Fixed files overwriting in installer; added OWASP CRS.

2025-10-01 03:57:47 +03:00 · 2013-02-05 16:36:29 -08:00
parent 635a573894
commit c1ba71ab16
134 changed files with 33445 additions and 0 deletions
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_bad_robots.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_bad_robots.data
@@ -0,0 +1,145 @@
+webmole
+wisenutbot
+prowebwalker
+hanzoweb
+email
+toata dragostea mea pentru diavola
+gameBoy, powered by nintendo
+missigua
+poe-component-client
+emailsiphon
+adsarobot
+under the rainbow 2.
+nessus
+floodgate
+email extractor
+webaltbot
+contactbot/
+butch__2.1.1
+pe 1.4
+indy library
+autoemailspider
+mozilla/3.mozilla/2.01
+fantombrowser
+digout4uagent
+panscient.com
+telesoft
+; widows
+converacrawler
+www.weblogs.com
+murzillo compatible
+isc systems irc search 2.1
+emailmagnet
+microsoft url control
+datacha0s
+emailwolf
+production bot
+sitesnagger
+webbandit
+web by mail
+faxobot
+grub crawler
+jakarta
+eirgrabber
+webemailextrac
+extractorpro
+attache
+educate search vxb
+8484 boston project
+franklin locator
+nokia-waptoolkit
+mailto:craftbot@yahoo.com
+full web bot
+pcbrowser
+psurf
+user-Agent
+pleasecrawl/1.
+kenjin spider
+gecko/25
+no browser
+webster pro
+wep Search 00
+grub-client
+fastlwspider
+this is an exploit
+contentsmartz
+teleport pro
+dts agent
+nikto
+morzilla
+via
+atomic_email_hunter
+program shareware 1.0.
+ecollector
+emailcollect
+china local browse 2.
+backdoor
+stress test
+foobar/
+emailreaper
+xmlrpc exploit
+compatible ; msie
+s.t.a.l.k.e.r.
+compatible-
+webvulnscan
+nameofagent
+copyrightcheck
+advanced email extractor
+surveybot
+compatible ;.
+searchbot admin@google
+wordpress/4.01
+webemailextract
+larbin@unspecified
+turing machine
+zeus
+windows-update-agent
+morfeus fucking scanner
+user-agent:
+voideye
+mosiac 1
+chinaclaw
+newt activeX; win32
+web downloader
+safexplorer tl
+agdm79@mail.ru
+cheesebot
+hhjhj@yahoo
+fiddler
+psycheclone
+microsoft internet explorer/5.0
+core-project/1
+atspider
+copyguard
+neuralbot/0.2
+wordpress hash grabber
+amiga-aweb/3.4
+packrat
+rsync
+crescent internet toolpak
+security scan
+vadixbot
+concealed defense
+a href=
+bwh3_user_agent
+internet ninja
+microsoft url
+emailharvest
+shai
+wisebot
+internet exploiter sux
+wells search ii
+webroot
+digimarc webreader
+botversion
+black hole
+windows xp 5
+w3mir
+pmafind
+athens
+hl_ftien_spider
+ injection
+takeout
+eo browse
+cherrypicker
+internet-exprorer
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_scanners.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_35_scanners.data
@@ -0,0 +1,35 @@
+grabber
+cgichk
+bsqlbf
+mozilla/4.0 (compatible)
+sqlmap
+mozilla/4.0 (compatible; msie 6.0; win32)
+mozilla/5.0 sf//
+nessus
+arachni
+metis
+sql power injector
+bilbo
+absinthe
+black widow
+n-stealth
+brutus
+webtrends security analyzer
+netsparker
+python-httplib2
+jaascois
+pmafind
+.nasl
+nsauditor
+paros
+dirbuster
+pangolin
+nmap nse
+sqlninja
+nikto
+webinspect
+blackwidow
+grendel-scan
+havij
+w3af
+hydra
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_40_generic_attacks.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_40_generic_attacks.data
@@ -0,0 +1,445 @@
+set-cookie
+.cookie
+expiressys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+mysql.
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_name
+sqrt
+insert
+date
+instr
+floor
+autonomous_transaction
+print
+encode
+coalesce
+if
+degrees
+release_lock
+procedure_analyse
+password
+least
+cr32
+subdate
+xp_filelist
+owa_util
+trim
+xp_regenumkeys
+charset
+ciel
+bit_or
+delete
+time
+month
+xp_execresultset
+round
+dba_users
+is
+master_pos_wait
+decode
+unhex
+char_length
+strcmp
+rtrim
+'sa'
+version
+ord
+xp_makecab
+truncate
+last
+concat
+coercibility
+right
+length
+ascii
+var_samp
+char
+extract
+get_
+bit_length
+xp_regread
+export_set
+aes_decrypt
+name_const
+left
+conv
+bin
+not_in
+infile
+substr
+uuid
+is_srvrolemember
+var_pop
+ln
+aes_encrypt
+outfile
+current_date
+quote
+in
+user
+locate
+@@version
+exp
+current_timestamp
+sql_longvarchar
+values
+subtime
+xp_loginconfig
+sin
+xp_regaddmultistring
+replace
+tan
+xmltype
+character_length
+cast
+current_time
+varchar
+position
+to_number
+addtime
+mid
+found_rows
+stddev
+xp_availablemedia
+substring
+dumpfile
+isnull
+cot
+select
+concat_ws
+convert
+uncompress
+radians
+uncompressed_length
+acos
+'sqloledb'
+dbms_pipe.receive_message
+utl_http
+cieling
+row_count
+benchmark
+sec_to_time
+sysdate
+hour
+current_user
+utc_
+curdate
+nvarchar
+schema
+data_type
+lcase
+inner
+make_set
+day
+tbcreator
+sum
+sign
+adddate
+ltrim
+variance
+weight_string
+second
+microsecond
+system_user
+abs
+ifnull
+minute
+unix_timestamp
+collation
+curtime
+lower
+repeat
+sp_oacreate
+group_concat
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+quarter
+local
+str_to_date
+nullif
+from_
+old_password
+xp_regdeletevalue
+asin
+oct
+load_file
+sp_password
+bit_xor
+xp_regremovemultistring
+chr
+avg
+std
+openquery
+makedate
+database
+updatexml
+datediff
+now
+year
+mod
+bit_and
+lpad
+xp_enumdsn
+max
+period_
+soundex
+shutdown
+bit_count
+field
+connection_id
+sha
+default
+interval
+xp_dirtree
+reverse
+ucase
+compress
+xp_terminate_process
+md5
+rpad
+session_user
+find_in_set
+dump
+convert_tz
+having
+des_
+greatest
+xp_regenumvalues
+utl_file
+cos
+log
+pi
+sql_variant
+encrypt
+upper
+rand
+week
+min
+xp_cmdshell
+'msdasql'
+space
+sp_executesql
+elt
+pow
+'dbo'
+sp_makewebtask
+dbms_java
+to_
+format
+xp_regwrite
+sp_helpjscript
+onsubmit
+copyparentfolder
+document
+javascript
+meta
+onchange
+onmove
+onkeydown
+onkeyup
+activexobject
+onerror
+onmouseup
+ecmascript
+bexpression
+onmouseover
+vbscript:
+<![cdata[
+http:
+.innerhtml
+settimeout
+shell:
+onabort
+asfunction:
+onkeypress
+onmousedown
+onclick
+.fromcharcode
+background-image:
+x-javascript
+ondragdrop
+onblur
+mocha:
+javascript:
+onfocus
+lowsrc
+getparentfolder
+onresize
+@import
+alert
+script
+onselect
+onmouseout
+application
+onmousemove
+background
+.execscript
+livescript:
+vbscript
+getspecialfolder
+.addimport
+iframe
+onunload
+createtextrange
+<input
+onload.www_acl
+.htpasswd
+.htaccess
+httpd.conf
+boot.ini
+/etc/
+.htgroup
+global.asa
+.wwwaclnet.exe
+cmd.exe
+cmd
+telnet.exe
+wguest.exe
+ftp.exe
+nmap.exe
+wsh.exe
+rcmd.exe
+nc.exe
+cmd32.exechgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++chgrp
+cmd32
+uname
+kill
+localgroup
+wguest.exe
+nasm
+rcmd.exe
+nc.exe
+id
+nc
+tclsh
+finger
+tftp
+cmd
+chown
+chsh
+ping
+nmap.exe
+ps
+net.exe
+telnet.exe
+ls
+tclsh8
+ftp.exe
+ftp
+lsof
+xterm
+mail
+echo
+tracert
+nmap
+cmd.exe
+rm
+python
+cd
+traceroute
+chmod
+perl
+passwd
+wsh.exe
+cpp
+telnet
+gcc
+g++<?
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_41_sql_injection_attacks.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_41_sql_injection_attacks.data
@@ -0,0 +1,282 @@
+sys.user_objects
+sys.user_triggers
+@@spid
+msysaces
+instr
+sys.user_views
+mysql.
