blocking mode.  
- 
-#
-# Session fixation
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959009
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
-        "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'959009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Blind SQL injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959007
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-				
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:benchmark|encode)\b" \
-#        "phase:2,chain,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,(?:[\\\(\)\%#]|--)"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\b(?:benchmark|encode)\b" \
-#        "phase:2,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" t:none
-
-SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959904
-SecRule REQUEST_FILENAME|ARGS "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# SQL injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
-#        "phase:2,chain,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:[\\\(\)\%#]|--)" "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
-#        "phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-
-SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959906
-SecRule REQUEST_FILENAME|ARGS "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# XSS
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959004
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'959004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# File Injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:959005
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Command access
-#
-SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Command injection
-#
-SecRule ARGS "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction phase:2,pass,nolog,skipAfter:950006
-SecRule ARGS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
-        "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction pass,nolog,skipAfter:959006
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
-        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-SecRule ARGS \
-		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
-		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# Coldfusion injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# LDAP injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# SSI injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# PHP injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress" \
-        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
-SecAction pass,nolog,skipAfter:959013
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'950013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'959013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# UPDF XSS
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
-        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"
-
-
-#
-# Email Injection
-#
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
-        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
-SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
-        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"
-
-
-#
-# HTTP Response Splitting
-#
-SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
-        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
-        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'1'"
-
diff --git a/rules/modsecurity_crs_50_outbound.conf b/rules/modsecurity_crs_50_outbound.conf
deleted file mode 100644
index a6f276d4..00000000
--- a/rules/modsecurity_crs_50_outbound.conf
+++ /dev/null
@@ -1,89 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# NOTE   By default the status code sent is 501, which implies that the web 
-#        server does not support the required operation. This is a non standard
-#        of this status code which normally refers to unsupported HTTP methods. 
-#        It is used in order to confuse automated clients and scanners. 
-
-
-# Statistics pages revealed
-SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'"
-
-# SQL Errors leakage
-SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:(?:M(?:S |y)|Postgre)SQL|O(?:racle|DBC)))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(?:; the operation|\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|(?:Warning: mysql_connect\(\)|PostgreSQL query failed):|You have an error in your SQL syntax(?: near '|;)|cannot take a \w+ data type as an argument\.|incorrect syntax near (?:\'|the\b|@@error\b)|microsoft jet database engine error '8|ORA-\d{5}: )|\[Microsoft\]\[ODBC )" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',id:'970003',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# IIS Errors leakage
-SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|(?:\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror|>error 'ASP)\b)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970004',tag:'LEAKAGE/ERRORS',severity:'4'"
-SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
-        "phase:4,chain,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'4'"
-SecRule RESPONSE_STATUS "!^404$" "t:none"
-
-# Zope Information Leakage
-SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# CF Information Leakage
-SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# PHP Information Leakage
-SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
-
-# ISA server existence revealed
-SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'4'"
-
-# Microsoft Office document properties leakage
-SecRule RESPONSE_BODY "<o:documentproperties>" \
-        "phase:4,t:none,log,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'4'"
-
-# Directory Listing
-SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',tag:'LEAKAGE/INFO',severity:'4'"
-
-# ASP/JSP source code leakage
-SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"
-
-# PHP source code leakage
-SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "<\?(?!xml)" \
-        "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"       
-
-# CF source code leakage
-SecRule RESPONSE_BODY "<cf" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
-
-# IIS default location
-SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
-        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'IIS installed in default location',id:'970018',severity:'5',chain,initcol:global=global"
-SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc"
-
-# The application is not available
-SecRule RESPONSE_STATUS "^503$" "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'"
-SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
-        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'"
-
-# Weblogic information disclosure
-SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'4'"
-SecRule RESPONSE_BODY "t:none,<title>JSP compile error<\/title>" t:none
-
-# File or Directory Names Leakage
-SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'4'"
-SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase"
diff --git a/rules/optional_rules/modsecurity_crs_42_comment_spam.conf b/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
deleted file mode 100644
index b1de7904..00000000
--- a/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# Comment spam is an attack against blogs, guestbooks, wikis and other types of
-#   interactive web sites that accept and display hyperlinks submitted by
-#   visitors. The spammers automatically post specially crafted random comments
-#   which include links that point to the spammer's web site. The links
-#   artificially increas the site's search engine ranking and may make the site
-#   more noticable in search results.
