FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic\modsec\10_asl_rules.conf
--
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
#Block compressed encoding
SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" \
"capture,log,auditlog,phase:1,t:none,deny,status:501,msg:'Atomicorp.com WAF Rules: ModSecurity does not support content encodings and can not detect attacks using it, therefore it must be blocked.',id:'340362',rev:1,severity:'3',logdata:'%{TX.0}'"
#check methods
SecRule REQUEST_METHOD "@pm TRACE TRACK CONNECT" \
"phase:1,id:'333793',t:none,pass,nolog,skip:1"
SecAction phase:1,id:334358,t:none,pass,nolog,skipAfter:END_METHOD_CHECKS
# Rule 340002: deny TRACE method
SecRule REQUEST_METHOD "@pm TRACE TRACK" \
"phase:1,deny,log,auditlog,status:403,t:none,id:340002,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: TRACE/TRACK method denied'"
# Rule 340361: deny CONNECT method
SecRule REQUEST_METHOD "CONNECT" \
"deny,status:403,log,auditlog,t:none,capture,phase:1,id:340361,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CONNECT method denied',logdata:'%{TX.0}'"
SecMarker END_METHOD_CHECKS
#protocol violation
SecRule REQUEST_METHOD "POST" "deny,status:403,log,auditlog,t:none,chain,rev:2,id:'390616',rev:2,phase:2,msg:'Atomicorp.com WAF Rules: POST request must have a Content-Length header',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
# Check for the expect header w/ HTTP/1.1 protocol
#
SecRule REQUEST_HEADERS:Expect "100-continue" \
"deny,status:403,t:none,chain,phase:2,log,auditlog,msg:'Atomicorp.com WAF Rules: Expect Header Not Allowed for HTTP 1.0. This is an HTTP 1.1 feature.',severity:'5',id:'390706',rev:1"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0"
# Rule 340012:
#Proxy Protection with our added MATCHED_VAR enhancement
SecRule REQUEST_URI_RAW "^\w+:/" \
"chain,phase:2,t:none,t:lowercase,capture,deny,log,auditlog,msg:'Atomicorp.com WAF Rules: Unauthorized Proxy access attempt',severity:'2',id:'340012',rev:3,logdata:'%{TX.0}'"
SecRule MATCHED_VAR "!@rx ://%{SERVER_NAME}/"
#Apache Range DOS attack protection rules
SecRule REQUEST_HEADERS:Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:2,log,auditlog,t:none,deny,status:403,msg:'Atomicorp.com WAF Rules: Range: Invalid Last Byte Value. This may be a DOS attack',logdata:'%{matched_var}',severity:'5',id:353012"
SecRule TX:2 "!@ge %{tx.1}"
SecRule REQUEST_FILENAME "\.pdf$" phase:2,id:334359,pass,t:none,t:lowercase,nolog,skipAfter:END_RANGE_DOS
SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\,(\d+)?\-(\d+)?\," \
"phase:2,log,auditlog,capture,rev:2,t:none,t:lowercase,deny,msg:'Atomicorp.com WAF Rules: Range: Too many fields, this may be a DOS attack',logdata:'%{matched_var}',severity:'5',id:353013"
SecMarker END_RANGE_DOS
#Webdav doesnt always include Content-Length
SecRule REQUEST_METHOD "^(?:CHECKOUT|PUT)" \
phase:1,id:364359,pass,t:none,nolog,skipAfter:END_TYPE_CHECK_1
SecRule REMOTE_ADDR "127\.0\.0\.1*" \
phase:1,id:364459,pass,t:none,nolog,skipAfter:END_TYPE_CHECK_1
#Request Body must define Content-Type per RFC, so application knows how to parse
#Prevents impedence mismatch attacks
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
"chain,phase:1,rev:7,t:none,drop,status:403,msg:'Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header',id:'392301',severity:'5',tag:'no_ar'"
SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none"
SecMarker END_TYPE_CHECK_1
# This one has limited utility as a fixed rule, this probably needs to be generated by the customer
# Restrict the maximum number of arguments in a request
SecRule &ARGS "@gt 1000" \
"chain,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Too many arguments in request (max set to 1000, increase as necessary for your system)',id:'390707',severity:'4',rev:7"
SecRule REQUEST_FILENAME "!((?:/(?:imaclean|massdelete)/)|^/cgi-bin/dada/mail\.cgi$|^/index\.php/mageworx/customoptions_options|^/za/|^/backoffice/|/moderate\.php)" "t:none,t:lowercase"
SecRule &REQUEST_COOKIES_NAMES "@gt 1000" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Too many cookies in request (max set to 1000, increase as necessary for your system)',id:'330707',severity:'4',rev:2"
Secrule REQUEST_URI "(?:/ajax-tab\.php|^/eprocservice/supplierinboundservice)" \
phase:2,id:344358,t:none,t:lowercase,pass,nolog,skipAfter:END_CHAR_CHECK
SecRule ARGS|ARGS_NAMES|!ARGS:/msg/|!ARGS:message|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/^jform/|!ARGS:/image/|!ARGS:resolution|!ARGS:post|!ARGS:depth|!ARGS:email|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/description/|!ARGS:/txt/|!ARGS:/text/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:sent_mail_folder "@validateByteRange 1-255" \
"pass,nolog,noauditlog,phase:2,rev:23,id:390617,t:none,t:urlDecodeUni,setvar:tx.invalidarg=1,setvar:tx.invalidarg2=%{matched_var_name}'"
#Is this a known spammer?
SecRule TX:INVALIDARG "@eq 1" \
"chain,t:none,deny,status:403,phase:2,msg:'Atomicorp.com WAF Rules: Spammer attempting to defeat recapatcha',rev:1,id:'395614',severity:'2'"
SecRule TX:INVALIDARG2 "ARGS:recaptcha_response_field"
SecRule TX:INVALIDARG "@eq 1" \
"chain,deny,status:403,phase:2,msg:'Atomicorp.com WAF Rules: Invalid character in ARGS',rev:23,id:'390614',severity:'2'"
SecRule TX:INVALIDARG2 "!@rx recaptcha_response_field"
SecMarker END_CHAR_CHECK
#block nulls and invalid characters
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:templateCode|!ARGS:areas|!ARGS:/password/|!ARGS:FoxyData|!ARGS:sent_mail_folder \
"@validateByteRange 1-255" \
"deny,status:403,phase:2,msg:'Atomicorp.com WAF Rules: Invalid character in request or headers',rev:10,id:'390613',severity:'2',t:none,t:urlDecodeUni"
#Check for digits in content length header
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,status:403,capture,phase:2,t:none,msg:'Atomicorp.com WAF Rules: Content-Length HTTP header is not numeric', severity:'2',rev:1,id:'390618',logdata:'%{TX.0}'"
#Response splitting attacks
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|REQUEST_URI "(?:\bhttp\/(?:0\.9|1\.[01])|< ?(?:html|meta)\b)" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Atomicorp.com WAF Rules: Possible HTTP Response Splitting Attack',id:'390712',logdata:'%{TX.0}',severity:'1',rev:5"
#SecMarker END_SPLIT_CHECKS
#Vpatching add on
#Prevent Impedence mismatches on ARG names
#SecRule ARGS_NAMES "!^[\^\$0-9a-zA-Z\#_-\.@\{\}\[\]\(\)]+$" \
#SecRule REQUEST_URI "\.php" \
#"capture,t:none,t:lowercase,phase:2,log,deny,id:390720,rev:2,msg:'Atomicorp.com WAF Rules: Possible Impedence Mismatch attack on PHP appliction using space to start argument name',logdata:'%{TX.0}',severity:'2'"
#SecRule ARGS_NAMES "^ "
#"t:none,capture,phase:2,log,deny,id:390720,rev:2,msg:'Atomicorp.com WAF Rules: Possible Impedence Mismatch attack by using space in argument name',logdata:'%{TX.0}',severity:'2'"
#"capture,t:none,t:urlDecodeUni,phase:2,log,deny,id:390720,rev:1,msg:'Atomicorp.com WAF Rules: Possible Impedence Mismatch attack on ARGUMENT NAME by using invalid character in argument name',logdata:'%{TX.0}',severity:'2'"
###############FILE PROTECTION RULES####################
#
Secrule REQUEST_URI "^/eprocservice/supplierinboundservice" \
phase:2,id:344359,t:none,t:lowercase,pass,nolog,skipAfter:END_FILE_PROTECTION_2
SecRule REQUEST_URI_RAW|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|REQUEST_FILENAME|!ARGS:templatecode|!ARGS:area|!ARGS:php|!ARGS:/form_data/ "@pm ../.. ... /etc /proc /var/tmp /usr /opt /sbin /bin /dev /tmp /kern /root /boot /sys /windows /winnt inetpub localstart.asp boot.ini ~root ~ftp ~bin ~nobody ~named ~guest ~logs ~sshd ~admin ~mysql ~postgres ~oracle ////////" \
"id:334399,rev:2,phase:2,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,pass,nolog,skip:1"
SecAction phase:2,id:334361,t:none,pass,nolog,skipAfter:END_FILE_PROTECTION_1
#potentially malicious recursion
#../../../../..
SecRule REQUEST_URI_RAW|REQUEST_FILENAME|ARGS|!ARGS:/text/|!ARGS:/txt/|!ARGS:/body/|!ARGS:/message/|!ARGS:data|!ARGS:/content/|!ARGS:/resolution/|!ARGS:/post/|!ARGS:/comment/|!ARGS:/desc/|!ARGS:/subject/|!ARGS:/content/|!ARGS:/keywords/|!ARGS:/note/|!ARGS:/title/ "^/?\.?\./\.\./\.\./\.\./\.\." \
"phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,id:347008,rev:14,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious deep path recursion denied'"
SecRule REQUEST_URI "!(?:/site-builder/|/node/(?:[0-9]+/(?:edit|add)|add/))" "t:none,t:lowercase"
SecRule REQUEST_URI "(^/node/(?:[0-9]+/(?:edit|add)|add)/)" "t:none,t:lowercase,phase:2,id:323714,pass,nolog,skipAfter:END_RULE_340008"
# Rule 340008: generic bogus path sigs
SecRule REQUEST_URI_RAW|REQUEST_FILENAME|REQUEST_HEADERS|ARGS|!ARGS:myDevEditControl_html|!ARGS:/^currentValue/|!ARGS:/message/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/summary/|!ARGS:resolution|!ARGS:prefix|!ARGS:/post/|!ARGS:/comment/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/content/|!ARGS:/keywords/|!ARGS:/note/|!ARGS:/title/|!ARGS:/msg/|!ARGS:suffix "/\.{3,}/" \
"capture,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,t:replaceNulls,id:340008,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Bogus Path denied',logdata:'%{TX.0},%{matched_var_name}'"
SecMarker END_RULE_340008
# Rule 340142: Special account protection
SecRule REQUEST_URI "~(?:root|ftp|bin|admin|nobody|shutdown|named|guest|logs|sshd|mysql|postgres|mysql|oracle|tortix|atomic)/" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,t:normalisePath,id:340142,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Special account protection'"
SecRule SERVER_PORT "^(?:30000|8443)$" phase:2,id:323712,pass,t:none,nolog,skipAfter:END_ASL_3
SecRule REQUEST_URI "(?:alt_mod_frameset.php|checkout_shipping.php|^/components/com_zoom/etc/|/admin\.swf\?nick=|/editor/filemanager/browser/default/browser\.html\?(type=image&)?Connector=\.\./\.\./connectors|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./\.\./(?:uploads|images)|^/etc/[a-z0-9-_]+\.(css|html?|jpe?g|gif|png|te?xt)$|^/\?cx=|^/wizard/edit/html$|/mancgi/cronrun\?command|^/index\.php\?module=asl&event=|^/site/index\.php\?do=/admincp/setting/edit/|^/plesk/server/migration/|^/smb/web/)" "t:none,t:lowercase,phase:2,id:323716,pass,nolog,skipAfter:END_RULE_340009"
# Rule 340009: generic recursion signatures
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:X-PageView|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:REFERER|ARGS|!ARGS:dictionaryPath|!ARGS:shell|!ARGS:/zip_path/|!ARGS:server_path|!ARGS:php|!ARGS:/^civicrm/|!ARGS:/imagemagick/|!ARGS:/^gvid_/|!ARGS:/app_path/|!ARGS:/script/|!ARGS:/bin_path/|!ARGS:/ffmpeg_path/|!ARGS:/exiftool_path/|!ARGS:/antiword/|!ARGS:/pdftotext/|!ARGS:/^SystemProperties/|!ARGS:/bin_path/|!ARGS:/IMConfig/|!ARGS:imagemagick_path|!ARGS:/referer/|!ARGS:/referrer/|!ARGS:response|!ARGS:data|!ARGS:cte_cmd|!ARGS:/setting/|!ARGS:MailPath|!ARGS:file_temporary_path|!ARGS:article|!ARGS:/shell/|!ARGS:/content/|!ARGS:/tx_extensionmanager/|!ARGS:/aspell/|!ARGS:title|!ARGS:/sidebar/|!ARGS:/^p_process/|!ARGS:prefix|!ARGS:suffix|!ARGS:resolution|!ARGS:/^w2Pcfg/|!ARGS:returnto|!ARGS:/url/|!ARGS:lnk|!ARGS:/gplus/|!ARGS:/pinterest/|!ARGS:/redirect/|!ARGS:name|!ARGS:/redirect/|!ARGS:/path_to_file_cmd/|!ARGS:timezone|!ARGS:ZM_EXTRA_DEBUG_LOG|!ARGS:/ZM_PATH/|!ARGS:/device/|!ARGS:/sendmail/|!ARGS:/txt/|!ARGS:/summary/|!ARGS:/text/|!ARGS:/^config/|!ARGS:/^dPcfg/|!ARGS:g2_prefix|!ARGS:g2_form[path]|!ARGS:/keyword/|!ARGS:field_id_29|!ARGS:/highlight/|!ARGS:/search/|!ARGS:/msg/|!ARGS:/comment/|!ARGS:/hilit/|!ARGS:/uri/|!ARGS:/url/|!ARGS:lnk|!ARGS:/gplus/|!ARGS:/pinterest/|!ARGS:/redirect/|!ARGS:product[media_gallery][images]|!ARGS:/subject/|!ARGS:/comment/|!ARGS:/data/|!ARGS:/txt/|!ARGS:csum|!ARGS:/post/|!ARGS:LiveURLSegment|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:/desc/|!ARGS:note_title|!ARGS:/^xjxargs/|!ARGS:backPath|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:/body/ "(?:(\.\.|^| )/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\/|\\\\)+inetpub|localstart\.asp|boot\.ini)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdLine,t:replaceNulls,capture,id:340009,rev:66,severity:2,msg:'Atomicorp.com WAF Rules: Protected Path Access denied in URI/ARGS',logdata:'%{TX.0},%{matched_var_name}',multimatch"
SecMarker END_RULE_340009
#Facebook does this odd HEAD or GET ../.. image queries from these net spaces
#66.220.144.0 - 66.220.159.255
#66.220.144.0/20
##173.252.64.0 - 173.252.127.255
SecRule REQUEST_METHOD "^(?:HEAD|GET)$" \
phase:2,id:335361,rev:2,t:none,chain,pass,nolog,skipAfter:END_FACEBOOK
SecRule REMOTE_ADDR "^(?:66\.220\.1(?:4[4-9]|5[0-9])\.|173\.252\.(?:[6-9][0-9]|1[0-2][0-7])\.)"
