iniApp
/
modsecurity-waf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

inital

This commit is contained in:
sbyrd 2024-12-11 16:57:51 -05:00
parent 281cd49ee2
commit bcbbd7d941
67 changed files with 40285 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.idea/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml

6
.idea/misc.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="MarkdownSettingsMigration">
<option name="stateVersion" value="1" />
</component>
</project>

8
.idea/modsecurity.iml Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="WEB_MODULE" version="4">
<component name="NewModuleRootManager">
<content url="file://$MODULE_DIR$" />
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
</component>
</module>

8
.idea/modules.xml Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/modsecurity.iml" filepath="$PROJECT_DIR$/.idea/modsecurity.iml" />
</modules>
</component>
</project>

4
.idea/php.xml Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="PhpProjectSharedConfiguration" php_language_level="7.3" />
</project>

6
.idea/vcs.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="$PROJECT_DIR$" vcs="Git" />
</component>
</project>

32
nginx-waf/00_asl_accesslist.conf Normal file
View File

@ -0,0 +1,32 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2019 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Disable rules for hosts on the always allow list
# Be *VERY* careful about whom is set to always allow
#Include IP list and do not scan or block
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/accesslist" "rev:1,id:345679,phase:1,t:none,nolog,noauditlog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

38
nginx-waf/00_asl_whitelist.conf Normal file
View File

@ -0,0 +1,38 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2019 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#######################################
#
# This file has been deprecated by 00_asl_accesslist.conf
#
#######################################
# Disable rules for hosts on the whitelist
# Be *VERY* careful about whom is whitelisted.
#Include whitelisted IPs and do not scan or block
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,noauditlog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
#SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "rev:1,id:345678,phase:1,t:none,nolog,noauditlog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

39
nginx-waf/00_asl_x_searchengines.conf Normal file
View File

@ -0,0 +1,39 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2012-2019 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# Note: These rules will not work without this apache setting
#
# HostnameLookups Double
SecAction "phase:1,t:none,nolog,noauditlog,setvar:tx.WHITELIST_SEARCH_ENGINES=1,pass,id:318744,tag:'no_ar'"