+sys.tab
+charindex
+locate
+sys.user_catalog
+constraint_type
+msysobjects
+attnotnull
+select
+sys.user_tables
+sys.user_constraints
+sys.user_tab_columns
+waitfor
+sys.all_tables
+msysrelationships
+msyscolumns
+msysqueriessubstr
+xtype
+textpos
+all_objects
+rownum
+sysfilegroups
+sysprocesses
+user_group
+sysobjects
+systables
+user_tables
+pg_attribute
+column_id
+user_password
+user_users
+attrelid
+user_tab_columns
+table_name
+pg_class
+user_constraints
+user_objects
+object_type
+sysconstraints
+mb_users
+column_name
+atttypid
+substring
+object_id
+syscat
+sysibm
+user_ind_columns
+syscolumns
+sysdba
+object_name
+sqrt
+insert
+date
+instr
+floor
+autonomous_transaction
+print
+encode
+coalesce
+if
+degrees
+release_lock
+procedure_analyse
+password
+least
+cr32
+subdate
+xp_filelist
+owa_util
+trim
+xp_regenumkeys
+charset
+ciel
+bit_or
+delete
+time
+month
+xp_execresultset
+round
+dba_users
+is
+master_pos_wait
+decode
+unhex
+char_length
+strcmp
+rtrim
+'sa'
+version
+ord
+xp_makecab
+truncate
+last
+concat
+coercibility
+right
+length
+ascii
+var_samp
+char
+extract
+get_
+bit_length
+xp_regread
+export_set
+aes_decrypt
+name_const
+left
+conv
+bin
+not_in
+infile
+substr
+uuid
+is_srvrolemember
+var_pop
+ln
+aes_encrypt
+outfile
+current_date
+quote
+in
+user
+locate
+@@version
+exp
+current_timestamp
+sql_longvarchar
+values
+subtime
+xp_loginconfig
+sin
+xp_regaddmultistring
+replace
+tan
+xmltype
+character_length
+cast
+current_time
+varchar
+position
+to_number
+addtime
+mid
+found_rows
+stddev
+xp_availablemedia
+substring
+dumpfile
+isnull
+cot
+select
+concat_ws
+convert
+uncompress
+radians
+uncompressed_length
+acos
+'sqloledb'
+dbms_pipe.receive_message
+utl_http
+cieling
+row_count
+benchmark
+sec_to_time
+sysdate
+hour
+current_user
+utc_
+curdate
+nvarchar
+schema
+data_type
+lcase
+inner
+make_set
+day
+tbcreator
+sum
+sign
+adddate
+ltrim
+variance
+weight_string
+second
+microsecond
+system_user
+abs
+ifnull
+minute
+unix_timestamp
+collation
+curtime
+lower
+repeat
+sp_oacreate
+group_concat
+sp_execute
+xp_ntsec
+xp_regdeletekey
+drop
+quarter
+local
+str_to_date
+nullif
+from_
+old_password
+xp_regdeletevalue
+asin
+oct
+load_file
+sp_password
+bit_xor
+xp_regremovemultistring
+chr
+avg
+std
+openquery
+makedate
+database
+updatexml
+datediff
+now
+year
+mod
+bit_and
+lpad
+xp_enumdsn
+max
+period_
+soundex
+shutdown
+bit_count
+field
+connection_id
+sha
+default
+interval
+xp_dirtree
+reverse
+ucase
+compress
+xp_terminate_process
+md5
+rpad
+session_user
+find_in_set
+dump
+convert_tz
+having
+des_
+greatest
+xp_regenumvalues
+utl_file
+cos
+log
+pi
+sql_variant
+encrypt
+upper
+rand
+week
+min
+xp_cmdshell
+'msdasql'
+space
+sp_executesql
+elt
+pow
+'dbo'
+sp_makewebtask
+dbms_java
+to_
+format
+xp_regwrite
+sp_help
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound.data
@@ -0,0 +1,92 @@
+<TITLE>Index of
+><br>
+<title>Index ofMicrosoft VBScript runtime (0x8
+error '800
+Application uses a value of the wrong type for the current operation
+Microsoft VBScript compilation (0x8
+Microsoft VBScript compilation error
+Microsoft .NET Framework Version:
+A trappable error occurred in an external object. The script cannot continue running
+rror
+Microsoft VBScript runtime Error
+>Syntax error in string in query expression
+ADODB.Command
+Object required: '
+<b>Version Information:</b> does not match with a table name or alias name used in the query
+You have an error in your SQL syntax near '
+Wora_
+Wpg_
+select list because it is not contained in either an aggregate function or the GROUP BY clause
+Syntax error converting the 
+supplied argument is not a valid MS SQL
+supplied argument is not a valid Oracle
+Unclosed quotation mark before the character string
+Warning: mysql_connect():
+Unable to connect to PostgreSQL server:
+SQL Server does not exist or access denied
+supplied argument is not a valid PostgreSQL result
+Microsoft OLE DB Provider for 
+Access Database Engine
+Either BOF or EOF is True, or the current record has been deleted
+supplied argument is not a valid ODBC
+supplied argument is not a valid MySQL
+WRoadhouse
+You have an error in your SQL syntax
+error '800a01b8'
+ data type as an argument.
+SQL syntax
+select list because it is not contained in an aggregate function and there is no GROUP BY clause
+' in sysservers. execute sp_addlinkedserver
+incorrect syntax near These statistics were produced by PeLAB
+This analysis was produced by
+These statistics were produced by getstats
+This report was generated by WebLog
+ebalizer
+This summary was generated byfgets
+ftp_put
+ftp_nb_put
+fopen
+readdir
+$_post
+ftp_nb_fput
+ftp_get
+scandir
+readgzfile
+proc_open
+ftp_fput
+fwrite
+session_start
+gzopen
+$_session
+move_uploaded_file
+readfile
+ftp_fget
+gzencode
+bzopen
+gzread
+call_user_func
+ftp_nb_fget
+$_get
+fscanf
+fread
+fgetc
+ftp_nb_get
+fgetss
+gzwrite
+gzcompressserver.urlencode
+server.createobject
+scripting.filesystemobject
+server.execute
+wscript.shell
+<jsp:
+.createtextfile
+.addheader
+wscript.network
+javax.servlet
+.loadfromfile
+server.mappath
+vbscript.encode
+server.htmlencode
+response.write
+response.binarywrite
+.getfile
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound_malware.data
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_50_outbound_malware.data
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_20_protocol_violations.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_20_protocol_violations.conf
@@ -0,0 +1,539 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Some protocol violations are common in application layer attacks. 
+# Validating HTTP requests eliminates a large number of application layer attacks.
+#
+# The purpose of this rules file is to enforce HTTP RFC requirements that state how 
+# the client is supposed to interact with the server.
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
+#
+
+#
+# Validate request line against the format specified in the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+#
+# Uses rule negation against the regex for positive security.  The regex specifies the proper
+# construction of URI request lines such as:
+#
+# 	"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] 
+#
+# It also outlines proper construction for CONNECT, OPTIONS and GET requests.  
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
+# http://capec.mitre.org/data/definitions/272.html
+# 
+SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"\
+  "msg:'Invalid HTTP Request Line',\
+  severity:'4',\
+  id:'960911',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'2',\
+  maturity:'9',\
+  accuracy:'9',\
+  logdata:'%{request_line}',\
+  phase:1,\
+  block,\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
+  tag:'CAPEC-272',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Identify Invalid URIs Blocked by Apache 
+#
+# -=[ Rule Logic ]=-
+#
+# There are some request violations that Apache will handle internally, prior to the
+# ModSecurity phase:1 POST-READ-REQUEST hook.  For these requests, we can still get
+# visibility by running a check in phase:5 logging to look for the Apache error msg.
+#
+# -=[ References ]=-
+#
+SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
+  "msg:'Apache Error: Invalid URI in Request.', \
+  severity:'4', \
+  id:'981227', \
+  ver:'OWASP_CRS/2.2.6', \
+  rev:'1', \
+  maturity:'9', \
+  accuracy:'9', \
+  logdata:'%{request_line}', \
+  phase:5, \
+  pass, \
+  t:none, \
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
+  tag:'CAPEC-272', \
+  setvar:'tx.msg=%{rule.msg}', \
+  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+#
+# Identify multipart/form-data name evasion attempts 
+#
+# There are possible impedance mismatches between how
+# ModSecurity interprets multipart file names and how
+# a destination app server such as PHP might parse the
+# Content-Disposition data:
+#
+#       filename-parm := "filename" "=" value
+#
+# -=[ Rule Logic ]=-
+# These rules check for the existence of the ' " ; = meta-characters in
+# either the file or file name variables.
+#
+# -=[ References ]=-
+# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
+# http://www.ietf.org/rfc/rfc2183.txt
+#
+SecRule FILES_NAMES|FILES "['\";=]" \
+  "msg:'Attempted multipart/form-data bypass', \
+  severity:'2', \
+  id:'960000', \
+  ver:'OWASP_CRS/2.2.6', \
+  rev:'1', \
+  maturity:'9', \
+  accuracy:'7', \
+  logdata:'%{matched_var}', \
+  phase:2, \
+  block, \
+  t:none,t:urlDecodeUni, \
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
+  tag:'CAPEC-272', \
+  setvar:'tx.msg=%{rule.msg}', \
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Verify that we've correctly processed the request body.
+#
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+# -=[ Rule Logic ]=-
+# Checks for the existence of the REQBODY_ERROR variable that is created
+# by the request body processor if it encounters errors.
