Apache Server Information

Subpages: Configuration Files, Server Settings, Module List, Active Hooks

Sections: Server Settings, Startup Hooks, Request Hooks

Loaded Modules: mod_webcatalog.cpp, mod_ssl.c, mod_proxy_ajp.c, mod_php5.c, mod_unique_id.c, mod_security2.c, mod_evasive20.c, mod_cgi.c, mod_disk_cache.c, mod_suexec.c, mod_cache.c, mod_proxy_connect.c, mod_proxy_http.c, mod_proxy_ftp.c, mod_proxy_balancer.c, mod_proxy.c, mod_rewrite.c, mod_alias.c, mod_userdir.c, mod_speling.c, mod_actions.c, mod_dir.c, mod_negotiation.c, mod_vhost_alias.c, mod_dav_fs.c, mod_info.c, mod_autoindex.c, mod_status.c, mod_dav.c, mod_mime.c, mod_setenvif.c, mod_usertrack.c, mod_headers.c, mod_deflate.c, mod_expires.c, mod_mime_magic.c, mod_ext_filter.c, mod_env.c, mod_logio.c, mod_log_config.c, mod_include.c, mod_authnz_ldap.c, util_ldap.c, mod_authz_default.c, mod_authz_dbm.c, mod_authz_groupfile.c, mod_authz_owner.c, mod_authz_user.c, mod_authz_host.c, mod_authn_default.c, mod_authn_dbm.c, mod_authn_anon.c, mod_authn_alias.c, mod_authn_file.c, mod_auth_digest.c, mod_auth_basic.c, mod_so.c, http_core.c, prefork.c, core.c

Server Settings

Server Version: Apache/2.2.15 (Unix) DAV/2 PHP/5.2.13 mod_ssl/2.2.22 OpenSSL/1.0.1u
Server Built: Apr 6 2010 22:30:54
Server loaded APR Version: 1.3.9
Compiled with APR Version: 1.3.9
Server loaded APU Version: 1.3.9
Compiled with APU Version: 1.3.9
Module Magic Number: 20051115:24
Hostname/port: dwagent.com:80
Timeouts: connection: 60 keep-alive: 10
MPM Name: Prefork
MPM Information: Max Daemons: 256 Threaded: no Forked: yes
Server Architecture: 64-bit
Server Root: /etc/httpd
Config File: /etc/httpd/conf/httpd.conf
Server Built With: -D APACHE_MPM_DIR="server/mpm/prefork" -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D HTTPD_ROOT="/etc/httpd" -D SUEXEC_BIN="/usr/sbin/suexec" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="conf/mime.types" -D SERVER_CONFIG_FILE="conf/httpd.conf"

Startup Hooks

Pre-Config:
-10 prefork.c -10 mod_log_config.c -10 mod_logio.c 00 mod_security2.c 10 mod_headers.c 10 mod_rewrite.c 10 mod_proxy.c 10 mod_php5.c 10 mod_ssl.c
Test Configuration:
10 mod_so.c 10 mod_ssl.c
Post Configuration:
-10 core.c -10 mod_include.c -10 mod_cache.c -10 mod_cgi.c 00 mod_mime_magic.c 10 mod_auth_digest.c 10 util_ldap.c 10 mod_authnz_ldap.c 10 mod_ext_filter.c 10 mod_headers.c 10 mod_mime.c 10 mod_dav.c 10 mod_status.c 10 mod_rewrite.c 10 mod_proxy.c 10 mod_proxy_balancer.c 10 mod_suexec.c 10 mod_unique_id.c 10 mod_php5.c 10 mod_ssl.c 30 mod_security2.c
Open Logs:
10 prefork.c -10 core.c 10 mod_log_config.c
Child Init:
10 core.c 10 mod_auth_digest.c 10 util_ldap.c 10 mod_log_config.c 10 mod_status.c 10 mod_rewrite.c 10 mod_proxy.c 10 mod_proxy_balancer.c 10 mod_security2.c 10 mod_unique_id.c 10 mod_php5.c 10 mod_ssl.c

Request Hooks

Pre-Connection:
10 mod_logio.c 10 mod_ssl.c 30 core.c
Create Connection:
30 core.c
Process Connection:
30 http_core.c
Create Request:
10 core.c 30 http_core.c
Post-Read Request:
10 mod_unique_id.c -10 mod_security2.c 00 mod_headers.c 00 mod_proxy.c 10 mod_auth_digest.c 10 mod_setenvif.c 10 mod_ssl.c
Header Parse:
10 mod_setenvif.c
HTTP Scheme:
10 mod_ssl.c 30 http_core.c
Default Port:
10 mod_ssl.c 30 http_core.c
Quick Handler:
00 mod_cache.c
Translate Name:
00 mod_rewrite.c 00 mod_proxy.c 10 mod_alias.c 10 mod_userdir.c 10 mod_vhost_alias.c 30 core.c
Map to Storage:
00 mod_proxy.c 10 http_core.c 10 http_core.c 30 core.c
Check Access:
10 mod_authz_host.c 10 mod_evasive20.c 10 mod_ssl.c 30 core.c
Verify User ID:
00 mod_ssl.c 10 mod_auth_basic.c 10 mod_auth_digest.c 20 mod_authn_default.c
Verify User Access:
10 mod_authnz_ldap.c 10 mod_authz_user.c 10 mod_authz_owner.c 10 mod_authz_groupfile.c 10 mod_authz_dbm.c 10 mod_ssl.c 20 mod_authz_default.c
Check Type:
00 mod_negotiation.c 10 mod_mime.c 10 mod_mime_magic.c 30 core.c
Fixups:
-10 core.c -10 mod_security2.c 00 mod_usertrack.c 00 mod_proxy.c 00 mod_rewrite.c 10 mod_auth_digest.c 10 mod_env.c 10 mod_dav.c 10 mod_negotiation.c 10 mod_alias.c 10 mod_ssl.c 20 mod_include.c 20 mod_headers.c 20 mod_dir.c 20 mod_speling.c 20 mod_rewrite.c
Insert Filters:
00 mod_security2.c 10 core.c 10 mod_expires.c 10 mod_ssl.c 20 mod_headers.c
Content Handlers:
00 mod_proxy.c 00 mod_proxy_balancer.c 10 util_ldap.c 10 mod_dav.c 10 mod_status.c 10 mod_autoindex.c 10 mod_info.c 10 mod_negotiation.c 10 mod_rewrite.c 10 mod_cgi.c 10 mod_php5.c 10 mod_webcatalog.cpp 20 mod_actions.c 30 core.c
Logging:
10 mod_log_config.c 10 mod_logio.c 10 mod_security2.c
Insert Errors:
10 mod_expires.c 20 mod_headers.c

Module Name: mod_webcatalog.cpp
Content handlers: yes
Configuration Phase Participation: none
Request Phase Participation: Content Handlers
Module Directives: none

Module Name: mod_ssl.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Pre-Connection, Post-Read Request, HTTP Scheme, Default Port, Check Access, Verify User ID, Verify User Access, Fixups, Insert Filters
Module Directives:: SSLMutex - Valid SSLMutex mechanisms are: `none', `default', `flock:/path/to/file', `fcntl:/path/to/file', `sysvsem', `posixsem', `pthread', `file:/path/to/file', `sem'; SSLPassPhraseDialog - SSL dialog mechanism for the pass phrase query (`builtin', `|/path/to/pipe_program`, or `exec:/path/to/cgi_program'); SSLSessionCache - SSL Session Cache storage (`none', `nonenotnull', `dbm:/path/to/file'); SSLCryptoDevice - SSL external Crypto Device usage (`builtin', `...'); SSLRandomSeed - SSL Pseudo Random Number Generator (PRNG) seeding source (`startup|connect builtin|file:/path|exec:/path [bytes]'); SSLEngine - SSL switch for the protocol engine (`on', `off'); SSLFIPS - Enable FIPS-140 mode (`on', `off'); SSLCipherSuite - Colon-delimited list of permitted SSL Ciphers (`XXX:...:XXX' - see manual); SSLCertificateFile - SSL Server Certificate file (`/path/to/file' - PEM or DER encoded); SSLCertificateKeyFile - SSL Server Private Key file (`/path/to/file' - PEM or DER encoded); SSLCertificateChainFile - SSL Server CA Certificate Chain file (`/path/to/file' - PEM encoded); SSLCACertificatePath - SSL CA Certificate path (`/path/to/dir' - contains PEM encoded files); SSLCACertificateFile - SSL CA Certificate file (`/path/to/file' - PEM encoded); SSLCADNRequestPath - SSL CA Distinguished Name path (`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request); SSLCADNRequestFile - SSL CA Distinguished Name file (`/path/to/file' - PEM encoded to derive acceptable CA names to request); SSLCARevocationPath - SSL CA Certificate Revocation List (CRL) path (`/path/to/dir' - contains PEM encoded files); SSLCARevocationFile - SSL CA Certificate Revocation List (CRL) file (`/path/to/file' - PEM encoded); SSLVerifyClient - SSL Client verify type (`none', `optional', `require', `optional_no_ca'); SSLVerifyDepth - SSL Client verify depth (`N' - number of intermediate certificates); SSLSessionCacheTimeout - SSL Session Cache object lifetime (`N' - number of seconds); SSLProtocol - Enable or disable various SSL protocols ('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual); SSLHonorCipherOrder - Use the server's cipher ordering preference; SSLCompression - Enable SSL level compression(`on', `off'); SSLInsecureRenegotiation - Enable support for insecure renegotiation; SSLUserName - Set user name to SSL variable value; SSLStrictSNIVHostCheck - Strict SNI virtual host checking; SSLProxyEngine - SSL switch for the proxy protocol engine (`on', `off'); SSLProxyProtocol - SSL Proxy: enable or disable SSL protocol flavors ('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual); SSLProxyCipherSuite - SSL Proxy: colon-delimited list of permitted SSL ciphers (`XXX:...:XXX' - see manual); SSLProxyVerify - SSL Proxy: whether to verify the remote certificate (`on' or `off'); SSLProxyVerifyDepth - SSL Proxy: maximum certificate verification depth (`N' - number of intermediate certificates); SSLProxyCACertificateFile - SSL Proxy: file containing server certificates (`/path/to/file' - PEM encoded certificates); SSLProxyCACertificatePath - SSL Proxy: directory containing server certificates (`/path/to/dir' - contains PEM encoded certificates); SSLProxyCARevocationPath - SSL Proxy: CA Certificate Revocation List (CRL) path (`/path/to/dir' - contains PEM encoded files); SSLProxyCARevocationFile - SSL Proxy: CA Certificate Revocation List (CRL) file (`/path/to/file' - PEM encoded); SSLProxyMachineCertificateFile - SSL Proxy: file containing client certificates (`/path/to/file' - PEM encoded certificates); SSLProxyMachineCertificatePath - SSL Proxy: directory containing client certificates (`/path/to/dir' - contains PEM encoded certificates); SSLProxyCheckPeerExpire - SSL Proxy: check the peers certificate expiration date; SSLProxyCheckPeerCN - SSL Proxy: check the peers certificate CN; SSLOptions - Set one or more options to configure the SSL engine(`[+-]option[=value] ...' - see manual); SSLRequireSSL - Require the SSL protocol for the per-directory context (no arguments); SSLRequire - Require a boolean expression to evaluate to true for granting access(arbitrary complex boolean expression - see manual); SSLRenegBufferSize - Configure the amount of memory that will be used for buffering the request body if a per-location SSL renegotiation is required due to changed access control requirements; SSLLog - SSLLog directive is no longer supported - use ErrorLog.; SSLLogLevel - SSLLogLevel directive is no longer supported - use LogLevel.
Current Configuration:: In file: /etc/httpd/conf.d/ssl.conf; 32: SSLPassPhraseDialog builtin; 38: SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000); 39: SSLSessionCacheTimeout 300; 44: SSLMutex default; 56: SSLRandomSeed startup file:/dev/urandom 256; 57: SSLRandomSeed connect builtin; 69: SSLCryptoDevice builtin; 76: <VirtualHost _default_:443>; 90: SSLEngine on; 95: SSLProtocol all -SSLv2; 100: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW; 107: SSLCertificateFile /etc/pki/tls/certs/localhost.crt; 114: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key; 182: <Files ~ "\.(cgi|shtml|phtml|php3?)$">; 183: SSLOptions +StdEnvVars; : </Files>; 185: <Directory "/var/www/cgi-bin">; 186: SSLOptions +StdEnvVars; : </Directory>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/adgs.com.conf; 2: <VirtualHost 209.236.236.33:443>; 12: SSLEngine on; 13: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 15: SSLHonorCipherOrder on; 16: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 18: SSLCertificateFile conf/ssl.crt/adgs.com.crt; 19: SSLCACertificateFile conf/ssl.crt/adgs.com.ca; 20: SSLCertificateKeyFile conf/ssl.crt/adgs.com.key; 22: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 23: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/mginterface.com.conf; 3: <VirtualHost 209.236.236.52:443>; 13: SSLEngine On; 14: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 16: SSLHonorCipherOrder on; 17: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 20: SSLCertificateFile conf/ssl.crt/dwpsignup.com.crt; 21: SSLCACertificateFile conf/ssl.crt/dwpsignup.com.ca; 22: SSLCertificateKeyFile conf/ssl.key/dwpsignup.com.key; 24: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 25: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/possessionstudios.com.conf; 4: <VirtualHost 209.236.236.49:443>; 13: SSLEngine on; 14: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 16: SSLHonorCipherOrder on; 17: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 19: SSLCertificateFile conf/ssl.crt/possessionstudios.com.crt; 20: SSLCACertificateFile conf/ssl.crt/possessionstudios.com.ca; 21: SSLCertificateKeyFile conf/ssl.key/possessionstudios.com.key; 23: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 24: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/stocktonproducts.com.conf; 4: <VirtualHost 209.236.236.58:443>; 13: SSLEngine on; 14: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 16: SSLHonorCipherOrder on; 17: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 19: SSLCertificateFile conf/ssl.crt/stocktonproducts.com.crt; 20: SSLCACertificateFile conf/ssl.crt/stocktonproducts.com.ca; 21: SSLCertificateKeyFile conf/ssl.key/stocktonproducts.com.key; 23: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 24: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/ventcovercreations.com.conf; 1: <VirtualHost 209.236.236.46:443>; 9: SSLEngine on; 10: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 12: SSLHonorCipherOrder on; 13: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 15: SSLCertificateFile conf/ssl.crt/ventcovercreations.com.crt; 16: SSLCACertificateFile conf/ssl.crt/ventcovercreations.com.ca; 17: SSLCertificateKeyFile conf/ssl.key/ventcovercreations.com.key; 18: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 19: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/vicenzadesigns.com.conf; 1: <VirtualHost 209.236.236.47:443>; 9: SSLEngine on; 10: SSLProtocol +All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1; 12: SSLHonorCipherOrder on; 13: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL:!ECDHE-RSA-RC4-SHA:!RC4-SHA:!RC4-MD5:!AES256-SHA:!DH-RSA-AES256-SHA:!DH-RSA-AES256-SHA:!AES128-SHA256:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA256-SHA:!AES128-SHA:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!SEED-SHA:!CAMELLIA128-SHA; 15: SSLCertificateFile conf/ssl.crt/vicenzadesigns.com.crt; 16: SSLCACertificateFile conf/ssl.crt/vicenzadesigns.com.ca; 17: SSLCertificateKeyFile conf/ssl.key/vicenzadesigns.com.key; 18: <FilesMatch "\.(cgi|shtml|phtml|php3?)$">; 19: SSLOptions +StdEnvVars; : </FilesMatch>; : </VirtualHost>