#Apps that need to recurse
SecRule REQUEST_URI "(?:alt_mod_frameset.php|checkout_shipping.php|^/components/com_zoom/etc/|/admin\.swf\?nick=|/editor/filemanager/browser/default/browser\.html\?(type=image&)?connector=\.\./\.\./connectors|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./.{0,32}(?:pics|uploads|images)|/admin/(?:structure/views/|[a-z]+/(?:edit|add))|^/site-(?:builder|content)/|/node/(?:[0-9]+/(?:edit|add)|add/)|^/([a-z0-9]+/)?site-(?:builder|content/)|^/administrator/index\.php\?option=com_templates)" \
phase:2,id:335461,rev:1,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skipAfter:END_FACEBOOK
# Rule 340006: generic recursion signatures
SecRule REQUEST_FILENAME|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|ARGS|!ARGS:Answer|!ARGS:/ultra_/|!ARGS:/icon/|!ARGS:Inhalt|!ARGS:/fields_prev/|!ARGS:Details|!ARGS:Lead|!ARGS:changes|!ARGS:/editfile/|!ARGS:thecode|!ARGS:/sourcedir/|!ARGS:elm1|!ARGS:/EditorZone/|!ARGS:file_private_path|!ARGS:/form_data/|!ARGS:code|!ARGS:/^wpm_o_plugin/|!ARGS:/^jform/|!ARGS:/^resp/|!ARGS:rpath|!ARGS:data|!ARGS:/template/|!ARGS:/content/|!ARGS:/sidebar/|!ARGS:editor1|!ARGS:resolution|!ARGS:/logo/|!ARGS:/^style_options/|!ARGS:manager_image_path|!ARGS:prefix|!ARGS:suffix|!ARGS:/CACHE_PATH/|!ARGS:connector|!ARGS:/comment/|!ARGS:/desc/|!ARGS:videoplayer|!ARGS:css_data|!ARGS:/txt/|!ARGS:/body/|!ARGS:wysiwyg_input|!ARGS:backPath|!ARGS:/text/|!ARGS:/message/|!ARGS:/^fck_/|!ARGS:htmlSource|!ARGS:path_to_lzx|!ARGS:trk "\.\./\.\./" \
"deny,status:403,t:none,t:urlDecodeUni,t:cmdline,capture,id:340006,rev:68,severity:2,msg:'Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS',logdata:'%{TX.0},%{matched_var_name}'"
SecMarker END_FACEBOOK
SecMarker END_FILE_PROTECTION_1
SecRule REQUEST_URI "(?:/products/index\.php\?gallery=|connector=\.\./\.\./connectors|/admin/(?:structure/views/|[a-z]+/(?:edit|add)|d/1/)|/phpthumb\.php\?((?:w|h)=[0-9]+&)?((?:w|h)=[0-9]+&)?src=\.\./.{0,32}(?:pics|uploads|images)|/site-(?:builder|content)/|/node/(?:[0-9]+/(?:edit|add)|add/)|^/typo3/sysext/rtehtmlarea/mod3/browse_links\.php\?@rtetsconfigparams|^/eprocservice/supplierinboundservice)" "t:none,t:lowercase,phase:2,id:323715,pass,nolog,skipAfter:END_RULE_340007"
#Rule 340007: generic recursion signatures
SecRule ARGS|!ARGS:/background/|!ARGS:/^ultra_/|!ARGS:/form_data/|!ARGS:/srcFile/|!ARGS:/^curUrl/|!ARGS:elm1|!ARGS:/EditorZone/|!ARGS:file_private_path|!ARGS:code|!ARGS:/^resp/|!ARGS:rpath|!ARGS:backpath|!ARGS:data|!ARGS:/body/|!ARGS:editor1|!ARGS:/sidebar/|!ARGS:/template/|!ARGS:/desc/|!ARGS:resolution|!ARGS:/problem/|!ARGS:/solution/|!ARGS:/^style_options/|!ARGS:/CACHE_PATH/|!ARGS:connector|!ARGS:/comment/|!ARGS:obrazek|!ARGS:/txt/|!ARGS:keywords|!ARGS:/icon/|!ARGS:/logo/|!ARGS:Details|!ARGS:/fields_prev/|!ARGS:Lead|!ARGS:/editfile/|!ARGS:/wysiwyg/|!ARGS:/ajax/|!ARGS:css_data|!ARGS:/text/|!ARGS:/message/|!ARGS:body|!ARGS:pagecontent|!ARGS:/html/|!ARGS:filecontent|!ARGS:content|!ARGS:filename|!ARGS:fck_body|!ARGS:text|!ARGS:/content/ "(?i)(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))(?:%(?:2(?:(?:52)?e|%45)|(?:e0%8|c)0%ae|u(?:002e|2024)|%32(?:%45|E))|\.){2}(?:\x5c|(?:%(?:2(?:5(?:2f|5c)|%46|f)|c(?:0%(?:9v|af)|1%1c)|u(?:221[56]|002f)|%32(?:%46|F)|e0%80%af|1u|5c)|\/))" \
"phase:2,deny,status:403,t:none,capture,id:340007,rev:44,severity:2,msg:'Atomicorp.com WAF Rules: Generic Path Recursion denied',logdata:'%{TX.0},%{matched_var_name}'"
SecMarker END_RULE_340007
SecRule SERVER_PORT "@streq 30000" phase:2,id:323710,pass,t:none,nolog,skipAfter:END_ASL_3
#Protected file upload protection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:templatecode|!ARGS:areas|!ARGS:title "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl .history sh_history" \
"phase:2,id:'333796',t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skip:1"
SecAction phase:2,id:334362,t:none,pass,nolog,skipAfter:END_FILE_PROTECTION_2
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:resolution|!ARGS:tiny_vals|!ARGS:/description/|!ARGS:title|!ARGS:/content/|!ARGS:/title/|!ARGS:parent_name|!ARGS:/^config_setting/|!ARGS:name|!ARGS:v_zZ_ConfDir|!ARGS:/keyword/|!ARGS:/desc/|!ARGS:/summary/|!ARGS:csum|!ARGS:suffix|!ARGS:prefix|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/search/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/|!ARGS:/data/ "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|( |^|\.\.)/etc/|/\.(?:history|bash_history|sh_history)$)" \
"phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:cmdLine,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com WAF Rules: Attempt to access protected file remotely',id:'390709',rev:26,logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_URI "!(^/file\?file=/etc/cccam\.cfg$|event=update_asl_config|^/etc/(?:js/|\?)|^/index\.php\?module=asl&event=|^/etc/img/)" "t:none,t:urlDecodeUni,t:lowercase"
SecMarker END_ASL_3
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/|/\.(?:history|bash_history|sh_history)$)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:cmdLine,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Atomicorp.com WAF Rules: Attempt to access protected file remotely',id:'390719',rev:6,logdata:'%{TX.0}',severity:'2'"
#
SecMarker END_FILE_PROTECTION_2
################ SQL injection rules #########################
#Always SQL injection cases w/ antievasion
SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|flv|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df|s)|gif|js|css|ico|avi|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt|wbk)$" phase:2,pass,id:'333797',t:none,t:lowercase,nolog,setvar:tx.static=1,skipAfter:END_SQL_CHECKS
SecRule REQUEST_URI "(^/node/add/|/admin/content/|/todo\?action=edit$|^/eprocservice/supplierinboundservice)" \
phase:2,pass,id:'333798',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS
SecRule ARGS:module "^modulebuilder$" \
phase:2,pass,id:'353799',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS
SecRule REQUEST_URI "^/adminer/adminer\.php\?server=" \
phase:2,pass,id:'375798',t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS_PM1
SecRule ARGS|!ARGS:/^cms_partial/|!ARGS:/type/|!ARGS:/searchClause/|!ARGS:import|!ARGS:DR|!ARGS:SAMLResponse|!ARGS:/wizArray/|!ARGS:/^Cms_Page/|!ARGS:search|!ARGS:pagetext|!ARGS:/database/|!ARGS:/^vpinfo/|!ARGS:website|!ARGS:suffix|!ARGS:Body|!ARGS:wikitext|!ARGS:type|!ARGS:content|!ARGS:areas|!ARGS:templatecode|!ARGS:website|!ARGS:/insertstring/|!ARGS:signature|!ARGS:/description/|!ARGS:Db_submit|!ARGS:text|!ARGS:code|!ARGS:comment|!ARGS:/sql/|!ARGS:prefix|!ARGS:/message/|!ARGS:query|!ARGS:/sql/|!ARGS:prefix|!ARGS:resolution|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/ "@pmFromFile sql.txt" \
"phase:2,deny,status:403,capture,id:340155,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,rev:24,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL Injection protection',logdata:'%{TX.0}'"
SecMarker END_SQL_CHECKS_PM1
#Always SQL injection cases w/ antievasion
#SecRule ARGS|!ARGS:/installcode/|!ARGS:/sql/|!ARGS:prefix|!ARGS:s_manifest|!ARGS:/database/|!ARGS:content|!ARGS:newcontent|!ARGS:query|!ARGS:/description/|!ARGS:/text/|!ARGS:Db_submit|!ARGS:/table/|!ARGS:EXPORTTABLE|!ARGS:/message/|!ARGS:previous_field|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:X-PageView|!ARGS_NAMES:/varchar/|!ARGS_NAMES:cfg_xsp_password|!ARGS:/body/|!ARGS:runQuery|!ARGS:field_type[]|!ARGS:/^field_type/|!ARGS:/^fieldtype_/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/subject/ "@pmFromFile sql.txt" \
# "phase:2,deny,status:403,capture,id:340160,t:none,t:hexDecode,t:replaceComments,t:compressWhiteSpace,rev:30,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL Injection protection',logdata:'%{TX.0}',chain"
#SecRule ARGS:module "!(^modulebuilder$)" "t:none,t:lowercase"
#SecRule REQUEST_URI "/index\.php\?module=administration"
#Always SQL injection cases w/ antievasion
SecRule ARGS|!ARGS:pagetext|!ARGS:/wizArray/|!ARGS:/database/|!ARGS:/installcode/|!ARGS:areas|!ARGS:templatecode|!ARGS:s_manifest|!ARGS:Db_submit|!ARGS:/database/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|ARGS_NAMES|!ARGS:/description/|!ARGS:/insertstring/|!ARGS_NAMES:/conf_varchar/|!ARGS_NAMES:table_name|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|!REQUEST_COOKIES_NAMES:/sql/ "@pmFromFile sql.txt" \
"phase:2,deny,status:403,capture,id:380023,t:none,t:base64Decode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL Injection protection',logdata:'%{TX.0}'"
#Always SQL injection cases w/ antievasion
SecRule ARGS|!ARGS:pagetext|!ARGS:message|!ARGS:/wizArray/|!ARGS:/database/|!ARGS:Db_submit|!ARGS:areas|!ARGS:templatecode|!ARGS:/description/|!ARGS:/sql/|!ARGS:prefix|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:query|ARGS_NAMES|!ARGS_NAMES:table_name|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|!REQUEST_COOKIES:/utm/ "@pmFromFile sql.txt" \
"phase:2,deny,status:403,capture,id:380024,t:none,t:hexDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL Injection protection',logdata:'%{TX.0}'"
SecMarker END_SQL_CHECKS
####################################
#First major set
Secrule REQUEST_URI "^/eprocservice/supplierinboundservice" \
phase:2,id:344356,t:none,t:lowercase,pass,nolog,skipAfter:END_INJECTION_RULES_ALL
SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|REQUEST_HEADERS|ARGS|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:templatecode|!ARGS:/insertstring/|!ARGS:areas|XML:/* "@pm select having grant delete insert drop alter replace truncate update create rename describe table database dba index into from convert bulk column update set union or = ' -- procedure declare serialize passthru outfile =1 null =2 =3 <=> <> != eval system exec trucate" \
"phase:2,id:'333799',t:none,t:urlDecodeUni,t:removeComments,pass,nolog,skip:1"
SecAction phase:2,id:334363,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_1
#allow for truevault
SecRule REQUEST_URI "^/([a-z0-9]+/)?wp-load\.php\?vaultpress=true" \
phase:2,id:336317,t:none,t:lowercase,pass,nolog,skipAfter:END_380122
#SQL stored procedure injection
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|XML:/*|ARGS|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/database/|!ARGS:comment|!ARGS:templatecode|!ARGS:areas|!ARGS:content|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/text/|!ARGS:/message/|!ARGS:/body/ "(?:procedure\s+analyse\s.{0,100}\(|create\s+(procedure|function)\s.{0,100}\w+\s.{0,100}\(\s.{0,200}\)\s.{0,100}declare[^\w]+[@#]\s.{0,100}\w+|exec\s.{0,100}\(\s.{0,200}@)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com WAF Rules: MySQL and PostgreSQL stored procedure/function injections',id:380122,rev:4,logdata:'%{TX.0}',severity:'2'"
SecMarker END_RULE_380122
#PHP shell code SQL injection
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|XML:/*|ARGS|!ARGS:/database/|!ARGS:SAMLResponse|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:areas|!ARGS:/database/|!ARGS:comment|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:definition "(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:passthru|serialize|system|eval|preg_\w+|exec|shell_exec ?(?:\(|\: ?'?))|select.{1,100}?(?:php|perl).{1,100}?into outfile)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload',id:380025,rev:6,logdata:'%{TX.0}',severity:'2'"
# Rule 340013:
#Prevent SQL injection in cookies
SecRule REQUEST_COOKIES|REQUEST_HEADERS:User-Agent|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|!REQUEST_COOKIES:/temp_widdit/ "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\}|\{|\,\(\)]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\bunion\b.{1,100}?\bselect\b.[a-z0-9]|select (?:load_file|char\()|(?:insert|remark)test;)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,id:340013,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL injection in cookie or UA',logdata:'%{TX.0}'"
# Rule 340015:
#Prevent SQL injection in UA
#SecRule REQUEST_HEADERS:User-Agent "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|union select [a-z0-9])"\
# "t:replaceComments,t:compressWhiteSpace,id:340015,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL injection in User Agent header'"
#
SecRule REQUEST_URI "(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:downloads|submit_news)|/admin\.php\?module=ns\-addStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/editcode/)" "t:none,t:lowercase,pass,nolog,id:340015,skipAfter:END_RULE_340016"
# Rule 340016:
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|ARGS|XML:/*|!ARGS:/^Cms_Page/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/brief/|!ARGS:templatecode|!ARGS:area|!ARGS:/changelog/|!ARGS:permissions|!ARGS:/^p_posts/|!ARGS:data|!ARGS:contenido|!ARGS:content|!ARGS:panels_data|!ARGS:source|!ARGS:/calotropis/|!ARGS:/searchclause/|!ARGS:resolution|!ARGS:SAMLResponse|!ARGS:/^info/|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:/txt/|!ARGS:inc|!ARGS:op|!ARGS:_signature|!ARGS:/^label_/|!ARGS:/teaser/|!ARGS:bio|!ARGS:/installcode/|!ARGS:UserData|!ARGS:code|!ARGS:/report/|!ARGS:/^gcaption/|!ARGS:/^p_process_chats/|!ARGS:/database/|!ARGS:/^para/|!ARGS:/comment/|!ARGS:/keywords/|!ARGS:cf85|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/desc/|!ARGS:movie_brief|!ARGS:/text/|!ARGS:/message/|!ARGS:ncontent|!ARGS:/body/|!ARGS:/content/|!ARGS:searchword|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:edited|!ARGS:content|!ARGS:Post|!ARGS:body|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:response[14]|!ARGS:/article/ "(?:(?:select|truncate|grant|drop|alter|replace|truncate|create|rename|describe)[[:space:]]+[a-z|0-9|\*|\,\(\)]+[[:space:]]+(?:into|from|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,|\{]|\bunion\b.{1,256}?select.{1,256}[a-z0-9].{1,256}(?:from|#|, ?[0-9a-z])|\bselect\b.{1,256}?(?:load_file|char\()|(?:insert|remark)test ?;|insert [a-z|0-9|\*|\,]+ (?:from|into|table|database|index|view|\{|\'|\`)[[:space:]]+\(|update [a-z0-9]+set |insert into (?:\{|\'|\`)|\btruncate table|delete from [a-z0-9]+ where|\' or true --)" \
"phase:2,deny,status:403,capture,multimatch,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:removecomments,t:compressWhiteSpace,id:340016,rev:35,severity:2,msg:'Atomicorp.com WAF Rules: Possible SQL injection attempt detected',logdata:'%{TX.0}'"
SecMarker END_RULE_340016
#bypass for these, no args
SecRule TX:STATIC "@eq 1" \
phase:2,id:'333800',pass,t:none,nolog,skipAfter:END_SQL_CHECKS_2
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" \
#phase:2,id:'333800',pass,t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS_2
# Rule 340017:
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|ARGS|!ARGS:SAMLResponse|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:ncontent|!ARGS:/body/|!ARGS:/installcode/|!ARGS:code|!ARGS:/content/|!ARGS:/database/|!ARGS:searchword|!ARGS:add_keywords|!ARGS:comment|!ARGS:comments|!ARGS:text|!ARGS:/description/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:contactMessage|!ARGS:cts|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:introtext|!ARGS:Post|!ARGS:itembigtext|!ARGS:/article/|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:/message/|!ARGS:content_en|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:data "(?:insert into values|select from [a-z|0-9]+!( and)|bulk insert|union select|union all select|convert \(.{1,256}from|select (?:load_file|char\(|\* from)|(?:insert|remark)test;)" \
"phase:2,deny,status:403,capture,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,chain,id:340017,rev:49,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL injection protection in ARGS',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:^/edit_page$|/node/[0-9]+/edit|^/forum/posting\.php|^/admins/wnedit\.php|modules\.php\?name=morums&file=posting&mode=|^/joomla/administrator/index2\.php|^/wiki/index\.php?.*action=submit|^/imp/compose\.php|^/horde/imp/compose\.php|/sql.php|/tbl_(?:change|s(?:ql|tructure))\.php|/admincp/template\.php\?do=(?:insert|update)template|admin/area/save-page\.php$|^/cgi-bin/cookmail\.exe$|^/catalog/secure_admin/categories\.php\?cpath=)" "t:none,t:lowercase"
# Rule 340144: Generic SQL sigs
SecRule REQUEST_URI "!(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/|^/projects/csb/milestone$|^/backoffice/index\.php\?controller=admintranslations)" \
"phase:2,deny,status:403,capture,t:none,t:lowercase,id:340144,rev:37,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL injection protection 2',chain,logdata:'%{TX.0}'"