-#
-
-# Prequalifier. Look for <http> first
-SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"
-
-SecAction phase:2,pass,nolog,skipAfter:999011
-
-# Look for 2 ways of posting a link
-SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
-SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-
-# Look for too many links in an argument (Prone to FPs)
-SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
-
-
-SecMarker 999011
diff --git a/rules/util/httpd-guardian.pl b/rules/util/httpd-guardian.pl
new file mode 100755
index 00000000..aa684d68
--- /dev/null
+++ b/rules/util/httpd-guardian.pl
@@ -0,0 +1,518 @@
+#!/usr/bin/perl -w
+#
+# httpd-guardian - detect DoS attacks by monitoring requests
+# Apache Security, http://www.apachesecurity.net
+# Copyright (C) 2005 Ivan Ristic <ivanr@webkreator.com>
+#
+# $Id: httpd-guardian,v 1.6 2005/12/04 11:30:35 ivanr Exp $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+
+# This script is designed to monitor all web server requests through
+# the piped logging mechanism. It keeps track of the number of requests
+# sent from each IP address. Request speed is calculated at 1 minute and
+# 5 minute intervals. Once a threshold is reached, httpd-guardian can
+# either emit a warning or execute a script to block the IP address.
+#
+# Error message will be sent to stderr, which means they will end up
+# in the Apache error log.
+#
+# Usage (in httpd.conf)
+# ---------------------
+#
+# Without mod_security, Apache 1.x:
+#
+#   LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T 0 \"%{modsec_message}i\" 0" guardian
+#   CustomLog "|/path/to/httpd-guardian" guardian
+#
+# or without mod_security, Apache 2.x:
+#
+#   LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{UNIQUE_ID}e \"-\" %T %D \"%{modsec_message}i\" 0" guardian
+#   CustomLog "|/path/to/httpd-guardian" guardian
+#
+# or with mod_security (better):
+#
+#   SecGuardianLog "|/path/to/httpd-guardian"
+#
+# NOTE: In order for this script to be effective it must be able to
+#       see all requests coming to the web server. This will not happen
+#       if you are using per-virtual host logging. In such cases either
+#       use the ModSecurity 1.9 SecGuardianLog directive (which was designed
+#       for this very purpose).
+#
+#
+# Usage (with Spread)
+# -------------------
+#
+# 1) First you need to make sure you have Spread running on the machine
+#    where you intend to run httpd-guardian on.
+#
+# 2) Then uncomment line "use Spread;" in this script, and change
+#    $USE_SPREAD to "1".
+#
+# 3) The default port for Spread is 3333. Change it if you want to
+#    and then start httpd-guardian. We will be looking for messages
+#    in the Spread group called "httpd-guardian".
+
+# TODO Add support to ignore certain log entries based on a
+#      regex applied script_name.
+#
+# TODO Warn about session hijacking.
+#
+# TODO Track ip addresses, sessions, and individual users.
+#
+# TODO Detect status code anomalies.
+#
+# TODO Track accesses to specific pages.
+#
+# TODO Open proxy detection.
+#
+# TODO Check IP addresses with blacklists (e.g.
+#      http://www.spamhaus.org/XBL/).
+#
+# TODO Is there a point to keep per-vhost state?
+#
+# TODO Enhance the script to tail a log file - useful for test
+#      runs, in preparation for deployment.
+#
+# TODO Can we track connections as Apache creates and destroys them?
+#
+# TODO Command-line option to support multiple log formats. E.g. common,
+#      combined, vcombined, guardian.
+#
+# TODO Command-line option not to save state
+#
+
+use strict;
+use Time::Local;
+# SPREAD UNCOMMENT
+# use Spread;
+
+
+# -- Configuration----------------------------------------------------------
+
+my $USE_SPREAD = 0;
+my $SPREAD_CLIENT_NAME = "httpd-guardian";
+my $SPREAD_DAEMON = "3333";
+my $SPREAD_GROUP_NAME = "httpd-guardian";
+my $SPREAD_TIMEOUT = 1;
+
+# If defined, execute this command when a threshold is reached
+# block the IP address for one hour.
+# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
+# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
+#my $PROTECT_EXEC;
+
+# For testing only:
+my $PROTECT_EXEC = "/usr/bin/logger Possible DoS Attack from %s";
+
+# Max. speed allowed, in requests per
+# second, measured over an 1-minute period
+#my $THRESHOLD_1MIN = 2; # 120 requests in a minute
+
+# For testing only:
+my $THRESHOLD_1MIN = 0.01;
+
+# Max. speed allowed, in requests per
+# second, measured over a 5-minute period
+my $THRESHOLD_5MIN = 1; # 360 requests in 5 minutes
+
+# If defined, httpd-guardian will make a copy
+# of the data it receives from Apache
+# $COPY_LOG = "";
+my $COPY_LOG;
+
+# Remove IP address data after a 10-minute inactivity
+my $STALE_INTERVAL = 400;
+
+# Where to save state (at this point only useful
+# for monitoring what the script does)
+my $SAVE_STATE_FILE = "/tmp/httpd-guardian.state";
+
+# How often to save state (in seconds).
+my $SAVE_STATE_INTERVAL = 10;
+
+my $DEBUG = 0;
+
+
+# -----------------------------------------------------------------
+
+my %months = (
+    "Jan" => 0,
+    "Feb" => 1,
+    "Mar" => 2,
+    "Apr" => 3,
+    "May" => 4,
+    "Jun" => 5,
+    "Jul" => 6,
+    "Aug" => 7,
+    "Sep" => 8, 
+    "Oct" => 9,
+    "Nov" => 10,
+    "Dec" => 11
+);
+
+# -- log parsing regular expression
+
+
+# 127.0.0.1 192.168.2.11 - - [05/Jul/2005:16:56:54 +0100]
+# "GET /favicon.ico HTTP/1.1" 404 285 "-"
+# "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
+# - "-" 0 0 "-" 0
+
+my $logline_regex = "";
+
+# hostname
+$logline_regex .= "^(\\S+)";
+# remote host, remote username, local username
+$logline_regex .= "\\ (\\S+)\\ (\\S+)\\ (\\S+)";
+# date, time, and gmt offset
+$logline_regex .= "\\ \\[([^:]+):(\\d+:\\d+:\\d+)\\ ([^\\]]+)\\]";
+# request method + request uri + protocol (as one field)
+$logline_regex .= "\\ \"(.*)\"";
+# status, bytes out
+$logline_regex .= "\\ (\\d+)\\ (\\S+)";
+# referer, user_agent
+$logline_regex .= "\\ \"(.*)\"\\ \"(.*)\"";
+# uniqueid, session, duration, duration_msec
+$logline_regex .= "\\ (\\S+)\\ \"(.*)\"\\ (\\d+)\\ (\\d+)";
+# modsec_message, modsec_rating
+$logline_regex .= "\\ \"(.*)\"\\ (\\d+)";
+
+# the rest (always keep this part of the regex)
+$logline_regex .= "(.*)\$";
+
+my $therequest_regex = "(\\S+)\\ (.*?)\\ (\\S+)";
+
+# use strict
+my %ipaddresses = ();
+my %request;
+my $current_time;
+my $last_state_save;
+
+sub parse_logline {
+    $_ = shift;
+
+    my %request = ();
+    $request{"invalid"} = 0;
+
+    my @parsed_logline = /$logline_regex/x;
+    if (@parsed_logline == 0) {
+        return (0,0);
+    }
+
+    (
+        $request{"hostname"},
+        $request{"remote_ip"},
+        $request{"remote_username"},
+        $request{"username"},
+        $request{"date"},
+        $request{"time"},
+        $request{"gmt_offset"},
+        $request{"the_request"},
+        $request{"status"},
+        $request{"bytes_out"},
+        $request{"referer"},
+        $request{"user_agent"},
+        $request{"unique_id"},
+        $request{"session_id"},
+        $request{"duration"},
+        $request{"duration_msec"},
+        $request{"modsec_message"},
+        $request{"modsec_rating"},
+        $request{"the_rest"}
+    ) = @parsed_logline;
+
+    if ($DEBUG == 2) {
+        print "\n";
+        print "hostname = " . $request{"hostname"} . "\n";
+        print "remote_ip = " . $request{"remote_ip"} . "\n";
+        print "remote_username = " . $request{"remote_username"} . "\n";
+        print "username = " . $request{"username"} . "\n";
+        print "date = " . $request{"date"} . "\n";