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR
+# 
+SecRule REQBODY_ERROR "!@eq 0" \
+  "msg:'Failed to parse request body.', \
+  severity:'2', \
+  id:'960912', \
+  ver:'OWASP_CRS/2.2.6', \
+  rev:'1', \
+  maturity:'9', \
+  accuracy:'9', \
+  logdata:'%{REQBODY_ERROR_MSG}', \
+  phase:2, \
+  block, \
+  t:none, \
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
+  tag:'CAPEC-272', \
+  setvar:'tx.msg=%{rule.msg}', \
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Strict Multipart Parsing Checks
+#
+# -=[ Rule Logic ]=-
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+  "msg:'Multipart request body failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_SEMICOLON_MISSING}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}', \
+  severity:'2', \
+  id:'960914', \
+  ver:'OWASP_CRS/2.2.6', \
+  rev:'1', \
+  maturity:'8', \
+  accuracy:'7', \
+  phase:2, \
+  block, \
+  t:none, \
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
+  tag:'CAPEC-272', \
+  setvar:'tx.msg=%{rule.msg}', \
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Multipart Unmatched Boundary Check
+#
+# -=[ Rule Logic ]=-
+# Check for the MULTIPART_UNMATCHED_BOUNDARY flag and alert
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_UNMATCHED_BOUNDARY
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+  "msg:'Multipart parser detected a possible unmatched boundary.', \
+  severity:'2', \
+  id:'960915', \
+  ver:'OWASP_CRS/2.2.6', \
+  rev:'1', \
+  maturity:'8', \
+  accuracy:'8', \
+  phase:2, \
+  block, \
+  t:none, \
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ', \
+  tag:'CAPEC-272', \
+  setvar:'tx.msg=%{rule.msg}', \
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, \
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Accept only digits in content length 
+#
+# -=[ Rule Logic ]=-
+# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
+# is NOT all digits, then it will match.
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
+#
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
+  "msg:'Content-Length HTTP header is not numeric.',\
+  severity:'2',\
+  id:'960016',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'1',\
+  maturity:'9',\
+  accuracy:'9',\
+  phase:1,\
+  block,\
+  logdata:'%{matched_var}',\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+  tag:'CAPEC-272',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Do not accept GET or HEAD requests with bodies
+# HTTP standard allows GET requests to have a body but this
+# feature is not used in real life. Attackers could try to force
+# a request body on an unsuspecting web applications.
+#
+# -=[ Rule Logic ]=-
+# This is a chained rule that first checks the Request Method.  If it is a
+# GET or HEAD method, then it checks for the existence of a Content-Length
+# header.  If the header exists and its payload is either not a 0 digit or not
+# empty, then it will match.
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
+#
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
+  "msg:'GET or HEAD Request with Body Content.',\
+  severity:'2',\
+  id:'960011',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'1',\
+  maturity:'9',\
+  accuracy:'9',\
+  phase:1,\
+  block,\
+  logdata:'%{matched_var}',\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+  tag:'CAPEC-272',\
+  chain"
+	SecRule REQUEST_HEADERS:Content-Length "!^0?$"\
+	  "t:none,\
+	  setvar:'tx.msg=%{rule.msg}',\
+	  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+	  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Require Content-Length to be provided with every POST request.
+#
+# -=[ Rule Logic ]=-
+# This chained rule checks if the request method is POST, if so, it checks that a Content-Length
+# header is also present.
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
+# 
+SecRule REQUEST_METHOD "^POST$" \
+  "msg:'POST request missing Content-Length Header.',\
+  severity:'4',\
+  id:'960012',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'1',\
+  maturity:'9',\
+  accuracy:'9',\
+  phase:1,\
+  block,\
+  logdata:'%{matched_var}',\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+  tag:'CAPEC-272',\
+  chain"
+        SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
+          "t:none,\
+          setvar:'tx.msg=%{rule.msg}',\
+          setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
+          setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Deny inbound compressed content
+# identity The default (identity) encoding; the use of no transformation whatsoever. 
+# This content-coding is used only in the Accept- Encoding header, and SHOULD NOT be 
+# used in the Content-Encoding header. 
+#
+# -=[ Rule Logic ]=-
+# This rule inspects the Content-Encoding request header to ensure that Identity
+# is not specified. 
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html 
+#
+SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" \
+  "msg:'Invalid Use of Identity Encoding.',\
+  severity:'4',\
+  id:'960902',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'2',\
+  maturity:'9',\
+  accuracy:'9',\
+  phase:1,\
+  block,\
+  logdata:'%{matched_var}',\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+  tag:'CAPEC-272',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
+  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Expect header is an HTTP/1.1 protocol feature
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This chained rule looks for the Expect request header, and if it is found then it
+# checks the HTTP protocol version supplied by the client.  If it is version 1.0, the
+# rule matches.
+#
+# -=[ References ]=-
+# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
+#
+SecRule REQUEST_HEADERS:Expect "@contains 100-continue" \
+  "msg:'Expect Header Not Allowed for HTTP 1.0.',\
+  severity:'5',\
+  id:'960022',\
+  ver:'OWASP_CRS/2.2.6',\
+  rev:'2',\
+  maturity:'7',\
+  accuracy:'9',\
+  phase:1,\
+  block,\
+  logdata:'%{matched_var}',\
+  t:none,\
+  tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
+  tag:'CAPEC-272',\
+  chain"
+	SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
+	  "t:none,\
+	  setvar:'tx.msg=%{rule.msg}',\
+	  setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
+	  setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Pragma Header requires a Cache-Control Header
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This chained rule first checks for the existence of a Pragma request header.  If it is found,
+# then it checks for a corresponding Cache-Control header (as the HTTP 1.1 RFC states clients should submit
+# one).  If this is also missing, then it verifies the HTTP protocol version.  If it is 1.1 then the rule
+# matches. 
+#
+# -=[ References ]=-
+# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
+#	
+SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'"
+	SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
+		SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+#
+# Range Header Checks
+#
+# 1. Range Header exists and begins with 0 - normal browsers don't do this.
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This rule inspects the Range request header to see if it starts with 0. 
+#
+# -=[ References ]=-
+# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
+#
+# 2. Per RFC 2616 -
+#    "If the last-byte-pos value is present, it MUST be greater than or equal to the first-byte-pos in that byte-range-spec, 
+#    or the byte- range-spec is syntactically invalid."
+# -=[ Rule Logic ]=-
+# This rule compares the first and second byte ranges and flags when the first value is greater than the second.
+#
+# -=[ References ]=-
+# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
+# http://seclists.org/fulldisclosure/2011/Aug/175 
+#
+# 3. Identifies an excessive number of byte range fields within one request
+#  		
+SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}',severity:'4',id:'958291',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}',severity:'4',id:'958230',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+        SecRule TX:2 "!@ge %{tx.1}"
+
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'4',id:'958231',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Broken/Malicous clients often have duplicate or conflicting headers
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This rule inspects the Connection header and looks for duplicates of the
+# keep-alive and close options.
+#
+# -=[ References ]=-
+# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
+#
+SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:'%{matched_var}',id:'958295',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+
+#
+# Check URL encodings
+#
+# -=[ Rule Logic ]=-
+# There are two different chained rules.  We need to separate them as we are inspecting two
+# different variables - REQUEST_URI and REQUEST_BODY.  For REQUEST_BODY, we only want to 
+# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding. 
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc1738.txt
+#
+SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+	"chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
+	SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+        "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
+        SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+                SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Check UTF enconding
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# -=[ Rule Logic ]=-
+# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
+# variable in the modsecurity_crs_10_config.conf file.
+#
+SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'"
+	SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Disallow use of full-width unicode as decoding evasions my be possible.
+#
+# -=[ Rule Logic ]=-
+# This rule looks for full-width encoding by looking for %u following by 2 f characters
+# and then 2 hex characters. 
+# 
+# -=[ References ]=-
+# http://www.kb.cert.org/vuls/id/739224
+#
+SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
+  "t:none,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+#
+# Proxy access attempt
+# NOTE Apache blocks such access by default if not set as a proxy. The rule is 
+#      included in case Apache proxy is misconfigured.
+# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
+#      your local application and this rule allows it.
+# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable.
+#      If you have set UseCanonicalName, the you can uncomment this rule.
+#
+# -=[ Rule Logic ]=-
+# This chained rule first inspects the URI to see if a full domain name is specified.
+# If it is, then this data is compared against the Cononical SERVER_NAME.  If it does
+# not match, then the client is making a request for an off-site location.
+# 
+#SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'"
+#SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Restrict type of characters sent
+# NOTE In order to be broad and support localized applications this rule
+#      only validates that NULL Is not used.
+#
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
+#
+# -=[ Rule Logic ]=-
+# This rule uses the @validateByteRange operator to look for Nul Bytes.
+# If you set Paranoid Mode - it will check if your application use the range 32-126 for parameters.
+#
+# -=[ References ]=-
+# http://i-technica.com/whitestuff/asciichart.html
+#
+
+SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',block,msg:'Invalid character in request',id:'960901',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'7',block,msg:'Invalid character in request',id:'960018',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni"
+	SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \
+		"@validateByteRange 32-126" \
+			"t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -0,0 +1,108 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Some common HTTP usage patterns are indicative of attacks but may also be used by non-browsers for legitimate uses.
+# 
+# Do not accept requests without common headers.
+# All normal web browsers include Host, User-Agent and Accept headers.
+# Implies either an attacker or a legitimate automation client.
+#
+
+#
+# Missing/Empty Host Header
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if a Host header is present.
+# The second check is to see if a Host header exists but is empty.
+#
+SecMarker BEGIN_HOST_CHECK
+
+	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    		"skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:Host "^$" \
+    		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Empty Host Header',id:'960007',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+    
+
+#
+# Missing/Empty Accept Header
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if an Accept header is present.
+# The second check is to see if an Accept header exists but is empty.