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES:/temp_widdit/|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|ARGS|!ARGS:shortcode|!ARGS:/description/|!ARGS:/sys_template/|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:areas|!ARGS:body|!ARGS:/teaser/|!ARGS:/content/|!ARGS:wpSummary|!ARGS:ncontent|!ARGS:/installcode/|!ARGS:/database/|!ARGS:code|!ARGS:/report/|!ARGS:/database/|!ARGS:/text/|!ARGS:comment|!ARGS:/txt/|!ARGS:blogText|!ARGS:sendDescription|!ARGS:exec[text]|!ARGS:keywords|!ARGS:tiny_vals|!ARGS:postpagetext|!ARGS:display_query|!ARGS:Db_submit|!ARGS:Post|!ARGS:text|!ARGS:action|!ARGS:op|!ARGS:setup_db|!ARGS:wptextbox1|!ARGS:/message/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:query_string|!ARGS:query|!ARGS:description|!ARGS:/^para/|!ARGS:/narrative/|!ARGS:/FCKeditor/|!ARGS:/^info/|!ARGS:content|!ARGS:data|!ARGS:/^p_posts/ "(?:(?:alter|create|drop)[[:space:]].{0,100}/b(?:column|database|procedure|table)/b|delete[[:space:]] .{1,100}+ update [a-z0-9]+ set .{1,100}+=|union all select |\bunion\b.{1,100}?\bselect\b.{0,200}[a-z0-9]+ from |select (?:load_file|char ?\()|(?:insert|remark)test;)" "t:none,t:urlDecodeUni,t:lowercase,t:replaceComments,t:compressWhiteSpace"
SecMarker END_SQL_CHECKS_2
# Rule 340145: Generic SQL sigs
SecRule REQUEST_URI|ARGS|XML:/*|!ARGS:SAMLResponse|!ARGS:/cleandata/|!ARGS:FCKeditor|!ARGS:output|!ARGS:/^parabola_settings/|!ARGS:explanation|!ARGS:/^wp_meta_box/|!ARGS:/post/|!ARGS:product[name]|!ARGS:cookie|!ARGS:/^field\[6\]$/|!ARGS:UserData|!ARGS:serData|!ARGS:/^Cms_Page/|!ARGS:/^autoDS/|!ARGS:/^pages/|!ARGS:prefix|!ARGS:suffix|!ARGS:qa_answer|!ARGS:areas|!ARGS:templatecode|!ARGS:featured_ids|!ARGS:/teksti/|!ARGS:/^jform/|!ARGS:callforprice|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:condition|!ARGS:/^chronofield/|!ARGS:resolution|!ARGS:/desc/|!ARGS:/^cforms/|!ARGS:special|!ARGS:/email|!ARGS:/body/|!ARGS:/installcode/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/comment/|!ARGS:/content/|!ARGS:newcontent|!ARGS:/text/|!ARGS:/txt/|!ARGS:khxc_incphp--filename|!ARGS:/file_content/|!ARGS:filecontent|!ARGS:/message/|!ARGS:defaultParamList|!ARGS:body|!ARGS:gbu0_proddetdisp--incdisp|!ARGS:gbu0_prodcatdisp--incdisp "(?:or [0-9] ?= ?[0-9]|admin'(?: --| #)|or (?:'|\")? ?(?:0|1|2|3|a|b) ?(?:'|\")? ?= ?(?:'|\")? ?(/:0|1|2|3|a|b) ?(?:'|\")?|having 1 ?= ?1 ?--|null is null ?--| \b(\d+) ?(?:=|<>|<=>|\!=) ?[0-3]\b)" \
"phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:compressWhitespace,t:lowercase,capture,id:340145,rev:43,severity:2,msg:'Atomicorp.com WAF Rules: Possible SQL injection probe',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:/index\.php/admin/catalog_category/save|(?:/admin/stats|/css/gallery-css)\.php\?1=1|/admin\.php\?tile=mail$|/catalog_category/save/key/|/\?op=admin_settings|^/\?openpage=|/^admin/extra)" "t:none,t:lowercase"
# Rule 390572: Generic SQL sigs
SecRule ARGS|XML:/*|!ARGS:SAMLResponse|!ARGS:/cleandata/|!ARGS:serData|!ARGS:explanation|!ARGS:/post/|!ARGS:/^wp_meta_box/|!ARGS:cookie|!ARGS:/^field\[6\]$/|!ARGS:/^autoDS/|!ARGS:pagetext|!ARGS:featured_ids|!ARGS:/^pages/|!ARGS:/^Cms_Page/|!ARGS:qa_answer|!ARGS:/teksti/|!ARGS:areas|!ARGS:templatecode|!ARGS:/^jform/|!ARGS:callforprice|!ARGS:condition|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:prefix|!ARGS:pagetext|!ARGS:suffix|!ARGS:special|!ARGS:description|!ARGS:resolution|!ARGS:/^chronofield/|!ARGS:memo|!ARGS:/^cforms/|!ARGS:/email|!ARGS:/body/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/comment/|!ARGS:content|!ARGS:/descr/|!ARGS:newcontent|!ARGS:/text/|!ARGS:/txt/|!ARGS:/installcode/|!ARGS:/database/|!ARGS:khxc_incphp--filename|!ARGS:/file_content/|!ARGS:filecontent|!ARGS:/message/|!ARGS:defaultParamList|!ARGS:body|!ARGS:/^gbu0/ "(?:or.{1,100}1[[:space:]].{,100}=[[:space:]]1|or 1=[0-9]|admin'(?: --| #)| or '1'='1--|having 1 ?= ?1 --|or\+1=[0-9]|null is null ?--|(?:and|or) ?(\d+) ?(?:=|<>|<=>|!=) ?[1-3]\b)" \
"phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,t:replaceComments,t:compressWhitespace,capture,id:390572,rev:22,severity:2,msg:'Atomicorp.com WAF Rules: Possible SQL injection probe',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:/(?:catalog_category|featured)/save|(?:/admin/stats|/css/gallery-css)\.php\?1=1|/admin\.php\?tile=mail$|/\?op=admin_settings|^/\?openpage=|^/node/[0-9]+/(?:edit|webform/))" "t:none,t:lowercase"
# Rule 340146: Meta character SQL injection
SecRule REQUEST_URI "(?:insert[[:space:]]+into.+values|select (\*|[a-z0-9]+) from.+[a-z|0-9|\{]|select.+from|bulk[[:space:]]+insert|union.+select|select (?:load_file|char\()|convert ?\(from|and.{1,256}char\(|(?:insert|remark)test ?;)" \
"phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:lowercase,id:340146,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL metacharacter URI injection protection',logdata:'%{TX.0}'"
SecRule ARGS:boattype "!(^select)" "t:none,t:lowercase"
SecMarker END_SQL_INJECTION_RULE_1
####################### Second Set
#
SecRule TX:STATIC "@eq 1" \
phase:2,id:'333801',pass,t:none,nolog,skipAfter:END_SQL_CHECKS_3
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333801,pass,t:none,t:lowercase,nolog,skipAfter:END_SQL_CHECKS_3
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:SAMLResponse|!ARGS:contenido|!ARGS:/sql/|!ARGS:/^Cms_Page/|!ARGS:prefix|!ARGS:/database/|!ARGS:pagetext|!ARGS:query|REQUEST_HEADERS|!ARGS:/FCKeditor/|!ARGS:/narrative/|!ARGS:/insertstring/|!ARGS:templatecode|!ARGS:areas "@pm select outfile exec passthru serialize preg_ eval union concat file_put_contents" \
"phase:2,id:333802,t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,t:compressWhiteSpace,multimatch,pass,nolog,skip:1"
SecAction phase:2,id:333701,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_2
#shell code SQL injection
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:/sql/|!ARGS:prefix|!ARGS:contenido|!ARGS:query|!ARGS:/message/|!ARGS:templatecode|!ARGS:/^Cms_Page/|!ARGS:areas|!ARGS:pagetext|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:areas "(?:(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:system|eval ?\(|shell_exec|passthru|serialize|preg_\w+|exec).{1,100}?into)|select.{1,100}?(?:php|perl).{1,100}?into outfile|union select all|concat ?\(user_|insert into.{1,100}file_put_contents)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,multimatch,msg:'Atomicorp.com WAF Rules: SQL injection with payload - base64 encoded',id:381025,rev:4,logdata:'%{TX.0}',severity:'2'"
SecMarker END_SQL_INJECTION_RULE_2
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:contenido|!ARGS:/sql/|!ARGS:/^Cms_Page/|!ARGS:prefix|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:query|!ARGS:/message/|!ARGS:/narrative/|!ARGS:areas|!ARGS:templatecode "@pm file_put_contents select outfile exec passthru serialize" \
"phase:2,id:333803,t:none,t:urlDecodeUni,t:hexDecode,t:removeComments,pass,nolog,skip:1"
SecAction phase:2,id:334364,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_3
#PHP shell code SQL injection
SecRule REQUEST_URI|XML:/*|ARGS|!ARGS:/insertstring/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:/^Cms_Page/|!ARGS:pagetext|!ARGS:/database/|!ARGS:areas "(?:(?:\bunion\b.{1,100}?\bselect\b.{1,100}?php.{1,100}?(?:system|eval ?\(|shell_exec|preg_\w+|passthru|serialize|exec).{1,100}?into)|select.{1,100}?(?:php|perl).{1,100}?into outfile|insert into.{1,100}file_put_contents)" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:hexDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,msg:'Atomicorp.com WAF Rules: SQL injection with PHP/PERL payload - hex encoded',id:381026,rev:3,logdata:'%{TX.0}',severity:'2'"
SecMarker END_SQL_INJECTION_RULE_3
#SQL inline command attack with more AE cases
SecRule ARGS|XML:/*|!ARGS:SAMLResponse|!ARGS:areas|!ARGS:templatecode|!ARGS:/^Cms_Page/|!ARGS:/txt/|!ARGS:/text/|!ARGS:/teaser/|!ARGS:wpSummary|!ARGS:/narrative/|!ARGS:templatecode|!ARGS:/insertstring/|!ARGS:areas|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:content|!ARGS:file_content|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:text|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:/message/|!ARGS:content|!ARGS:/report/ "@pm char execute convert delete insert select drop create table declare null accesslevel user_name concat( union case xecresultset ;set @ cast" \
"phase:2,id:333804,t:none,t:base64Decode,t:hexDecode,t:replaceNulls,t:urlDecodeUni,t:compressWhiteSpace,t:replaceComments,t:compressWhiteSpace,multiMatch,pass,nolog,skip:1"
SecAction phase:2,id:334365,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_4
SecRule ARGS|XML:/*|!ARGS:/replaceAll/|!ARGS:areas|!ARGS:actionFilter|!ARGS:Error|!ARGS:code|!ARGS:thecode|!ARGS:param[DEFAULTVALUE]|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:data|!ARGS:resolution|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/prevObject/|!ARGS:/^Cms_Page/|!ARGS:json|!ARGS:/php/|!ARGS:wpSummary|!ARGS:/teaser/|!ARGS:fdata|!ARGS:file_content|!ARGS:/narrative/|!ARGS:data|!ARGS:/database/|!ARGS:/sql/|!ARGS:prefix|!ARGS:contenido|!ARGS:query|!ARGS:/descr/|!ARGS:/body/|!ARGS:/text/|!ARGS:/txt/|!ARGS:fck_tw_body|!ARGS:sub|!ARGS:msg_body|!ARGS:saved_data|!ARGS:fck_body|!ARGS:description|!ARGS:/message/|!ARGS:/content/|!ARGS:comment|!ARGS:p_action|!ARGS:/report/|!ARGS:/narrative/|!ARGS:/FCKeditor/ "(?:\w ?(?:user|and) {1,100}. char\([0-9]| \b(?:execute|convert)\(|; ?\bdelete\b.{1,100}?;(?:insert|declare ?\@|varchar) ?|and .{1,100} \( ?select .{1,100} from |(?:drop|create) {1,100}. table |(?:declare|convert) .{1,100} varchar\(|null ?, ?(?:null ?, ?(?:null|accesslevel|user_name)) ?,|concat\(|union select |union all select|\bcast\b .{1,50}\( as |xecresultset|' ?; ?declare\b @|; ?set @|select (?:load_file|char\()|(?:insert|remark)test ?;)" \
"chain,phase:2,deny,status:403,capture,id:340159,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:38,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL inline command protection (MM)',logdata:'%{TX.0}',multiMatch"
SecRule REQUEST_URI "!(/install/index\.php|/admin/fetch_data_af\.php\?action=create_txt_file_from_af_table$|/admin/structure/feeds/edit|^/([a-z]+/)?wp-admin/(?:admin|options-general)\.php\?page=wpsc-settings|/horde/services/ajax\.php/kronolith)" "t:none,t:lowercase"
SecMarker END_SQL_INJECTION_RULE_4
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:SAMLResponse|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:areas|!ARGS:templatecode|!ARGS:/narrative/|!ARGS:wpSummary|!ARGS:/database/|!ARGS:/text/|!ARGS:pass|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "@pm cast xecresults declare" \
"phase:2,id:333805,t:none,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,id:334366,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_5
#SQL Injection cases
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|!REQUEST_COOKIES_NAMES:/utm/|!REQUEST_COOKIES_NAMES:/_pk_ref/|REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:code|!ARGS:wpSummary|!ARGS:areas|!ARGS:templatecode|!ARGS:comment|!ARGS:/database/|!ARGS:/text/|!ARGS:pass|!ARGS:meta_descr|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:mytextarea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:/message/|!ARGS:content_en|!ARGS:general[description]|!ARGS:response[14]|!ARGS:article|!ARGS:wptextbox1 "(?:\bcast\b .{1.100} ?\(.{1,100} as |xecresultset|; ?declare\b ?\@)" \
"phase:2,deny,status:403,capture,id:340164,t:none,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: SQL Injection Attack',logdata:'%{TX.0}'"
SecMarker END_SQL_INJECTION_RULE_5
SecRule ARGS|REQUEST_URI|XML:/*|REQUEST_HEADERS|ARGS_NAMES|!ARGS:SAMLResponse|!ARGS:/^Cms_Page/|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:contenido|!ARGS:/report/|!ARGS:wpSummary|!ARGS:/teaser/|!ARGS:/txt/|!ARGS:/narrative/|!ARGS:/text/|!ARGS:areas|!ARGS:templatecode "@pm = char( varchar execute convert delete insert declare select drop create table convert( null accesslevel user_name concat( union cast xecresultset" \
"phase:2,id:333806,t:none,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:334367,t:none,pass,nolog,skipAfter:END_SQL_INJECTION_RULE_6
#Always bad SQL injection case w/ antievasion
#SecRule ARGS|!ARGS:/^fulltext/|!ARGS:message|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring]|!REQUEST_HEADERS:X-PageView "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
SecRule ARGS|!ARGS:Db_submit|!ARGS:/installcode/|!ARGS:/^fulltext/|!ARGS:contenido|!ARGS:/sql/|!ARGS:prefix|!ARGS:wpSummary|!ARGS:query|!ARGS:message|ARGS_NAMES|!ARGS:/narrative/|REQUEST_HEADERS|!ARGS:/^Cms_Page/|!ARGS:areas|!ARGS:/database/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:templatecode|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:comment|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring]|!REQUEST_HEADERS:X-PageView "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
"phase:2,deny,status:403,capture,id:340156,capture,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:14,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL injection protection',logdata:'%{TX.0}',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:/install/index\.php|/index\.php\?mode=install&sub=create_table$|^/admin/test/examples/txtsqladmin/index\.php|^/store/images/|^/([a-z]+/)?wp-admin/(?:admin|options-general)\.php\?page=wpsc-settings|/horde/services/ajax\.php/kronolith)" "phase:2,t:none,t:lowercase,id:344368,pass,nolog,skipAfter:END_RULE_340157"
#SQL inline command attac
SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_COOKIES|XML:/*|ARGS|!ARGS:error|!ARGS:thecode|!ARGS:/template/|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/^Cms_Page/|!ARGS:/insertstring/|!ARGS:pagetext|!ARGS:/appendTo/|!ARGS:json|!ARGS:data|!ARGS:areas|!ARGS:/^field_aut_content/|!ARGS:/^field_id/|!ARGS:actionFilter|!ARGS:post_excerpt|!ARGS:post_content|!ARGS:/^body/|!ARGS:response|!ARGS:/wp_autosave/|!ARGS:SAMLResponse|!ARGS:templatecode|!ARGS:contenido|!ARGS:/txt/|!ARGS:/text/|!ARGS:/teaser/|!ARGS:wpSummary|!ARGS:/narrative/|!ARGS:/installcode/|!ARGS:/php/|!ARGS:content|!ARGS:file_content|!ARGS:faqs_answer|!ARGS:/^para/|!ARGS:keywords|!ARGS:code|!ARGS:/sql/|!ARGS:prefix|!ARGS:data|!ARGS:/database/|!ARGS:/description/|!ARGS:alternate1|!ARGS:comment|!ARGS:body|!ARGS:fulldescr|!ARGS:article_content|!ARGS:query|!ARGS:/text/|!ARGS:txt|!ARGS:action|!ARGS:Db_submit|!ARGS:saved_data|!ARGS:form[pagina_text]|!ARGS:/message/|!ARGS:steps|!ARGS:fck_body|!ARGS:p_action|!ARGS:newcontent|!ARGS:/report/|!ARGS:/narrative/|!ARGS:/FCKeditor/ "(?:\w ?(?:user|and)(\w+)char ?\([0-9]| \b(?:execute|convert) ?\(|; ?\bdelete\b.{1,100}?; ?(?:insert|declare @|varchar) ?|and .{1,100} \(select |(?:drop|create) .{1,100} table |(?:declare|convert) .{1,100} varchar\(|null ?, ?null ?, ?(accesslevel|user_?name) ?,|concat\(|union select |union all select|xecresultset|' ?; ?declare\b ?@|; ?set @|select (?:load_file|char ?\()|(?:insert|remark)test;)" \
"phase:2,deny,status:403,capture,id:340157,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:38,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL inline command protection',logdata:'%{TX.0},%{matched_var_name}'"
SecMarker END_RULE_340157
#additional SQL injection checks on cookies
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/utm/ "(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|\b(?:execute|convert)\(|; ?\bdelete\b.{1,100}?; ?(?:insert|declare @|varchar) ?|and .{1,100} \(select |(?:drop|create)(\w+)table |(?:declare|convert) .{1,100} varchar\(|null ?, ?null ?, ?(?:accesslevel|user_?name) ?,|concat\(|union select |union all select|\bcast\b ?\(.{1,100} as |xecresultset|' ?; ?declare\b ?@|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)" \
"phase:2,deny,status:403,capture,id:340181,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Generic SQL inline command protection',logdata:'%{TX.0}'"
SecMarker END_SQL_INJECTION_RULE_6
SecMarker END_SQL_CHECKS_3
############ COMMAND INJECTION RULES #########################
SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|ARGS|!ARGS:title|!ARGS:templatecode|!ARGS:areas|!ARGS:/template/ "@pm cmd cd ls pwd perl echo uname curl kill sh cpp python chown rm ping rsync rdiff-backup scp wget links g++ chgrp chown passwd bash telnet wguest wsh rcmd ftp cmd32 nmap net nc \# \| \; \`" \
"phase:2,id:333807,rev:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1"