Module Name: mod_proxy_ajp.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: none
Module Directives: none

Module Name: mod_php5.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Content Handlers
Module Directives:: php_value - PHP Value Modifier; php_flag - PHP Flag Modifier; php_admin_value - PHP Value Modifier (Admin); php_admin_flag - PHP Flag Modifier (Admin); PHPINIDir - Directory containing the php.ini file
Current Configuration:

Module Name: mod_unique_id.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: Post-Read Request
Module Directives: none

Module Name: mod_security2.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Post-Read Request, Fixups, Insert Filters, Logging
Module Directives:: SecAction - an action list; SecArgumentSeparator - character that will be used as separator when parsing application/x-www-form-urlencoded content.; SecAuditEngine - On, Off or RelevantOnly to determine the level of audit logging; SecAuditLog - filename of the primary audit log file; SecAuditLog2 - filename of the secondary audit log file; SecAuditLogParts - list of audit log parts that go into the log.; SecAuditLogRelevantStatus - regular expression that will be used to determine if the response status is relevant for audit logging; SecAuditLogType - whether to use the old audit log format (Serial) or new (Concurrent); SecAuditLogStorageDir - path to the audit log storage area; absolute, or relative to the root of the server; SecAuditLogDirMode - octal permissions mode for concurrent audit log directories; SecAuditLogFileMode - octal permissions mode for concurrent audit log files; SecCacheTransformations - whether or not to cache transformations. Defaults to true.; SecChrootDir - path of the directory to which server will be chrooted; SecComponentSignature - component signature to add to ModSecurity signature.; SecContentInjection - On or Off; SecCookieFormat - version of the Cookie specification to use for parsing. Possible values are 0 and 1.; SecDataDir - path to the persistent data storage area; SecDebugLog - path to the debug log file; SecDebugLogLevel - debug log level, which controls the verbosity of logging. Use values from 0 (no logging) to 9 (a *lot* of logging).; SecDefaultAction - default action list; SecGeoLookupDB - database for geographical lookups module.; SecGuardianLog - The filename of the filter debugging log file; SecMarker - marker for a skipAfter target; SecPcreMatchLimit - PCRE match limit; SecPcreMatchLimitRecursion - PCRE match limit recursion; SecPdfProtect - enable PDF protection module.; SecPdfProtectSecret - secret that will be used to construct protection tokens.; SecPdfProtectTimeout - duration for which protection tokens will be valid.; SecPdfProtectTokenName - name of the protection token. The name 'PDFTOKEN' is used by default.; SecPdfProtectInterceptGETOnly - whether or not to intercept only GET and HEAD requess. Defaults to true.; SecPdfProtectMethod - protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'; SecRequestBodyAccess - On or Off; SecRequestBodyInMemoryLimit - maximum request body size that will be placed in memory (except for POST urlencoded requests).; SecRequestBodyLimit - maximum request body size ModSecurity will accept.; SecRequestBodyNoFilesLimit - maximum request body size ModSecurity will accept, but excluding the size of uploaded files.; SecRequestEncoding - character encoding used in request.; SecResponseBodyAccess - On or Off; SecResponseBodyLimit - byte limit for response body; SecResponseBodyLimitAction - what happens when the response body limit is reached; SecResponseBodyMimeType - adds given MIME types to the list of types that will be buffered on output; SecResponseBodyMimeTypesClear - clears the list of MIME types that will be buffered on output; SecRule - rule target, operator and optional action list; SecRuleEngine - On or Off; SecRuleInheritance - On or Off; SecRuleScript - rule script and optional actionlist; SecRuleRemoveById - rule ID for removal; SecRuleRemoveByMsg - rule message for removal; SecRuleUpdateActionById - updated action list; SecServerSignature - the new signature of the server; SecTmpDir - path to the temporary storage area; SecUploadDir - path to the file upload area; SecUploadFileLimit - limit the number of uploaded files processed; SecUploadFileMode - octal permissions mode for uploaded files; SecUploadKeepFiles - On or Off; SecWebAppId - id
Current Configuration:: In file: /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf; 14: SecComponentSignature "core ruleset/2.0.5"; 21: SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"; 44: SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"; 64: SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"; 65: SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"; 91: SecAction "phase:1,t:none,nolog,pass, setvar:tx.critical_anomaly_score=20, setvar:tx.error_anomaly_score=15, setvar:tx.warning_anomaly_score=10, setvar:tx.notice_anomaly_score=5"; 104: SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"; 131: SecAction "phase:1,t:none,nolog,pass, setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"; 148: SecDefaultAction "phase:2,pass"; 156: SecRuleEngine On; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_20_protocol_violations.conf; 34: SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" "t:none,t:lowercase,phase:2,rev:'2.0.5',pass,nolog,auditlog,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"; 52: SecRule FILES_NAMES|FILES "['\";=]" "phase:2,id:'960000',rev:'2.0.5',pass,t:none,nolog,auditlog,capture,msg:'Attempted multipart/form-data bypass',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"; 64: SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"; 81: SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3'"; 82: SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 94: SecRule REQUEST_METHOD "^POST$" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5'"; 95: SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 110: SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"; 124: SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,rev:'2.0.5',t:none,nolog,pass,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960021',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"; 125: SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 140: SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"; 141: SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"; 142: SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 154: SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 167: SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"; 181: SecRule REQUEST_URI "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"; 182: SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; 185: SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"; 186: SecRule REQUEST_BODY "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"; 187: SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; 198: SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'"; 199: SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; 213: SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" "t:none,phase:2,rev:'2.0.5',pass,nolog,auditlog,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',tag:'http://www.kb.cert.org/vuls/id/739224',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; 249: SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" "phase:2,rev:'2.0.5',pass,nolog,auditlog,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',tag:'http://i-technica.com/whitestuff/asciichart.html',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; 251: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',pass,nolog,auditlog,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,tag:'http://i-technica.com/whitestuff/asciichart.html'"; 254: SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 32-126" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf; 25: SecMarker BEGIN_HOST_CHECK; 28: SecRule &REQUEST_HEADERS:Host "@eq 0" "skipAfter:END_HOST_CHECK,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 30: SecRule REQUEST_HEADERS:Host "^$" "phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 32: SecMarker END_HOST_CHECK; 43: SecMarker BEGIN_ACCEPT_CHECK; 46: SecRule &REQUEST_HEADERS:Accept "@eq 0" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"; 47: SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 49: SecRule REQUEST_HEADERS:Accept "^$" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"; 50: SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 52: SecMarker END_ACCEPT_CHECK; 62: SecMarker BEGIN_UA_CHECK; 65: SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "skipAfter:END_UA_CHECK,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 67: SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 69: SecMarker END_UA_CHECK; 83: SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"; 84: SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"; 97: SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_23_request_limits.conf; 22: SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.0.5'"; 23: SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; 26: SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.0.5'"; 27: SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; 30: SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.0.5'"; 31: SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; 34: SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.0.5'"; 35: SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; 41: SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.0.5'"; 42: SecRule FILES_SIZES "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; 45: SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.0.5'"; 46: SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf; 30: SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:2,t:none,pass,nolog,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"; 63: SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'"; 64: SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "capture"; 65: SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"; 77: SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"; 87: SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'"; 88: SecRule TX:0 "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"; 99: SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_35_bad_robots.conf; 19: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"; 21: SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"; 23: SecRule REQUEST_FILENAME "^/nessustest" "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"; 26: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"; 28: SecMarker END_ROBOT_CHECK; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf; 24: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" "phase:2,rev:'2.0.5',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"; 26: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"; 29: SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" "t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"; 31: SecMarker END_COMMAND_INJECTION1; 43: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"; 45: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"; 47: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0}"; 49: SecMarker END_CF_INJECTION; 61: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:$(?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|$[^\w\x80-\xFF]*?$[^\w\x80-\xFF]*?[\!\&\|])" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"; 63: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"; 65: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|$[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0}"; 67: SecMarker END_LDAP_INJECTION; 79: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "|\/\*|\*\/|\/\/\W*\w+\s*$)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973002',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 31: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973003',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 32: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 34: SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973004',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 36: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973005',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 37: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 39: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973006',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 41: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973007',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 42: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 44: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973008',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 46: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973009',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 47: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 49: SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973010',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 51: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973011',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 52: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 54: SecRule ARGS|ARGS_NAMES|XML:/* "(<\w+)\/+(\w+=?)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973012',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 56: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973013',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 57: SecRule REQUEST_BODY|REQUEST_URI_RAW "(<\w+)\/+(\w+=?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 59: SecRule ARGS|ARGS_NAMES|XML:/* "[^\\\:]\/\/(.*)$" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973014',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 61: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973015',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 62: SecRule REQUEST_BODY|REQUEST_URI_RAW "[^\\\:]\/\/(.*)$" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 68: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 70: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973017',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 71: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 75: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\d+[ \t]*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973018',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 77: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973019',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"; 78: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\d+[ \t]*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 82: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\w+\s*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973020',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; 84: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973021',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'; 85: SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\w+\s*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf; 1: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'900033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 3: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'900033',tag:'WEB_ATTACK/XSS'"; 4: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 6: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'900032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 8: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'900032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 9: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 11: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common mail header injections',id:'900063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 13: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common mail header injections',id:'900063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM'"; 14: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 16: SecRule ARGS|ARGS_NAMES|XML:/* "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects very basic XSS probings',id:'900021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 18: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects very basic XSS probings',id:'900021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 19: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 21: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with$[^)]*$\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'90007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 23: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'90007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 24: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with$[^)]*$\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 26: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'900026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 28: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'900026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 29: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 31: SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'900018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 33: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'900018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 34: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 36: SecRule ARGS|ARGS_NAMES|XML:/* "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'900016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 38: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'900016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 39: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 41: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'900044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 43: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'900044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 44: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 46: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*$[^$]*)|(?:\";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*$)|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'900055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 48: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'900055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 49: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^$]*)|(?:\";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 51: SecRule ARGS|ARGS_NAMES|XML:/* "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'900027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 53: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'900027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE'"; 54: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 56: SecRule ARGS|ARGS_NAMES|XML:/* "(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections',id:'900057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 58: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections',id:'900057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 59: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 61: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'900061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 63: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'900061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 64: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 66: SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'900020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 68: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'900020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 69: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 71: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:\/|\\\\)?\.+(\/|\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic directory traversal',id:'900010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 73: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic directory traversal',id:'900010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 74: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:\/|\\\\\\\\)?\.+(\/|\\\\\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 76: SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'900031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 78: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'900031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 79: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 81: SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common comment types',id:'900035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 83: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common comment types',id:'900035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"; 84: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 86: SecRule ARGS|ARGS_NAMES|XML:/* "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'900011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 88: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'900011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 89: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 91: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*[\"=(])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'900048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 93: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'900048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 94: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+$)|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*[\"=(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 96: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+$)|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+$\w+$)|(?:(.)\1{128,})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'900065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 98: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'900065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'"; 99: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*$[^;]+;+$)|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+$\w+$)|(?:(.)\1{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 101: SecRule ARGS|ARGS_NAMES|XML:/* "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'900029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 103: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'900029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'"; 104: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 106: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'900050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 108: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'900050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 109: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 111: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'900039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 113: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'900039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'"; 114: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 116: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|$\w+=\*)|(?:\*\s*$+\s*;)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'900064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 118: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'900064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'"; 119: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|$\w+=\*)|(?:\*\s*$+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 121: SecRule ARGS|ARGS_NAMES|XML:/* "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'900058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 123: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'900058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 124: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:@[\w-]+\s*$)|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 126: SecRule ARGS|ARGS_NAMES|XML:/* "(?:$\s*like\s*$)|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'900041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 128: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'900041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 129: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:$\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 131: SecRule ARGS|ARGS_NAMES|XML:/* "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'900012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 133: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'900012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 134: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 136: SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'900015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 138: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'900015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 139: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 141: SecRule ARGS|ARGS_NAMES|XML:/* "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'900052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 143: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'900052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 144: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 146: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'900060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 148: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'900060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 149: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 151: SecRule ARGS|ARGS_NAMES|XML:/* "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'900056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 153: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'900056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 154: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 156: SecRule ARGS|ARGS_NAMES|XML:/* "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'900045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 158: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'900045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 159: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 161: SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'900019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 163: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'900019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 164: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 166: SecRule ARGS|ARGS_NAMES|XML:/* "(?:function[^(]*$[^)]*$)|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:$\s*new\s+\w+\s*$\.)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'900062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 168: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'900062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 169: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:function[^(]*$[^)]*$)|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:$\s*new\s+\w+\s*$\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 171: SecRule ARGS|ARGS_NAMES|XML:/* "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'900054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 173: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'900054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 174: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 176: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'900067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 178: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'900067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 179: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 181: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'900068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 183: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'900068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 184: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 186: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[$])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'90002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 188: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'90002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 189: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+$[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 191: SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'900017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 193: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'900017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 194: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 196: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'90001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 198: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'90001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 199: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 201: SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*$\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*$\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 203: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 204: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*$\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*$\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 206: SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*[$\w]\s*[$\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*$)|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*$)|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'900025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 208: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'900025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 209: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*$)|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 211: SecRule ARGS|ARGS_NAMES|XML:/* "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'900028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 213: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'900028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"; 214: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 216: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'900040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 218: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'900040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 219: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*$\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 221: SecRule ARGS|ARGS_NAMES|XML:/* "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+$)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'900014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 223: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'900014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 224: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*$[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+$)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 226: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'900069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 228: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'900069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 229: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 231: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'900059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 233: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'900059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 234: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 236: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'900049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 238: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'900049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 239: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 241: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'900024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 243: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'900024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 244: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\".]script\s*$)|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 246: SecRule ARGS|ARGS_NAMES|XML:/* "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*$\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*$\s*@)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'900053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 248: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'900053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 249: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*$\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 251: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'900022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 253: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'900022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"; 254: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 256: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'900042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 258: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'900042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 259: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\\\\\".+(?<!\\\\\\\\)\")|(?:(?:^[\"\\\\\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 261: SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'900046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 263: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'900046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 264: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*$|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 266: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+$)|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*$\s*\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'900023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 268: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'900023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 269: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+$)|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 271: SecRule ARGS|ARGS_NAMES|XML:/* "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'900013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 273: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'900013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 274: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 276: SecRule ARGS|ARGS_NAMES|XML:/* "(?:with\s*$\s*.+\s*$\s*\w+\s*$)|(?:(?:do|while|for)\s*\([^)]*$\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'90006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 278: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'90006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 279: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:with\s*$\s*.+\s*$\s*\w+\s*$)|(?:(?:do|while|for)\s*\([^)]*$\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 281: SecRule ARGS|ARGS_NAMES|XML:/* "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'90003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 283: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'90003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 284: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 286: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'90009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 288: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'90009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 289: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 291: SecRule ARGS|ARGS_NAMES|XML:/* "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'900051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 293: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'900051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"; 294: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 296: SecRule ARGS|ARGS_NAMES|XML:/* "(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?$?)|(?:end\s*$;)|(\"\s+regexp\W)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'900047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 298: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'900047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 299: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?$?)|(?:end\s*$;)|(\"\s+regexp\W)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 301: SecRule ARGS|ARGS_NAMES|XML:/* "(?:$[\w\s]+\([\w\s]+$[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))$[^)[]+\[[^\]]+\][^)]*$)|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'90008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 303: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'90008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 304: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:$[\w\s]+\([\w\s]+$[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))$[^)[]+\[[^\]]+\][^)]*$)|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 306: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'900038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 308: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'900038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"; 309: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 311: SecRule ARGS|ARGS_NAMES|XML:/* "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'90004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 313: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'90004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 314: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 316: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'900034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 318: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'900034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 319: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 321: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'900037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 323: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'900037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"; 324: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 326: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'900043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 328: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'900043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"; 329: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 331: SecRule ARGS|ARGS_NAMES|XML:/* "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'90005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; 333: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'90005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"; 334: SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_sql_injection_attacks.conf; 24: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_41_sql_injection_attacks.data" "phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,nolog,pass,setvar:tx.pm_sqli_score=+1"; 26: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,nolog,pass"; 28: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "@pmFromFile modsecurity_41_sql_injection_attacks.data" "t:none,t:urlDecode,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:tx.pm_sqli_score=+1"; 30: SecRule TX:PM_SQLI_SCORE "@eq 0" "phase:2,rev:'2.0.5',t:none,pass,skipAfter:END_SQL_INJECTION_PM,nolog"; 40: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_catalog\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 43: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bconstraint_type\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959503',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 46: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_tables\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959521',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 49: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmsysqueries\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959509',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 52: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmsysaces\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959506',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 55: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\@\@spid\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959500',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 58: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcharindex\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959502',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 61: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.all_tables\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959515',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 64: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_constraints\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959518',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 67: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{0,40}buser\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959514',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 70: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bwaitfor\b\W*?