+#
+
+SecMarker BEGIN_ACCEPT_CHECK
+
+	SecRule REQUEST_METHOD "!^OPTIONS$" \
+    		"skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
+		SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_METHOD "!^OPTIONS$" \
+    		"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Has an Empty Accept Header',severity:'5',id:'960021',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
+		SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_ACCEPT_CHECK
+
+#
+# Missing/Empty User-Agent Header
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if a User-Agent header is present.
+# The second check is to see if a User-Agent header exists but is empty.
+#
+
+SecMarker BEGIN_UA_CHECK
+
+	SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+    		"skipAfter:END_UA_CHECK,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+	SecRule REQUEST_HEADERS:User-Agent "^$" \
+    		"phase:2,t:none,block,msg:'Empty User Agent Header',id:'960006',rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_UA_CHECK
+
+#
+# Missing Content-Type Header with Request Body 
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if a Content-Type header is missing.
+# The second check is to see if a Content-Length header is present and is
+# not empty or contains a 0.  If the Content-Length header contains other data
+# than this means that there is a request body and the RFC states that there
+# MUST be a Content-Type header so that the app knows how to parse the data.
+#
+
+SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+    "chain,phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+	SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+# Check that the host header is not an IP address 
+# This is not an HTTP RFC violation but it is indicative of automated client access.
+# Many web-based worms propagate by scanning IP address blocks.
+#
+# -=[ Rule Logic ]=-
+# This rule triggers if the Host header contains all digits (and possible port)
+#
+# -=[ References ]=-
+# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
+#
+
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
+
+# Log a security event when the request is rejected by apache
+#
+# You must patch mod_unique_id for this to work correctly.  See the following
+# mod-security-users mail-list post for the patch details -
+# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
+#
+#SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,block,msg:'Invalid request',id:'960913',severity:'4'"
+#SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.leakage_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_23_request_limits.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_23_request_limits.conf
@@ -0,0 +1,49 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+#
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+#      Note that most of the rules are commented out by default.
+#      Uncomment the rules you need
+#
+
+## -- Arguments limits --
+
+# Limit argument name length
+SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+	SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit value name length
+SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+	SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Maximum number of arguments in request limited
+SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+	SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Limit arguments total length
+SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+	SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+
+## -- File upload limits --
+
+# Individual file size is limited
+SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+        SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" "chain"
+                SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
+# Combined file size is limited
+SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'"
+	SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_30_http_policy.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_30_http_policy.conf
@@ -0,0 +1,102 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# HTTP policy enforcement
+# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
+
+# Few applications require the breadth and depth of the HTTP protocol. On the 
+# other hand many attacks abuse valid but rare HTTP use patterns. Restricting 
+# HTTP protocol usage is effective in therefore effective in blocking many 
+# application layer attacks. 
+#
+# TODO Many automation programs use non standard HTTP requests. While you may 
+#      want to allow some of those, try not to create exceptions only for the
+#      automated program based on properties such as their source IP address or
+#      the URL they access.
+#
+
+# allow request methods
+#
+# TODO Most applications only use GET, HEAD, and POST request
+#      methods. If that is not the case with your environment, you are advised 
+#      to edit the line or uncomment it.
+#
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
+
+
+# Restrict which content-types we accept.
+#
+# TODO Most applications support only two types for request bodies
+#      because that is all browsers know how to produce. If you are using
+#      automated tools to talk to the application you may be using other
+#      content types and would want to change the list of supported types.
+# 
+#      Note though that ModSecurity parses only three content types:
+#      application/x-www-form-urlencoded, multipart/form-data request and 
+#      text/xml. The protection provided for any other type is inferior.
+#
+# TODO There are many applications that are not using multipart/form-data
+#      types (typically only used for file uploads). This content type
+#      can be disabled if not used.  
+#
+# NOTE We allow any content type to be specified with GET or HEAD
+#      because some tools incorrectly supply content type information
+#      even when the body is not present. There is a rule further in
+#      the file to prevent GET and HEAD requests to have bodies to we're
+#      safe in that respect.
+#
+# NOTE Use of WebDAV requires "text/xml" content type.
+#
+# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
+#      applications running on the PocketPC and AvantGo platforms use
+#      non-standard content types:
+#
+#      M-Business iAnywhere      application/x-mal-client-data
+#      UltraLite iAnywhere       application/octet-stream
+#
+SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'" 
+	SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
+		SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
+
+# Restrict protocol versions.
+#
+# TODO All modern browsers use HTTP version 1.1. For tight security, allow only 
+#      this version. 
+#
+# NOTE Automation programs, both malicious and non malicious many times use 
+#      other HTTP versions. If you want to allow a specific automated program
+#      to use your site, try to create a narrower expection and not allow any 
+#      client to send HTTP requests in a version lower than 1.1  
+#       
+SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
+
+# Restrict file extension
+#
+# TODO the list of file extensions below are virtually always considered unsafe
+#      and not in use in any valid program. If your application uses one of 
+#      these extensions, please remove it from the list of blocked extensions.
+#      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
+#      comment the whole rule.       
+#
+SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'" 
+	SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
+
+
+
+# Restricted HTTP headers 
+#
+# TODO the list of HTTP headers below are considered unsafe for your environment.
+#      If your application uses one of these directories, please remove it from 
+#      the list of blocked extensions. You may need to use ModSecurity Core Rule 
+#      Set Templates to do so, otherwise comment the whole rule.       
+#
+SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'"
+	SecRule TX:HEADER_NAME "@within %{tx.restricted_headers}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" 
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_35_bad_robots.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_35_bad_robots.conf
@@ -0,0 +1,30 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE Bad robots detection is based on checking elements easily 
+#      controlled by the client. As such a determined attacked can bypass
+#      those checks. Therefore bad robots detection should not be viewed as
+#      a security mechanism against targeted attacks but rather as a nuisance
+#      reduction, eliminating most of the random attacks against your web
+#      site. 
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
+        "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'"
+	SecRule REQUEST_HEADERS:User-Agent "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by mail)|(?:(?:altb|ro)o|bandi)t|emailextract?|vulnscan|mole)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent| xp 5)|se(?:nut)?bot)|ordpress(?: hash grabber|\/4\.01)|3mir)|m(?:o(?:r(?:feus fucking scanner|zilla)|zilla\/3\.mozilla\/2\.01$|siac 1.)|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:ro(?:gram shareware 1\.0\.|duction bot|webwalker)|a(?:nscient\.com|ckrat)|oe-component-client|s(?:ycheclone|urf)|leasecrawl\/1\.|cbrowser|e 1\.4|mafind)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|(siphon|spider)|siphon|wolf)|(?:collecto|irgrabbe)r|ducate search vxb|xtractorpro|o browse)|t(?:(?: ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? h ?u ?r ?|his is an exploi|akeou)t|oata dragostea mea pentru diavola|ele(?:port pro|soft)|uring machine)|a(?:t(?:(?:omic_email_hunt|spid)er|tache|hens)|d(?:vanced email extractor|sarobot)|gdm79\@mail\.ru|miga-aweb\/3\.4|utoemailspider| href=)|^(?:(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?\ ?(compatible( browser)?)?)$|www\.weblogs\.com|(?:jakart|vi)a|microsoft url|user-Agent)|s(?:e(?:archbot admin@google.com|curity scan)|(?:tress tes|urveybo)t|\.t\.a\.l\.k\.e\.r\.|afexplorer tl|itesnagger|hai)|n(?:o(?:kia-waptoolkit.* googlebot.*googlebot| browser)|e(?:(?:wt activeX; win3|uralbot\/0\.)2|ssus)|ameofagent|ikto)|f(?:a(?:(?:ntombrows|stlwspid)er|xobot)|(?:ranklin locato|iddle)r|ull web bot|loodgate|oobar/)|i(?:n(?:ternet(?: (?:exploiter sux|ninja)|-exprorer)|dy library)|sc systems irc search 2\.1)|g(?:ameBoy, powered by nintendo|rub(?: crawler|-client)|ecko\/25)|(myie2|libwen-us|murzillo compatible|webaltbot|wisenutbot)|b(?:wh3_user_agent|utch__2\.1\.1|lack hole|ackdoor)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|(?:(script|sql) inject|$botname/$botvers)ion|(msie .+; .*windows xp|compatible \; msie)|h(?:l_ftien_spider|hjhj@yahoo|anzoweb)|(?:8484 boston projec|xmlrpc exploi)t|u(?:nder the rainbow 2\.|ser-agent:)|(sogou develop spider|sohu agent)|(?:(?:d|e)browse|demo bot)|zeus(?: .*webster pro)?|[a-z]surf[0-9][0-9]|v(?:adixbot|oideye)|larbin@unspecified|\bdatacha0s\b|kenjin spider|; widows|rsync|\\\r))" "capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" 
+SecMarker END_ROBOT_CHECK
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_40_generic_attacks.conf
@@ -0,0 +1,236 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# OS Command Injection Attacks
+#
+# -=[ Rule Logic ]=-
+# These rules look for attempts to access OS commands such as curl, wget and cc
+# These commands are often used in injection attacks to force the victim web
+# application to initiate a connection out to a hacker site to download, compile
+# and install malicious toolkits such as those to participate in Botnets.