SecAction phase:2,id:334368,t:none,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_1
# Rule 340014:
#Prevent command injection through cookies
SecRule REQUEST_URI|REQUEST_COOKIES|!REQUEST_COOKIES:/utm/|!REQUEST_COOKIES:/_pk_ref/|ARGS|!ARGS:message|!ARGS:SAMLResponse|!ARGS:areas|!ARGS:/template/|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "(?:; ?curl |(?:&|;) ?(?:cmd|command) ?= ?(?:chdir|mkdir|rm) |cd /(?:tmp|/var/tmp|/etc/|/proc|\.\.) |\|id ?\; ?echo.{1,200}\||\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c)))" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:cmdline,t:replaceNulls,t:compressWhitespace,multimatch,chain,id:340014,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: CMD injection',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:/count\.cgi|^/magento/index\.php/admin/dashboard/|^/images/stories/|^/content/pdf/media/print)" "t:none,t:lowercase"
# Rule 340018:
#Generic command line attack filter
#SecRule REQUEST_URI "\|.*;.*;.*\|" \
# "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,chain,id:340018,rev:10,severity:2,msg:'Atomicorp.com WAF Rules: Generic command line attack filter',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(?:/count\.cgi|^/magento/index\.php/admin/dashboard/|^/images/stories/|^/content/pdf/media/print)" "t:none,t:lowercase"
# Rule 340029: script, perl, etc. code
SecRule REQUEST_URI|ARGS|!ARGS:/_edit_/|!ARGS:/details/|!ARGS:/block_value/|!ARGS:/News/|!ARGS:/products_/|!ARGS:/article/|!ARGS:/template/|!ARGS:editor1|!ARGS:prefix|!ARGS:suffix|!ARGS:/info/|!ARGS:payment_extrainfo|!ARGS:file|!ARGS:thecode|!ARGS:/chat/|!ARGS:snippet|!ARGS:/phpcode/|!ARGS:intro|!ARGS:/title/|!ARGS:/data_parent/|!ARGS:code|!ARGS:lajmi|!ARGS:/content/|!ARGS:/desc/|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:/content/|!ARGS:/keyword/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/ "; ?\b(?:cat|ls|perl|uname|pwd|cp|kill|tclsh8?|cpp|python|chown|rm|kill|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|bash|telnet)\b " \
"phase:2,deny,status:403,capture,id:340029,t:none,t:utf8toUnicode,t:urlDecodeUni,t:replaceNulls,t:compressWhitespace,t:lowercase,rev:24,severity:2,msg:'Atomicorp.com WAF Rules: Possible command in REQUEST_URI or Argument',logdata:'%{TX.0}'"
# Rule 340030: generic command line attack
SecRule REQUEST_URI "\|*(?:id|echo|uname|pwd) ?\;" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340030,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Pipe command line probe'"
SecRule REQUEST_URI "(?:id|echo|uname) ?; ?\|"
SecMarker END_CMD_INJECTION_RULE_1
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|w(?:mv|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x))$" phase:2,pass,t:none,t:lowercase,nolog,skipAfter:END_CMD_INJECTION_RULE_2
#Possible command injection attack
#SecRule ARGS "`" \
#"phase:2,t:none,t:urlDecodeUni,t:base64Decode,t:htmlEntityDecode,multimatch,pass,nolog,skip:1"
#SecAction phase:2,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_2
#
#SecRule ARGS "` ?`.*\+ ?\".*` ?`" \
# "capture,t:urlDecodeUni,t:base64Decode,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,multimatch,auditlog,msg:'Atomicorp.com WAF Rules: Possible Command Injection Attack',id:'380014',rev:1,severity:'2'"
#
#SecMarker END_CMD_INJECTION_RULE_2
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,id:333949,pass,t:none,t:lowercase,nolog,skipAfter:END_CMD_INJECTION_RULE_3
#
#SecRule ARGS|!ARGS:areas|!ARGS:/template/ "`" \
#"phase:2,id:333808,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skip:1"
#SecAction phase:2,id:334369,t:none,pass,nolog,skipAfter:END_CMD_INJECTION_RULE_3
#
#SecRule ARGS "` ?`.*\+ ?\".*` ?`" \
# "phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,auditlog,msg:'Atomicorp.com WAF Rules: Possible Command Injection Attack',id:'380015',rev:1,severity:'2'"
#SecMarker END_CMD_INJECTION_RULE_3
################# BAD FUNCTION RULES #########################
#types that do not have RFI at all
SecRule TX:STATIC "@eq 1" \
phase:2,id:'334817',pass,t:none,nolog,skipAfter:END_INJECTION_RULES_ALL
#additional types
SecRule REQUEST_FILENAME "(?:\.(?:cgi|js(?:on|f|pa?)|pl|aspx?|cfml?|do)$|/cgi-?(?:bin|cdn)/|/[a-z]+-cgi/)" phase:2,id:333810,pass,setvar:tx.nonphp=1,t:none,nolog,skipAfter:END_INJECTION_RULES_ALL
# Rule 340082: SMTP redirects
SecRule REQUEST_URI_RAW "^(?:(?:ht|f)tps?|connect):/.+:(25|465|587)" \
"phase:2,deny,status:403,t:none,t:lowercase,id:340082,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: SMTP redirect over http attempt'"
#RFI/injection rules
SecRule ARGS|REQUEST_URI|!ARGS:templatecode|!ARGS:areas|!ARGS:/url/|!ARGS:SAMLResponse "@pm http:// https:// ftp:// ftps:// ogg:// data:// php:// zlib:// gopher:// compress.zlib connect" \
"phase:2,id:333812,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:334370,t:none,pass,nolog,skipAfter:END_INJECTION_RULES_ALL
#pdf, which may have an arg as part of an XSS attack but no other RFI methods
SecRule REQUEST_FILENAME "\.pdf$" phase:2,id:333813,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES
#Bad function rules
# Rule 340019:
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS "compress\.zlib ?:" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340019,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Generic PHP bad functions protection'"
SecRule REQUEST_FILENAME "\.(?:xml|html?)$" phase:2,id:333811,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1
# Rule 340162: Generic PHP code injection protection in URI w/ anti-evasion
SecRule REQUEST_URI "(?:/(?:(?:wp-admin/(page|post|widgets|link|network/site-settings\.php|options|themes/basic/themify/img\.php\?src=|admin\.php?cf/cf\.php)|admin/(?:edittemplate|webpage_update|theme-options|add_edit_)|(?:signup|cpinquiry|profile))\.php|p(?:(?:hpbb\/install\/install\.ph|l\/download\?file=htt)p|roxy\/cb_proxy\.\?a=http:\/\/)|i(?:ndex\.php\/admin\/system_config\/save\/section\/payment\/|mp\/compose\.php)|tiki-(?:objectpermissions|editpage|view_cache)|jomsocial\/[a-z]+\/(?:edit|add))|^(?:\/(?:(?:[a-z0-9\-]+\/events\?(?:utm_|trk_)|node\/[0-9]+\/(?:edit|add)|[a-z]+\/unsubscribe)|(?:mysqldumper\/dump|xmlrpc)\.php$|go\.php\?u=affilorama&t=http:\/\/|\.services\/sitelogout)|/(?:b/ss/mxmacromedia|horde/services/go|node/add|cas/))|(?:(?:jw_allvideos_player|mod_mp3player)\?(?:file|playlist)=htt|ubbthreads\/admin\/dofeatures\.ph)p|ad-?server\/adjs|\?mode=addshout|^/administrator/index\.php\?option=com_rsform|^/index\.php/profile/register/registerprofile|^/[a-z]+/edit|^/(?:elements|admin/media)/(?:s(?:ave|ettings?)|appearance)/|^/panel\?comd=nlwebform|^/cocms/index\.php\?|^/ls_javascript_combine/|^/index\.php\?option=com_rsform|^/killboard/\?a=admin_idfeedsyndication|^/api/users|^/numo/module/form_handler/|^/admin/add_edit_document)" phase:2,id:333814,rev:6,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1
#SecRule ARGS "!@pmFromFile trusted-domains.conf" chain
SecRule ARGS|!ARGS:loc_db|!ARGS:/^woo/|!ARGS:pwd|!ARGS:/^objectTo/|!ARGS:1_1_8|!ARGS:/journal/|!ARGS:username|!ARGS:video|!ARGS:website|!ARGS:replace|!ARGS:searchword|!ARGS:/cdn/|!ARGS:/^xing/|!ARGS:ads|!ARGS:directories|!ARGS:/bookmark/|!ARGS:/case_name/|!ARGS:f_success|!ARGS:f_error|!ARGS:name|!ARGS:/userOption/|!ARGS:/brochure/|!ARGS:/target/|!ARGS:/^_d$/|!ARGS:klarna_order|!ARGS:/to$/|!ARGS:/schema/|!ARGS:protocol|!ARGS:str|!ARGS:/query/|!ARGS:/from/|!ARGS:/forward/|!ARGS:/^addon-/|!ARGS:/_script/|!ARGS:/graphic/|!ARGS:/virtuemart/|!ARGS:UF_VK|!ARGS:/powermail/|!ARGS:mp4|!ARGS:/confirmation/|!ARGS:/cloudflare/|!ARGS:/^ref_/|!ARGS:/hsw_ash/|!ARGS:/_online_/|!ARGS:/home/|!ARGS:reason|!ARGS:installFull|!ARGS:b2w|!ARGS:/email/|!ARGS:term|!ARGS:/source_array/|!ARGS:/button/|!ARGS:/bestand/|!ARGS:/^request/|!ARGS:m_wb|!ARGS:/customfield/|!ARGS:/keyword/|!ARGS:embed|!ARGS:/cmsform/|!ARGS:/title/|!ARGS:social_network|!ARGS:scope|!ARGS:fb|!ARGS:/^vfb-/|!ARGS:to|!ARGS:pu|!ARGS:sima|!ARGS:/movie/|!ARGS:dns|!ARGS:contact_info|!ARGS:source_code|!ARGS:/^ninja_forms/|!ARGS:listserv|!ARGS:p_zoho|!ARGS:sugarroot|!ARGS:cyswllt|!ARGS:/^attribute/|!ARGS:/^channel/|!ARGS:/^wdf_joodb/|!ARGS:/^replacer/|!ARGS:/^option/|!ARGS:/css_frame/|!ARGS:ad_code|!ARGS:tickets|!ARGS:war|!ARGS:slug|!ARGS:/whereto/|!ARGS:/search/|!ARGS:pack|!ARGS:origem|!ARGS:/extra_info/|!ARGS:str_sitio|!ARGS:post-id|!ARGS:xml|!ARGS:/metatags/|!ARGS:radio|!ARGS:shire|!ARGS:/^svc_id/|!ARGS:RelayState|!ARGS:ds_source|!ARGS:/^si_contact_/|!ARGS:next|!ARGS:clip|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:pattern_select|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^es-field/|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:junkWords|!ARGS:/foto/|!ARGS:/^attr_/|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:api|!ARGS:details|!ARGS:/^field/|!ARGS:profile_id|!ARGS:/^complete_action/|!ARGS:/buzz/|!ARGS:cc_list_id|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:/xcpr_/|!ARGS:back|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/live$/|!ARGS:/tripadvisor/|!ARGS:/itune/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:/^input_/|!ARGS:embed_code|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:application|!ARGS:refsrc|!ARGS:hp|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:/homa/e|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:loc|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:/media/|!ARGS:parent_name|!ARGS:back|!ARGS:/facebook/|!ARGS:/instagram/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:importremote|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^akID/|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:/callback/|!ARGS:subject|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:direct|!ARGS:/thumb/|!ARGS:fflv|!ARGS:direct|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:wlp|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/export/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:ucapi|!ARGS:/click/|!ARGS:rf|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:prodDownload|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:/body/|!ARGS:/^product_long_/|!ARGS:/content/|!ARGS:/banner/|!ARGS:heading|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:/host/|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:showStr|!ARGS:/http/|!ARGS:fetch|!ARGS:/txt/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:/usps_label/|!ARGS:/story/|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:/^bbcode_/|!ARGS:/vimeo/|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:/shopvk/|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:/frame/|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:revnews_ad_120|!ARGS:newText|!ARGS:/icon/|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:prefix|!ARGS:problem|!ARGS:archive_chrono|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:lnk|!ARGS:/gplus/|!ARGS:/pinterest/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:redir|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:stories_cat|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:/signature/|!ARGS:disc|!ARGS:utmr|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:/^wimpy/|!ARGS:/_ref/|!ARGS:/^pr_/|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:ret|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:Store_OUI_GlobalFooter|!ARGS:/^dynafield/|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://(.*)$" \
"phase:2,deny,status:403,capture,id:340162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:300,severity:2,msg:'Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected',logdata:'%TX:0,%{matched_var_name}'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase"
#SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/" "t:none,t:urlDecodeUni,t:lowercase"
#if its not encoded (which is why we dont use the transform), skip it as its already been reviewed in 340162
SecRule REQUEST_URI "=(?:ht|f)tps?://" phase:2,id:333815,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1
# Rule 340165: Generic PHP code injection protection in URI w/ anti-evasion for encoded cases where ARGS doesnt work
SecRule REQUEST_URI "://%{SERVER_NAME}/" phase:2,id:333816,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1
SecRule REQUEST_URI "(?:(?:site|ur(?:l|i)\]?|s(?:earch|itemap|earchtext|ubject|ervice|rc)|r(?:dfrom|equest)|utm_(?:source|term|c(?:tr|ontent))|owa_[a-z0-9]+|value|virtuemart|l(?:oc|ink)|off|war|youtube_id|k(?:eywords?|larna_order)|vid|next|snip?pet|feeds|name_ip|profile_id|details|go|r(?:esource|e(?:turn|f|pository|f?fer))|b(?:inary|vpage|ack|2w)|dns|media|page|hostname|filter[a-z]+|location|img|picture|path|\&u|destination|img_select|pattern_select|target|targetservice|web|referr?er|field-1|image|video|redirect|to|mp4|str|plugin_source) ?= ?https?://|/\?(?:r(?:eturn|edirect)|redirect_to)=http|=https?://localhost/|^/site-content/|^/[a-z0-9\/\-]+/(?:new|edit)/[0-9]+/(?:confirm|edit)$|^/staff/index\.php\?_m=ticket|^/ar/l\?|^/index\.php\?&eid=powermaileidmarketing)" phase:2,id:333817,rev:16,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_1
SecRule REQUEST_URI "!(^/index.php\?cmd=hbchat|^/wp-admin/admin\.php?cf/cf\.php)" \
"chain,phase:2,deny,status:403,capture,id:340165,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:284,severity:2,msg:'Atomicorp.com WAF Rules: Uniencoded possible Remote File Injection attempt in URI (AE)',logdata:'%{MATCHED_VAR}'"
SecRule REQUEST_URI "=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://" "t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase"
SecMarker END_INJECTION_RULES_1
#include injection attack
##include(http://bad)
SecRule ARGS|!ARGS:filecontent|!ARGS:/gen_header/|!ARGS:/template/|!ARGS:/content/|!ARGS:/description/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/message/ "include ?\(['\" ]?['\" ]?['\" ]? ?(?:ogg|gopher|data|php|zlib|(ht|f)tps?):/" \
"phase:2,deny,status:403,capture,id:340855,t:none,t:urlDecodeUni,t:replaceNulls,t:replaceComments,t:compressWhiteSpace,t:lowercase,chain,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: Include Remote File Injection attempt in argument',logdata:'%{TX.0}'"
SecRule MATCHED_VAR "!(https?://%{SERVER_NAME}/)"
# Rule 340031: remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(?:dat|gif|jpe?g|png|bmp|txt|vir|dot)\?" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340031,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Remote file inclusion'"
SecRule REQUEST_URI|ARGS "(?:(?:pm_path|pagina|path|include_location|root|page|open)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)|(?:cmd|command|inc)=)"
SecMarker END_INJECTION_RULES
SecMarker END_INJECTION_RULES_ALL
#types that do not have RFI at all
SecRule TX:STATIC "@eq 1" \
phase:2,id:'334818',pass,t:none,nolog,skipAfter:END_INJECTION_RULES_MULTI
#additional types
SecRule TX:NONPHP "@eq 1" \
phase:2,id:'333818',pass,t:none,nolog,skipAfter:END_INJECTION_RULES_MULTI
#File types that may have args, but can not be injected
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" phase:2,id:337819,rev:2,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_MULTI
#
#RFI/injection rules
SecRule ARGS|REQUEST_URI|!ARGS:SAMLResponse|!ARGS:templatecode|!ARGS:areas "@pm http:// https:// ftp:// ftps:// ogg:// zlib:// gopher:// compress.zlib" \
"phase:2,id:333819,t:none,t:replaceNulls,t:compressWhitespace,t:urlDecodeUni,t:base64Decode,t:hexDecode,multimatch,pass,nolog,skip:1"
SecAction phase:2,id:334371,t:none,pass,nolog,skipAfter:END_INJECTION_RULES_MULTI
# Rule 340163: Generic PHP code injection protection in URI w/ anti-evasion and multimatch
SecRule REQUEST_URI "(?:\/(?:(?:wp-admin\/(page|post|widgets|network/site-settings\.php|link|options|themes/basic/themify/img\.php\?src=|admin\.php?cf/cf\.php)|admin\/(?:edittemplate|webpage_update|theme-options|add_edit_)|(?:signup|cpinquiry|profile))\.php|p(?:(?:hpbb\/install\/install\.ph|l\/download\?file=htt)p|roxy\/cb_proxy\.\?a=http:\/\/)|i(?:ndex\.php\/admin\/system_config\/save\/section\/payment\/|mp\/compose\.php)|tiki-(?:objectpermissions|editpage|view_cache)|jomsocial\/[a-z]+\/(?:edit|add))|^(?:\/(?:(?:[a-z0-9\-]+\/events\?(?:utm_|trk_)|node\/[0-9]+\/(?:edit|add)|[a-z]+\/unsubscribe)|(?:mysqldumper\/dump|xmlrpc)\.php$|go\.php\?u=affilorama&t=http:\/\/|\.services\/sitelogout)|/(?:b/ss/mxmacromedia|horde/services/go|node/add|cas/))|(?:(?:jw_allvideos_player|mod_mp3player)\?(?:file|playlist)=htt|ubbthreads\/admin\/dofeatures\.ph)p|ad-?server\/adjs|\?mode=addshout|^/administrator/index\.php\?option=com_rsform|^/index\.php/profile/register/registerprofile|^/[a-z]+/edit|^/(?:admin/media|elements)/(?:s(?:ave|ettings?)|appearance)/|^/index\.php\?loginerror=incorrectpassword$|^/panel\?comd=nlwebform|^/cocms/index\.php\?s=|^/ls_javascript_combine/|^/index\.php\?option=com_rsform|^/killboard/\?a=admin_idfeedsyndication|^/api/users|^/numo/module/form_handler/|^/admin/add_edit_document)" phase:2,id:333702,rev:6,pass,t:none,t:lowercase,nolog,skipAfter:END_INJECTION_RULES_MULTI