\bdelay\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959538',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 73: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmsyscolumns\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959507',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 76: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{0,40}\bsubstring\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959513',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 79: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_triggers\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959522',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 82: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blocate\W+\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959505',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 85: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmsysrelationships\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959510',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 88: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_tab_columns\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959520',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 91: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\battnotnull\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959501',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 94: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmsysobjects\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959508',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 97: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.tab\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959516',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 100: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{0,40}\bascii\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959512',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 103: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_views\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959523',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 106: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\binstr\W+\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959504',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 109: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_objects\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959519',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 112: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmysql\.user\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959511',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 116: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_tables\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959918',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 119: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_tab_columns\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 122: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\ball_objects\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959900',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 125: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bpg_class\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959910',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 128: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsyscat\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959524',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 131: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsubstr\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959912',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 134: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysdba\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959527',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 137: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btextpos\W+\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959533',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 140: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\battrelid\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 143: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bpg_attribute\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959909',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 146: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_password\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959917',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 149: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_users\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959919',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 152: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_constraints\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959534',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 155: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxtype\W+\bchar\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959537',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 158: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_objects\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959916',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 161: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcolumn_name\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 164: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysfilegroups\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959528',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 167: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsyscolumns\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959525',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 170: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsubstring\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959913',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 173: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysobjects\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959530',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 176: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bobject_type\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 179: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bobject_id\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 182: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysibm\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959529',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 185: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_ind_columns\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959535',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 188: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcolumn_id\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 191: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysprocesses\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959531',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 194: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmb_users\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 197: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btable_name\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959914',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 200: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsystables\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959532',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 203: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bobject_name\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959907',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 206: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\brownum\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959911',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 209: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsysconstraints\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959526',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 212: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\batttypid\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959902',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 215: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_group\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959915',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 224: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\'msdasql\'" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959020',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 227: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_makecab\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959058',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 230: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\butl_http\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959049',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 233: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.*?\bto_number\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959035',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 236: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btbcreator\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959046',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 239: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_execute\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959038',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 242: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgroup\b.*\bbyb.{1,100}?\bhaving\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959011',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 245: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.*?\bdata_type\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959027',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 248: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_cmdshell\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959052',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 251: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bisnull\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959018',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 254: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bopenrowset\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959023',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 257: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 260: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\binsert\b\W*?\binto\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959015',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 263: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959032',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 266: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\;\W*?\bdrop\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 269: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_execresultset\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959055',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 272: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regaddmultistring\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959060',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 275: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\@\@version\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959004',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 278: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regread\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959065',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 281: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bloadb\W*?\bdata\b.*\binfile\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959019',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 284: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.*?\bto_char\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959034',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 287: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bdbms_java\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959009',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 290: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_enumdsn\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959054',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 293: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_availablemedia\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959051',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 296: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_prepare\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959042',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 299: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnvarchar\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959021',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 302: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\butl_file\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959048',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 305: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\binner\b\W*?\bjoin\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959014',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 308: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regdeletekey\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959061',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 311: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_loginconfig\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959057',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 314: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_sqlexec\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959043',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 317: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bprint\b\W*?\@\@" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959024',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 320: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959031',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 323: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regremovemultistring\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959066',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 326: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regwrite\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959067',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 329: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bvarchar\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959050',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 332: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bintob\W*?\bdumpfile\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959016',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 335: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bifb\W*?\(\W*?\bbenchmark\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959012',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 338: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bopenquery\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959022',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 341: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959033',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 344: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcastb\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959006',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 347: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bdelete\b\W*?\bfrom\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959075',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 350: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regdeletevalue\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959062',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 353: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\'sqloledb\'" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959003',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 356: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_addextendedproc\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959037',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 359: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsql_longvarchar\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959044',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 362: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_dirtree\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959053',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 365: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regenumkeys\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959063',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 368: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.*?\bdump\b.*\bfrom\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959028',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 371: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_filelist\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959056',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 374: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\'sa\'" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959026',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 377: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_terminate\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959068',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 380: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_executesql\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959039',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 383: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bifnull\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959013',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 386: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bintob\W*?\boutfile\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959017',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 389: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_makewebtask\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959040',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 392: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\'dbo\'" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959010',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 395: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsql_variant\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959045',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 398: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_ntsec\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959059',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 401: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\;\W*?\bshutdown\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959002',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 404: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.*?\binstr\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959029',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 407: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bautonomous_transaction\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959005',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 410: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bdba_users\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 413: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsp_oacreate\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959041',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 416: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959036',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 419: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bxp_regenumvalues\b" "phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'959064',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 422: SecMarker END_SQL_INJECTION_PM; 425: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(\d+) ?(?:=|<>|<=>|<|>) ?\1\b|[\'\"\`\´\’\‘](\d+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>) ?[\'\"\`\´\’\‘]\2\b|[\'\"\`\´\’\‘](\w+)[\'\"\`\´\’\‘] ?(?:=|<>|<=>) ?[\'\"\`\´\’\‘]\3\b" "phase:2,rev:'2.0.5',capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 428: SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 430: SecMarker BEGIN_SQL_INJECTION_WEAK; 431: SecRule &TX:/SQL_INJECTION/ "@eq 0" "phase:2,rev:'2.0.5',t:none,nolog,pass,skipAfter:END_SQL_INJECTION_WEAK"; 434: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:rel(?:(?:nam|typ)e|kind)|to_(?:numbe|cha)r|d(?:elete|rop)|group\b\W*\bby|insert|where)\b|s(?:(?:ubstr(?:ing)?|leep)\W+$|(?:hutdown|elect)\b)|(?:b(?:enchmark|in)|find_in_set|position|mid)\W+\(|c(?:o(?:n(?:cat\W+\(|vert\b)|unt\b)|ha?r\b)|u(?:n(?:hex\W+\(|ion\b)|pdate\b)|l(?:o(?:cate|wer)\W+\(|ength\b)|a(?:ttn(?:ame|um)\b|scii\W+\()|h(?:aving\b|ex\W+\())" "phase:2,rev:'2.0.5',chain,capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"; 436: SecRule MATCHED_VAR "(?:[\\\($\%#]|--)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 439: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(?:benchmark|encode)\b" "phase:2,rev:'2.0.5',chain,capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"; 440: SecRule MATCHED_VAR "(?:[\\\%#]|--)" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"; 442: SecMarker END_SQL_INJECTION_WEAK; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf; 14: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" "phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"; 16: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,nolog,pass"; 18: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "@pm jscript onsubmit copyparentfolder javascript meta onchange onmove onkeydown onkeyup activexobject onerror onmouseup ecmascript bexpression onmouseover vbscript: <![cdata[ http: .innerhtml settimeout shell: onabort asfunction: onkeypress onmousedown onclick .fromcharcode background-image: .cookie x-javascript ondragdrop onblur mocha: javascript: onfocus lowsrc getparentfolder onresize @import alert script onselect onmouseout application onmousemove background .execscript livescript: vbscript getspecialfolder .addimport iframe onunload createtextrange <input onload" "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:tx.pm_xss_score=+%{tx.critical_anomaly_score}"; 20: SecRule TX:PM_XSS_SCORE "@eq 0" "phase:2,t:none,pass,skipAfter:END_XSS_CHECK,nolog"; 24: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 27: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmousedown\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958414',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 30: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958032',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 33: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmocha:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958026',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 36: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonabort\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958027',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 39: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bhttp:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958054',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 42: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmouseup\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958418',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 45: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*\=.*bexpression\b\W*\(" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958034',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 48: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958019',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 51: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcreatetextrange\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958013',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 54: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bondragdrop\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958408',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 57: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcopyparentfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958012',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 60: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonunload\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958423',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 63: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.execscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958002',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 66: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetspecialfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958017',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 69: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bonload\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958007',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 72: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958047',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 75: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonkeydown\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958410',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 78: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmousemove\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958415',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 81: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blivescript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958022',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 84: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonblur\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958405',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 87: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmove\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958419',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 90: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsettimeout\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958028',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 93: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\< ?iframe" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958057',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 96: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958031',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 99: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<body\b.*?\bbackground\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958006',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 102: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958033',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 105: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\becmascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958038',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 108: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonfocus\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958409',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 111: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.cookie\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958001',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 114: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\<\!\[cdata\[" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958005',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 117: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonerror\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958404',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 120: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958023',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 123: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bactivexobject\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958010',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 126: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonkeypress\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958411',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 129: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonsubmit\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958422',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 132: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958036',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 135: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.addimport\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958000',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 138: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958018',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 141: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonchange\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958406',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 144: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958040',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 147: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\balert\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958052',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 150: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958037',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 153: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\< ?meta\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958049',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 156: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsrc\b\W*?\bhttp:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958030',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 159: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bvbscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958041',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 162: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmouseout\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958416',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 165: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958024',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 168: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\basfunction:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958059',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 171: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonmouseover\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958417',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 174: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bhref\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958020',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 177: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958045',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 180: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.innerhtml\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958004',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 183: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonselect\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958421',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 186: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\@import\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958009',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 189: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\blowsrc\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958025',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 192: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonload\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958413',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 195: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\< ?script\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958051',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 198: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonresize\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958420',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 201: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonclick\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958407',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 204: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\biframe\b.{0,100}?\bsrc\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958056',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 207: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bbackground-image:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958011',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 210: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bonkeyup\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958412',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 213: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<input\b.*?\btype\b\W*?\bimage\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958008',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 216: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\burl\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958046',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 219: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btype\b\W*?\btext\b\W*?\bjavascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958039',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 222: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.fromcharcode\b" "phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958003',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 225: SecRule TX:PARANOID_MODE "!@eq 1" "phase:2,t:none,nolog,pass,skipAfter:END_XSS_CHECK"; 228: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bgetparentfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958084',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 232: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmousedown\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958482',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 236: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bsrc\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958100',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 240: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bmocha:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958094',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 244: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonabort\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958095',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 248: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\blowsrc\b\W*?\bhttp:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958122',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 252: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmouseup\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958486',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 256: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bstyle\b\W*\=.*bexpression\b\W*\(" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958102',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 260: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bhref\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958087',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 264: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcreatetextrange\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958081',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 268: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bondragdrop\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958476',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 272: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcopyparentfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958080',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 276: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonunload\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958491',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 280: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.execscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958070',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 284: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bgetspecialfolder\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958085',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 288: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "<body\b.*?\bonload\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958075',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 292: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\burl\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958115',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 296: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonkeydown\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958478',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 300: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmousemove\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958483',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 304: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\blivescript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958090',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 308: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonblur\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958473',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 312: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmove\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958487',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 316: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bsettimeout\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958096',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 320: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\< ?iframe" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958125',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 324: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bsrc\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958099',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 328: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "<body\b.