+#
+# -=[ References ]=- 
+# http://projects.webappsec.org/OS-Commanding
+# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
+
+SecMarker END_COMMAND_INJECTION1
+
+
+#
+# -=[ Heuristic Checks ]=-
+#
+# [ Repeatative Non-Word Chars ]
+#
+# This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence
+#
+SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+
+#
+# Coldfusion Injection
+#
+# -=[ Rule Logic ]=-
+# These rules look for the existence of undocumented ColdFusion Admin functions on input
+#
+# -=[ References ]=-
+# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
+#  
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
+
+SecMarker END_CF_INJECTION
+
+#
+# LDAP Injection
+#
+# -=[ Rule Logic ]=-
+# These rules look for common LDAP data constructions.
+# 
+# -=[ References ]=-
+# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
+
+SecMarker END_LDAP_INJECTION
+
+#
+# SSI injection
+#
+# -=[ Rule Logic ]=-
+# These rules look for common Server-Site Include format data on input.
+#
+# -=[ References ]=-
+# http://projects.webappsec.org/SSI-Injection
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'SSI injection Attack',id:'950011',tag:'OWASP_CRS/WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
+
+SecMarker END_SSI_INJECTION
+
+#
+# UPDF XSS
+#
+# -=[ Rule Logic ]=-
+# This rule looks for a link being submitted that contains the # fragment in a query_string.
+#
+# -=[ References ]=-
+# http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
+
+
+#
+# Email Injection
+#
+# -=[ References ]=-
+# http://projects.webappsec.org/Mail-Command-Injection
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:'950019',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# HTTP Request Smuggling
+#
+# -=[ Rule Logic ]=-
+# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
+# request headers.  This character would indicate that there were more than one request header
+# with this same name.  In these instances, Apache treats the data in a similar manner as 
+# multiple cookie values.
+#
+# -=[ References ]=-
+# http://projects.webappsec.org/HTTP-Request-Smuggling
+# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
+#
+SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
+
+#
+# HTTP Response Splitting
+#
+# -=[ Rule Logic ]=-
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
+# These characters may cause problems if the data is returned in a respones header and
+# may be interpreted by an intermediary proxy server and treated as two separate 
+# responses.
+# 
+# -=[ References ]=-
+# http://projects.webappsec.org/HTTP-Response-Splitting
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
+
+
+#
+# RFI Attack
+#
+# -=[ Rule Logic ]=-
+# These rules look for common types of Remote File Inclusion (RFI) attack methods.
+#	- URL Contains an IP Address
+#	- The PHP "include()" Function
+#	- RFI Data Ends with Question Mark(s) (?)
+#	- RFI Host Doesn't Match Local Host
+#
+# -=[ References ]=-
+# http://projects.webappsec.org/Remote-File-Inclusion
+# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+#
+SecRule ARGS "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950117',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
+
+SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \
+        "phase:2,rev:'3',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950118',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
+
+SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950119',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
+
+SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
+        "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
+        SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
+
+#
+# Prequalify Request Matches
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
+	"phase:2,id:'981133',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
+
+SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,pass,skipAfter:END_PM_CHECK,nolog"
+
+#
+# Begin RegEx Checks for target locations that matched the prequalifier checks
+#
+	#
+	# Session fixation
+	# 
+	# -=[ References ]=-
+	# http://projects.webappsec.org/Session-Fixation
+	#	
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
+		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:'950009',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
+
+
+	SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
+		"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950003',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
+		SecRule REQUEST_HEADERS:Referer	"^(?:ht|f)tps?://(.*?)\/" "chain,capture" 
+        		SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 
+
+
+        SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
+                "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950000',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
+                SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
+
+
+	SecMarker END_SESSION_FIXATION
+	
+	
+	#
+	# File Injection
+	#
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
+		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:'950005',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
+
+	SecMarker END_FILE_INJECTION
+
+	#
+	# Command access
+	#
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" \
+		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Access',id:'950002',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
+
+	SecMarker END_COMMAND_ACCESS
+
+	#
+	# Command injection
+	#
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" \
+		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950006',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
+
+	SecMarker END_COMMAND_INJECTION
+		
+	#
+	# PHP injection
+	#
+	
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
+	        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
+		
+	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
+	        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
+	
+
+SecMarker END_PM_CHECK
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
@@ -0,0 +1,245 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# References:
+# 
+# SQL Injection Pocket Reference (via @LightOS) -
+# https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk
+#
+# SQLi Filter Evasion Cheat Sheet -
+# http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
+#
+# SQL Injection Cheat Sheet -
+# http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
+#
+# SQLMap's Tamper Scripts (for evasions)
+# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
+#
+
+#
+# -=[ Detect SQL Comment Sequences ]=-
+#
+# Example Payloads Detected:
+# -------------------------
+# OR 1#
+# DROP sampletable;--
+# admin'--
+# DROP/*comment*/sampletable
+# DR/**/OP/*bypass blacklisting*/sampletable
+# SELECT/*avoid-spaces*/password/**/FROM/**/Members
+# SELECT /*!32302 1/0, */ 1 FROM tablename
+# ‘ or 1=1#
+# ‘ or 1=1-- -
+# ‘ or 1=1/*
+# ' or 1=1;\x00
+# 1='1' or-- -
+# ' /*!50000or*/1='1
+# ' /*!or*/1='1
+# 0/**/union/*!50000select*/table_name`foo`/**/
+# -------------------------
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ SQL Hex Evasion Methods ]=-
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" "phase:2,id:'981260',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Hex Encoding Identified',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ String Termination/Statement Ending Injection Testing ]=-
+#
+# Identifies common initial SQLi probing requests where attackers insert/append
+# quote characters to the existing normal payload to see how the app/db responds.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(^[\"'`´’‘;]+|[\"'`´’‘;]+$)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:'981318',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ SQL Operators ]=-
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ SQL Tautologies ]=-
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:([\s'\"`´’‘\(\)]*?)([\d\w]++)([\s'\"`´’‘\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'\"`´’‘\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'\"`´’‘\(\)]*?)(?!\2)([\d\w]+)))" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,multiMatch,t:none,t:urlDecodeUni,t:replaceComments,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: SQL Tautology Detected.',id:'950901',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ Detect DB Names ]=-
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name)|qlite(_temp)?_master)|d(?:atabas|b_nam)e\W*\(|information_schema|pg_(catalog|toast)|northwind|tempdb))" \
+                "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+
+#
+# SQL Keyword Anomaly Scoring
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select show top distinct from dual where group by order having limit offset union rownum as (case" "phase:2,id:'981300',t:none,t:urlDecodeUni,t:lowercase,nolog,pass,nolog,setvar:'tx.sqli_select_statement=%{tx.sqli_select_statement} %{matched_var}'"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains select" "phase:2,id:'981301',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains show" "phase:2,id:'981302',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains top" "phase:2,id:'981303',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains distinct" "phase:2,id:'981304',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains from" "phase:2,id:'981305',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains dual" "phase:2,id:'981306',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains where" "phase:2,id:'981307',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains group by" "phase:2,id:'981308',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains order by" "phase:2,id:'981309',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains having" "phase:2,id:'981310',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains limit" "phase:2,id:'981311',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains offset" "phase:2,id:'981312',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains union" "phase:2,id:'981313',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains union all" "phase:2,id:'981314',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains rownum as" "phase:2,id:'981315',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT "@contains (case" "phase:2,id:'981316',t:none,pass,nolog,setvar:tx.sqli_select_statement_count=+1,setvar:tx.sql_injection_score=+1"
+SecRule TX:SQLI_SELECT_STATEMENT_COUNT "@ge 3" "phase:2,t:none,block,id:'981317',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',msg:'SQL SELECT Statement Anomaly Detection Alert',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+
+#
+# Blind SQL injection
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|users?|ascii))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.(db|user))|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)|\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|xtype\W+\bchar|mb_users|rownum)\b|t(?:able_name\b|extpos\W+\()))" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'Blind SQL Injection Attack',id:'950007',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+	
+
+
+#
+# SQL injection
+#
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*\(|llation\W*\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950001',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+	
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.*?)case|from(.*?)limit|order\sby)))|exists\s(\sselect|select\Sif(null)?\s\(|select\Stop|select\Sconcat|system\s\(|\b(?i:having)\b\s+(\d{1,10})|'[^=]{1,10}')" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959070',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>])" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959071',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"        
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+	
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|!REQUEST_HEADERS:via "(?i:\b(?:coalesce\b|root\@))" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,id:'950908',msg:'SQL Injection Attack.',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv6|not_null|not|null|used_lock))?|n(?:et6?_(aton|ntoa)|s(?:ert|tr)|terval)?|f(null)?)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(date|time|timestamp)|p(?:datexml|per)|uid(_short)?|case|ser)|l(?:o(?:ca(?:l(timestamp)?|te)|g(2|10)?|ad_file|wer)|ast(_day|_insert_id)?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|t(?:ime(stamp|stampadd|stampdiff|diff|_format|_to_sec)?|o_(base64|days|seconds|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|o(?:w_count|und)|a(?:dians|nd)|ight|trim|pad)|f(?:i(?:eld(_in_set)?|nd_in_set)|rom_(base64|days|unixtime)|o(?:und_rows|rmat)|loor)|a(?:es_(?:de|en)crypt|s(?:cii(str)?|in)|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|p(?:o(?:sition|w(er)?)|eriod_(add|diff)|rocedure_analyse|assword|i)|b(?:i(?:t_(?:length|count|x?or|and)|n(_to_num)?)|enchmark)|e(?:x(?:p(?:ort_set)?|tract(value)?)|nc(?:rypt|ode)|lt)|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|g(?:r(?:oup_conca|eates)t|et_(format|lock))|o(?:(?:ld_passwo)?rd|ct(et_length)?)|we(?:ek(day|ofyear)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|(rawton?)?hex(toraw)?|qu(?:arter|ote)|(pg_)?sleep|year(week)?|d?count|xmltype|hour)\W*?\(|\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:sqlexec|sp_replwritetovarbin|sp_help|addextendedproc|is_srvrolemember|prepare|sp_password|execute(?:sql)?|makewebtask|oacreate)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|terminate|xp_servicecontrol|xp_ntsec_enumdomains|xp_terminate_process|e(?:xecresultset|numdsn)|availablemedia|loginconfig|cmdshell|filelist|dirtree|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|d(?:b(?:a_users|ms_java)|elete\b\W*?\bfrom)|group\b.*?\bby\b.{1,100}?\bhaving|open(?:rowset|owa_util|query)|load\b\W*?\bdata\b.*?\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|print\b\W*?\@\@|cast\b\W*?\()|c(?:(?:ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)\W*?\(|o(?:(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|alesce|t)\W*?\(|llation\W*?\(a))|d(?:(?:a(?:t(?:e(?:(_(add|format|sub))?|diff)|abase)|y(name|ofmonth|ofweek|ofyear)?)|e(?:(?:s_(de|en)cryp|faul)t|grees|code)|ump)\W*?\(|bms_pipe\.receive_message\b)|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)'))" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959073',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+
+#
+# [ SQL Injection Character Anomaly Usage ]
+#
+# These rules attempted to gauge when there is an exccesive use of
+# meta-characters within a single parameter payload.