+        print "time = " . $request{"time"} . "\n";
+        print "gmt_offset = " . $request{"gmt_offset"} . "\n";
+        print "the_request = " . $request{"the_request"} . "\n";
+        print "status = " . $request{"status"} . "\n";
+        print "bytes_out = " . $request{"bytes_out"} . "\n";
+        print "referer = " . $request{"referer"} . "\n";
+        print "user_agent = " . $request{"user_agent"} . "\n";
+        print "unique_id = " . $request{"unique_id"} . "\n";
+        print "session_id = " . $request{"session_id"} . "\n";
+        print "duration = " . $request{"duration"} . "\n";
+        print "duration_msec = " . $request{"duration_msec"} . "\n";
+        print "modsec_message = " . $request{"modsec_message"} . "\n";
+        print "modsec_rating = " . $request{"modsec_rating"} . "\n";
+        print "\n\n";
+    }
+
+    # parse the request line
+    $_ = $request{"the_request"};
+    my @parsed_therequest = /$therequest_regex/x;
+    if (@parsed_therequest == 0) {
+        $request{"invalid"} = "1";
+        $request{"request_method"} = "";
+        $request{"request_uri"} = "";
+        $request{"protocol"} = "";
+    } else {
+        (
+            $request{"request_method"},
+            $request{"request_uri"},
+            $request{"protocol"}
+        ) = @parsed_therequest;
+    }
+
+    if ($request{"bytes_out"} eq "-") {
+        $request{"bytes_out"} = 0;
+    }
+
+    # print "date=" . $request{"date"} . "\n";
+    (
+        $request{"time_mday"},
+        $request{"time_mon"},
+        $request{"time_year"}
+    ) = ( $request{"date"} =~ m/^(\d+)\/(\S+)\/(\d+)/x );
+
+    # print "time=" . $request{"time"} . "\n";
+    (
+        $request{"time_hour"},
+        $request{"time_min"},
+        $request{"time_sec"}
+    ) = ( $request{"time"} =~ m/(\d+):(\d+):(\d+)/x );
+
+    $request{"time_mon"} = $months{$request{"time_mon"}};
+
+    $request{"time_epoch"} = timelocal(
+        $request{"time_sec"},
+        $request{"time_min"},
+        $request{"time_hour"},
+        $request{"time_mday"},
+        $request{"time_mon"},
+        $request{"time_year"}
+    );
+
+    # print %request;
+
+    my $offset = index($request{"request_uri"}, "?");
+    if ($offset != -1) {
+        $request{"script_name"} = substr($request{"request_uri"}, 0, $offset);
+        $request{"query_string"} = substr($request{"request_uri"}, $offset + 1);
+    } else {
+        $request{"script_name"} = $request{"request_uri"};
+        $request{"query_string"} = "";
+    }
+
+    $request{"request_uri"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
+    $request{"query_string"} =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
+
+    return %request;
+}
+
+sub update_ip_address() {
+    my $ipd = $ipaddresses{$request{"remote_ip"}};
+    if (defined($$ipd{"counter"})) {
+        $$ipd{"counter"} = $$ipd{"counter"} + 1;
+
+        if ($DEBUG) {
+            print STDERR "httpd-guardian: Incrementing counter for " . $request{"remote_ip"} . " (" . $$ipd{"counter"} . ")\n";
+        }
+
+        my($exec) = 0;
+
+        # check the 1 min counter
+        if ($current_time - $$ipd{"time_1min"} > 60) {
+            # check the counters
+            my $speed = ($$ipd{"counter"} - $$ipd{"counter_1min"}) / ($current_time - $$ipd{"time_1min"});
+            if ($speed > $THRESHOLD_1MIN) {
+                print STDERR "httpd-guardian: IP address " . $ipaddresses{$request{"remote_ip"}} . " reached the 1 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_1MIN req/sec)\n";
+                $exec = 1;
+            }
+
+            # reset the 1 min counter