SecRule REQUEST_URI|ARGS|!ARGS:loc_db|!ARGS:/^woo/|!ARGS:replace|!ARGS:pwd|!ARGS:/^objectTo/|!ARGS:1_1_8|!ARGS:/journal/|!ARGS:username|!ARGS:website|!ARGS:video|!ARGS:fb|!ARGS:searchword|!ARGS:/cdn/|!ARGS:/^xing/|!ARGS:directories|!ARGS:/bookmark/|!ARGS:/case_name/|!ARGS:f_success|!ARGS:f_error|!ARGS:/userOption/|!ARGS:name|!ARGS:/target/|!ARGS:/^_d$/|!ARGS:klarna_order|!ARGS:/to$/|!ARGS:/schema/|!ARGS:/brochure/|!ARGS:protocol|!ARGS:str|!ARGS:/query/|!ARGS:/from/|!ARGS:/forward/|!ARGS:/_script/|!ARGS:ads|!ARGS:/^addon-/|!ARGS:application|!ARGS:/graphic/|!ARGS:/virtuemart/|!ARGS:UF_VK|!ARGS:/powermail/|!ARGS:mp4|!ARGS:/confirmation/|!ARGS:/cloudflare/|!ARGS:/^ref_/|!ARGS:/hsw_ash/|!ARGS:/_online_/|!ARGS:/reason/|!ARGS:installFull|!ARGS:b2w|!ARGS:/^es-field/|!ARGS:term|!ARGS:/email/|!ARGS:/source_array/|!ARGS:/button/|!ARGS:/bestand/|!ARGS:/^request/|!ARGS:m_wb|!ARGS:/customfield/|!ARGS:/shopvk/|!ARGS:/keyword/|!ARGS:embed|!ARGS:/^cmsform/|!ARGS:social_network|!ARGS:scope|!ARGS:/^vfb-/|!ARGS:to|!ARGS:pu|!ARGS:/^meta/|!ARGS:sima|!ARGS:/movie/|!ARGS:dns|!ARGS:source_code|!ARGS:/^ninja_forms/|!ARGS:listserv|!ARGS:p_zoho|!ARGS:sugarroot|!ARGS:cyswllt|!ARGS:/^attribute/|!ARGS:/^channel/|!ARGS:/^wdf_joodb/|!ARGS:/^replacer/|!ARGS:options[alter][path]|!ARGS:/css_frame/|!ARGS:ad_code|!ARGS:tickets|!ARGS:war|!ARGS:slug|!ARGS:/whereto/|!ARGS:_search|!ARGS:pack|!ARGS:/extra_info/|!ARGS:origem|!ARGS:str_sitio|!ARGS:post-id|!ARGS:/metatags/|!ARGS:xml|!ARGS:radio|!ARGS:shire|!ARGS:/^svc_id/|!ARGS:/live$/|!ARGS:RelayState|!ARGS:ds_source|!ARGS:/contact_/|!ARGS:next|!ARGS:clip|!ARGS:txt|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:pattern_select|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:/foto/|!ARGS:junkWords|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:/^field/|!ARGS:details|!ARGS:/^complete_action/|!ARGS:profile_id|!ARGS:api|!ARGS:/^option_value/|!ARGS:button_src|!ARGS:cc_list_id|!ARGS:/buzz/|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:back|!ARGS:^/xcpr_/|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:/export/|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:embed_code|!ARGS:/^input_/|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:wlp|!ARGS:hp|!ARGS:refsrc|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:file|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:value_string_9|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:/home/|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/^obj_/|!ARGS:/photo/|!ARGS:/media/|!ARGS:/icon/|!ARGS:back|!ARGS:/facebook/|!ARGS:/instagram/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:parent_name|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:importremote|!ARGS:/callback/|!ARGS:/sponsors/|!ARGS:/^akID/|!ARGS:want2Read|!ARGS:search_string|!ARGS:/thumb/|!ARGS:subject|!ARGS:direct|!ARGS:fflv|!ARGS:direct|!ARGS:source_location/|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:resolution|!ARGS:/search_code/|!ARGS:/link/|!ARGS:/vimeo/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:/^utm/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:ucapi|!ARGS:clickTag1|!ARGS:rf|!ARGS:/title/|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:/^clickTagFrame/|!ARGS:/^attr/|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:confirm|!ARGS:/^groups/|!ARGS:prodDownload|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:/^GARS_existing/|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:loc|!ARGS:/body/|!ARGS:/^product_long/|!ARGS:/server/|!ARGS:/content/|!ARGS:/banner/|!ARGS:heading|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:search|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:/footer/|!ARGS:FAQTitle|!ARGS:/host/|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:fetch|!ARGS:/pingback/|!ARGS:/http/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:stretch|!ARGS:cat_sponsor|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:var_value[usps_labels_help_2]|!ARGS:/story/|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:/^bbcode_/|!ARGS:faqText|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:searchstring|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:right_frame|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:source|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:sm_b_style|!ARGS:/^css/|!ARGS:introduction|!ARGS:register_at|!ARGS:revnews_ad_120|!ARGS:newText|!ARGS:option[78]|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:prefix|!ARGS:clickTAG|!ARGS:problem|!ARGS:archive_chrono|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:lnk|!ARGS:/gplus/|!ARGS:/pinterest/|!ARGS:/redir/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:stories_cat|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:/signature/|!ARGS:disc|!ARGS:utmr|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:goto|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:/^wimpy/|!ARGS:msgpreview|!ARGS:/_ref/|!ARGS:/^pr_/|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:value_190|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:ret|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:def|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:Store_OUI_GlobalFooter|!ARGS:map|!ARGS:/^dynafield/|!ARGS:wysiwyg|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:code|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://(.*)$" \
"phase:2,deny,status:403,capture,t:none,t:urlDecodeUni,t:base64Decode,t:hexDecode,t:lowercase,multimatch,id:340163,rev:300,severity:2,msg:'Atomicorp.com WAF Rules: URL detected as argument, possible RFI attempt detected',chain"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "t:none,t:lowercase"
#SecRule MATCHED_VARS "!@rx ://%{SERVER_NAME}/"
SecMarker END_INJECTION_RULES_MULTI
#Remote command protection rules
SecRule REQUEST_URI|ARGS|!ARGS:/msg/|!ARGS:/sql/|!ARGS:prefix|!ARGS:/body/|!ARGS:/message/|!ARGS:/text/|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:/email/|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/descr/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/txt/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:/jform/|!ARGS:areas|!ARGS:templatecode|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "@pm cd perl killall python rpm yum apt-get emerge lynx links mkdir elinks cmd pwd wget lwp- id uname cvs svn rcp scp ssh rsh sftp netstat netcat rexec smbclient ftp curl telnet cc g++ whoami kill rm rsync nasm" \
"phase:2,id:334820,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,skip:1"
# SecAction phase:2,id:354372,t:none,pass,nolog,skipAfter:END_CMD2_ATTACKS
# Rule 340023: Generic remote comand attack signature
SecRule REQUEST_URI|ARGS|!ARGS:/msg/|!ARGS:post|!ARGS:/sql/|!ARGS:prefix|!ARGS:/body/|!ARGS:/search/|!ARGS:/message/|!ARGS:/text/|!ARGS:templatecode|!ARGS:areas|!ARGS:/illegalusernames/|!ARGS:/image/|!ARGS:resolution|!ARGS:depth|!ARGS:/email/|!ARGS:/comment/|!ARGS:mailbox|!ARGS:/descr/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/txt/|!ARGS:body|!ARGS:/message/|!ARGS:/content/|!ARGS:/password/|!ARGS:FoxyData|!ARGS:/jform/|!ARGS:areas|!ARGS:templatecode|!ARGS:site_first|!ARGS:sendDescription|!ARGS:templatecode|!ARGS:areas|!ARGS:wpSummary|!ARGS:/keyword/ "(?:\b(?:cd|perl|killall|traceroute|python|r(?:pm|sync)|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(?:download|request|mirror|rget)|id|uname|cvs|svn|(?:s|r)(?:cp|sh)|n(?:et(?:stat|cat)|asm)|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|whoami)\b |\brm\b \-[a-z] |\bcat\b /)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:cmdline,multimatch,capture,id:340023,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible remote command execution',logdata:'%{TX.0}'"
SecMarker END_CMD2_ATTACKS
############ PHP URL ATTACKS ####################
#
#PHP applications
SecRule REQUEST_FILENAME "\.php" \
"phase:2,id:333820,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,id:334372,t:none,pass,nolog,skipAfter:END_PHP_GENERIC_ATTACKS
# Rule 340117: General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI|ARGS|!ARGS:templatecode|!ARGS:areas "\[url ?= ?(?:script|javascript|applet|about|chrome|activex):/.*\].*\[ ?/ ?url ?\]" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340117,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: General [url] php forum protections'"
# Rule 340039: generic php attack sigs
SecRule REQUEST_FILENAME "!(/mod_cmd/index\.php)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340039,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: PHP command injection attempt'"
SecRule REQUEST_URI "(?:&(?:cmd|command)=(?:id|uname) |cmd\?(?:cmd|command)=|(?:spy|cmd|cmd_out|sh)\.(?:gif|jpg|png|bmp|txt)\?&(?:cmd|command)=|\.php\?&(?:cmd|command)=)"
# Rule 340137: Generic PHP avatar upload exploits
#SecRule REQUEST_BODY "content-disposition\: form-data\; name=\"avatar\"\;" \
# "phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,phase:2,id:340137,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: PHPBB avatar exploit',chain"
#SecRule REQUEST_BODY "\<\? ?php" chain
#SecRule REQUEST_BODY "\? ?>"
#
# Rule 340021: PHP Injection Attack generic signature
#SecRule REQUEST_URI|ARGS|!ARGS:templatecode|!ARGS:areas|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/problem/ "(?:\?(?:(?:local|include|pear|squizlib)_path|action|content|dir|name|menu|pm_path|pathtoroot|cat|pagina|path|include_location|root|page|gorumdir|site|topside|pun_root|open|seite)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:cmd|command)=(?:cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |uname|cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z]))" \
# "phase:2,deny,status:403,t:none,t:lowercase,t:replaceNulls,t:compressWhitespace,t:normalisePath,id:340021,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: PHP Injection Attack 1'"
#SecRule REQUEST_URI "!(/lightboxjs\.php\?path=http:/)" "t:none,t:lowercase"
# Rule 340022: PHP Injection Attack generic signature
#SecRule REQUEST_URI "\.php\?(?:(?:(?:local|include|pear|squizlib)_path|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|.*(?:cmd|command)=(?:cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(?:download|request|mirror|rget) |id|uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z]))" \
# "capture,chain,id:340022,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: PHP Injection Attack 2',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(/lightboxjs\.php\?path=http://)"
SecMarker END_PHP_GENERIC_ATTACKS
############## BAD FILE NAMES #########################
#ZenPhoto uses weird extensions when its using mod_rewite
#zp_user_auth
SecRule REQUEST_URI "@pm .gif.txt .gif.dat .jpeg.txt .jpeg.dat .jpg.txt .jpg.dat .png.txt .png.dat .bmp.txt .bmp.dat .php.jpg .jpg.pht .gif.pht .png.pht .php.jpeg .php.flv .php.gif .php.mp3 .php.mp4 .php.mpg .php.mpeg .php.png .php.bmp .php.tif .php.txt .php.dat .php.avi .php.wmv .php.mp3" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,id:340035,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Bogus file extensions'"
SecRule REQUEST_FILENAME "@pm .jpg.php .gif.php .png.php" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,id:341137,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Potentially Bogus PHP file'"
#SecMarker END_BAD_FILE_NAMES
############# GENERIC COMMAND ATTACK SIGS ##############
#SecRule REQUEST_URI "@pm perl ; ' | nc telnet sh exec ogg gopher http ftp lynx wget links curl ogg:// gopher:// cp @ rsync ftp cvs svn traceroute" \
# "phase:2,pass,nolog,skip:1"
#SecAction phase:2,pass,nolog,skipAfter:END_CMD_INJECTION_2
#
# Rule 340037: generic attack sig
#SecRule REQUEST_URI "(?:cd |\;|php |echo |perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |id|uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/bin/(xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail))" \
# "id:340037,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Generic command injection'"
# Rule 3400XX: Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[a-z0-9.&/?@_%=:;, -]+$"
# Rule 340059: traceroute command attempt
#SecRule REQUEST_URI "traceroute" \
# "chain,id:340059,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Command attempt (traceroute)'"
#SecRule REQUEST_URI " (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# Rule 340083: very experimental generic remote download sig
# These are VERY experiemental, please report false positives/negatives, etc.
# foo IP or FQDN, or foo http/https/ftp://whatever
#SecRule REQUEST_URI "(?:(?:perl|t?ftp|links|elinks|lynx|ncftp|(?:s|r)(?:cp|sh)|wget|lwp-(?:download|request|mirror|rget)|curl|cvs|svn).* (?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|traceroute (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" \
# "id:340083,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Generic Command attempt'"
# Rule 340084: Command inline detection
#SecRule REQUEST_URI "(?: |\;|/|\'|,|\&|\=|\.)(?:(?:s|r)(?:sh|cp)) *(?:.*\@.*|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" \
# "chain,id:340084,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Command injection attempt'"
#SecRule REQUEST_URI "!(?:/scp/tickets\.php|/cgi-bin/stats\.cgi)"
# Rule 340085: very experimental connect command sig
#SecRule REQUEST_URI "(?:(?:(?: |\;|/|\'|,|\&|\=|\.)(?:perl|nc|telnet|(?:r|s)sh|rexec) .*(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[a-z|0-9]\.[a-z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|\;perl [a-z|0-9]+;|(?:lynx|curl|wget|links) -dump |links (?:-(?:dump-(?:charset|width)|source)|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/))|(?: |\;|/|\'|,|\&|\=|\.)(?:(?:s|r)(?:sh|cp)) *(?:.*\@.*|(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(?:(?:perl|t?ftp|links|elinks|lynx|ncftp|(?:s|r)(?:cp|sh)|wget|lwp-(?:download|request|mirror|rget)|curl|cvs|svn).* (?:(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[a-z|0-9]\.[a-z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|traceroute (?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+))" \
# "capture,id:340085,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Command injection attempt',logdata:'%{TX.0}'"
#SecMarker END_CMD_INJECTION_2
########### SCANNER SIGS #######################
SecRule REQUEST_URI "@pm nessus w00tw00t hacked" \
"phase:2,id:333823,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,id:334374,t:none,pass,nolog,skipAfter:END_SCANNER_SIGS
# Rule 340069: nessus 1.X 404 probe
SecRule REQUEST_URI "(?:nessus(?:_is_probing_you_|test)|^/w00tw00t\.at\.)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340069,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Web vulnerability scanner'"
# Rule 340150: Dfind signature
# w00tw00t.at.ISC.SANS.DFind
# not likely to catch this, as it usually happens via an invalid
# HTTP/1.1 request without a hostname, which apache will reject therefore other rules
# WEB_ERROR_LOG will catch this
#SecRule REQUEST_URI "w00tw00t" \
# "phase:1,deny,status:403,t:none,t:lowercase,id:340150,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: DFind scanner attempt'"
# Rule 340141: wormsign
#SecRule REQUEST_URI "hacked ?by ?member ?of" \
# "id:340141,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: worm'"
SecMarker END_SCANNER_SIGS
################ PHP DEFENSES ########################
#
#SecRule ARGS:PHPSESSID ";www" \
# "phase:2,pass,nolog,skip:1"
#SecAction phase:2,pass,nolog,skipAfter:END_PHP_PROT_1
#
#types that do not have RFI at all
SecRule TX:STATIC "@eq 1" \
phase:2,id:'334819',pass,t:none,nolog,skipAfter:END_PHP_PROT_1
#additional types
SecRule TX:NONPHP "@eq 1" \
phase:2,id:'333824',pass,t:none,nolog,skipAfter:END_PHP_PROT_1
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk|(?:ht|x)ml)$" phase:2,id:333824,pass,t:none,t:lowercase,nolog,skipAfter:END_PHP_PROT_1
