###########################################
#Generic SQL injection rule exclusions
###########################################
#generic PHP forum posting exclusion
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
#PhpMyadmin
SecRuleRemoveById 300016
SecRuleRemoveById 300016
#/xde/managecontent.php
SecRuleRemoveById 300016
SecRuleRemoveById 300016
#PhpBB posting
SecRuleRemoveById 300013
#postnuke admin
SecRuleRemoveById 300016
#Postnuke uploads
SecRuleRemoveById 300013
#Tikiwiki forum
SecRuleRemoveById 300013
#Squirrel mail and Horde postings
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
#Provided by Todd Holforty
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
#Phorum posting
SecRuleRemoveById 300013
#Tikiwiki edit
SecRuleRemoveById 300013
SecRuleRemoveById 300013
SecRuleRemoveById 300016
###########################################
#Double pipe exclusion rules
###########################################
SecRuleRemoveById 300014
###########################################
#Front page exclusions
###########################################
SecRuleInheritance Off
SecRuleRemoveById 300016
SecRuleRemoveById 300016
###########################################
#Mambo/Joomla exclusions
###########################################
SecRuleRemoveById 380000
SecRuleRemoveById 300013
SecRuleRemoveById 300013
SecRuleRemoveById 300016
SecRuleRemoveById 380000
SecRuleRemoveById 360001
#Added 27AUG2006
#Courtesy of Tom Donovan
#ColdFusion RDS
SecRuleRemoveById 360001
#servlet/webacc
SecRuleRemoveById 300013
#WordPRess
SecRuleRemoveById 300015
#/profile.php
SecRuleRemoveById 300015
#Open-Exchange
SecRuleRemoveById 300015
#owl intranet
SecRuleRemoveById 300015
###################
#deny TRACE method
SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"
#XSS insertion into headers
SecRule REQUEST_HEADERS "(
.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
##generic recursion signatures
#SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
#SecRule REQUEST_URI "\.\./\.\./"
#generic path recurision sig
#generic recursion signatures
SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"
#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "
.*(script|about|applet|activex|chrome)[[:space:]]*>"
#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT "
.*(script|about|applet|activex|chrome)[[:space:]]*>"
#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#really broad furl_fopen attack sig
#tune this for your system
#SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
#SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
#SecRule ARGS "(ht|f)tps?:/"
#SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
#SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"
#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#Bogus file extensions generic signature
SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"
#Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"
# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_"
# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest"
# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"
#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="
# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl"
#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$"
#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"
#PHP defenses
#SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
#PHP defenses
#SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25
#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#Commands, also need a major rework, these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen"
#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
SecRule ARGS_NAMES "^php:/"
# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"
# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"
# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"
#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|
)"
#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\
]expression[\s]*\("
#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*
"
# cross site scripting attempt using XML
SecRule REQUEST_URI "
SCRIPT"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("
#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
SecRule REQUEST_BODY "\
\
.*\'\)\;"
#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\
"
#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\
.*
.*
.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
#catch smuggling attacks
#SecRule "^(GET|POST).*Host:.*^(GET|POST)"
#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecRule REQUEST_BODY "\
"
#Slightly stronger version of the above
SecRule REQUEST_BODY "\
"
#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"
#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY "
"
#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("
#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
#### ROOTKITS ####
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"
#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\
"
#mailman 2.x path recursion attack
SecRule REQUEST_URI|REQUEST_BODY "mailman/private/.*\.\.\./\.\.\.\.///"
SecRule REQUEST_URI|REQUEST_BODY "/mailman/.*\.\.\./"
#ftp.pl attempt
SecRule REQUEST_URI "/ftp\.pl\?dir=\.\./\.\."
#Tomcat server snoop access
SecRule REQUEST_URI "/jsp/snp/.*\.snp"
### PHPNUKE ####
#PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12
SecRule REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecRule REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
#PHP-Nuke Input Validation Flaws in Search, FAQ, and Banners Modules Permit Cross-Site Scripting Attacks
SecRule REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecRule REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecRule REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecRule REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1<r=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
#PHP-Nuke "querylang" SQL Injection Vulnerability
SecRule REQUEST_URI "/modules\.php\?name=Top&querylang=.*(UNION|SELECT|DELETE|INSERT).*\,"
#PHP-Nuke Web_Links Multiple Variable SQL Injection
SecRule SCRIPT_FILENAME "modules\.php" chain
SecRule ARGS:email|ARGS:ratenum|ARGS:min|ARGS:show|ARGS:orderby|ARGS:url "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
#PHP-Nuke Blind SQL Injection
SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&title=.*&url=.*&description=.*&email=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=.*&url=\'\,*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=viewsdownload&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*]+(from|into|table|database|index|view)"
SecRule REQUEST_URI "/modules\.php\?name=Downloads&d_op=search&min=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
#### REGLAS ANTI SPAM ####
#Rule 300055: Hidden spam links
#examples:
#
#overflow:auto;width:0;height:0
SecRule REQUEST_BODY|ARGS "
.*