*?\bbackground\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958074',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 332: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bsrc\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958101',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 336: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\btext\b\W*?\becmascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958106',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 340: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonfocus\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958477',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 344: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.cookie\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958069',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 348: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\<\!\[cdata\[" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958073',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 352: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonerror\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958472',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 356: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\blowsrc\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958091',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 360: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bactivexobject\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958078',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 364: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonkeypress\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958479',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 368: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonsubmit\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958490',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 372: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\bapplication\b\W*?\bx-javascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958104',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 376: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.addimport\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958068',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 380: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bhref\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958086',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 384: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonchange\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958474',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 388: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\btext\b\W*?\bjscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958108',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 392: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\balert\b\W*?\(" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958120',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 396: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\bapplication\b\W*?\bx-vbscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958105',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 400: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\< ?meta\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958117',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 404: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bsrc\b\W*?\bhttp:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958098',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 408: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\btext\b\W*?\bvbscript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958109',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 412: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmouseout\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958484',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 416: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\blowsrc\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958092',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 420: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\basfunction:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958127',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 424: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonmouseover\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958485',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 428: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bhref\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958088',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 432: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\burl\b\W*?\bjavascript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958113',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 436: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.innerhtml\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958072',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 440: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonselect\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958489',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 444: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\@import\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958077',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 448: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\blowsrc\b\W*?\bvbscript:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958093',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 452: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonload\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958481',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 456: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\< ?script\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958119',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 460: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonresize\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958488',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 464: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonclick\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958475',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 468: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\biframe\b.{0,100}?\bsrc\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958124',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 472: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bbackground-image:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958079',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 476: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bonkeyup\b\W*?\=" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958480',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 480: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "<input\b.*?\btype\b\W*?\bimage\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958076',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 484: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\burl\b\W*?\bshell:" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958114',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 488: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btype\b\W*?\btext\b\W*?\bjavascript\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958107',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 492: SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.fromcharcode\b" "phase:2,rev:'2.0.5',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'958071',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 494: SecMarker END_XSS_CHECK; 555: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" "phase:2,rev:'2.0.5',id:'973300',capture,t:none,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'Possible XSS Attack Detected - HTML Tag Handler',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 558: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\ballowscriptaccess\b|\brel\b\W*?=" "phase:2,rev:'2.0.5',id:'973301',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 563: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "application/x-shockwave-flash|image/svg\+xml|text/(css|html|ecmascript|javascript|vbscript|x-(javascript|scriptlet|vbscript))" "phase:2,rev:'2.0.5',id:'973302',capture,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 571: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bon(abort|blur|change|click|dblclick|dragdrop|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|move|readystatechange|reset|resize|select|submit|unload)\b\W*?=" "phase:2,rev:'2.0.5',id:'973303',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 587: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" "phase:2,rev:'2.0.5',id:'973304',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 605: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(asfunction|javascript|vbscript|data|mocha|livescript):" "phase:2,rev:'2.0.5',id:'973305',capture,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 613: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bstyle\b\W*?=" "phase:2,rev:'2.0.5',id:'973306',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 645: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(fromcharcode|alert|eval)\s*\(" "phase:2,rev:'2.0.5',id:'973307',capture,t:none,t:htmlEntityDecode,t:jsDecode,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 671: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "background\b\W*?:\W*?url|background-image\b\W*?:|behavior\b\W*?:\W*?url|-moz-binding\b|@import\b|expression\b\W*?\(" "phase:2,rev:'2.0.5',id:'973308',capture,t:none,t:htmlEntityDecode,t:cssDecode,t:replaceComments,t:removeWhitespace,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 675: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<!\[cdata\[|\]\]>" "phase:2,rev:'2.0.5',id:'973309',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 686: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[/'\"<]xss[/'\">]" "phase:2,rev:'2.0.5',id:'973310',capture,t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 691: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(88,83,83)" "phase:2,rev:'2.0.5',id:'973311',capture,t:none,logdata:'%{TX.0}',t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 696: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "'';!--\"<xss>=&{()}" "phase:2,rev:'2.0.5',id:'973312',capture,logdata:'%{TX.0}',t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 701: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "&{" "phase:2,rev:'2.0.5',id:'973313',capture,logdata:'%{TX.0}',t:none,pass,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 718: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<!(doctype|entity)" "phase:2,rev:'2.0.5',id:'973314',capture,logdata:'%{TX.0}',t:none,t:lowercase,pass,nolog,auditlog,msg:'XSS Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 724: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&[#=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))" "phase:2,rev:'2.0.5',id:'973315',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 726: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" "phase:2,rev:'2.0.5',id:'973316',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 728: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973317',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}; 730: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<applet[ /+\t].*?code[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973318',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 732: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)" "phase:2,rev:'2.0.5',id:'973319',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 734: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<base[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973320',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 736: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<link[ /+\t].*?href[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973321',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 738: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|REQUEST_BODY "(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973322',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 740: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<\?import[ /+\t].*?implementation[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973323',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 742: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<embed[ /+\t].*?SRC.*?=)" "phase:2,rev:'2.0.5',id:'973324',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 744: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[ /+\t\"\'`]on\c\c\c+?[ +\t]*?=.)" "phase:2,rev:'2.0.5',id:'973325',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}; 746: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<.*[:]vmlframe.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973326',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}; 748: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973327',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 750: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<isindex[ /+\t>])" "phase:2,rev:'2.0.5',id:'973328',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 752: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<form.*?>)" "phase:2,rev:'2.0.5',id:'973329',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 754: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?[ /+\t]*?src[ /+\t]*=)" "phase:2,rev:'2.0.5',id:'973330',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 756: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:<script.*?>)" "phase:2,rev:'2.0.5',id:'973331',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 758: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)" "phase:2,rev:'2.0.5',id:'973332',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 760: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?))=)" "phase:2,rev:'2.0.5',id:'973333',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 762: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'].*?\[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?$)" "phase:2,rev:'2.0.5',id:'973334',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; 764: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?\(.*?$)" "phase:2,rev:'2.0.5',id:'973335',capture,logdata:'%{TX.0}',t:none,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,auditlog,msg:'IE XSS Filters - Attack Detected',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_42_tight_security.conf; 18: SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Path Traversal Attack',id:'950103',severity:'2'"; 20: SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_45_trojans.conf; 30: SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,rev:'2.0.5',t:none,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"; 32: SecRule REQUEST_FILENAME "root\.exe" "phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"; 34: SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?$c$ copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" "phase:4,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',tag:'WASCTC/WASC-01',tag:'OWASP_TOP_10/A7',tag:'PCI/5.1.1',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_47_common_exceptions.conf; 15: SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog"; 16: SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"; 17: SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"; 18: SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"; 23: SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,t:none,pass,nolog"; 24: SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none"; 25: SecRule REQUEST_HEADERS:User-Agent "^Apache.*$internal dummy connection$$" "t:none,t:none,chain"; 26: SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"; 27: SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf; 25: SecRule TX:ANOMALY_SCORE "@ge 20" "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_inbound_blocking.conf; 18: SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:2,t:none,nolog,auditlog,block,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"; 19: SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_50_outbound.conf; 19: SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 23: SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace $click to expand$\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 27: SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 31: SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-MISCONFIGURATION-%{matched_var_name}=%{tx.0}"; 35: SecRule RESPONSE_BODY "<o:documentproperties>" "phase:4,rev:'2.0.5',t:none,capture,nolog,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 38: SecRule RESPONSE_BODY "\<\%" "phase:4,rev:'2.0.5',chain,t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"; 39: SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 44: SecRule RESPONSE_BODY "<cf" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 48: SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" "phase:4,rev:'2.0.5',t:none,capture,t:lowercase,ctl:auditLogParts=+E,nolog,auditlog,msg:'IIS installed in default location',id:'970018',severity:'3',chain"; 49: SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score}"; 52: SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"; 54: SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| $0x80040e31$<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'The application is not available',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"; 57: SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2.0.5',chain,t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'3'"; 58: SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 61: SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,rev:'2.0.5',chain,capture,t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"; 62: SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,capture,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 68: SecRule RESPONSE_BODY "!@pm iframe" "phase:4,rev:'2.0.5',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skipAfter:END_IFRAME_CHECK"; 70: SecRule RESPONSE_BODY "<\W*iframe[^>]+?\b(?:width|height)\b\W*?=\W*?[\"']?[^\"'1-9]*?(?:(?:20|1?\d(?:\.\d*)?)(?![\d%.])|[0-3](?:\.\d*)?%)" "t:replaceComments,phase:4,rev:'2.0.5',ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Possibly malicious iframe tag in output',id:'981000',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"; 72: SecRule RESPONSE_BODY "<\W*iframe[^>]+?\bstyle\W*?=\W*?[\"']?\W*?\bdisplay\b\W*?:\W*?\bnone\b" "t:replaceComments,phase:4,rev:'2.0.5',ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Possibly malicious iframe tag in output',id:'981001',tag:'MALICIOUS_IFRAME',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"; 73: SecMarker END_IFRAME_CHECK; 78: SecRule RESPONSE_BODY "@pmFromFile modsecurity_50_outbound_malware.data" "phase:4,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Possible link to malware domain in output',id:'981002',tag:'MALWARE_LINK',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_IFRAME-%{matched_var_name}=%{tx.0}"; 85: SecRule RESPONSE_BODY "!@pmFromFile modsecurity_50_outbound.data" "phase:4,rev:'2.0.5',t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUD_CHECK"; 89: SecRule RESPONSE_BODY "\bwscript\.shell\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971379',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 91: SecRule RESPONSE_BODY "<jsp:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971300',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 93: SecRule RESPONSE_BODY "\.addheader\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971360',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 95: SecRule RESPONSE_BODY "\bserver\.execute\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971373',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 97: SecRule RESPONSE_BODY "\bserver\.mappath\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971375',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 99: SecRule RESPONSE_BODY "\bresponse\.binarywrite\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971369',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 101: SecRule RESPONSE_BODY "\bserver\.createobject\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971372',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 103: SecRule RESPONSE_BODY "\.createtextfile\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971361',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 105: SecRule RESPONSE_BODY "\bwscript\.network\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971378',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 107: SecRule RESPONSE_BODY "\bvbscript\.encode\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971377',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 109: SecRule RESPONSE_BODY "\bserver\.htmlencode\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971374',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 111: SecRule RESPONSE_BODY "\bjavax\.servlet" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971301',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 113: SecRule RESPONSE_BODY "\bscripting\.filesystemobject\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971371',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 115: SecRule RESPONSE_BODY "\bserver\.urlencode\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971376',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 117: SecRule RESPONSE_BODY "\.getfile\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971362',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 119: SecRule RESPONSE_BODY "\.loadfromfile\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971363',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 121: SecRule RESPONSE_BODY "\bresponse\.write\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'ASP/JSP source code leakage',id:'971370',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 125: SecRule RESPONSE_BODY "\bproc_open\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958976',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 127: SecRule RESPONSE_BODY "\bgzread\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958972',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 129: SecRule RESPONSE_BODY "\bftp_nb_fget\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958963',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 131: SecRule RESPONSE_BODY "\bftp_nb_get\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958965',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 133: SecRule RESPONSE_BODY "\bfscanf\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958959',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 135: SecRule RESPONSE_BODY "\breadfile\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958978',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 137: SecRule RESPONSE_BODY "\bfgetss\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958955',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 139: SecRule RESPONSE_BODY "\$_post\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958941',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 141: SecRule RESPONSE_BODY "\bsession_start\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958982',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 143: SecRule RESPONSE_BODY "\breaddir\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958977',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 145: SecRule RESPONSE_BODY "\bgzwrite\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958973',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 147: SecRule RESPONSE_BODY "\bscandir\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958981',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 149: SecRule RESPONSE_BODY "\bftp_get\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958962',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 151: SecRule RESPONSE_BODY "\bfread\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958958',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 153: SecRule RESPONSE_BODY "\breadgzfile\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958979',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 155: SecRule RESPONSE_BODY "\bftp_put\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958967',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 157: SecRule RESPONSE_BODY "\bfwrite\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958968',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 159: SecRule RESPONSE_BODY "\bgzencode\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958970',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 161: SecRule RESPONSE_BODY "\bfopen\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958957',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 163: SecRule RESPONSE_BODY "\$_session\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958942',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 165: SecRule RESPONSE_BODY "\bftp_nb_fput\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958964',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 167: SecRule RESPONSE_BODY "\bftp_fput\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958961',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 169: SecRule RESPONSE_BODY "\bgzcompress\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958969',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 171: SecRule RESPONSE_BODY "\bbzopen\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958946',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 173: SecRule RESPONSE_BODY "\bgzopen\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958971',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 175: SecRule RESPONSE_BODY "\bfgetc\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958953',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 177: SecRule RESPONSE_BODY "\bmove_uploaded_file\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958975',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 179: SecRule RESPONSE_BODY "\bftp_nb_put\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958966',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 181: SecRule RESPONSE_BODY "\bcall_user_func\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958983',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 183: SecRule RESPONSE_BODY "\$_get\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958940',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 185: SecRule RESPONSE_BODY "\bfgets\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958954',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 187: SecRule RESPONSE_BODY "\bftp_fget\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'958960',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 190: SecRule RESPONSE_BODY "<\?(?!xml)" "phase:4,rev:'2.0.5',chain,t:none,capture,ctl:auditLogParts=+E,nolog,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"; 191: SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}"; 195: SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?webcruncher\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971019',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 197: SecRule RESPONSE_BODY "\bThese statistics were produced by PeLAB\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971011',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 199: SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?analog\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971020',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 201: SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?Jware\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971018',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 203: SecRule RESPONSE_BODY "\bThis summary was generated by.{0,100}?wwwstat\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971014',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 205: SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?calamaris\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971022',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 207: SecRule RESPONSE_BODY "\bThis report was generated by WebLog\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971013',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 209: SecRule RESPONSE_BODY "\b[gG]enerated by.{0,100}?[Ww]ebalizer\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971024',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 211: SecRule RESPONSE_BODY "\bThese statistics were produced by getstats\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971010',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 213: SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?EasyStat\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971023',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 215: SecRule RESPONSE_BODY "\bThis analysis was produced by.{0,100}?analog\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Statistics Information Leakage',id:'971021',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 220: SecRule RESPONSE_BODY "\bCould not find server \'\w+\' in sysservers\. execute sp_addlinkedserver\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971154',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 222: SecRule RESPONSE_BODY "\bSyntax error converting the \w+ value .*? to a column of data type\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971153',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 224: SecRule RESPONSE_BODY "\bORA-\d{5}\: " "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971198',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 226: SecRule RESPONSE_BODY "\bUnclosed quotation mark before the character string\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971092',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 228: SecRule RESPONSE_BODY "\[Microsoft\]\[ODBC " "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971197',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 230: SecRule RESPONSE_BODY "\berror \'800a01b8\'" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971069',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 232: SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax near \'" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971094',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 234: SecRule RESPONSE_BODY "\bmicrosoft jet database engine error \'8" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971072',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 236: SecRule RESPONSE_BODY "\bselect list because it is not contained in an aggregate function and there is no GROUP BY clause\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971086',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 238: SecRule RESPONSE_BODY "\bUnable to connect to PostgreSQL server\:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971091',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 240: SecRule RESPONSE_BODY "\bPostgreSQL query failed\:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971068',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 242: SecRule RESPONSE_BODY "\bsupplied argument is not a valid MS SQL\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971158',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 244: SecRule RESPONSE_BODY "\bsupplied argument is not a valid Oracle\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971157',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 246: SecRule RESPONSE_BODY "\bWarning: mysql_connect\:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971093',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 248: SecRule RESPONSE_BODY "\bsupplied argument is not a valid ODBC\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971159',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 250: SecRule RESPONSE_BODY "\bMicrosoft OLE DB Provider for .{0,30} [eE]rror '" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971076',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 252: SecRule RESPONSE_BODY "\bSQL Server does not exist or access denied\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971096',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 254: SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted; the operation\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971099',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 256: SecRule RESPONSE_BODY "\bcannot take a \w+ data type as an argument\." "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971060',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 258: SecRule RESPONSE_BODY "\bselect list because it is not contained in either an aggregate function or the GROUP BY clause\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971087',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 260: SecRule RESPONSE_BODY "\bThe column prefix .{0,50}? does not match with a table name or alias name used in the query\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971155',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 262: SecRule RESPONSE_BODY "\bsupplied argument is not a valid PostgreSQL result\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971088',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 264: SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax;" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971150',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 266: SecRule RESPONSE_BODY "\bsupplied argument is not a valid MySQL\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971156',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 268: SecRule RESPONSE_BODY "\bEither BOF or EOF is True, or the current record has been deleted. Requested\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971067',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 270: SecRule RESPONSE_BODY "\bincorrect syntax near (?:\'|the\b|\@\@error\b)" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SQL Information Leakage',id:'971152',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 275: SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?: |\s)Microsoft \.NET Framework Version\:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971123',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 277: SecRule RESPONSE_BODY ">error \'ASP\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971111',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 279: SecRule RESPONSE_BODY "\berror \'800" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971116',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 281: SecRule RESPONSE_BODY "\<b\>Version Information\:\<\/b\>(?: |\s)ASP\.NET Version\:" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971124',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 283: SecRule RESPONSE_BODY "\bA trappable error occurred in an external object\. The script cannot continue running\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971122',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 285: SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime Error\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971125',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 287: SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation \(0x8\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971121',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 289: SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.aspx\?[Ee]rror\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971113',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 291: SecRule RESPONSE_BODY "\bMicrosoft VBScript runtime \(0x8\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971126',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 293: SecRule RESPONSE_BODY "\bObject required\: \'" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971112',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 295: SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\bApplication uses a value of the wrong type for the current operation\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971115',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 297: SecRule RESPONSE_BODY "/[Ee]rror[Mm]essage\.asp\?[Ee]rror\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971127',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 299: SecRule RESPONSE_BODY "\bADODB\.Command\b.{0,100}?\berror\'" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971114',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 301: SecRule RESPONSE_BODY "\bMicrosoft VBScript compilation error\b" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'971119',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 303: SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" "phase:4,rev:'2.0.5',chain,t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3'"; 304: SecRule RESPONSE_STATUS "!^404$" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"; 308: SecRule RESPONSE_BODY ">[To Parent Directory]</[Aa]><br>" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Directory Listing',id:'971202',tag:'LEAKAGE/INFO',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 310: SecRule RESPONSE_BODY "<TITLE>Index of.*?<H1>Index of" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Directory Listing',id:'971201',tag:'LEAKAGE/INFO',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 312: SecRule RESPONSE_BODY "<title>Index of.*?<h1>Index of" "phase:4,rev:'2.0.5',t:none,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Directory Listing',id:'971200',tag:'LEAKAGE/INFO',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"; 313: SecMarker END_OUTBOUND_CHECK; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_59_outbound_blocking.conf; 23: SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" "phase:4,t:none,nolog,auditlog,block,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"; In file: /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf; 21: SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"; 22: SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"; 27: SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"; 28: SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"; 31: SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" "chain,phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"; 32: SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}" "skipAfter:END_CORRELATION"; 35: SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQLI_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"; 38: SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" "phase:5,t:none,log,noauditlog,pass,msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'"; 40: SecMarker END_CORRELATION