241
nginx-waf/00_asl_y_searchengines.conf Normal file
View File

@ -0,0 +1,241 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2013-2017 Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# Note: These rules will not work without this apache setting
#
# HostnameLookups Double
#Modsecurity 2.8.0 has a nasty bug that makes it not work with ipmatch rules
#so we cant let these rules load in 2.8.0 boxes
#SecRule MODSEC_BUILD "@gt 020777900" #phase:1,id:333772,rev:1,t:none,nolog,pass,skipAfter:END_SEARCH_ENGINE
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot bingbot yahoo yeti hailoobot technoratibot friendfeedbot newsgator blogscope gist bloglines/ netvibes yandex friendfeedbot/ baiduspider/ mediapartners-google Feedfetcher-Google Twitterbot" "id:318745,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333722,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_SEARCH_ENGINE"
#Twitterbot
#199.59.148.0/22
SecRule REQUEST_HEADERS:User-Agent "Twitterbot" "id:338746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:334904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TWITTER"
SecRule REMOTE_HOST "@ipmatch 199.59.148.0/24" "id:343917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "\.twttr\.com$" "id:303831,severity:'2',rev:1,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake twitter bot',phase:1"
#Real MSN search engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'339331',t:none,nolog,noauditlog,allow"
SecMarker END_TWITTER
#User-Agent: Feedly/1.0 (+http://www.feedly.com/fetcher.html; like FeedFetcher-Google)
SecRule REQUEST_HEADERS:User-Agent "^Feedly" "id:303990,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303991,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FEEDLY"
SecRule REMOTE_HOST "@ipmatch 65.19.138.0/26,8.29.198.0/24" "id:323978,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .feedly.com" "capture,id:303890,severity:'2',rev:4,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Feedly webcrawler',phase:1,logdata:'%{TX.0}'"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303992',t:none,nolog,noauditlog,allow"
SecMarker END_FEEDLY
#Google
SecRule REQUEST_HEADERS:User-Agent "^(?:Googlebot-richsnippets|OnPageBot)" "phase:1,id:323931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot mediapartners-google" "id:323900,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333901,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
#74.125.0.0/16 is registered to google, but does not have a PTR record
#66.249.64.0/19 is google
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19,173.194.0.0/16" "id:323918,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .googlebot.com" "capture,id:303800,rev:3,severity:'2',t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Googlebot webcrawler',phase:1,logdata:'%{TX.0}'"
#Real Google Search Engine
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303902',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE
#Feedfetcher-Google
SecRule REQUEST_HEADERS:User-Agent "@contains Feedfetcher-Google" "id:303947,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:343948,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE2"
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19" "id:323928,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .google.com" "capture,id:303833,severity:'2',rev:5,t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Google Feedfetcher webcrawler',phase:1,logdata:'%{TX.0}'"
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303935',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE2
#MSN search engine
SecRule REQUEST_HEADERS:User-Agent "@pm msnbot bingbot" "id:318746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_MSN"
SecRule REMOTE_HOST "@ipmatch 157.54.0.0/15,207.46.0.0/16,40.124.0.0/16,40.96.0.0/12,40.112.0.0/13,40.125.0.0/17,40.74.0.0/15,40.120.0.0/14,40.80.0.0/12,40.76.0.0/14" "id:323917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$)" "capture,id:303801,severity:'2',rev:6,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler',phase:1,logdata:'%{TX.0}'"
#SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$|^131\.253\.[2-4][0-9]\.[0-9]+$)"
#Real MSN search engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303903',t:none,nolog,noauditlog,allow"
SecMarker END_MSN
#Yahoo Slurp engine
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo! slurp" "id:323904,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333905,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO"
#China Yahoo ranges
#110.75.160.0 - 110.75.191.255
#110.75.171.0 - 110.75.176.255
#
#Other yahoo ranges
#98.136.0.0/14
SecRule REMOTE_HOST "@ipmatch 110.75.160.0/19,98.136.0.0/14,68.180.128.0/17,217.146.179.0/24" "id:323914,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yahoo\.(?:net|com)$)" "id:303802,severity:'2',rev:5,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler',phase:1"
#Real Yahoo Slurp engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303906',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo pipes" "id:303907,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333908,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO2"
SecRule REMOTE_HOST "!(\.yahoo\.(?:com|net)$)" "id:303803,severity:'2',rev:2,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303908',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO2
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Yeti/" "id:303909,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:318749,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YETI"
#SecRule REMOTE_HOST "@ipmatch 61.247.192.0/19" # "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$)" "id:303804,severity:'2',rev:4,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yeti webcrawler',phase:1"
#SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$|^61\.247\.(19[2-9]|2[0-2][0-3])\.[0-9]{1,3}$" #
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303910',t:none,nolog,noauditlog,allow"
SecMarker END_YETI
SecRule REQUEST_HEADERS:User-Agent "@contains hailoobot" "id:303913,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333911,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_HAIL"
SecRule REMOTE_HOST "!@endswith webcrawler.hailoo.com" "id:303805,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303912',t:none,nolog,noauditlog,allow"
SecMarker END_HAIL
SecRule REQUEST_HEADERS:User-Agent "@contains technoratibot/" "id:303915,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333915,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TECHNO"
SecRule REMOTE_HOST "!@endswith .crawler.technorati.com" "id:303806,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303916',t:none,nolog,noauditlog,allow"
SecMarker END_TECHNO
SecRule REQUEST_HEADERS:User-Agent "@contains friendfeedbot/" "id:303917,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333918,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FACEBOOK"
SecRule REMOTE_HOST "!@endsWith .facebook.com" "id:303807,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303919',t:none,nolog,noauditlog,allow"
SecMarker END_FACEBOOK
SecRule REQUEST_HEADERS:User-Agent "yandex(?:bot|images|blog)" "id:303920,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303921,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YANDEX"
SecRule REMOTE_HOST "@ipmatch 95.108.158.128/25" "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yandex\.(?:ru|com|net)$)" "id:303808,severity:'2',rev:2,t:none,t:lowercase,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yandex webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303900',t:none,nolog,noauditlog,allow"
SecMarker END_YANDEX
SecRule REQUEST_HEADERS:User-Agent "@contains bloglines/" "id:313921,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:313922,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGLINES"
SecRule REMOTE_HOST "!@streq crawler.bloglines.com" "id:303810,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Bloglines webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303901',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGLINES
SecRule REQUEST_HEADERS:User-Agent "@contains gist server" "id:303924,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303925,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GIST"
SecRule REMOTE_HOST "!@endsWith .gist.com" "id:303811,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Gist webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303922',t:none,nolog,noauditlog,allow"
SecMarker END_GIST
SecRule REQUEST_HEADERS:User-Agent "@contains blogscope" "id:303927,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303928,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGSCOPE"
SecRule REMOTE_HOST "!@endsWith .toronto.edu" "id:303812,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake BlogScope webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303923',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGSCOPE
SecRule REQUEST_HEADERS:User-Agent "newsgator/2\.0 bot" "id:303930,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NEWSGATOR"
SecRule REMOTE_HOST "!@endsWith .newsgator.com" "id:303813,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303904',t:none,nolog,noauditlog,allow"
SecMarker END_NEWSGATOR
SecRule REQUEST_HEADERS:User-Agent "@contains netvibes" "id:303933,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303934,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NETVIBES"
SecRule REMOTE_HOST "!@endsWith .netvibes.com" "id:303814,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Netvibes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303905',t:none,nolog,noauditlog,allow"
SecMarker END_NETVIBES
#Baidu seems to have a broken resolver
#The forward record never resolves
#
#nslookup baiduspider-180-76-5-87.crawl.baidu.com
#** server can't find baiduspider-180-76-5-87.crawl.baidu.com: NXDOMAIN
#nslookup 180.76.5.87
#87.5.76.180.in-addr.arpa name = baiduspider-180-76-5-87.crawl.baidu.com.
#So some known static ranges are added
#inetnum: 180.76.0.0 - 180.76.255.255
#netname: Baidu
#
#inetnum: 123.125.71.0 - 123.125.71.255
#netname: SADF
#123.122.0.0 - 123.122.15.255
#119.63.192.0 - 119.63.199.255
#202.46.32.0 - 202.46.63.255
SecRule REQUEST_HEADERS:User-Agent "@contains baiduspider/" "id:303936,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:323937,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BAIDU"
SecRule REMOTE_HOST "@ipmatch 180.76.0.0/16,123.122.0.0/20,123.125.71.0/24,119.63.192.0/21,220.181.0.0/16,202.46.32.0/19,185.10.104.0/22" "id:323915,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$)" "id:303937,severity:'2',rev:7,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Baidu webcrawler',phase:1"
#SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$|^180\.76\.[0-9]+\.[0-9]+$|^123\.125\.71\.[0-9]+$|^220\.181\.[0-9]+\.[0-9]+$|123\.122\.[0-15]\.[0-9]+$|^119\.63\.19[2-9]\.[0-9]+$)"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303938',t:none,nolog,noauditlog,allow"
SecMarker END_BAIDU
SecMarker END_SEARCH_ENGINE