+#
+# The most likely false positive instances will be free-form text fields.
+# Adjust the the @ge operator value appropriately for your site.  Increasing
+# the score will reduce false positives but may also decrease detection of
+# obfuscated attack payloads.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){8,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981172',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
+
+SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
+
+
+#
+# -=[ PHPIDS - Converted SQLI Filters ]=-
+#
+# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
+#
+
+#
+# Example Payloads Detected:
+# -------------------------
+# IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
+# SELECT pg_sleep(10);
+# IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = ‘root’;
+# select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
+# -------------------------
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects blind sqli tests using sleep() or benchmark().',id:'981272',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+
+#
+# Example Payloads Detected:
+# -------------------------
+# ' or 1=1#
+# ') or ('1'='1--
+# 1 OR \'1\'!=0
+# aaa\' or (1)=(1) #!asd
+# aaa\' OR (1) IS NOT NULL #!asd
+# ' =+ '
+# asd' =- (-'asd') -- -a
+# aa" =+ - "0
+# aa' LIKE 0 -- -a
+# aa' LIKE md5(1) or '1
+# asd"or-1="-1
+# asd"or!1="!1
+# asd"or!(1)="1
+# asd" or ascii(1)="49
+# asd' or md5(5)^'1
+# \"asd" or 1="1
+# ' or id= 1 having 1 #1 !
+# ' or id= 2-1 having 1 #1 !
+# aa'or BINARY 1= '1
+# aa'like-'aa
+# -------------------------
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?i:\d[\"'`´’‘]\s+[\"'`´’‘]\s+\d)|(?:^admin\s*?[\"'`´’‘]|(\/\*)+[\"'`´’‘]+\s?(?:--|#|\/\*|{)?)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]?=\s*?[\"'`´’‘])|(?:[\"'`´’‘]\W*?[+=]+\W*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[!=|][\d\s!=+-]+.*?[\"'`´’‘(].*?$)|(?:[\"'`´’‘]\s*?[!=|][\d\s!=]+.*?\d+$)|(?:[\"'`´’‘]\s*?like\W+[\w\"'`´’‘(])|(?:\sis\s*?0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:[\"'`´’‘][<>~]+[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'981244',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\sexec\s+xp_cmdshell)|(?:[\"'`´’‘]\s*?!\s*?[\"'`´’‘\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\"'`´’‘];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select.*?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MSSQL code execution and information gathering attempts',id:'981255',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`´’‘][\"'`´’‘](?:[\"'`´’‘].*?[\"'`´’‘]|\Z|[^\"'`´’‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:@.+=\s*?\(\s*?select)|(?:\d+\s*?(x?or|div|like|between|and)\s*?\d+\s*?[\-+])|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*?(?:drop|alter))|(?:(?:;|#|--)\s*?(?:update|insert)\s*?\w{2,})|(?:[^\w]SET\s*?@\w+)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)[\s(]+\w+[\s)]*?[!=+]+[\s\d]*?[\"'`´’‘=()]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 1/2',id:'981248',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2.60738585072007e-308|1e309)$))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for intiger overflow attacks, these are taken from skipfish, except 2.2.60738585072007e-308 is the \"magic number\" crash',id:'981277',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*?\(?\s*?\w+))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'981250',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects conditional SQL injection attempts',id:'981241',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:alter\s*?\w+.*?character\s+set\s+\w+)|([\"'`´’‘];\s*?waitfor\s+time\s+[\"'`´’‘])|(?:[\"'`´’‘];.*?:\s*?goto))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'981252',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s*?[\[\]()\s\w\.,\"'`´’‘-]+from)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\"'`´’‘]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'981254',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Finds basic MongoDB SQL injection attempts',id:'981270',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:\)\s*?when\s*?\d+\s*?then)|(?:[\"'`´’‘]\s*?(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*?\(\s*?\d)|(?:(?:(n?and|x?x?or|div|like|between|and|not)\s+|\|\||\&\&)\s*?\w+\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'981240',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s+and\s*?=\W)|(?:\(\s*?select\s*?\w+\s*?\()|(?:\*\/from)|(?:\+\s*?\d+\s*?\+\s*?@)|(?:\w[\"'`´’‘]\s*?(?:[-+=|@]+\s*?)+[\d(])|(?:coalesce\s*?\(|@@\w+\s*?[^\w\s])|(?:\W!+[\"'`´’‘]\w)|(?:[\"'`´’‘];\s*?(?:if|while|begin))|(?:[\"'`´’‘][\s\d]+=\s*?\d)|(?:order\s+by\s+if\w*?\s*?\()|(?:[\s(]+case\d*?\W.+[tw]hen[\s(]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects chained SQL injection attempts 2/2',id:'981249',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:procedure\s+analyse\s*?\()|(?:;\s*?(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*?\w+\s*?\(\s*?\)\s*?-)|(?:declare[^\w]+[@#]\s*?\w+)|(exec\s*?\(\s*?@))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'981253',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s*?[\"'`´’‘]?\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`´’‘]$)|(?:(?:^[\"'`´’‘\\\\]*?(?:[\d\"'`´’‘]+|[^\"'`´’‘]+[\"'`´’‘]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w\"'`´’‘][+&!@(),.-])|(?:[^\w\s]\w+\s*?[|-]\s*?[\"'`´’‘]\s*?\w)|(?:@\w+\s+(and|x?or|div|like|between|and)\s*?[\"'`´’‘\d]+)|(?:@[\w-]+\s(and|x?or|div|like|between|and)\s*?[^\w\s])|(?:[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`´’‘].)|(?:\Winformation_schema|table_name\W))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 1/2',id:'981242',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:in\s*?\(+\s*?select)|(?:(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*?\(|sounds\s+like\s*?[\"'`´’‘]|[=\d]+x))|([\"'`´’‘]\s*?\d\s*?(?:--|#))|(?:[\"'`´’‘][\%&<>^=]+\d\s*?(=|x?or|div|like|between|and))|(?:[\"'`´’‘]\W+[\w+-]+\s*?=\s*?\d\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?\d.+[\"'`´’‘]?\w)|(?:[\"'`´’‘]\|?[\w-]{3,}[^\w\s.,]+[\"'`´’‘])|(?:[\"'`´’‘]\s*?is\s*?[\d.]+\s*?\W.*?[\"'`´’‘]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'981246',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:create\s+function\s+\w+\s+returns)|(?:;\s*?(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?[\[(]?\w{2,}))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'981251',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL injection probings 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_41_xss_attacks.conf
@@ -0,0 +1,491 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# XSS
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder document javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" \
+       "phase:2,id:'981136',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"
+
+SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,id:'981018',t:none,pass,skipAfter:END_XSS_CHECK,nolog"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousedown\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bshell:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bmocha:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonabort\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bhttp:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseup\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*\=.*bexpression\b\W*\(" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bshell:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcreatetextrange\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bondragdrop\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcopyparentfolder\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonunload\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.execscript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bgetspecialfolder\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bonload\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bvbscript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeydown\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmousemove\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blivescript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonblur\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmove\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsettimeout\b\W*?\(" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?iframe" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bjavascript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bbackground\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bvbscript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\becmascript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonfocus\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bdocument\b\s*\.\s*\bcookie\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\<\!\[cdata\[" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonerror\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bjavascript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bactivexobject\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeypress\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonsubmit\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.addimport\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bjavascript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonchange\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjscript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\balert\b\W*?\(" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?meta\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bhttp:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bvbscript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseout\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bshell:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\basfunction:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonmouseover\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bvbscript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bjavascript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.innerhtml\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonselect\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\@import\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bvbscript:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonload\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\< ?script\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonresize\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonclick\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\biframe\b.{0,100}?\bsrc\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bbackground-image:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bonkeyup\b\W*?\=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<input\b.*?\btype\b\W*?\bimage\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bshell:" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjavascript\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\.fromcharcode\b" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_XSS_CHECK
+
+# Detect tags that are the most common direct HTML injection points.
+#
+#     <a href=javascript:...
+#     <applet src="..." type=text/html>
+#     <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
+#     <base href=javascript:...