# Rule 340076: PHP defenses
SecRule ARGS:PHPSESSID "(?:!^[0-9a-z]*$|!^[0-9a-z]*;www)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340076,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: PHP Session attack'"
# Rule 340079: PHP defenses
SecRule REQUEST_COOKIES:sessionid "![0-9a-z]*$" \
"phase:2,deny,status:403,t:none,t:lowercase,id:340079,rev:10,severity:2,msg:'Atomicorp.com WAF Rules: PHP policy violation'"
SecMarker END_PHP_PROT_1
############# APACHE PROTECTIONS #####################
SecRule REQUEST_URI "@pm server-info/ server-status/ cwd= jsp desudesudesu" \
"id:333825,t:none,t:urlDecodeUni,phase:2,pass,nolog,skip:1"
SecAction phase:2,id:334375,t:none,pass,nolog,skipAfter:END_APACHE_PROT
# Rule 340114: Apache /server-info accessible
SecRule REQUEST_URI "^server-(?:info|status)/?$" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,id:340114,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Apache admin service access attempt'"
SecRule REMOTE_ADDR "!(127\.0\.0\.1*)" "t:none"
# Rule 340116: generic Common HTTP vulnerability
SecRule REQUEST_URI "(?:/\?cwd=/|a cat is fine too\.)" \
"phase:2,deny,status:403,t:none,t:lowercase,t:compresswhitespace,id:340116,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Common HTTP vulnerability'"
# Rule 340097: Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp" \
"phase:2,deny,status:403,t:none,t:lowercase,id:340097,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Tomcat view source attempt'"
SecMarker END_APACHE_PROT
################PHP CODE INJECTION ATTACKS ###################
#types that do not have RFI at all
SecRule TX:STATIC "@eq 1" \
phase:2,id:'333826',pass,t:none,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_4
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" phase:2,pass,t:none,t:lowercase,nolog,id:333826,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_4
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" phase:2,id:363828,pass,t:none,t:lowercase,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_4
SecRule REQUEST_FILENAME "(?:\.(?:pl|asp|f?cgi|do|exe|s?html)$|/cgi-bin/)" phase:2,id:333828,pass,t:none,t:lowercase,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_NOT_PERL
SecRule REQUEST_URI|REQUEST_BODY|ARGS|REQUEST_HEADERS|ARGS_NAMES|XML:/*|!ARGS:templatecode|!ARGS:areas "@pm chr system passthru serialize include php_uname preg_ mysql_query exec eval phpinfo decode_base64 base64_decode base64_url_decode rot13" \
"phase:2,id:334827,t:none,t:base64Decode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:334376,t:none,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_B64
SecRule REQUEST_URI "(/wp-login\.php\?vaultpress=true|/site-content/|^/admin/editform)" "t:none,t:lowercase,phase:2,id:334857,pass,nolog,skipAfter:END_PHP_CODE_INJECTION_ATTACKS_B64"
SecRule ARGS|!ARGS:templatecode|!ARGS:areas|!ARGS:/news/|!ARGS:rsargs|!ARGS:/note/|!ARGS:announcement|!ARGS:SAMLResponse|!ARGS:add_new|!ARGS:/content/|!ARGS:/wysiwyg/|!ARGS:/prefix/|!ARGS:/suffix/|!ARGS:/comment/|!ARGS:problem|!ARGS:resolution|!ARGS:subject|!ARGS:/body/|!ARGS:/^widget-section/|!ARGS:/template/|!ARGS:/^eip_/|!ARGS:/sql/|!ARGS:prefix|!ARGS:/keyword/|!ARGS:/msg/|!ARGS:metadata|!ARGS:post_content|!ARGS:parent_name|!ARGS:topic|!ARGS:file_content|!ARGS:/^serendipity/|!ARGS:comment|!ARGS:summary|!ARGS:configoptionname|!ARGS:Definition|!ARGS:/php/|!ARGS:/Metatags/|!ARGS:/footerfile/|!ARGS:/layout/|!ARGS:/message/|!ARGS:email|!ARGS:/desc/|!ARGS:body|!ARGS:content "(?:\(chr ?\( ?[0-9]{1,3} ?\)| ?= ?f(?:open|write) ?\(|\b(?:passthru|serialize|php_uname|phpinfo|shell_exec|preg_\w+|mysql_query|exec|include|eval|system|base64_decode|decode_base64|base64_url_decode|str_rot13)\b ?(?:\(|\:))" \
"phase:2,deny,status:403,t:none,t:base64Decode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,capture,id:340195,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Base64 Encoded PHP function in Argument - this may be an attack.',logdata:'%{TX.0}'"
SecMarker END_PHP_CODE_INJECTION_ATTACKS_B64
#non B64 rules
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|ARGS_NAMES|XML:/*|!ARGS:/template/|!ARGS:areas "@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 ?< ?name ?>.*\'\)\;)" \
"log,auditlog,deny,status:403,t:none,t:lowercase,t:compressWhiteSpace,id:340118,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Generic XML-RPC attack'"
SecRule XML:/* "(?:(\w+)and(\w+)char\([0-9]+\)|\b(?:execute|convert) ?\(|(?:\;delete.{1,100};(?:insert|declare @|varchar)|(?:and .{1,100} \(select |(?:drop|create)(\w+)table|declare .{1,100} varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select |\bcast\b ?\({1,100} as|xecresultset|' ?; ?declare @|; ?set @)" \
"deny,status:403,log,auditlog,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:390636,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: XMLRPC SQL injection attack'"
# Rule 340121: Specific XML-RPC attacks on xmlrpc.php
SecRule XML:/* "(?:(?:(?:echo|uname) ?(?:\'|\")|; ?exit ?;)|(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|php_uname|preg_\w+|execute) ?(?:\(|@|\: ?'?)|; ?(?:wget|curl|fetch|lwp-(?:download|request|mirror|rget)|ncftp|ftp) ?(?:h|f)ttps?:/)" \
"capture,deny,status:403,log,auditlog,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340121,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: XML-RPC attacks on xmlrpc.php',logdata:'%{TX.0}'"
# Rule 340122: XML-RPC SQL injection generic signature
SecRule XML:/* "(?:(?:select|grant|drop|alter|replace|truncate|create|rename|describe)[[:space:]]+[a-z|0-9|\*|,]+[[:space:]](?:from|into|table|database|index|view)|union select |union all select|select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\(|update [a-z0-9]+ set|delete from [a-z0-9]+ where)" \
"deny,status:403,log,auditlog,capture,t:none,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340122,rev:7,severity:2,msg:'Atomicorp.com WAF Rules: XML-RPC SQL injection ',logdata:'%{TX.0}'"
SecRule XML:/* "(?: ?eval\ ?\(|file_get_contents\ ?\(|\) ?;? exit ?;)" \
"log,deny,status:403,auditlog,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390635,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: XMLRPC encoded command injection attack'"
SecRule XML:/* "@pm select grant delete drop do alter replace truncate update create rename describe table database index view union load_file inserttest remarktest convert execute insert varchar drop table declare char exit uname define fgets move_uploaded_file readfile ftp_put ftp_fget gzd?en?code gzinflate ftp_nb_put bzopen readdir gzread fopen ftp_nb_f(put|get) ftp_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress curl_multi_exec curl_exec eval base64_decode base64_url_decode decode_base64 str_rot13 uname file_get_contents include parse_ini_file shell_exec mysql_query popen ini_ safe_mode phpinfo preg_ system exec passthru serialize file_get_contents " \
"id:333948,phase:2,t:none,t:base64Decode,pass,nolog,skip:1"
SecAction phase:2,id:334383,t:none,pass,nolog,skipAfter:END_XML_RPC_ATTACKS_B64
SecRule XML:/* "(?: ?eval\ ?\(|file_get_contents\ ?\(|\) ?;? exit ?;)" \
"log,deny,status:403,auditlog,t:none,t:base64Decode,t:compressWhiteSpace,t:lowercase,id:393635,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: XMLRPC base64 encoded command injection attack'"
# Rule 340122: XML-RPC SQL injection generic signature
SecRule XML:/* "(?:(?:select|grant|delete|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*|,]+[[:space:]](?:from|into|table|database|index|view)|union select |union all select|select (?:load_file|char\()|(?:insert|remark)test;|insert[[:space:]]+[a-z|0-9|\*|\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+\()" \
"deny,status:403,log,auditlog,capture,t:none,t:base64Decode,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340123,rev:7,severity:2,msg:'Atomicorp.com WAF Rules: XML-RPC base64 encoded SQL injection ',logdata:'%{TX.0}'"
# Rule 340120: XML-RPC generic attack sigs
SecRule XML:/* "(?:(?:(?:echo|uname) ?(?:\'|\")|; ?exit ?;)|(?:define|fgets|move_uploaded_file|readfile|ftp_put|ftp_fget|gzd?en?code|gzinflate|ftp_nb_put|bzopen|readdir|gzread|fopen|ftp_nb_f(put|get)|ftp_get|scandir|fscanf|readgzfile|fread|proc_open|fgetc|fgetss|ftp_fput|ftp_nb_get|session_start|fwrite|gzwrite|gzopen|gzcompress|curl_multi_exec|curl_exec|eval|base64_decode|base64_url_decode|decode_base64|str_rot13|php_uname|file_get_contents|include|parse_ini_file|shell_exec|mysql_query|popen|ini_(?:get|restore)|safe_mode|phpinfo|system|exec|passthru|serialize|php_uname|preg_\w+|execute) ?(?:\(|@|\: ?'?)|; ?(?:wget|curl|fetch|lwp-(?:download|request|mirror|rget)|ncftp|ftp) ?(?:h|f)ttps?:/)" \
"deny,status:403,log,auditlog,t:none,t:base64Decode,t:lowercase,t:replaceComments,t:compressWhiteSpace,id:340120,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Generic XML-RPC attack'"
SecRule XML:/* "(?:(\w+)and(\w+)char\([0-9]+\)|\b(?:execute|convert) ?\(|(?:\;delete.{1,100};(?:insert|declare @|varchar)|(?:and .{1,100} \(select |(?:drop|create)(\w+)table|declare .{1,100} varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select | \bcast\b\ ?\(.{1,100} as |xecresultset|' ?; ?declare\b @|; ?set @)" \
"deny,status:403,log,auditlog,t:none,t:base64Decode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:393636,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: XMLRPC base64 encoded SQL injection attack'"
SecMarker END_XML_RPC_ATTACKS_B64
SecMarker END_XML_RPC_ATTACKS
################ WORM SIGS ###########################
#
# Rule 340134: wormsign
SecRule REQUEST_HEADERS "xxxxxx+\: \+\+\+\+\+\+\+\+\+\+\+\+\+" \
"log,auditlog,deny,status:403,t:none,t:lowercase,id:340134,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Worm signature'"
#SecRule TX:STATIC "@eq 1" \
#phase:2,id:'333835',pass,t:none,nolog,skipAfter:END_WORM_SIGS
#SecRule REQUEST_FILENAME "\.(?:(?:m|j)pe?g4?|bmp|tiff?|p(?:(?:p|g|b)m|n(?:g|m)|df)|gif|js|css|ico|avi|flv|w(?:m(?:v|a)|ebp)|mp(?:3|4)|cgm|svg|swf|og(?:m|v|x)|doc|xls|od(?:t|s)|ppt|wbk)$" id:333835,phase:2,pass,t:none,t:lowercase,nolog,skipAfter:END_WORM_SIGS
#SecRule REQUEST_URI|ARGS|XML:/* "@pm thmc _ghc/rst_ " \
# "id:333836,t:none,t:urlDecodeUni,phase:2,pass,nolog,skip:1"
# SecAction phase:2,id:334384,t:none,pass,nolog,skipAfter:END_WORM_SIGS
# Rule 340135: THMC worm
#SecRule REQUEST_URI|ARGS|XML:/* "(?:thmc\.\$dbhost\.thmc\.\$dbname\.thmc\.\$dbuser\.thmc\.\$dbpasswd\.thmc|echo _ghc/rst_)" \
# "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340135,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: THMC or PHPBB worm'"
#SecMarker END_WORM_SIGS
################# IMAGE FILE CHECKS ######################
SecRule REQUEST_HEADERS:Content-Type "image/" \
"id:333837,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:replaceNulls,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,id:334385,t:none,pass,nolog,skipAfter:END_IMAGE_CHECKS
# Rule 340138: Fake image file shell attacvk
SecRule REQUEST_BODY "(?:(?:chr|system|passthru|serialize|eval|exec) ?\(|< ?\? php)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:340138,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Fake image file shell attack'"
# Rule 340140: bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.(?:php|txt|asp|pl|exe)" \
"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,id:340140,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Bogus graphics file'"
#SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)" \
SecMarker END_IMAGE_CHECKS
##############XSS RULES################################
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|QUERY_STRING|!ARGS:areas|!ARGS:templatecode "@pm script expression html onmouse onselect onsubmit onfocus onabort onblur onchange ondragdrop onkey ?= img src onload onerror import asfunction: background-image: fromcharcode frame input lowsrc mocha onblur onchange onclick ondragdrop onkeydown onkeypress onkeyup resize select unload shell: settimeout addimport @import url window.location < > env about applet activex chrome getparentfolder getspecialfolder href object eval" \
"id:333838,phase:2,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,pass,nolog,skip:1,multimatch"
SecAction phase:2,id:334386,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS
# Rule 340099: cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI|REQUEST_HEADERS "\< ?(?:img ?/? src ?=|body\b|input\b).{1,100}\bon(?:error|load|focus)\b ?=" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:lowercase,t:compressWhitespace,t:removeComments,id:340099,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt',multimatch"
SecRule REQUEST_URI|REQUEST_HEADERS "\< ?(?:img ?/? src ?=|body\b|input\b).{1,100}\bon(?:error|load|focus)\b ?=" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:341099,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt'"
# Rule 340102: cross site scripting attempt STYLE + JSCRIPT
SecRule REQUEST_URI|REQUEST_HEADERS "type ?= ?[\'\"]text\/(?:j|vb|x-vb|ecma|java|x-java)script" \
"chain,phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:340102,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt'"
SecRule REQUEST_URI "!(/(?:scripts|staff)/index\.php\?(?:action|_m)=)"
# Rule 340106: cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI|REQUEST_HEADERS "style ?= ?[\'\"]? ?x:expression ?\(" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:340106,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt STYLE + EXPRESSION'"
# Rule 340109: cross site scripting attempt using XML
SecRule REQUEST_URI|REQUEST_HEADERS "\[ ?cdata ?\[<\]\]> ?script" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:340109,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt using XML'"
# Rule 340110: cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI|REQUEST_HEADERS "(?:eval[\s]*\([\s]*[^\.]\.innerhtml[\s]*\)|window\.execscript[\s]*\()" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:340110,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt executing hidden Javascript'"
# Rule 340112: cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI|REQUEST_HEADERS "(?:(?:(?:url|src|href|lowsrc)[\s]*=)|(?:url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:340112,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting attempt to execute Javascript code'"
# Rule 340003: XSS insertion into headers
SecRule REQUEST_HEADERS|REQUEST_URI "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)|\bon(?:abort|blur|change|click|submit|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b ?= ?(\"|\')? ?\w|>( |\+)?<( |\+)?img( |\+)?src( |\+)?=( |\+)?(ht|f)tps?:/)" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,chain,id:340003,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: XSS attack in request headers'"
SecRule REQUEST_URI "!(modules/tinytinymce/tinymce/jscripts/tiny_mce/utils/validate\.js$)" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "!(clientscript/yui/connection/javascript\:false$)" "t:none,t:lowercase"
Secrule REQUEST_URI "^/eprocservice/supplierinboundservice" \
phase:2,id:345358,t:none,t:lowercase,pass,nolog,skipAfter:END_XSS_SPECIAL_2
# Rule 340211: stealth VBscript injection
SecRule REQUEST_URI|ARGS "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" \
"phase:2,deny,status:403,capture,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:normalisePathWin,t:lowercase,chain,id:340211,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e)|node\/[0-9]+\/(?:webform\/components\/|edit))|/(?:node/add/|admin/page/edit))" "t:none,t:lowercase"
#Rule 341211
#Jsencoded window eval
SecRule REQUEST_URI|ARGS "window ?\[ ?\' ?eval" \
"phase:2,deny,status:403,capture,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,id:341211,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: potentially untrusted encoded javascript detected',logdata:'%{TX.0}'"
# Rule 340210: cross site scripting stealth attempt to access shell
SecRule REQUEST_URI|ARGS "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:])" \
"phase:2,deny,status:403,capture,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,t:lowercase,chain,id:340210,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: cross site scripting stealth attempt to access shell',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e))|/(?:node/add/|admin/page/edit)|node\/[0-9]+\/(?:webform\/components\/|edit|add))" "t:none,t:lowercase"
SecMarker END_XSS_SPECIAL_2
SecRule SERVER_PORT "^844[3-5]$" \
"id:333839,phase:2,t:none,pass,nolog,skipAfter:END_PLESK1"