Module Name: mod_evasive20.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: Check Access
Module Directives:: DOSHashTableSize - Set size of hash table; DOSPageCount - Set maximum page hit count per interval; DOSSiteCount - Set maximum site hit count per interval; DOSPageInterval - Set page interval; DOSSiteInterval - Set site interval; DOSBlockingPeriod - Set blocking period for detected DoS IPs; DOSEmailNotify - Set email notification; DOSLogDir - Set log dir; DOSSystemCommand - Set system command on DoS; DOSWhitelist - IP-addresses wildcards to whitelist
Current Configuration:: In file: /etc/httpd/conf.d/mod_evasive.conf; 12: DOSHashTableSize 3097; 18: DOSPageCount 50; 24: DOSSiteCount 100; 28: DOSPageInterval 1; 32: DOSSiteInterval 1; 41: DOSBlockingPeriod 300; 48: DOSEmailNotify info@zarcrom.com

Module Name: mod_cgi.c
Content handlers: yes
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Content Handlers
Module Directives:: ScriptLog - the name of a log for script debugging info; ScriptLogLength - the maximum length (in bytes) of the script debug log; ScriptLogBuffer - the maximum size (in bytes) to record of a POST request
Current Configuration:

Module Name: mod_disk_cache.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: none
Module Directives:: CacheRoot - The directory to store cache files; CacheDirLevels - The number of levels of subdirectories in the cache; CacheDirLength - The number of characters in subdirectory names; CacheMinFileSize - The minimum file size to cache a document; CacheMaxFileSize - The maximum file size to cache a document
Current Configuration:

Module Name: mod_suexec.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Create Server Config
Request Phase Participation: none
Module Directives:: SuexecUserGroup - User and group for spawned processes
Current Configuration:

Module Name: mod_cache.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Quick Handler
Module Directives:: CacheEnable - A cache type and partial URL prefix below which caching is enabled; CacheDisable - A partial URL prefix below which caching is disabled; CacheMaxExpire - The maximum time in seconds to cache a document; CacheDefaultExpire - The default time in seconds to cache a document; CacheIgnoreNoLastMod - Ignore Responses where there is no Last Modified Header; CacheIgnoreCacheControl - Ignore requests from the client for uncached content; CacheStorePrivate - Ignore 'Cache-Control: private' and store private content; CacheStoreNoStore - Ignore 'Cache-Control: no-store' and store sensitive content; CacheIgnoreHeaders - A space separated list of headers that should not be stored by the cache; CacheIgnoreQueryString - Ignore query-string when caching; CacheIgnoreURLSessionIdentifiers - A space separated list of session identifiers that should be ignored for creating the key of the cached entity.; CacheLastModifiedFactor - The factor used to estimate Expires date from LastModified date; CacheLock - Enable or disable the thundering herd lock.; CacheLockPath - The thundering herd lock path. Defaults to the '/mod_cache-lock' directory in the system temp directory.; CacheLockMaxAge - Maximum age of any thundering herd lock.
Current Configuration:

Module Name: mod_proxy_connect.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: none
Module Directives: none

Module Name: mod_proxy_http.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: none
Module Directives: none

Module Name: mod_proxy_ftp.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: none
Module Directives: none

Module Name: mod_proxy_balancer.c
Content handlers: yes
Configuration Phase Participation: none
Request Phase Participation: Content Handlers
Module Directives: none

Module Name: mod_proxy.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Post-Read Request, Translate Name, Map to Storage, Fixups, Content Handlers
Module Directives:: <Proxy> - Container for directives affecting resources located in the proxied location; <ProxyMatch> - Container for directives affecting resources located in the proxied location, in regular expression syntax; ProxyRequests - on if the true proxy requests should be accepted; ProxyRemote - a scheme, partial URL or '*' and a proxy server; ProxyRemoteMatch - a regex pattern and a proxy server; ProxyPassInterpolateEnv - Interpolate Env Vars in reverse Proxy; ProxyPass - a virtual path and a URL; ProxyPassMatch - a virtual path and a URL; ProxyPassReverse - a virtual path and a URL for reverse proxy behaviour; ProxyPassReverseCookiePath - Path rewrite rule for proxying cookies; ProxyPassReverseCookieDomain - Domain rewrite rule for proxying cookies; ProxyBlock - A list of names, hosts or domains to which the proxy will not connect; ProxyReceiveBufferSize - Receive buffer size for outgoing HTTP and FTP connections in bytes; ProxyIOBufferSize - IO buffer size for outgoing HTTP and FTP connections in bytes; ProxyMaxForwards - The maximum number of proxies a request may be forwarded through.; NoProxy - A list of domains, hosts, or subnets to which the proxy will connect directly; ProxyDomain - The default intranet domain name (in absence of a domain in the URL); AllowCONNECT - A list of ports which CONNECT may connect to; ProxyVia - Configure Via: proxy header header to one of: on | off | block | full; ProxyErrorOverride - use our error handling pages instead of the servers' we are proxying; ProxyPreserveHost - on if we should preserve host header while proxying; ProxyTimeout - Set the timeout (in seconds) for a proxied connection. This overrides the server timeout; ProxyBadHeader - How to handle bad header line in response: IsError | Ignore | StartBody; BalancerMember - A balancer name and scheme with list of params; ProxyStatus - Configure Status: proxy status to one of: on | off | full; ProxySet - A balancer or worker name with list of params; ProxyFtpDirCharset - Define the character set for proxied FTP listings
Current Configuration:: In file: /etc/httpd/conf.d/status.conf; 27: ProxyStatus On

Module Name: mod_rewrite.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Translate Name, Fixups, Content Handlers
Module Directives:: RewriteEngine - On or Off to enable or disable (default) the whole rewriting engine; RewriteOptions - List of option strings to set; RewriteBase - the base URL of the per-directory context; RewriteCond - an input string and a to be applied regexp-pattern; RewriteRule - an URL-applied regexp-pattern and a substitution URL; RewriteMap - a mapname and a filename; RewriteLock - the filename of a lockfile used for inter-process synchronization; RewriteLog - the filename of the rewriting logfile; RewriteLogLevel - the level of the rewriting logfile verbosity (0=none, 1=std, .., 9=max)
Current Configuration:

Module Name: mod_alias.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Translate Name, Fixups
Module Directives:: Alias - a fakename and a realname; ScriptAlias - a fakename and a realname; Redirect - an optional status, then document to be redirected and destination URL; AliasMatch - a regular expression and a filename; ScriptAliasMatch - a regular expression and a filename; RedirectMatch - an optional status, then a regular expression and destination URL; RedirectTemp - a document to be redirected, then the destination URL; RedirectPermanent - a document to be redirected, then the destination URL
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 467: Alias /icons/ "/var/www/icons/"; 492: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"; 771: Alias /error/ "/var/www/error/"; In file: /etc/httpd/conf/conf.sites/possessionstudios.com.conf; 4: <VirtualHost 209.236.236.49:80>; 15: Redirect / https://possessionstudios.com/; : </VirtualHost>

Module Name: mod_userdir.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: Translate Name
Module Directives:: UserDir - the public subdirectory in users' home directories, or 'disabled', or 'disabled username username...', or 'enabled username username...'
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 283: UserDir disabled

Module Name: mod_speling.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Create Server Config
Request Phase Participation: Fixups
Module Directives:: CheckSpelling - whether or not to fix miscapitalized/misspelled requests; CheckCaseOnly - whether or not to fix only miscapitalized requests
Current Configuration:

Module Name: mod_actions.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Content Handlers
Module Directives:: Action - a media type followed by a script name; Script - a method followed by a script name
Current Configuration:

Module Name: mod_dir.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Fixups
Module Directives:: DirectoryIndex - a list of file names; DirectorySlash - On or Off
Current Configuration:: In file: /etc/httpd/conf.d/php.conf; 22: DirectoryIndex index.php; In file: /etc/httpd/conf/httpd.conf; 319: DirectoryIndex index.tpl index.dna index.html index.html.var

Module Name: mod_negotiation.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Check Type, Fixups, Content Handlers
Module Directives:: CacheNegotiatedDocs - Either 'on' or 'off' (default); LanguagePriority - space-delimited list of MIME language abbreviations; ForceLanguagePriority - Force LanguagePriority elections, either None, or Fallback and/or Prefer
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 659: LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW; 666: ForceLanguagePriority Prefer Fallback; 775: <Directory "/var/www/error">; 782: LanguagePriority en es de fr; 783: ForceLanguagePriority Prefer Fallback; : </Directory>

Module Name: mod_vhost_alias.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Translate Name
Module Directives:: VirtualScriptAlias - how to create a ScriptAlias based on the host; VirtualDocumentRoot - how to create the DocumentRoot based on the host; VirtualScriptAliasIP - how to create a ScriptAlias based on the host; VirtualDocumentRootIP - how to create the DocumentRoot based on the host
Current Configuration:

Module Name: mod_dav_fs.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: none
Module Directives:: DAVLockDB - specify a lock database
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 481: DAVLockDB /var/lib/dav/lockdb

Module Name: mod_info.c
Content handlers: yes
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Content Handlers
Module Directives:: AddModuleInfo - a module name and additional information on that module
Current Configuration:

Module Name: mod_autoindex.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Content Handlers
Module Directives:: AddIcon - an icon URL followed by one or more filenames; AddIconByType - an icon URL followed by one or more MIME types; AddIconByEncoding - an icon URL followed by one or more content encodings; AddAlt - alternate descriptive text followed by one or more filenames; AddAltByType - alternate descriptive text followed by one or more MIME types; AddAltByEncoding - alternate descriptive text followed by one or more content encodings; IndexOptions - one or more index options [+|-][]; IndexOrderDefault - {Ascending,Descending} {Name,Size,Description,Date}; IndexIgnore - one or more file extensions; AddDescription - Descriptive text followed by one or more filenames; HeaderName - a filename; ReadmeName - a filename; FancyIndexing - The FancyIndexing directive is no longer supported. Use IndexOptions FancyIndexing.; DefaultIcon - an icon URL; IndexStyleSheet - URL to style sheet; IndexHeadInsert - String to insert in HTML HEAD section
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 520: IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8; 527: AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip; 529: AddIconByType (TXT,/icons/text.gif) text/*; 530: AddIconByType (IMG,/icons/image2.gif) image/*; 531: AddIconByType (SND,/icons/sound2.gif) audio/*; 532: AddIconByType (VID,/icons/movie.gif) video/*; 534: AddIcon /icons/binary.gif .bin .exe; 535: AddIcon /icons/binhex.gif .hqx; 536: AddIcon /icons/tar.gif .tar; 537: AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv; 538: AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip; 539: AddIcon /icons/a.gif .ps .ai .eps; 540: AddIcon /icons/layout.gif .html .shtml .htm .pdf; 541: AddIcon /icons/text.gif .txt; 542: AddIcon /icons/c.gif .c; 543: AddIcon /icons/p.gif .pl .py; 544: AddIcon /icons/f.gif .for; 545: AddIcon /icons/dvi.gif .dvi; 546: AddIcon /icons/uuencoded.gif .uu; 547: AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl; 548: AddIcon /icons/tex.gif .tex; 549: AddIcon /icons/bomb.gif core; 551: AddIcon /icons/back.gif ..; 552: AddIcon /icons/hand.right.gif README; 553: AddIcon /icons/folder.gif ^^DIRECTORY^^; 554: AddIcon /icons/blank.gif ^^BLANKICON^^; 560: DefaultIcon /icons/unknown.gif; 578: ReadmeName README.html; 579: HeaderName HEADER.html; 585: IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

Module Name: mod_status.c
Content handlers: yes
Configuration Phase Participation: none
Request Phase Participation: Content Handlers
Module Directives:: ExtendedStatus - "On" to enable extended status information, "Off" to disable; SeeRequestTail - For verbose requests, "On" to see the last 63 chars of the request, "Off" (default) to see the first 63 in extended status display
Current Configuration:: In file: /etc/httpd/conf.d/status.conf; 18: ExtendedStatus On

Module Name: mod_dav.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Fixups, Content Handlers
Module Directives:: DAV - specify the DAV provider for a directory or location; DAVMinTimeout - specify minimum allowed timeout; DAVDepthInfinity - allow Depth infinity PROPFIND requests
Current Configuration:

Module Name: mod_mime.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Check Type
Module Directives:: AddCharset - a charset (e.g., iso-2022-jp), followed by one or more file extensions; AddEncoding - an encoding (e.g., gzip), followed by one or more file extensions; AddHandler - a handler name followed by one or more file extensions; AddInputFilter - input filter name (or ; delimited names) followed by one or more file extensions; AddLanguage - a language (e.g., fr), followed by one or more file extensions; AddOutputFilter - output filter name (or ; delimited names) followed by one or more file extensions; AddType - a mime type followed by one or more file extensions; DefaultLanguage - language to use for documents with no other language file extension; MultiviewsMatch - NegotiatedOnly (default), Handlers and/or Filters, or Any; RemoveCharset - one or more file extensions; RemoveEncoding - one or more file extensions; RemoveHandler - one or more file extensions; RemoveInputFilter - one or more file extensions; RemoveLanguage - one or more file extensions; RemoveOutputFilter - one or more file extensions; RemoveType - one or more file extensions; TypesConfig - the MIME types config file; ModMimeUsePathInfo - Set to 'yes' to allow mod_mime to use path info for type checking
Current Configuration:: In file: /etc/httpd/conf.d/php.conf; 15: AddHandler php5-script .php; 16: AddType text/html .php; In file: /etc/httpd/conf/httpd.conf; 341: TypesConfig /etc/mime.types; 625: AddLanguage ca .ca; 626: AddLanguage cs .cz .cs; 627: AddLanguage da .dk; 628: AddLanguage de .de; 629: AddLanguage el .el; 630: AddLanguage en .en; 631: AddLanguage eo .eo; 632: AddLanguage es .es; 633: AddLanguage et .et; 634: AddLanguage fr .fr; 635: AddLanguage he .he; 636: AddLanguage hr .hr; 637: AddLanguage it .it; 638: AddLanguage ja .ja; 639: AddLanguage ko .ko; 640: AddLanguage ltz .ltz; 641: AddLanguage nl .nl; 642: AddLanguage nn .nn; 643: AddLanguage no .no; 644: AddLanguage pl .po; 645: AddLanguage pt .pt; 646: AddLanguage pt-BR .pt-br; 647: AddLanguage ru .ru; 648: AddLanguage sv .sv; 649: AddLanguage zh-CN .zh-cn; 650: AddLanguage zh-TW .zh-tw; 695: AddType application/x-compress .Z; 696: AddType application/x-gzip .gz .tgz; 701: AddType application/x-x509-ca-cert .crt; 702: AddType application/x-pkcs7-crl .crl; 724: AddHandler type-map var; 732: AddType text/html .shtml; 733: AddOutputFilter INCLUDES .shtml; 775: <Directory "/var/www/error">; 778: AddOutputFilter Includes html; 779: AddHandler type-map var; : </Directory>; In file: /var/www/cgi-bin/WebCatalogEngine/webdna.conf; 49: AddType text/html .tpl .dna .newsuffix; 52: AddHandler webcatalog2-handler .tpl .html .htm .dna

Module Name: mod_setenvif.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Post-Read Request, Header Parse
Module Directives:: SetEnvIf - A header-name, regex and a list of variables.; SetEnvIfNoCase - a header-name, regex and a list of variables.; BrowserMatch - A browser regex and a list of variables.; BrowserMatchNoCase - A browser regex and a list of variables.
Current Configuration:: In file: /etc/httpd/conf.d/deflate.conf; 5: BrowserMatch ^Mozilla/4 gzip-only-text/html; 8: BrowserMatch ^Mozilla/4\.0[678] no-gzip; 16: BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html; 19: SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary; 20: SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|mov|mp3|rar)$ no-gzip dont-vary; 21: SetEnvIfNoCase Request_URI .pdf$ no-gzip dont-vary; In file: /etc/httpd/conf.d/ssl.conf; 76: <VirtualHost _default_:443>; 215: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/httpd.conf; 811: BrowserMatch "Mozilla/2" nokeepalive; 812: BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0; 813: BrowserMatch "RealPlayer 4\.0" force-response-1.0; 814: BrowserMatch "Java/1\.0" force-response-1.0; 815: BrowserMatch "JDK/1\.0" force-response-1.0; 824: BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully; 825: BrowserMatch "MS FrontPage" redirect-carefully; 826: BrowserMatch "^WebDrive" redirect-carefully; 827: BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully; 828: BrowserMatch "^gnome-vfs/1.0" redirect-carefully; 829: BrowserMatch "^XML Spy" redirect-carefully; 830: BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully; In file: /etc/httpd/conf/conf.ssl/adgs.com.conf; 2: <VirtualHost 209.236.236.33:443>; 27: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/mginterface.com.conf; 3: <VirtualHost 209.236.236.52:443>; 29: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/possessionstudios.com.conf; 4: <VirtualHost 209.236.236.49:443>; 29: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/stocktonproducts.com.conf; 4: <VirtualHost 209.236.236.58:443>; 29: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/ventcovercreations.com.conf; 1: <VirtualHost 209.236.236.46:443>; 23: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/vicenzadesigns.com.conf; 1: <VirtualHost 209.236.236.47:443>; 23: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0; : </VirtualHost>

Module Name: mod_usertrack.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Create Server Config
Request Phase Participation: Fixups
Module Directives:: CookieExpires - an expiry date code; CookieDomain - domain to which this cookie applies; CookieStyle - 'Netscape', 'Cookie' (RFC2109), or 'Cookie2' (RFC2965); CookieTracking - whether or not to enable cookies; CookieName - name of the tracking cookie
Current Configuration:

Module Name: mod_headers.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Post-Read Request, Fixups, Insert Filters, Insert Errors
Module Directives:: Header - an optional condition, an action, header and value followed by optional env clause; RequestHeader - an action, header and value followed by optional env clause
Current Configuration:: In file: /etc/httpd/conf.d/deflate.conf; 24: Header append Vary User-Agent env=!dont-vary

Module Name: mod_deflate.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: none
Module Directives:: DeflateFilterNote - Set a note to report on compression ratio; DeflateWindowSize - Set the Deflate window size (1-15); DeflateBufferSize - Set the Deflate Buffer Size; DeflateMemLevel - Set the Deflate Memory Level (1-9); DeflateCompressionLevel - Set the Deflate Compression Level (1-9)
Current Configuration:

Module Name: mod_expires.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Insert Filters, Insert Errors
Module Directives:: ExpiresActive - Limited to 'on' or 'off'; ExpiresByType - a MIME type followed by an expiry date code; ExpiresDefault - an expiry date code
Current Configuration:

Module Name: mod_mime_magic.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Check Type
Module Directives:: MimeMagicFile - Path to MIME Magic file (in file(1) format)
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 361: MIMEMagicFile conf/magic

Module Name: mod_ext_filter.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config
Request Phase Participation: none
Module Directives:: ExtFilterOptions - valid options: DebugLevel=n, LogStderr, NoLogStderr; ExtFilterDefine - Define an external filter
Current Configuration:

Module Name: mod_env.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Merge Directory Configs
Request Phase Participation: Fixups
Module Directives:: PassEnv - a list of environment variables to pass to CGI.; SetEnv - an environment variable name and optional value to pass to CGI.; UnsetEnv - a list of variables to remove from the CGI environment.
Current Configuration:

Module Name: mod_logio.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: Pre-Connection, Logging
Module Directives: none