+            $$ipd{"time_1min"} = $current_time;
+            $$ipd{"counter_1min"} = $$ipd{"counter"};
+        }
+
+        # check the 5 min counter
+        if ($current_time - $$ipd{"time_5min"} > 360) {
+            # check the counters
+            my $speed = ($$ipd{"counter"} - $$ipd{"counter_5min"}) / ($current_time - $$ipd{"time_5min"});
+            if ($speed > $THRESHOLD_5MIN) {
+                print STDERR "httpd-guardian: IP address " . $request{"remote_ip"} . " reached the 5 min threshold (speed = $speed req/sec, threshold = $THRESHOLD_5MIN req/sec)\n";
+                $exec = 1;
+            }
+
+            # reset the 5 min counter
+            $$ipd{"time_5min"} = $current_time;
+            $$ipd{"counter_5min"} = $$ipd{"counter"};
+        }
+    
+        if (($exec == 1)&&(defined($PROTECT_EXEC))) {
+            my $cmd = sprintf($PROTECT_EXEC, $request{"remote_ip"});
+            print STDERR "httpd-guardian: Executing: $cmd\n";
+            system($cmd);
+        }
+
+    } else {
+        # start tracking this email address
+        my %ipd = ();
+        $ipd{"counter"} = 1;
+        $ipd{"counter_1min"} = 1;
+        $ipd{"time_1min"} = $current_time;
+        $ipd{"counter_5min"} = 1;
+        $ipd{"time_5min"} = $current_time;
+        $ipaddresses{$request{"remote_ip"}} = \%ipd;
+    }
+}
+
+sub process_log_line {
+    update_ip_address();
+}
+
+sub remove_stale_data {
+    while(my($key, $value) = each(%ipaddresses)) {
+        if ($current_time - $$value{"time_1min"} > $STALE_INTERVAL) {
+            if ($DEBUG) {
+                print STDERR "httpd-guardian: Removing key $key\n";
+            }
+            delete($ipaddresses{$key});
+        }
+    }
+}
+
+sub save_state {
+    if (!defined($SAVE_STATE_FILE)) {
+        return;
+    }
+
+    if (!defined($last_state_save)) {
+        $last_state_save = 0;
+    }
+
+    if ($current_time - $last_state_save > $SAVE_STATE_INTERVAL) {
+        open(FILE, ">$SAVE_STATE_FILE") || die("Failed to save state to $SAVE_STATE_FILE");
+        print FILE "# $current_time\n";
+        print FILE "# IP Address\x09Counter\x09\x091min (time)\x095min (time)\n";
+        while(my($key, $value) = each(%ipaddresses)) {
+            print FILE ("$key" . "\x09" . $$value{"counter"} . "\x09\x09" . $$value{"counter_1min"} . " (" . $$value{"time_1min"} . ")\x09" . $$value{"counter_5min"} . " (" . $$value{"time_5min"} . ")\n");
+        }
+        close(FILE);
+        $last_state_save = $current_time;
+    }
+}
+
+# load state from $SAVE_STATE_FILE, store the data into $ipaddresses
+sub load_state {
+    return unless ( defined $SAVE_STATE_FILE );
+    return unless ( -e $SAVE_STATE_FILE && -r $SAVE_STATE_FILE );
+    open my $fd, "<", $SAVE_STATE_FILE
+        or die "cannot open state file for reading : $SAVE_STATE_FILE : $!";
+    while (<$fd>) {
+        s/^\s+//;
+        next if /^#/;
+        #--------------------------------------------------
+        # # 1133599679
+        # # IP Address  Counter     1min (time)         5min (time)
+        # 211.19.48.12  396         396 (1133599679)    395 (1133599379)
+        #-------------------------------------------------- 
+        my ($addr, $counter, $time1, $time5) = split /\t+/, $_; # TAB
+        my ($counter_1min, $time_1min) = split /\s+/, $time1;
+        my ($counter_5min, $time_5min) = split /\s+/, $time5;
+        $ipaddresses{$addr} = {
+            counter         => $counter,
+            counter_1min    => $counter_1min,
+            time_1min       => chop_brace($time_1min),
+            counter_5min    => $counter_5min,
+            time_5min       => chop_brace($time_5min),