SecRule REQUEST_URI "(?:\/(?:index\.php\?(?:(?:module=blocks&type=admin&func=updat|eid=tx_cms_showpic&fil)e))|/(?:node/add/|admin/page/edit)|\?tab=admin|/admin_2s/|^/ndxz-?studio/|node\/[0-9]+\/(?:webform\/components\/|edit|add)|/mail/composemessage|/filemanager/filemanager\.php|/html/scripts/index\.php\?ukey|^/upload/js|^/admin\.php\?templates|/typo3conf/ext/t3quixplorer/|^/eprocservice/supplierinboundservice|^/services/ajax\.php/imp/sendmessage)" \
"id:357839,phase:2,t:none,t:lowercase,pass,nolog,skipAfter:END_PLESK1"
# Rule 340113 341211: cross site scripting stealth attempt to execute Javascript code
SecRule ARGS|!ARGS:/analitic/|!ARGS:/analytic/|!ARGS:ta|!ARGS:/wpcf7/|!ARGS:/htmlcode/|!ARGS:areas|!ARGS:templatecode|!ARGS:code|!ARGS:/^jform/|!ARGS:/content/|!ARGS:/tpl/|!ARGS:/header/|!ARGS:/rawcode/|!ARGS:/^tv/|!ARGS:/footer/|!ARGS:livezillacode|!ARGS:/script/|!ARGS:p_posts_va|!ARGS:description_short_1|!ARGS:senddescription|!ARGS:widget_code|!ARGS:/fckeditor/|!ARGS:emailmessage|!ARGS:wrap|!ARGS:/template/|!ARGS:cid "(?i:(((url|src|href|lowsrc)[\s]*=)|(url[\s]*[\(]))[\s]*['\x22]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:])" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,t:lowercase,capture,id:340113,rev:34,severity:2,msg:'Atomicorp.com WAF Rules: Potential attempt to inject javascript ',logdata:'%{TX.0},%{matched_var_name}'"
SecMarker END_PLESK1
# Rule 340020:
#XSS in referrer and UA headers
#SecRule REQUEST_HEADERS:REFERER|REQUEST_HEADERS:User-Agent "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parent|special)folder|< ?iframe |\.innerhtml|\|\")|>(?: |\+)?<(?: |\+)?img(?: |\+)?src(?: |\+)?=(?: |\+)?(?:ht|f)tps?:/)" \
# "phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,capture,id:340020,rev:34,severity:2,msg:'Atomicorp.com WAF Rules: XSS in referrer and UA headers',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_HEADERS:REFERER "!(^http://%{SERVER_NAME}/|pagead[0-9]\.googlesyndication\.com/pagead/|/gills\.swf?txt= ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?(>|<)|< ?/?i?frame|\%env)""t:none,t:removeNulls,t:utf8tounicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhiteSpace,t:lowercase"
#XSS generic filter and suspicious web code detector
SecRule REQUEST_URI "!(?:/(?:admin/(?:(?:build(?:/translate|language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss|(?:p(?:age_save|roduct_groups/edit/)|[a-z]+/[0-9]+/edit))|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:(/~[a-z0-9]+)?/\?q=node/[0-9]+/edit|\?(?:s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/support/agent/|^/content/item/edit/|^/index\.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/(?:p(?:age_save|roduct_groups/edit/)|[a-z]+/[0-9]+/(?:edit|add))|^/em/admin/\?page=send|^/eprocservice/supplierinboundservice|^/cp/index\.php\?controller=adminmodules)" \
"id:333840,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1,rev:7"
SecAction phase:2,id:334387,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skipAfter:END_XSS_ATTACKS_D1
#Filenames
SecRule REQUEST_FILENAME "!(/file-manager/edit/)" \
"id:366840,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1,rev:2"
SecAction phase:2,id:336687,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skipAfter:END_XSS_ATTACKS_D1
SecRule REQUEST_URI "(?:^/[a-z0-9/]+?panels/ajax/editor/edit-pane/panelizer|^/[a-z]+/media/ajax/image|^/admin/[a-z]+/[0-9]+)" \
"id:366870,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skipAfter:END_XSS_ATTACKS_D1"
# Rule 340147: Generic XSS filter
SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:insp_code|!ARGS:/marketing_code/|!ARGS:addthis|!ARGS:/go_code/|!ARGS:/shortcodes/|!ARGS:/analitics/|!ARGS:/area_id/|!ARGS:/theme/|!ARGS:/ga_code/|!ARGS:/analytic/|!ARGS:/_js_/|!ARGS:/schema/|!ARGS:/^ifeature/|!ARGS:/^redux/|!ARGS:/analyticscode/|!ARGS:/suffix/|!ARGS:/sadrzaj/|!ARGS:js_includes|!ARGS:/m1_source/|!ARGS:/geodir/|!ARGS:/banner_block/|!ARGS:/introcopy/|!ARGS:eingabe|!ARGS:ausgabe|!ARGS:/previewdata/|!ARGS:/tracking_extra/|!ARGS:/^groups/|!ARGS:video|!ARGS:/google_map/|!ARGS:/field_map/|!ARGS:/gacode/|!ARGS:code1|!ARGS:ga_code|!ARGS:customized|!ARGS:code_analytics|!ARGS:uvod|!ARGS:/^field_video/|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:/^texte$/|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:UserData|!ARGS:areas|!ARGS:templatecode|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:variable_data|!ARGS:/^instance/|!ARGS:/customfield/|!ARGS:notice|!ARGS:/formcode/|!ARGS:/ajax/|!ARGS:all|!ARGS:allowedTags|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/keycaptcha_code/|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/adsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:tracking_code|!ARGS:whats-new|!ARGS:analyticscode|!ARGS:top_news|!ARGS:data[config]|!ARGS:fulltext|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:/embed/|!ARGS:/desc/|!ARGS:/script/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:match_report|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:embedVideo|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:text|!ARGS:txt|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome)|< ?/?i?frame|\%env)" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:replaceComments,t:compressWhitespace,t:lowercase,capture,id:340147,rev:139,severity:2,msg:'Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'"
# Rule 340149: XSS injection
SecRule ARGS|!ARGS:/^asteria/|!ARGS:/^dbem/|!ARGS:insp_code|!ARGS:/marketing_code/|!ARGS:addthis|!ARGS:agreement|!ARGS:/go_code/|!ARGS:/custom/|!ARGS:/shortcodes/|!ARGS:/analitics/|!ARGS:/area_id/|!ARGS:/theme/|!ARGS:/ga_code/|!ARGS:/analytic/|!ARGS:/_js_/|!ARGS:/schema/|!ARGS:/^ifeature/|!ARGS:/^redux/|!ARGS:/analyticscode/|!ARGS:/suffix/|!ARGS:actionfilter|!ARGS:js_includes|!ARGS:/m1_source/|!ARGS:/geodir/|!ARGS:/suffix/|!ARGS:/banner_block/|!ARGS:/introcopy/|!ARGS:eingabe|!ARGS:ausgabe|!ARGS:/previewdata/|!ARGS:/tracking_extra/|!ARGS:SAMLResponse|!ARGS:/^groups/|!ARGS:video|!ARGS:/google_map/|!ARGS:/gacode/|!ARGS:code1|!ARGS:ga_code|!ARGS:customized|!ARGS:code_analytics|!ARGS:uvod|!ARGS:/^field_video/|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:payment_extrainfo|!ARGS:UserData|!ARGS:clone|!ARGS:areas|!ARGS:templatecode|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/prevObject/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^data\[News\]/|!ARGS:d|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:/^instance/|!ARGS:/customfield/|!ARGS:val333|!ARGS:notice|!ARGS:/formcode/|!ARGS:val333|!ARGS:all|!ARGS:allowedTags|!ARGS:/tracking/|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/keycaptcha_code/|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/gadsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:ide_text|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:sidebar|!ARGS:text1|!ARGS:analyticscode|!ARGS:top_news|!ARGS:data[config]|!ARGS:fulltext|!ARGS:tracking_code|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:/desc/|!ARGS:/footer/|!ARGS:/embed/|!ARGS:/script/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:match_report|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:pay_inst_1|!ARGS:sml_prt_1|!ARGS:/form/|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:input[Desarrollo]|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:move2|!ARGS:hoperation|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:mes|!ARGS:signature|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/header/|!ARGS:/submit/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\.add|\@)import |asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|submit|select|dragdrop|focus|key(?:down|press|up)|mouse(?:down|move|out|over|up))\b ?=.|shell\:|window\.location|asfunction:_root\.launch|\%env)" \
"phase:2,deny,status:403,t:none,t:removeNulls,t:utf8tounicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhiteSpace,t:lowercase,capture,id:340149,rev:154,severity:2,msg:'Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'"
SecRule REQUEST_BODY "^< ?\??( |\+)?xml" \
phase:2,id:333704,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_XSS_ATTACKS_D1
#suspicious code
SecRule REQUEST_URI "(?:/admin/(?:[a-z]+/(?:save|module/update/|edit)|publish|\?op=edit|content/update|appearance/settings/|d/1/)|/secure/roundcube/|/backend\.php/property/save|/edit/|/home/add|/\?act=edit|/site-content/|/project/update/|/index\.php\?option=com_?(?:easyblog|resource&controller=article|comprofiler&task=my_profile|aclassif)|/index\.php/datafeedmanager/adminhtml_datafeedmanager/save|/index\.php\?mode=(?:new|edit)story|^/filemanager/filemanager\.php|^/user_info/edit_profile/|/admin/editor/|^/user\.php\?op=edituser&htmltext=|^/admin/structure/|option=com_rsform&task=forms\.edit|^/ndxz-?studio/\?a=|^/support/agent|^/elements/save|^/settings/in_place_save/|^/ndxz2/|^/([a-z]+/)?index\.php/admin/s(?:ystem_config|ubject)/|^/(a-z)+/admin/programs/update_program|^/backoffice/\?op=edit|^/za/zcadm|^/efthuko\.php\?mod=editnews|^/mm-panel/index\.php|/ndxzstudio/|destination=admin/structure|/cms/db_manage\.php|^/mod_pagespeed|^/\?q=admin/appearance/settings|^/articles/(?:save|add|edit)|^/\?ptype=|/whmadmcp/addonmodules\.php|^/sh/file/|/multimediasave\.do|^/cms/|^/panel/index\.php|^/microagility/([a-z]+/)?useredit\.php|^/content_multigroup/|^/posts/edit)" \
phase:2,id:333732,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_XSS_ATTACKS_D1
SecRule ARGS|ARGS_NAMES|!ARGS:/rules/|!ARGS:dt|!ARGS:/^utm_/|!ARGS:/^ADVERT_/|!ARGS:ad|!ARGS:/submenu/|!ARGS:/area_id/|!ARGS:/snippet/|!ARGS:/social/|!ARGS:/^system/|!ARGS:/pfield/|!ARGS:/go_code/|!ARGS:/app_list/|!ARGS:/^epp/|!ARGS:/^akID/|!ARGS:/shortcode/|!ARGS:/custom/|!ARGS:head|!ARGS:/_mail_/|!ARGS:tpl|!ARGS:/object/|!ARGS:export|!ARGS:/introcopy/|!ARGS:cont|!ARGS:/geodir/|!ARGS:omesg|!ARGS:/terms/|!ARGS:/google/|!ARGS:/pass/|!ARGS:code|!ARGS:/^custom/|!ARGS:tele|!ARGS:/color/|!ARGS:/center/|!ARGS:/widget/|!ARGS:/theme/|!ARGS:/^value/|!ARGS:/itinerary/|!ARGS:repair|!ARGS:nw_brief|!ARGS:/definition/|!ARGS:/subject/|!ARGS:process|!ARGS:/daten/|!ARGS:/Beschreibung/|!ARGS:/desc/|!ARGS:/destination/|!ARGS:ausgabe|!ARGS:eingabe|!ARGS:/included/|!ARGS:Lead|!ARGS:/training/|!ARGS:/Education/|!ARGS:/wp_autosave/|!ARGS:aname|!ARGS:datos|!ARGS:/^profile_/|!ARGS:return_to|!ARGS:ad|!ARGS:/overview/|!ARGS:/^mce_/|!ARGS:namestyle|!ARGS:/ULTIMATUM/|!ARGS:/agree/|!ARGS:/ARGS:uutinen/|!ARGS:tracklist|!ARGS:/artwork/|!ARGS:/gacode/|!ARGS:btnApply|!ARGS:/Button/|!ARGS:/^VALUE\[1\]$/|!ARGS:connectorPassword|!ARGS:sample|!ARGS:sotenson|!ARGS:/source_code/|!ARGS:/Settings/|!ARGS:code1|!ARGS:/promo/|!ARGS:view|!ARGS:record_json|!ARGS:/offer/|!ARGS:op|!ARGS:geweest|!ARGS:send|!ARGS:pressestimmen|!ARGS:name|!ARGS:imagemap|!ARGS:/^extra/|!ARGS:afbeelding|!ARGS:action_name|!ARGS:nieuwsbrief|!ARGS:/locatie/|!ARGS:ingredients|!ARGS:priceField|!ARGS:inhoud|!ARGS:f_main|!ARGS:error|!ARGS:komentar|!ARGS:uvod|!ARGS:/^field_/|!ARGS:customized|!ARGS:/fullnews/|!ARGS:vraag|!ARGS:/^textarea-video/|!ARGS:/_layout_/|!ARGS:/^FieldValue/|!ARGS:areacomum|!ARGS:lomake|!ARGS:vastaus|!ARGS:target|!ARGS:areaprivativa|!ARGS:areas|!ARGS:qti_data|!ARGS:templatecode|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/^help_/|!ARGS:quote|!ARGS:notice|!ARGS:userdata|!ARGS:source|!ARGS:/^book/|!ARGS:/leftcol/|!ARGS:mes|!ARGS:sisalto|!ARGS:reg_rules|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:json|!ARGS:wpreason|!ARGS:extended|!ARGS:/Kirjoitukset/|!ARGS:item_list|!ARGS:/x_line_item/|!ARGS:/^var_value/|!ARGS:valori|!ARGS:/rightcol/|!ARGS:/^instance/|!ARGS:/pimage/|!ARGS:/allowedTags/|!ARGS:/^zcck/|!ARGS:/includes/|!ARGS:/^button/|!ARGS:/accommodation/|!ARGS:/restaurant/|!ARGS:/^breves/|!ARGS:/testimonial/|!ARGS:feature|!ARGS:headstone|!ARGS:/formcode/|!ARGS:/log/|!ARGS:/metatags/|!ARGS:/^customfield/|!ARGS:/^fields/|!ARGS:/embed/|!ARGS:val333|!ARGS:/banner/|!ARGS:/synopsis/|!ARGS:cb_talks|!ARGS:log|!ARGS:/^bt_|!ARGS:/next/|!ARGS:changedept|!ARGS:receipt_address|!ARGS:narrative|!ARGS:/results/|!ARGS:/teaser/|!ARGS:EnTrar|!ARGS:cv|!ARGS:dati|!ARGS:/experience/|!ARGS:/plan/|!ARGS:do|!ARGS:/para/|!ARGS:do|!ARGS:perex|!ARGS:/highlight/|!ARGS:/bio/|!ARGS:/short/|!ARGS:advanced|!ARGS:/contact/|!ARGS:/google_analytics/|!ARGS:review|!ARGS:rules|!ARGS:meta|!ARGS:/observacao/|!ARGS:/caption/|!ARGS:feed_product|!ARGS:/bbclosed/|!ARGS:logoutRequest|!ARGS:video1|!ARGS:/js_payload/|!ARGS:/abstract/|!ARGS:pc_main|!ARGS:/^property/|!ARGS:/notice/|!ARGS:/config/|!ARGS:/welcome/|!ARGS:des|!ARGS:pwd|!ARGS:structure|!ARGS:/tweet/|!ARGS:/table/|!ARGS:tag|!ARGS:ad_code|!ARGS:romancode|!ARGS:model|!ARGS:thecode|!ARGS:rqst|!ARGS:/^input_/|!ARGS:dhltrack|!ARGS:reflection|!ARGS:media|!ARGS:blurb|!ARGS:Thankyou|!ARGS:/OSDCS/|!ARGS:continue|!ARGS:do|!ARGS:waarde|!ARGS:img_alt|!ARGS:notes|!ARGS:drugs|!ARGS:/writing/|!ARGS:terms|!ARGS:/announ/|!ARGS:highlights|!ARGS:/^eeta-/|!ARGS:profile|!ARGS:/^prod/|!ARGS:/^News/|!ARGS:request|!ARGS:copy|!ARGS:/MapField/|!ARGS:/email/|!ARGS:main|!ARGS:/admin/|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:validatepromo|!ARGS:payment_sel|!ARGS:/title/|!ARGS:/submit/|!ARGS:contenu|!ARGS:/xjxargs/|!ARGS:block|!ARGS:btnCheckout|!ARGS:nav|!ARGS:/instructions/|!ARGS:/info/|!ARGS:recompose|!ARGS:compose|!ARGS:/^bname/|!ARGS:groupWelcomeScreen|!ARGS:langbericht|!ARGS:next|!ARGS:xsym_sym_brief|!ARGS:creategallery|!ARGS:/^copyright/|!ARGS:lease|!ARGS:livezillacode|!ARGS:sighting|!ARGS:cleaning|!ARGS:/^gui/|!ARGS:/Import_Cell/|!ARGS:/reply/|!ARGS:/^bbcode/|!ARGS:subhead|!ARGS:_cc|!ARGS:resume|!ARGS:addtoclass|!ARGS:/intro/|!ARGS:/answer/|!ARGS:registration_prices|!ARGS:registration_discounts|!ARGS:venue|!ARGS:/opportunit/|!ARGS:agenda|!ARGS:workshop|!ARGS:/^mainman/|!ARGS:features|!ARGS:/problem/|!ARGS:/signature/|!ARGS:/question/|!ARGS:entry|!ARGS:/form/|!ARGS:/qualification/|!ARGS:/detail/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/script/|!ARGS:/^product/|!ARGS:/report/|!ARGS:/^room_/|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:/^site_/|!ARGS:/translation/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:/embed/|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:/^_qf_/|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:/solution/|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/_section_/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/|!ARGS:/tagline/ "(?:> ?< ?(?:img ?src|a ?href) ?= ?(?:ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?(?:>|<)|< ?/?i?frame|\%env|^\"\>)" \
"chain,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:350147,rev:152,severity:2,msg:'Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected'"
SecRule MATCHED_VARS "!@rx ((?:submit(?:\+| )?(request)?(?:\+| )?>+|<<(?:\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)(?:\+| )?>+)$|^< ?\??(?: |\+)?xml|^> ?$)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase"
SecMarker END_XSS_ATTACKS_D1
SecRule REQUEST_HEADERS:REFERER|REQUEST_URI "(?:/plugins/editors/tinymce/jscripts/|/modules/tinymce/tinymce/jscripts|/phpinfo_iframe\.php|^pagead[0-9]\.googlesyndication\.com/pagead/|/wp-admin/press-this\.php|&(?:loc|u)='https?://)" \
phase:2,nolog,id:343732,pass,t:none,t:urlDecodeUni,t:lowercase,skipAfter:END_XSS_ATTACKS_D2
#XSS in referrer
SecRule REQUEST_HEADERS:REFERER "(?:= ?\' ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|< ?(?:script|about|applet|activex|chrome)|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml||lowsrc ?=|mocha\:|<{1,200}.\bon(?:abort|blur|change|click|dragdrop|focus|keydown|move|resize|select|submit|unload|key(?:press|up)|load|mouse(?:down|move|out|over|up))\b|settimeout|shell:|< ?i(?:mg|frame) ?src ?=( |\+)?(?:\"|\')?(ht|f)tps?:/)" \
"phase:2,deny,status:403,capture,id:340158,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,rev:20,severity:2,msg:'Atomicorp.com WAF Rules: XSS in referrer',logdata:'%{TX.0}'"
SecMarker END_XSS_ATTACKS_D2
#special exclusion for drupal webforms
SecRule REQUEST_URI "node/[0-9]+/webform/components/" \