+#     <base href=... // change base URL to something else to exploit relative filename inclusion
+#     <bgsound src=javascript:...
+#     <body background=javascript:...
+#     <body onload=...
+#     <embed src=http://www.example.com/flash.swf allowScriptAccess=always
+#     <embed src="data:image/svg+xml;
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...
+#     <img src=x onerror=...
+#     <input type=image src=javascript:...
+#     <layer src=...
+#     <link href="javascript:..." rel="stylesheet" type="text/css"
+#     <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
+#     <meta http-equiv="refresh" content="0;url=javascript:..."
+#     <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
+#     <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
+#     <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
+#     <object data=http://www.example.com
+#     <object type=text/x-scriptlet data=...
+#     <object type=application/x-shockwave-flash data=xss.swf>
+#     <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
+#     <script>...</script>
+#     <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
+#     <script src="data:text/javascript,alert(1)"></script>
+#     <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
+#     <style>STYLE</style>
+#     <style type=text/css>STYLE</style>
+#     <style type=text/javascript>alert('xss')</style>
+#     <table background=javascript:...
+#     <td background=javascript:
+#
+#
+# NOTES
+#
+#  - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
+#
+#  - Not using closing brackets because they are not needed for the
+#    attacks to succeed. The following seems to work in FF: <body/s/onload=...
+#
+#  - Also, browsers sometimes tend to translate < into >, in order to "repair"
+#    what they think was a mistake made by the programmer/template designer.
+#
+#  - Browsers are flexible when it comes to what they accept as separator between
+#    tag names and attributes. The following is commonly used in payloads: <img/src=...
+#    A better example: <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^=alert("XSS")>
+#
+#  - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
+#    but I don't believe we need to look for quotes anywhere.
+#
+#  - Links do not have to be fully qualified. For example, the following works:
+#    <script src="//ha.ckers.org/.j">
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973300',capture,t:none,t:jsDecode,t:lowercase,block,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\ballowscriptaccess\b|\brel\b\W*?=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973301',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# TODO Would evasion such as null and whitespace work here?
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* ".+application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript)).+" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973302',capture,t:none,t:htmlEntityDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# Detect event handler names
+#
+#     <body onload=...>
+#     <img src=x onerror=...>
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973303',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# Detect usage of common URI attributes (e.g. src)
+#
+#     <a href="javascript:...">Link</a>
+#     <base href="javascript:...">
+#     <bgsound src="javascript:...">
+#     <body background="javascript:...">
+#     <frameset><frame src="javascript:..."></frameset>
+#     <iframe src=javascript:...>
+#     <img dynsrc=javascript:...>
+#     <img lowsrc=javascript:...>
+#     <img src=javascript:...>
+#     <input type=image src=javascript:...>
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973304',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# As above, but try to catch the other bit that is necessary to execute the attack.
+#
+#     <meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+#     <img src=jaVaScrIpt:...>
+#     <img src=&#6a;avascript:...> (not evasion)
+#     <img src="jav	ascript:..."> (embedded tab; null byte, other whitespace characters work too)
+#     <img src="jaa&#09;ascript:..."> (the combination of the above two)
+#
+# NOTES
+#
+#  - htmlEntityDecode needs to be applied because this content appears in HTML
+#    attributes, so it's not evasion.
+#
+# TODO I think asfunction only work in HTML files handled by Flash. Needs verifying.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(asfunction|javascript|vbscript|data|mocha|livescript):" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973305',capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# Detect attempts to use the style attribute, which works with any tag in at
+# least one major browser.
+#
+#     <div style="background-image: url(javascript:...)">
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*?=" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973306',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# -- JavaScript fragments --
+#
+#    TODO Need more fragments.
+#
+#    TODO What about JavaScript code hidden behind CSS?
+#
+#    TODO There is a bunch of DOM-manipulation stuff that we want to cover here.
+#
+#    alert(String.fromCharCode(88,83,83)
+#    - window.name
+#    - document.cookie
+#    - document.location
+#    - document.write
+#    - document.styleSheets[0].addImport('yourstylesheet.css', 2);
+#    - window.execScript("alert('test');", "JavaScript");
+#    - document.body.innerHTML = ''
+#    - newObj = new ActiveXObject(servername.typename[, location])
+#    - A list of keywords here: http://technet.microsoft.com/en-gb/library/bb794749.aspx
+#    - setTimeout("alert('xss')", 1000)
+#    - xmlHttp.onreadystatechange=function() {}
+#    - eval(location.hash.substr(1)) // used to execute JavaScript in fragment identifier
+#
+# NOTES:
+# 
+#  - JavaScript evasion:
+#
+#    http://www.thespanner.co.uk/2007/09/19/javascript-for-hackers/
+#    http://www.thespanner.co.uk/2007/12/12/javascript-for-hackers-part-2/
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+
+# -- CSS attack fragments --
+
+#     <div style="background-image: url(javascript:...)">
+#     <div style="background-image: url(&#1;javascript:alert('XSS'))"> // not used
+#     <div style="width: expression(...);">
+#     <img style="x:expression(document.write(1))">
+#     <xss style="behavior: url(http://ha.ckers.org/xss.htc);">
+# -    <style>li {list-style-image: url("javascript:alert('XSS')");}</style><ul><li>xss
+#     <style>@import url(...);</style>
+#     -moz-binding:url(...)
+#     background:url("javascript:...")
+#     </xss/*-*/style=xss:e/**/xpression(alert(1337))> (comment evasion) // TODO Verify
+#     <style type="text/css">@i\m\p\o\rt url(...);</style> (css escaping evasion)
+#     <li style="behavior:url(hilite.htc)">xss
+#
+#     Interesting CSS injection: http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
+#
+# Ref: http://crawlmsdn.microsoft.com/en-us/library/ms531078(vs.85).aspx (DHTML Behaviors)
+#
+# Note: A lot of these seem to need to use the "javascript:" prefix to execute anything. Requiring
+#       a match of that before we do anything might help us reduce the FP rate.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973308',capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+#      <C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]></C> // evasion
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!\[cdata\[|\]\]>" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973309',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+
+# -- Misc --
+
+#    alert('xss')
+#    alert("xss")
+#    alert(/xss/)
+#    <xss>
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[/'\"<]xss[/'\">]" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973310',capture,t:none,t:lowercase,block,msg:'XSS Attack Detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+#    String.fromCharCode(88,83,83)
+# 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(88,83,83)" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973311',capture,t:none,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+#    '';!--"<XSS>=&{()}
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "'';!--\"<xss>=&{()}" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973312',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+# Handle &{alert('xss')} which is supposed to work in Netscape 4.
+# 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "&{" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973313',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+
+# <!DOCTYPE html [  
+#   <!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">
+# ]>
+# <html xmlns="http://www.w3.org/1999/xhtml">
+# <head>
+#   <title>Test</title>
+# </head>
+#
+# <body>
+# &inject;
+# </body>
+# </html>
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!(doctype|entity)" \
+	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973314',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:lowercase,block,msg:'XSS Attack Detected',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+#
+# XSS Filters from IE8
+# http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
+# 
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#\(\)=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973315',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973316',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973317',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<applet[ /+\t].*?code[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973318',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973319',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<base[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973320',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<link[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973321',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_BODY "(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973322',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<\?import[ /+\t].*?implementation[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973323',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<embed[ /+\t].*?SRC.*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973324',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]on\c\c\c+?[ +\t]*?=.)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973325',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]vmlframe.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973326',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973327',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<isindex[ /+\t>])" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973328',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<form.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973329',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973330',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?>)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973331',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973332',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973333',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'].*?\[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\()" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973334',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\(.*?\))" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',id:'973335',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,block,msg:'IE XSS Filters - Attack Detected.',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_42_tight_security.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_42_tight_security.conf
@@ -0,0 +1,25 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# 
+#      This ruleset file contains rules that are highly prone to FPs
+#      Enable PARANOID_MODE in the 10 config file if you want to activate this rule	
+#
+ 
+#
+# Directory Traversal
+#
+SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \
+        	"phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'7',t:none,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,capture,tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
+
+# Weaker signature
+#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.2.6',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
+
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_45_trojans.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_45_trojans.conf
@@ -0,0 +1,35 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# The trojan access detection rules detects access to known Trojans already 
+# installed on a server. Uploading of Trojans is part of the Anti-Virus rules 
+# and uses external Anti Virus program when uploading files.
+#
+# Detection of Trojans access is especially important in a hosting environment
+# where the actual Trojan upload may be done through valid methods and not
+# through hacking.
+# --
+# 
+# NOTE Trojans detection is based on checking elements controlled by the client. 
+#      A determined attacked can bypass those checks. We are working on 
+#      enchaining the checks so it would require a major change in the Trojan
+#      to overcome.
+#      
+# NOTE We found out that Trojan horses are not detected easily by Anti-Virus 
+#      software when uploading as the signature set of AV software is not tuned
+#      for this purpose. We are working on adding signature tuned to detect
+#      Trojans upload to file uploading inspection. 