Module Name: mod_log_config.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Logging
Module Directives:: CustomLog - a file name, a custom log format string or format name, and an optional "env=" clause (see docs); TransferLog - the filename of the access log; LogFormat - a log format string (see docs) and an optional format name; CookieLog - the filename of the cookie log; BufferedLogs - Enable Buffered Logging (experimental)
Current Configuration:: In file: /etc/httpd/conf.d/ssl.conf; 76: <VirtualHost _default_:443>; 85: TransferLog logs/ssl_access_log; 221: CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/httpd.conf; 413: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined; 414: LogFormat "%h %l %u %t \"%r\" %>s %b" common; 415: LogFormat "%{Referer}i -> %U" referer; 416: LogFormat "%{User-agent}i" agent; 442: CustomLog logs/access_log combined; In file: /etc/httpd/conf/conf.sites/adgs.com.conf; 3: <VirtualHost 209.236.236.33:80>; 12: CustomLog logs/adgs.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/mginterface.com.conf; 2: <VirtualHost 209.236.236.52:80>; 8: CustomLog logs/mginterface.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/pamphletarchitecture.org.conf; 3: <VirtualHost 209.236.236.51:80>; 12: CustomLog logs/pamphletarchitecture.org-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/possessionstudios.com.conf; 4: <VirtualHost 209.236.236.49:80>; 13: CustomLog logs/possessionstudios.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/stocktonproducts.com.conf; 4: <VirtualHost 209.236.236.58:80>; 13: CustomLog logs/stocktonproducts.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/ventcovercreations.com.conf; 3: <VirtualHost 209.236.236.46:80>; 9: CustomLog logs/ventcovercreations.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/vicenzadesigns.com.conf; 3: <VirtualHost 209.236.236.47:80>; 9: CustomLog logs/vicenzadesigns.com-access_log common; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/adgs.com.conf; 2: <VirtualHost 209.236.236.33:443>; 10: TransferLog logs/ssl-adgs.com-access_log; 29: CustomLog logs/duccutters.com-ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/mginterface.com.conf; 3: <VirtualHost 209.236.236.52:443>; 11: TransferLog logs/ssl-mginterface.com-access_log; 30: CustomLog logs/mginterface.com-ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/possessionstudios.com.conf; 4: <VirtualHost 209.236.236.49:443>; 11: TransferLog logs/possessionstudios.com-ssl-access.log; 31: CustomLog logs/possessionstudios.com-ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/stocktonproducts.com.conf; 4: <VirtualHost 209.236.236.58:443>; 11: TransferLog logs/stocktonproducts.com-ssl-access.log; 31: CustomLog logs/stocktonproducts.com-ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/ventcovercreations.com.conf; 1: <VirtualHost 209.236.236.46:443>; 7: TransferLog logs/ssl-ventcovercreations.com-access_log; 24: CustomLog logs/ventcovercreations.com-ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/vicenzadesigns.com.conf; 1: <VirtualHost 209.236.236.47:443>; 7: TransferLog logs/ssl-vicenzadesigns.com-access_log; 24: CustomLog logs/vicenzadesigns.com-ssl.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"; : </VirtualHost>

Module Name: mod_include.c
Content handlers: none
Configuration Phase Participation: Create Directory Config, Create Server Config
Request Phase Participation: Fixups
Module Directives:: XBitHack - Off, On, or Full; SSIErrorMsg - a string; SSITimeFormat - a strftime(3) formatted string; SSIStartTag - SSI Start String Tag; SSIEndTag - SSI End String Tag; SSIUndefinedEcho - String to be displayed if an echoed variable is undefined; SSIAccessEnable - Whether testing access is enabled. Limited to 'on' or 'off'; SSILastModified - Whether to set the last modified header or respect an existing header. Limited to 'on' or 'off'; SSIEtag - Whether to allow the generation of ETags within the server. Existing ETags will be preserved. Limited to 'on' or 'off'
Current Configuration:

Module Name: mod_authnz_ldap.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthLDAPURL - URL to define LDAP connection. This should be an RFC 2255 complaint URL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]]. <ul> <li>Host is the name of the LDAP server. Use a space separated list of hosts to specify redundant servers. <li>Port is optional, and specifies the port to connect to. <li>basedn specifies the base DN to start searches from <li>Attrib specifies what attribute to search for in the directory. If not provided, it defaults to <b>uid</b>. <li>Scope is the scope of the search, and can be either <b>sub</b> or <b>one</b>. If not provided, the default is <b>sub</b>. <li>Filter is a filter to use in the search. If not provided, defaults to <b>(objectClass=*)</b>. </ul> Searches are performed using the attribute and the filter combined. For example, assume that the LDAP URL is <b>ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*)</b>. Searches will be done using the filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, where <i>username</i> is the user name passed by the HTTP client. The search will be a subtree search on the branch <b>ou=People, o=Airius</b>.; AuthLDAPBindDN - DN to use to bind to LDAP server. If not provided, will do an anonymous bind.; AuthLDAPBindPassword - Password to use to bind to LDAP server. If not provided, will do an anonymous bind.; AuthLDAPBindAuthoritative - Set to 'on' to return failures when user-specific bind fails - defaults to on.; AuthLDAPRemoteUserIsDN - Set to 'on' to set the REMOTE_USER environment variable to be the full DN of the remote user. By default, this is set to off, meaning that the REMOTE_USER variable will contain whatever value the remote user sent.; AuthLDAPRemoteUserAttribute - Override the user supplied username and place the contents of this attribute in the REMOTE_USER environment variable.; AuthzLDAPAuthoritative - Set to 'off' to allow access control to be passed along to lower modules if the UserID and/or group is not known to this module; AuthLDAPCompareDNOnServer - Set to 'on' to force auth_ldap to do DN compares (for the "require dn" directive) using the server, and set it 'off' to do the compares locally (at the expense of possible false matches). See the documentation for a complete description of this option.; AuthLDAPGroupAttribute - A list of attributes used to define group membership - defaults to member and uniquemember; AuthLDAPGroupAttributeIsDN - If set to 'on', auth_ldap uses the DN that is retrieved from the server forsubsequent group comparisons. If set to 'off', auth_ldap uses the stringprovided by the client directly. Defaults to 'on'.; AuthLDAPDereferenceAliases - Determines how aliases are handled during a search. Can bo one of thevalues "never", "searching", "finding", or "always". Defaults to always.; AuthLDAPCharsetConfig - Character set conversion configuration file. If omitted, character setconversion is disabled.
Current Configuration:

Module Name: util_ldap.c
Content handlers: yes
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Content Handlers
Module Directives:: LDAPSharedCacheSize - Set the size of the shared memory cache (in bytes). Use 0 to disable the shared memory cache. (default: 100000); LDAPSharedCacheFile - Set the file name for the shared memory cache.; LDAPCacheEntries - Set the maximum number of entries that are possible in the LDAP search cache. Use 0 or -1 to disable the search cache (default: 1024); LDAPCacheTTL - Set the maximum time (in seconds) that an item can be cached in the LDAP search cache. Use 0 for no limit. (default 600); LDAPOpCacheEntries - Set the maximum number of entries that are possible in the LDAP compare cache. Use 0 or -1 to disable the compare cache (default: 1024); LDAPOpCacheTTL - Set the maximum time (in seconds) that an item is cached in the LDAP operation cache. Use 0 for no limit. (default: 600); LDAPTrustedGlobalCert - Takes three args; the file and/or directory containing the trusted CA certificates (and global client certs for Netware) used to validate the LDAP server. Second arg is the cert type for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an optional passphrase if applicable.; LDAPTrustedClientCert - Takes three args; the file and/or directory containing the client certificate, or certificate ID used to validate this LDAP client. Second arg is the cert type for the first arg, one of CA_DER, CA_BASE64, CA_CERT7_DB, CA_SECMOD, CERT_DER, CERT_BASE64, CERT_KEY3_DB, CERT_NICKNAME, KEY_DER, or KEY_BASE64. Third arg is an optional passphrase if applicable.; LDAPTrustedMode - Specify the type of security that should be applied to an LDAP connection. One of; NONE, SSL or STARTTLS.; LDAPVerifyServerCert - Set to 'ON' requires that the server certificate be verified before a secure LDAP connection can be establish. Default 'ON'; LDAPConnectionTimeout - Specify the LDAP socket connection timeout in seconds (default: 10)
Current Configuration:

Module Name: mod_authz_default.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthzDefaultAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules. (default is On.)
Current Configuration:

Module Name: mod_authz_dbm.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthDBMGroupFile - database file containing group names and member user IDs; AuthzDBMType - what type of DBM file the group file is; AuthzDBMAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules, if the group required is not found or empty, or the user is not in the required groups. (default is On.)
Current Configuration:

Module Name: mod_authz_groupfile.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthGroupFile - text file containing group names and member user IDs; AuthzGroupFileAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules if the 'require group' fails. (default is On).
Current Configuration:

Module Name: mod_authz_owner.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthzOwnerAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules. (default is On.)
Current Configuration:

Module Name: mod_authz_user.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User Access
Module Directives:: AuthzUserAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules if the 'require user' or 'require valid-user' statement is not met. (default: On).
Current Configuration:

Module Name: mod_authz_host.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Check Access
Module Directives:: order - 'allow,deny', 'deny,allow', or 'mutual-failure'; allow - 'from' followed by hostnames or IP-address wildcards; deny - 'from' followed by hostnames or IP-address wildcards
Current Configuration:: In file: /etc/httpd/conf.d/status.conf; 3: <Location /info>; 5: Order deny,allow; 6: Deny from all; 7: Allow from all; : </Location>; 10: <Location /status>; 12: Order deny,allow; 13: Deny from all; 14: Allow from all; : </Location>; In file: /etc/httpd/conf/httpd.conf; 216: <Directory />; 219: order allow,deny; 220: deny from 23.225.141.70; 221: allow from all; : </Directory>; 234: <Directory "/var/www/html">; 260: Order allow,deny; 261: Allow from all; : </Directory>; 332: <Files ~ "^\.ht">; 333: Order allow,deny; 334: Deny from all; : </Files>; 469: <Directory "/var/www/icons">; 472: Order allow,deny; 473: Allow from all; : </Directory>; 498: <Directory "/var/www/cgi-bin">; 501: Order allow,deny; 502: Allow from all; : </Directory>; 775: <Directory "/var/www/error">; 780: Order allow,deny; 781: Allow from all; : </Directory>; In file: /var/www/cgi-bin/WebCatalogEngine/webdna.conf; 8: <Location ~ "/.*\.db($|.*\?)">; 9: deny from all; : </Location>; 12: <Location ~ "/.*\.hdr($|.*\?)">; 13: deny from all; : </Location>; 16: <Location ~ "/.*/WebCatalog($| Prefs|Ctl)">; 17: deny from all; : </Location>; 20: <Location ~ "/.*/WebMerchant/CompletedOrders">; 21: deny from all; : </Location>; 24: <Location ~ "/.*/WebMerchant/Problems">; 25: deny from all; : </Location>; 28: <Location ~ "/.*/WebMerchant/Pending">; 29: deny from all; : </Location>; 32: <Location ~ "/.*/WebMerchant/StockRoom">; 33: deny from all; : </Location>; 36: <Location ~ "/.*/Orders">; 37: deny from all; : </Location>; 40: <Location ~ "/.*/ShoppingCarts">; 41: deny from all; : </Location>; 44: <Location ~ "/[Ww]eb[Cc]atalog/ErrorLog($|\.txt)">; 45: deny from all; : </Location>

Module Name: mod_authn_default.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User ID
Module Directives:: AuthDefaultAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules if the UserID is not known to this module. (default is On).
Current Configuration:

Module Name: mod_authn_dbm.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: none
Module Directives:: AuthDBMUserFile - dbm database file containing user IDs and passwords; AuthDBMType - what type of DBM file the user file is
Current Configuration:

Module Name: mod_authn_anon.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: none
Module Directives:: Anonymous - a space-separated list of user IDs; Anonymous_MustGiveEmail - Limited to 'on' or 'off'; Anonymous_NoUserId - Limited to 'on' or 'off'; Anonymous_VerifyEmail - Limited to 'on' or 'off'; Anonymous_LogEmail - Limited to 'on' or 'off'
Current Configuration:

Module Name: mod_authn_alias.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: none
Module Directives:: <AuthnProviderAlias> - Container for authentication directives grouped under a provider alias
Current Configuration:

Module Name: mod_authn_file.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: none
Module Directives:: AuthUserFile - text file containing user IDs and passwords
Current Configuration:

Module Name: mod_auth_digest.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Post-Read Request, Verify User ID, Fixups
Module Directives:: AuthName - The authentication realm (e.g. "Members Only"); AuthDigestProvider - specify the auth providers for a directory or location; AuthDigestQop - A list of quality-of-protection options; AuthDigestNonceLifetime - Maximum lifetime of the server nonce (seconds); AuthDigestNonceFormat - The format to use when generating the server nonce; AuthDigestNcCheck - Whether or not to check the nonce-count sent by the client; AuthDigestAlgorithm - The algorithm used for the hash calculation; AuthDigestDomain - A list of URI's which belong to the same protection space as the current URI; AuthDigestShmemSize - The amount of shared memory to allocate for keeping track of clients
Current Configuration:

Module Name: mod_auth_basic.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User ID
Module Directives:: AuthBasicProvider - specify the auth providers for a directory or location; AuthBasicAuthoritative - Set to 'Off' to allow access control to be passed along to lower modules if the UserID is not known to this module
Current Configuration:

Module Name: mod_so.c
Content handlers: none
Configuration Phase Participation: Create Server Config
Request Phase Participation: none
Module Directives:: LoadModule - a module name and the name of a shared object file to load it from; LoadFile - shared object file or library to load into the server at runtime
Current Configuration:

Module Name: http_core.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: Process Connection, Create Request, HTTP Scheme, Default Port, Map to Storage
Module Directives:: KeepAliveTimeout - Keep-Alive timeout duration (sec); MaxKeepAliveRequests - Maximum number of Keep-Alive requests per connection, or 0 for infinite; KeepAlive - Whether persistent connections should be On or Off
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 22: KeepAlive On; 26: MaxKeepAliveRequests 1000; 30: KeepAliveTimeout 10

Module Name: prefork.c
Content handlers: none
Configuration Phase Participation: none
Request Phase Participation: none
Module Directives:: User - Effective user id for this server; Group - Effective group id for this server; ChrootDir - The directory to chroot(2) into; ListenBacklog - Maximum length of the queue of pending connections, as used by listen(2); Listen - A port number or a numeric IP address and a port number, and an optional protocol; SendBufferSize - Send buffer size in bytes; ReceiveBufferSize - Receive buffer size in bytes; StartServers - Number of child processes launched at server startup; MinSpareServers - Minimum number of idle children, to handle request spikes; MaxSpareServers - Maximum number of idle children; MaxClients - Maximum number of children alive at the same time; ServerLimit - Maximum value of MaxClients for this run of Apache; GracefulShutdownTimeout - Maximum time in seconds to wait for child processes to complete transactions during shutdown
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 44: StartServers 8; 45: MinSpareServers 5; 46: MaxSpareServers 20; 47: ServerLimit 256; 48: MaxClients 256; 74: Listen 80; In file: /etc/httpd/conf.d/ssl.conf; 19: Listen 443; In file: /etc/httpd/conf/httpd.conf; 154: User apache; 155: Group apache

Module Name: core.c
Content handlers: yes
Configuration Phase Participation: Create Directory Config, Merge Directory Configs, Create Server Config, Merge Server Configs
Request Phase Participation: Pre-Connection, Create Connection, Create Request, Translate Name, Map to Storage, Check Access, Check Type, Fixups, Insert Filters, Content Handlers
Module Directives:: <Directory> - Container for directives affecting resources located in the specified directories; <Location> - Container for directives affecting resources accessed through the specified URL paths; <VirtualHost> - Container to map directives to a particular virtual host, takes one or more host addresses; <Files> - Container for directives affecting files matching specified patterns; <Limit> - Container for authentication directives when accessed using specified HTTP methods; <LimitExcept> - Container for authentication directives to be applied when any HTTP method other than those specified is used to access the resource; <IfModule> - Container for directives based on existance of specified modules; <IfDefine> - Container for directives based on existance of command line defines; <DirectoryMatch> - Container for directives affecting resources located in the specified directories; <LocationMatch> - Container for directives affecting resources accessed through the specified URL paths; <FilesMatch> - Container for directives affecting files matching specified patterns; AuthType - An HTTP authorization type (e.g., "Basic"); AuthName - The authentication realm (e.g. "Members Only"); Require - Selects which authenticated users or groups may access a protected space; Satisfy - access policy if both allow and require used ('all' or 'any'); AddDefaultCharset - The name of the default charset to add to any Content-Type without one or 'Off' to disable; AcceptPathInfo - Set to on or off for PATH_INFO to be accepted by handlers, or default for the per-handler preference; AccessFileName - Name(s) of per-directory config files (default: .htaccess); DocumentRoot - Root directory of the document tree; ErrorDocument - Change responses for HTTP errors; AllowOverride - Controls what groups of directives can be configured by per-directory config files; Options - Set a number of attributes for a given directory; DefaultType - the default MIME type for untypable files; FileETag - Specify components used to construct a file's ETag; EnableMMAP - Controls whether memory-mapping may be used to read files; EnableSendfile - Controls whether sendfile may be used to transmit files; Protocol - Set the Protocol for httpd to use.; AcceptFilter - Set the Accept Filter to use for a protocol; Port - Port was replaced with Listen in Apache 2.0; HostnameLookups - "on" to enable, "off" to disable reverse DNS lookups, or "double" to enable double-reverse DNS lookups; ServerAdmin - The email address of the server administrator; ServerName - The hostname and port of the server; ServerSignature - En-/disable server signature (on|off|email); ServerRoot - Common directory of server-related files (logs, confs, etc.); ErrorLog - The filename of the error log; ServerAlias - A name or names alternately used to access the server; ServerPath - The pathname the server can be reached at; Timeout - Timeout duration (sec); ContentDigest - whether or not to send a Content-MD5 header with each request; UseCanonicalName - How to work out the ServerName : Port when constructing URLs; UseCanonicalPhysicalPort - Whether to use the physical Port when constructing URLs; Include - Name of the config file to be included; LogLevel - Level of verbosity in error logging; NameVirtualHost - A numeric IP address:port, or the name of a host; ServerTokens - Determine tokens displayed in the Server: header - Min(imal), OS or Full; LimitRequestLine - Limit on maximum size of an HTTP request line; LimitRequestFieldsize - Limit on maximum size of an HTTP request header field; LimitRequestFields - Limit (0 = unlimited) on max number of header fields in a request message; LimitRequestBody - Limit (in bytes) on maximum size of request message body; LimitXMLRequestBody - Limit (in bytes) on maximum size of an XML-based request body; RLimitCPU - Soft/hard limits for max CPU usage in seconds; RLimitMEM - Soft/hard limits for max memory usage per process; RLimitNPROC - soft/hard limits for max number of processes per uid; LimitInternalRecursion - maximum recursion depth of internal redirects and subrequests; ForceType - a mime type that overrides other configured type; SetHandler - a handler name that overrides any other configured handler; SetOutputFilter - filter (or ; delimited list of filters) to be run on the request content; SetInputFilter - filter (or ; delimited list of filters) to be run on the request body; AddOutputFilterByType - output filter name followed by one or more content-types; AllowEncodedSlashes - Allow URLs containing '/' encoded as '%2F'; PidFile - A file for logging the server process ID; ScoreBoardFile - A file for Apache to maintain runtime process management information; LockFile - The lockfile used when Apache needs to lock the accept() call; MaxRequestsPerChild - Maximum number of requests a particular child serves before dying.; CoreDumpDirectory - The location of the directory Apache changes to before dumping core; AcceptMutex - Valid accept mutexes for this platform and MPM are: default, flock, fcntl, sysvsem, posixsem, pthread.; MaxMemFree - Maximum number of 1k blocks a particular childs allocator may hold.; TraceEnable - 'on' (default), 'off' or 'extended' to trace request body content
Current Configuration:: In file: /etc/httpd/conf/httpd.conf; 7: ServerTokens ProductOnly; 15: PidFile run/httpd.pid; 18: Timeout 60; 49: MaxRequestsPerChild 4000; In file: /etc/httpd/conf.d/deflate.conf; 2: SetOutputFilter DEFLATE; In file: /etc/httpd/conf.d/ssl.conf; 76: <VirtualHost _default_:443>; 84: ErrorLog logs/ssl_error_log; 86: LogLevel warn; : </VirtualHost>; In file: /etc/httpd/conf.d/status.conf; 3: <Location /info>; 4: SetHandler server-info; : </Location>; 10: <Location /status>; 11: SetHandler server-status; : </Location>; In file: /etc/httpd/conf/httpd.conf; 176: ServerAdmin root@localhost; 199: UseCanonicalName Off; 206: DocumentRoot "/var/www/html"; 216: <Directory />; 217: Options FollowSymLinks; 218: AllowOverride None; : </Directory>; 234: <Directory "/var/www/html">; 248: Options -Indexes FollowSymLinks; 255: AllowOverride All; : </Directory>; 326: AccessFileName .htaccess; 352: DefaultType text/plain; 372: HostnameLookups Off; 400: ErrorLog logs/error_log; 407: LogLevel warn; 452: ServerSignature Off; 469: <Directory "/var/www/icons">; 470: Options MultiViews FollowSymLinks; 471: AllowOverride None; : </Directory>; 498: <Directory "/var/www/cgi-bin">; 499: AllowOverride None; 500: Options None; : </Directory>; 675: AddDefaultCharset UTF-8; 775: <Directory "/var/www/error">; 776: AllowOverride None; 777: Options IncludesNoExec; : </Directory>; 928: ServerTokens ProductOnly; 929: ServerSignature Off; 930: TraceEnable Off; In file: /etc/httpd/conf/conf.sites/adgs.com.conf; 1: NameVirtualHost 209.236.236.33:80; 3: <VirtualHost 209.236.236.33:80>; 4: ServerName adgs.com; 5: ServerAlias *.adgs.com; 7: ServerAdmin info@webdna.us; 9: DocumentRoot /var/www/html/adgs.com; 11: ErrorLog logs/adgs.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/mginterface.com.conf; 1: NameVirtualHost 209.236.236.52:80; 2: <VirtualHost 209.236.236.52:80>; 3: ServerAdmin info@webdna.us; 4: DocumentRoot /var/www/html/mginterface.com; 5: ServerName dwpsignup.com; 6: ServerAlias mginterface.com *.mginterface.com *.dwpsignup.com; 7: ErrorLog logs/mginterface.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/pamphletarchitecture.org.conf; 1: NameVirtualHost 209.236.236.51:80; 3: <VirtualHost 209.236.236.51:80>; 4: ServerAdmin info@webdna.us; 6: DocumentRoot /var/www/html/pamphletarchitecture.org/PamphletArchitecture; 8: ServerName pamphletarchitecture.org; 9: ServerAlias pamphletarchitecture.org *.pamphletarchitecture.org; 11: ErrorLog logs/pamphletarchitecture.org-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/possessionstudios.com.conf; 2: NameVirtualHost 209.236.236.49:80; 4: <VirtualHost 209.236.236.49:80>; 5: ServerAdmin info@webdna.us; 7: ServerName possessionstudios.com; 8: ServerAlias possessionstudios.com *.possessionstudios.com; 10: DocumentRoot /var/www/html/possessionstudios.com/; 12: ErrorLog logs/possessionstudios.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/stocktonproducts.com.conf; 2: NameVirtualHost 209.236.236.58:80; 4: <VirtualHost 209.236.236.58:80>; 5: ServerAdmin info@webdna.us; 7: DocumentRoot /var/www/html/stocktonproducts.com; 9: ServerName stocktonproducts.com; 10: ServerAlias stocktonproducts.com *.stocktonproducts.com; 12: ErrorLog logs/stocktonproducts.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/ventcovercreations.com.conf; 2: NameVirtualHost 209.236.236.46:80; 3: <VirtualHost 209.236.236.46:80>; 4: ServerAdmin info@webdna.us; 5: DocumentRoot /var/www/html/ventcovercreations.com; 6: ServerName ventcovercreations.com; 7: ServerAlias www.ventcovercreations.com *.ventcovercreations.com; 8: ErrorLog logs/ventcovercreations.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.sites/vicenzadesigns.com.conf; 2: NameVirtualHost 209.236.236.47:80; 3: <VirtualHost 209.236.236.47:80>; 4: ServerAdmin info@webdna.us; 5: DocumentRoot /var/www/html/vicenzadesigns.com; 6: ServerName vicenzadesigns.com; 7: ServerAlias vicenzadesigns.com *.vicenzadesigns.com; 8: ErrorLog logs/vicenzadesigns.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/adgs.com.conf; 2: <VirtualHost 209.236.236.33:443>; 3: ServerAdmin info@webdna.us; 4: DocumentRoot /var/www/html/adgs.com; 6: ServerName adgs.com:443; 7: ServerAlias adgs.com:443; 9: ErrorLog logs/ssl-adgs.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/mginterface.com.conf; 1: NameVirtualHost 209.236.236.52:443; 3: <VirtualHost 209.236.236.52:443>; 4: ServerAdmin info@webdna.us; 5: DocumentRoot /var/www/html/mginterface.com; 7: ServerName dwpsignup.com:443; 8: ServerAlias mginterface.com:443 www.mginterface.com:443 www.dwpsignup.com:443 dwpsignup.com:443; 10: ErrorLog logs/ssl-mginterface.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/possessionstudios.com.conf; 2: NameVirtualHost 209.236.236.49:443; 4: <VirtualHost 209.236.236.49:443>; 5: ServerAdmin info@webdna.us; 6: DocumentRoot /var/www/html/possessionstudios.com/; 7: ServerName possessionstudios.com:443; 10: ErrorLog logs/possessionstudios.com-ssl-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/stocktonproducts.com.conf; 2: NameVirtualHost 209.236.236.58:443; 4: <VirtualHost 209.236.236.58:443>; 5: ServerAdmin info@webdna.us; 6: DocumentRoot /var/www/html/stocktonproducts.com/; 7: ServerName stocktonproducts.comm:443; 10: ErrorLog logs/stocktonproducts.com-ssl-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/ventcovercreations.com.conf; 1: <VirtualHost 209.236.236.46:443>; 2: ServerAdmin info@webdna.us; 3: DocumentRoot /var/www/html/ventcovercreations.com; 4: ServerName ventcovercreations.com:443; 5: ServerAlias www.ventcovercreations.com.com:443; 6: ErrorLog logs/ssl-ventcovercreations.com-error.log; : </VirtualHost>; In file: /etc/httpd/conf/conf.ssl/vicenzadesigns.com.conf; 1: <VirtualHost 209.236.236.47:443>; 2: ServerAdmin info@webdna.us; 3: DocumentRoot /var/www/html/vicenzadesigns.com; 4: ServerName vicenzadesigns.com:443; 5: ServerAlias www.vicenzadesigns.com.com:443; 6: ErrorLog logs/ssl-vicenzadesigns.com-error.log; : </VirtualHost>