"phase:2,deny,status:403,capture,chain,t:none,t:urlDecodeUni,t:lowercase,id:320476,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|!ARGS:/^extra/|!ARGS:op|!ARGS:/desc/|!ARGS:areas|!ARGS:templatecode|!ARGS:value[value]|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:quote-form|!ARGS:value|!ARGS:paepdc|!ARGS:/VB_announce/|!ARGS:/^autoDS/|!ARGS:newyddionc|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:s_query|!ARGS:bedrijfsprofiel|!ARGS:finish_survey|!ARGS:embeddump|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/tekst/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:c_features|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:verbiage|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:usr1|!ARGS:resolution|!ARGS:problem|!ARGS:/^product_options/|!ARGS:eintrag|!ARGS:/edit/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:Returnid|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:order|!ARGS:youtube|!ARGS:business|!ARGS:/homePage/|!ARGS:/post/|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:meta_info|!ARGS:ta|!ARGS:/data/|!ARGS:search_theme_form_keys|ARGS_NAMES|!ARGS_NAMES:user[click_or_onmouseover]|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/note/|!ARGS:/xml/|!ARGS:/^doc/|!ARGS:/desc/|!ARGS:tekst|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:/submit/|!ARGS:/message/|!ARGS:/header/|!ARGS:/html/|!ARGS:/content/|!ARGS:/link/|!ARGS:text|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|\" ?> ?<|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|\.innerhtml|\< ?input|(?:java|live|j|vb)script!s|lowsrc ?=|mocha\:|\bon(?:abort|blur|change|click|select|dragdrop|focus|keydown|keypress|keyup|mouse(?:down|move|out|over|up))\b|shell\:|window\.location|asfunction:_root\.launch|\%env)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase"
#Rule 340152: IE XSS attack
#SecRule REQUEST_URI_RAW|REQUEST_BODY "(?:< ?object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=|< ?applet[ /+\t].*?code[ /+\t]*=|< ?base[ /+\t].*?href[ /+\t]*=|)" "phase:2,t:none,t:lowercase,log,auditlog,msg:'Atomicorp.com WAF Rules: Cross Site Scripting Attack (IE variant)',id:340152,rev:23"
SecMarker END_XSS_ATTACKS
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_BODY|ARGS|QUERY_STRING|!ARGS:areas|!ARGS:templatecode "@pm script expression html onmouse img src onload onerror import asfunction: background-image: fromcharcode frame input lowsrc mocha onblur onselect onchange onclick ondragdrop onkeydown onkeypress onkeyup resize select unload shell: settimeout addimport @import url window.location < > env about applet activex chrome getparentfolder getspecialfolder href object" \
"id:333841,phase:2,t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,multimatch,pass,nolog,skip:1"
SecAction phase:2,id:334388,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS_2
#special exclusion for drupal webforms
SecRule REQUEST_URI "^/node/[0-9]+/webform/components/" \
"phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:320475,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Cross Site Scripting Attack',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|!ARGS:areas|!ARGS:templatecode|ARGS_NAMES|!ARGS:/desc/|!ARGS:value|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:/^value/|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:prefix|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|(?:alert|document\.write) ?\(||\" ?> ?<|\" ?[a-z]+ ?<|> ?\"? ?>|< ?/?i?frame|\%env)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,multiMatch"
# Rule 340148: XSS injection with multimatch checks
#XSS generic filter and suspicious web code detector
SecRule REQUEST_URI "!(?:/(?:admin/(?:(?:build(?:/translate|/language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:\/\?(?:q=node\/[0-9]+\/edit|(s|v))|\?(s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/index.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/(?:p(?:age_save|roduct_groups/edit/)|[a-z]+/[0-9]+/))" \
"id:333842,rev:3,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1"
SecAction phase:2,id:334389,t:none,pass,nolog,skipAfter:END_XSS_ATTACKS_D2
#Filenames
SecRule REQUEST_FILENAME "!(/file-manager/edit/)" \
"id:366841,phase:2,t:none,t:lowercase,t:urlDecodeUni,pass,nolog,skip:1,rev:2"
SecAction phase:2,id:336688,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,skipAfter:END_XSS_ATTACKS_D2
# Rule 340148: XSS injection with multimatch checks
SecRule ARGS|ARGS_NAMES|!ARGS:/^dbem/!ARGS:insp_code|!ARGS:/marketing_code/|!ARGS:addthis|!ARGS:/option_tree/|!ARGS:/go_code/|!ARGS:/custom/|!ARGS:/shortcodes/|!ARGS:/analitics/|!ARGS:/area_id/|!ARGS:/_head_/|!ARGS:/theme/|!ARGS:/ga_code/|!ARGS:/analytic/|!ARGS:/_js_/|!ARGS:/schema/|!ARGS:/^ifeature/|!ARGS:/^redux/|!ARGS:/analyticscode/|!ARGS:/suffix/|!ARGS:/sadrzaj/|!ARGS:js_includes|!ARGS:/m1_source/|!ARGS:/geodir/|!ARGS:/suffix/|!ARGS:/banner_block/|!ARGS:/introcopy/|!ARGS:ausgabe|!ARGS:eingabe|!ARGS:/previewdata/|!ARGS:/tracking_extra/|!ARGS:SAMLResponse|!ARGS:/^groups/|!ARGS:video|!ARGS:/google_map/|!ARGS:/gacode/|!ARGS:code1|!ARGS:sotenson|!ARGS:ga_code|!ARGS:customized|!ARGS:code_analytics|!ARGS:uvod|!ARGS:/^field_video/|!ARGS:q|!ARGS:/^textarea-video/|!ARGS:leirro|!ARGS:lomake|!ARGS:vastaus|!ARGS:vraag|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/log_code/|!ARGS:/^ADVERT_/|!ARGS:UserData|!ARGS:areas|!ARGS:templatecode|!ARGS:/prevObject/|!ARGS:/replaceAll/|!ARGS:/insertBefore/|!ARGS:/insertAfter/|!ARGS:/prependTo/|!ARGS:/appendTo/|!ARGS:/mapcode/|!ARGS:googleCode|!ARGS:/^recipient/|!ARGS:optional_head|!ARGS:/^form/|!ARGS:/^var_value/|!ARGS:variable_data|!ARGS:/customfield/|!ARGS:val333|!ARGS:notice|!ARGS:/formcode/|!ARGS:/ajax/|!ARGS:all|!ARGS:allowedTags|!ARGS:/tracking/|!ARGS:/google_analytics/|!ARGS:/widget/|!ARGS:ad_code|!ARGS:/jscode/|!ARGS:postcontents|!ARGS:/keycaptcha_code/|!ARGS:/gadsense/|!ARGS:video1|!ARGS:/updateAds/|!ARGS:map|!ARGS:gmapcode|!ARGS:/^Sidebar/|!ARGS:/^wpTextbox/|!ARGS:paragrafo|!ARGS:/question/|!ARGS:/style/|!ARGS:sidebar|!ARGS:analyticscode|!ARGS:top_news|!ARGS:tracking_code|!ARGS:data[config]|!ARGS:fulltext|!ARGS:introtext|!ARGS:offertext|!ARGS:block|!ARGS:livezillacode|!ARGS:whats-new|!ARGS:/embed/|!ARGS:/desc/|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:/footer/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:/script/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:/^field_/|!ARGS:match_report|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:/^instance/|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:intro|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:_qf_Select_next|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:contact_form_information|!ARGS:/^site_/|!ARGS:/^translations/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:embedVideo|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:embeddump|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:prefix|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/^field_id/|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?script|< ?(?:i?frame ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(ht|f)tps?)\:/|document\.write ?\(|(?:<|< ?/) ?(?:(?:java|vb)script|applet|activex|chrome)|< ?/?i?frame|\% ?env)" \
"phase:2,deny,status:403,capture,t:none,t:removeNulls,t:utf8tounicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhiteSpace,t:lowercase,multiMatch,id:340148,rev:150,severity:2,msg:'Atomicorp.com WAF Rules: Potential Cross Site Scripting Attack',logdata:'%{TX.0}'"
SecRule REQUEST_BODY "^< ?\??( |\+)?xml" \
phase:2,id:333706,pass,t:none,t:urlDecodeUni,t:lowercase,nolog,skipAfter:END_XSS_ATTACKS_D2
# Rule 350148: potentially malicious web code with multimatch checks
SecRule REQUEST_URI "!(?:/admin/(?:[a-z]+/(?:save|module/update/|edit)|publish|\?op=edit|content/update|appearance/settings/|d/1/)|/secure/roundcube/|/edit/|/backend\.php/property/save|/home/add|/\?act=edit|/site-content/|/project/update/|/index\.php\?option=com_(?:easyblog|resource&controller=article|comprofiler&task=my_profile|aclassif)|/index.php/datafeedmanager/adminhtml_datafeedmanager/save|/index\.php\?mode=(?:new|edit)story|^/filemanager/filemanager\.php|^/user_info/edit_profile/|/admin/editor/|^/user.php\?op=edituser&htmltext=|^/admin/structure/|option=com_rsform&task=forms\.edit|^/ndxz-?studio/\?a=|^/support/agent|^/elements/save|^/settings/in_place_save/|^/ndxz2/|^/([a-z]+/)?index\.php/admin/s(?:ystem_config|ubject)/|^/(a-z)+/admin/programs/update_program|^/backoffice/\?op=edit|^/za/zcadm|^/efthuko\.php\?mod=editnews|^/mm-panel/index\.php|/ndxzstudio/|destination=admin/structure|/smart_forms/live/save_section\.php|^/mod_pagespeed|^/\?q=admin/appearance/settings|^/articles/(?:save|edit|add)|^/\?ptype=|/whmadmcp/addonmodules\.php|^/sh/file/|/multimediasave\.do|^/cms/|^/panel/index\.php|^/posts/edit)" \
"capture,phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:350148,rev:152,severity:2,msg:'Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected ',logdata:'%{TX.0},%{matched_var}'"
SecRule ARGS|!ARGS:/social/|!ARGS:/pfield/|!ARGS:/rules/|!ARGS:/go_code/|!ARGS:/app_list/|!ARGS:/^epp/|!ARGS:/shortcode/|!ARGS:/^akID/|!ARGS:/area_id/|!ARGS:head|!ARGS:tpl|!ARGS:export|!ARGS:/object/|!ARGS:cont|!ARGS:/custom/|!ARGS:/terms/|!ARGS:/snippet/|!ARGS:omesg|!ARGS:/google/|!ARGS:/geodir/|!ARGS:tele|!ARGS:code|!ARGS:dt|!ARGS:/color/|!ARGS:/theme/|!ARGS:/center/|!ARGS:/widget/|!ARGS:/^value/|!ARGS:/^custom/|!ARGS:/pass/|!ARGS:repair|!ARGS:/definition/|!ARGS:/daten/|!ARGS:/subject/|!ARGS:nw_brief|!ARGS:/Beschreibung/|!ARGS:process|!ARGS:/introcopy/|!ARGS:ausgabe|!ARGS:eingabe|!ARGS:Lead|!ARGS:/desc/|!ARGS:/itinerary/|!ARGS:/included/|!ARGS:/destination/|!ARGS:/training/|!ARGS:/^room_/|!ARGS:aname|!ARGS:/Education/|!ARGS:/wp_autosave/|!ARGS:return_to|!ARGS:/^profile_/|!ARGS:/^utm_/|!ARGS:ad|!ARGS:namestyle|!ARGS:/ULTIMATUM/|!ARGS:/^mce_/|!ARGS:/uutinen/|!ARGS:/agree/|!ARGS:/artwork/|!ARGS:/overview/|!ARGS:/_section_/|!ARGS:/Button/|!ARGS:/^prod/|!ARGS:btnApply|!ARGS:/^VALUE\[1\]$/|!ARGS:/^system/|!ARGS:/gacode/|!ARGS:sample|!ARGS:/source_code/|!ARGS:/Settings/|!ARGS:code1|!ARGS:sotenson|!ARGS:view|!ARGS:record_json|!ARGS:geweest|!ARGS:send|!ARGS:pressestimmen|!ARGS:name|!ARGS:imagemap|!ARGS:/^extra/|!ARGS:afbeelding|!ARGS:action_name|!ARGS:nieuwsbrief|!ARGS:/locatie/|!ARGS:ingredients|!ARGS:priceField|!ARGS:inhoud|!ARGS:op|!ARGS:f_main|!ARGS:/error/|!ARGS:uvod|!ARGS:/^field_/|!ARGS:customized|!ARGS:/fullnews/|!ARGS:/^textarea-video/|!ARGS:komentar|!ARGS:/_layout_/|!ARGS:/^FieldValue/|!ARGS:/includes/|!ARGS:areacomum|!ARGS:lomake|!ARGS:vastaus|!ARGS:target|!ARGS:vraag|!ARGS:areaprivativa|!ARGS:qti_data|!ARGS:tracklist|!ARGS:i_google|!ARGS:quote|!ARGS:/^help_/|!ARGS:/^ADVERT_/|!ARGS:userdata|!ARGS:source|!ARGS:sisalto|!ARGS:reg_rules|!ARGS:areas|!ARGS:code_area_text|!ARGS:datos|!ARGS:templatecode|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:mes|!ARGS:json|!ARGS:wpreason|!ARGS:extended|!ARGS:/Kirjoitukset/|!ARGS:/x_line_item/|!ARGS:item_list|!ARGS:/^var_value/|!ARGS:valori|!ARGS:/pimage/|!ARGS:/^instance/|!ARGS:/allowedTags/|!ARGS:/^button/|!ARGS:/^zcck/|!ARGS:/accommodation/|!ARGS:/^breves/|!ARGS:/restaurant/|!ARGS:/testimonial/|!ARGS:headstone|!ARGS:/^book/|!ARGS:/log/|!ARGS:/metatags/|!ARGS:/^customfield/|!ARGS:/embed/|!ARGS:/leftcol/|!ARGS:/rightcol/|!ARGS:feature|!ARGS:/banner/|!ARGS:cb_talks|!ARGS:/synopsis/|!ARGS:/^fields/|!ARGS:notice|!ARGS:/formcode/|!ARGS:val333|!ARGS:receipt_address|!ARGS:changedept|!ARGS:/teaser/|!ARGS:EnTrar|!ARGS:cv|!ARGS:dati|!ARGS:/qualification/|!ARGS:/results/|!ARGS:/experience/|!ARGS:/plan/|!ARGS:/detail/|!ARGS:log|!ARGS:do|!ARGS:narrative|!ARGS:/promo/|!ARGS:/offer/|ARGS_NAMES|!ARGS:do|!ARGS:/^bt_|!ARGS:/short/|!ARGS:perex|!ARGS:/contact/|!ARGS:advanced|!ARGS:/google_analytics/|!ARGS:/bio/|!ARGS:rules|!ARGS:meta|!ARGS:/next/|!ARGS:ad_code|!ARGS:review|!ARGS:feed_product|!ARGS:/bbclosed/|!ARGS:/observacao/|!ARGS:/caption/|!ARGS:logoutRequest|!ARGS:/js_payload/|!ARGS:video1|!ARGS:/abstract/|!ARGS:/para/|!ARGS:/highlight/|!ARGS:/config/|!ARGS:/welcome/|!ARGS:des|!ARGS:/notice/|!ARGS:structure|!ARGS:/table/|!ARGS:tag|!ARGS:romancode|!ARGS:model|!ARGS:pwd|!ARGS:thecode|!ARGS:/tweet/|!ARGS:do|!ARGS:/^input_/|!ARGS:dhltrack|!ARGS:reflection|!ARGS:media|!ARGS:rqst|!ARGS:blurb|!ARGS:/OSDCS/|!ARGS:Thankyou|!ARGS:img_alt|!ARGS:waarde|!ARGS:/statement/|!ARGS:continue|!ARGS:/writing/|!ARGS:drugs|!ARGS:text1|!ARGS:terms|!ARGS:/announ/|!ARGS:/^eeta-/|!ARGS:/^News/|!ARGS:main|!ARGS:notes|!ARGS:validatepromo|!ARGS:payment_sel|!ARGS:request|!ARGS:copy|!ARGS:/MapField/|!ARGS:/email/|!ARGS:/admin/|!ARGS:profile|!ARGS:contenu|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:pc_main|!ARGS:/instructions/|!ARGS:/submit/|!ARGS:/title/|!ARGS:/xjxargs/|!ARGS:/info/|!ARGS:nav|!ARGS:recompose|!ARGS:compose|!ARGS:/^bname/|!ARGS:/^property/|!ARGS:groupWelcomeScreen|!ARGS:block|!ARGS:xsym_sym_brief|!ARGS:langbericht|!ARGS:btnCheckout|!ARGS:lease|!ARGS:/^copyright/|!ARGS:creategallery|!ARGS:cleaning|!ARGS:/reply/|!ARGS:/^gui/|!ARGS:sighting|!ARGS:/Import_Cell/|!ARGS:livezillacode|!ARGS:/^bbcode/|!ARGS:_cc|!ARGS:resume|!ARGS:next|!ARGS:addtoclass|!ARGS:/intro/|!ARGS:registration_discounts|!ARGS:/opportunit/|!ARGS:registration_prices|!ARGS:workshop|!ARGS:venue|!ARGS:/^mainman/|!ARGS:features|!ARGS:/problem/|!ARGS:subhead|!ARGS:agenda|!ARGS:/signature/|!ARGS:/question/|!ARGS:/answer/|!ARGS:entry|!ARGS:/form/|!ARGS:/footer/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/wyscms/|!ARGS:/script/|!ARGS:eventDescription|!ARGS:/^product/|!ARGS:/description/|!ARGS:/report/|!ARGS:/product_desc/|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:eip_value|!ARGS:phpcode|!ARGS:/product_benefits/|!ARGS:Snippet|!ARGS:/^_qf_/|!ARGS:move2|!ARGS:oid|!ARGS:Submit2|!ARGS:layout|!ARGS:pageset|!ARGS:/^site_/|!ARGS:/translation/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:move2|!ARGS:input[Desarrollo]|!ARGS:hoperation|!ARGS:arg2|!ARGS:login_form|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:bbcode_tpl|!ARGS:/embed/|!ARGS:/submitcode/|!ARGS:mentorhelp|!ARGS:/custom_code/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:parent_name|!ARGS:/^fck/|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:guardar|!ARGS:/VB_announce/|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:/solution/|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:/element/|!ARGS:ticket_response|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:query|!ARGS:/sql/|!ARGS:prefix|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:verbiage|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/^elm/|!ARGS:news|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:preview__hidden|!ARGS:order|!ARGS:youtube|!ARGS:/post/|!ARGS:reply|!ARGS:business|!ARGS:navig|!ARGS:/submenu/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:/page/|!ARGS:/homePage/|!ARGS:Post|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:googlemap|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(?:< ?(?:(?:img|i?frame) ?src|a ?href) ?= ?(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/|(?:alert|document\.write) ?\(||\" ?> ?(?:<|>)|\" ?[a-z]+ ?<|> ?\"? ?>|< ?/?i?frame|\%env)" "t:none,t:removeNulls,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase,multiMatch,chain"
SecRule MATCHED_VARS "!@rx ((?:submit(?:\+| )?(request)?(?:\+| )?>+|<<(?:\+| )remove|(?:sign ?in|log ?(?:in|out)|next|add|envoyer|modifier|select|continue|weiter|account|results)(?:\+| )?>+)$|^< ?\??(?: |\+)?xml|^> ?$)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace"
#SecRule MATCHED_VARS "!((submit(\+| )?(request)?(\+| )?>>$|<<(\+| )remove|(sign ?in|login|next|add|continue|weiter|account|results)?(\+| )?>>)$|^< ?\??( |\+)?xml|^)" \
"phase:2,capture,deny,status:403,t:none,id:380006,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: XSS Generic attack',logdata:'%{TX.0}'"
SecMarker END_380006
# Rule 380007: generic SQL injection sigs using PCRE
SecRule REQUEST_URI "!(/immagini/)" \
"phase:2,deny,status:403,chain,t:none,t:lowercase,id:380007,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: SQL Inject Generic signature'"
SecRule REQUEST_URI|ARGS|!ARGS:areas|!ARGS:templatecode "/\w*(\x27|\’)(\x6f|o|\x4f)(\x72|r|\x52).*!(\.(jpe?g|png|bmp|gif|mpe?g|avi|flv|wmv|ico)$)" \
SecMarker END_MISC_CHECKS
################### SSI injection #############################
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:areas|!ARGS:/template/ "@pm echo exec printenv include cmd"\
"id:333844,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,id:334391,t:none,pass,nolog,skipAfter:END_SSI_ATTACKS
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!ARGS:areas|!ARGS:templatecode|!ARGS:/description/|!ARGS:/text/|!ARGS:/message/|!ARGS:/msg/|!ARGS:content "