+# 
+
+SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950110',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_FILENAME "root\.exe" \
+        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950921',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
+SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'8',t:none,ctl:auditLogParts=+E,block,msg:'Backdoor access',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'950922',tag:'OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_47_common_exceptions.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_47_common_exceptions.conf
@@ -0,0 +1,40 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:'981020',t:none,pass,nolog"
+        SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+                SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,id:'981021',t:none,pass,nolog"
+	SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"
+		SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain"
+                	SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+                        	SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
+
+#
+# Exception for Adobe Flash Player
+# https://www.modsecurity.org/tracker/browse/CORERULES-57
+#
+SecRule REQUEST_METHOD "@streq POST" "chain,phase:2,id:'981022',t:none,pass,nolog"
+        SecRule REQUEST_HEADERS:User-Agent "@contains Adobe Flash Player" "chain,t:none"
+		SecRule REQUEST_HEADERS:X-Flash-Version ".*" "chain,t:none"
+			SecRule REQUEST_HEADERS:Content-Type "@contains application/x-amf" "chain,t:none"
+                		SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"
+					SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-5"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
@@ -0,0 +1,59 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file is used to allow custom checks and exclusions for the transactional
+# variable rules.  Place rules in this file so that you may influence what happens
+# in the 49 - Enforcement File. 
+
+# In previous ModSecurity rules, the TARGET list would have to be updated in
+# order to exclude a specific paramater like this -
+#
+# SecRule ARGS_NAMES|ARGS|!ARGS:foo
+# 
+# With the new transactional variable rules, parameter exceptions can now
+# be handled AFTER the initial inspection as the rules now use setvars to 
+# capture meta-data with each rule match.  They use this syntax -  
+#
+# 	setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}
+#
+# When the transactional rules trigger, they will set a TX variable similar to this 
+# for an SQL Injection attack -
+#
+# 	Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".
+# 
+# With this data now available, the user can implement flexible exceptions.
+# 
+# Exception example - exclude a parameter
+#
+# In this example, we are inspecting
+# the TX collections to see if there is a current variable that has matched
+# for the 950001 SQL Injection rule ID and for the "comments" parameter.  If
+# so, then we are going to remove the collection entirely by using the 
+# setvar:!tx. syntax.  By doing this, the TX collection is removed before final
+# inspection at the end of phase 2 in the enforcement file.
+#
+#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
+#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
+
+#
+# This is an example exclusion for the entire SQL Injection category of rules
+#
+#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
+#	SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
+
+#
+# This is an example exclusion that combines the URL and parameter and removes
+# a specific SQL Injection ID only if the parameter foo payload matches
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
+#	SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
+#       	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
+
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
@@ -0,0 +1,35 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# Uncomment the anomaly sections you wish to use.
+# These rules use the anomaly score settings specified in the 10 config file.
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Alert and Block based on Anomaly Score and OSVDB Check
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" \
+    "chain,phase:2,id:'981175',t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
+        SecRule RESOURCE:OSVDB_VULNERABLE "@eq 1" chain
+                SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on"
+
+# Alert and Block based on Anomaly Scores
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" \
+    "chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"
+        SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain
+                SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
+                        SecRule TX:/^\d/ "(.*)"
+
+# Alert and Block on a specific attack category such as SQL Injection
+#
+#SecRule TX:SQL_INJECTION_SCORE "@gt 0" \
+#    "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_50_outbound.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_50_outbound.conf
@@ -0,0 +1,138 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE   By default the status code sent is 501, which implies that the web 
+#        server does not support the required operation. This is a non standard
+#        of this status code which normally refers to unsupported HTTP methods. 
+#        It is used in order to confuse automated clients and scanners. 
+
+
+# Zope Information Leakage
+SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Zope Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970007',tag:'OWASP_CRS/LEAKAGE/ERRORS_ZOPE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+# CF Information Leakage
+SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970008',tag:'OWASP_CRS/LEAKAGE/ERRORS_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+# PHP Information Leakage
+SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970009',tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+# ISA server existence revealed
+SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ISA server existence revealed',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970010',tag:'MISCONFIGURATION',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}"
+
+# Microsoft Office document properties leakage
+SecRule RESPONSE_BODY "<o:documentproperties>" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,block,msg:'Microsoft Office document properties leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970012',tag:'OWASP_CRS/LEAKAGE/INFO_STATISTICS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
+
+
+SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970903',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
+SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
+
+          
+# CF source code leakage
+SecRule RESPONSE_BODY "<cf" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Cold Fusion source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970016',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CF',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
+
+# IIS default location
+SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,t:lowercase,ctl:auditLogParts=+E,block,msg:'IIS installed in default location',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970018',severity:'3',chain"
+SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score}"
+
+# The application is not available
+SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
+SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
+
+# Weblogic information disclosure
+SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970021',severity:'3'"
+SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+# File or Directory Names Leakage
+SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,capture,t:none,capture,ctl:auditLogParts=+E,block,msg:'File or Directory Names Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970011',tag:'OWASP_CRS/LEAKAGE/INFO_FILE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
+SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,capture,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
+
+#
+# IFrame Injection
+#
+SecRule RESPONSE_BODY "!@pm iframe" \
+				"phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'6',id:'981177',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" \
+				"t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981000',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
+SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" \
+				"t:replaceComments,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',ctl:auditLogParts=+E,block,msg:'Possibly malicious iframe tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981001',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"				
+
+SecRule RESPONSE_BODY "(?i:<\s*IFRAME\s*?[^>]*?src=\"javascript:)" \
+                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Malicious iframe+javascript tag in output',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',capture,id:'981003',tag:'OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME',tag:'bugtraq,13544',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_IFRAME_CHECK 
+
+#
+# Generic Malicious JS Detection
+#
+SecRule RESPONSE_BODY "(?i)(String\.fromCharCode\(.*?){4,}" \
+                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Excessive fromCharCode',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981004',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
+
+SecRule RESPONSE_BODY "(?i)(eval\(.{0,15}unescape\()" \
+                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Eval+Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981005',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
+
+SecRule RESPONSE_BODY "(?i)(var[^=]+=\s*unescape\s*;)" \
+                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Unescape',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981006',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
+
+SecRule RESPONSE_BODY "(?i:%u0c0c%u0c0c|%u9090%u9090|%u4141%u4141)" \
+                                "t:none,phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',ctl:auditLogParts=+E,block,msg:'Potential Obfuscated Javascript in Output - Heap Spray',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'981007',tag:'OWASP_CRS/MALICIOUS_CODE',tag:'bugtraq,13544',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/MALICIOUS_CODE-%{matched_var_name}=%{tx.0}"
+
+
+
+#
+# Run PM check against response body data before running any RegEx Checks
+# If nothing matches, then we skip the remainder of phase:4 
+#
+SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',pass,id:'981178',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
+
+# ASP/JSP source code leakage
+SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'ASP/JSP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970014',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
+
+# PHP source code leakage
+SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970015',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
+
+SecRule RESPONSE_BODY "<\?(?!xml)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'PHP source code leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970902',tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
+	SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"
+
+# Statistics pages revealed
+SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Statistics Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970002',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
+
+
+# SQL Errors leakage
+SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:PostgreSQL result|O(?:racle|DBC)|M(?:S |y)SQL))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(. Requested|; the operation)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|microsoft jet database engine error '8|Microsoft Access Driver|JET Database Engine|Access Database Engine|ORA-\d{5}: |ORA-[0-9][0-9][0-9][0-9]|Oracle error|Oracle.*Driver|Warning.*Woci_.*|Warning.*Wora_.*|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|PostgreSQL query failed:|PostgreSQL.*ERROR|Warning.*Wpg_.*|valid PostgreSQL result|Npgsql.|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|You have an error in your SQL syntax(?: near ')?|incorrect syntax near (?:\'|the\b|\@\@error\b)|cannot take a \w+ data type as an argument\.|Warning: mysql_connect\(\):)|\[Microsoft\]\[ODBC |Driver.* SQL[-_ ]*Server|OLE DB.* SQL Server|(W|A)SQL Server.*Driver|Warning.*mssql_.*|(W|A)SQL Server.*[0-9a-fA-F]{8}|Exception Details:.*WSystem.Data.SqlClient.|Exception Details:.*WRoadhouse.Cms.|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient.|SQLite\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'SQL Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970003',tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+
+# IIS Errors leakage
+SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970004',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+SecRule RESPONSE_STATUS "!^404$" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970904',tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"
+	SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
+
+# Directory Listing
+SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
+        "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970013',tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_OUTBOUND_CHECK             
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
@@ -0,0 +1,27 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match.  If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "@gt 20".  This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+# You should also set the desired disruptive action (deny, redirect, etc...).
+#
+
+# Alert and Block on High Anomaly Scores - this would block outbound data leakages
+#
+SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
+    "chain,phase:4,id:'981200',t:none,deny,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}'"
+	SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain
+		SecRule TX:/^\d/ "(.*)"
+
--- a/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_60_correlation.conf
+++ b/iis/ModSecurityIIS/owasp_crs/base_rules/modsecurity_crs_60_correlation.conf
@@ -0,0 +1,42 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This file is used in post processing after the response has been sent to
+# the client (in the logging phase).  Its purpose is to provide inbound+outbound
+# correlation of events to provide a more intelligent designation as to the outcome
+# or result of the transaction - meaning, was this a successful attack?
+#
+
+
+# Correlated Successful Attack
+#
+SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
+    "chain,phase:5,id:'981201',t:none,log,pass,skipAfter:END_CORRELATION,severity:'0',msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
+        SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
+		
+
+# Correlated Attack Attempt 
+#
+SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
+    "chain,phase:5,id:'981202',t:none,log,pass,skipAfter:END_CORRELATION,severity:'1',msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
+	SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
+
+SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
+    "chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
+	SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"
+
+SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
+    "phase:5,id:'981204',t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
+
+SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
+    "phase:5,id:'981205',t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"
+
+SecMarker END_CORRELATION