+        }
+    }
+    close $fd;
+}
+
+# return strings between braces
+sub chop_brace {
+	my $str = shift;
+	$str =~ /\((.*)\)/;
+	return $1;
+}
+sub process_line {
+    my $line = shift(@_);
+
+    if (defined($COPY_LOG)) {
+        print COPY_LOG_FD $line;
+    }
+
+    if ($DEBUG) {
+        print STDERR "httpd-guardian: Received: $line";
+    }
+
+    %request = parse_logline($line);
+    if (!defined($request{0})) {
+        # TODO verify IP address is in correct format
+
+        # extract the time from the log line, to allow the
+        # script to be used for batch processing too
+        $current_time = $request{"time_epoch"};
+
+        remove_stale_data();
+        process_log_line();
+        save_state();
+    } else {
+        print STDERR "Failed to parse line: " . $line;
+    }
+}
+
+# -----------------------------------
+
+load_state();
+if (defined($COPY_LOG)) {
+    open(COPY_LOG_FD, ">>$COPY_LOG") || die("Failed to open $COPY_LOG for writing");
+    # enable autoflush on the file descriptor
+    $| = 1, select $_ for select COPY_LOG_FD;  
+}
+
+if ($USE_SPREAD) {
+    my($sperrno);
+    my %args;
+
+    $args{"spread_name"} = $SPREAD_DAEMON;
+    $args{"private_name"} = $SPREAD_CLIENT_NAME;
+
+    my($mbox, $privategroup) = Spread::connect(\%args);
+    if (!defined($mbox)) {
+        die "Failed to connect to Spread daemon: $sperrno\n";
+    }
+
+    Spread::join($mbox, $SPREAD_GROUP_NAME);
+
+    for(;;) {
+        my($st, $s, $g, $mt, $e, $msg);
+        while(($st, $s, $g, $mt, $e, $msg) = Spread::receive($mbox, $SPREAD_TIMEOUT)) {
+            if ((defined($st))&&($st == 2)&&(defined($msg))) {
+                process_line($msg . "\n");
+            }
+        }
+    }
+
+} else {
+    while(<STDIN>) {
+        process_line($_);    
+    }
+}
+
+if (defined($COPY_LOG)) {
+    close(COPY_LOG_FD);
+}
+
diff --git a/rules/util/modsec-clamscan.pl b/rules/util/modsec-clamscan.pl
new file mode 100755
index 00000000..dcf2cf60
--- /dev/null
+++ b/rules/util/modsec-clamscan.pl
@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+#
+# modsec-clamscan.pl
+# ModSecurity for Apache (http://www.modsecurity.org)
+# Copyright (c) 2002-2007 Breach Security, Inc. (http://www.breach.com)
+#
+# This script is an interface between mod_security and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+# by default use the command-line version of ClamAV,
+# which is slower but more likely to work out of the
+# box
+$CLAMSCAN = "/usr/bin/clamscan";
+
+# using ClamAV in daemon mode is faster since the
+# anti-virus engine is already running, but you also
+# need to configure file permissions to allow ClamAV,
+# usually running as a user other than the one Apache
+# is running as, to access the files
+# $CLAMSCAN = "/usr/bin/clamdscan";
+
+if (@ARGV != 1) {
+    print "Usage: modsec-clamscan.pl <filename>\n";
+    exit;
+}
+
+my ($FILE) = @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+    $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+    $output = "1 clamscan: OK";
+}
+
+print "$output\n";
diff --git a/rules/util/runav.pl b/rules/util/runav.pl
new file mode 100755
index 00000000..4cc245ad
--- /dev/null
+++ b/rules/util/runav.pl
@@ -0,0 +1,40 @@
+#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2007 Breach Security
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+    print "Usage: modsec-clamscan.pl <filename>\n";
+    exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+    $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+    $output = "1 clamscan: OK";
+}
+
+print "$output\n";
\ No newline at end of file