52
nginx-waf/00_asl_z_aa_threat_intelligence.conf Normal file
View File

@ -0,0 +1,52 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# TI rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2014-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecAction "phase:1,id:343699,t:none,pass,nolog,noauditlog,initcol:ip=%{remote_addr}"
#Skip on broken 2.8.0 boxes
#SecRule MODSEC_BUILD "@gt 020777900" #phase:1,id:333777,rev:1,t:none,nolog,pass,skipAfter:END_TI
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "phase:1,pass,t:none,id:328745,nolog,noauditlog,skipAfter:END_TI"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "phase:1,pass,t:none,id:328746,nolog,noauditlog,skipAfter:END_TI"
#Is already on the threat1 RBL, dont bother looking it up, DROP the connection
SecRule IP:threat1 "@eq 1" "phase:1,t:none,deny,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com (Previous TI Match)',severity:'1',id:350051,rev:1"
#Dont look up the IP if we've checked it in the last 3m
SecRule IP:PREVIOUS_LOOKUP "@eq 1" "phase:1,id:313134,t:none,pass,nolog,noauditlog,skipAfter:END_TI"
SecAction "phase:1,t:none,id:343698,nolog,noauditlog,pass,setvar:ip.previous_lookup=1,expirevar:ip.previous_lookup=180"
SecRule REMOTE_ADDR "@rbl threat1.atomicrbl.com." "phase:1,t:none,deny,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL (TI-1). See this URL for details http://www.atomicrbl.com',severity:'1',setvar:ip.threat1=1,expirevar:ip.threat1=900,id:355500,rev:1"
SecMarker END_TI

60
nginx-waf/00_asl_z_antievasion.conf Normal file
View File

@ -0,0 +1,60 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/modules/addon_file_editor/action_handler\.php" "phase:2,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/imp/compose\.php" "phase:2,id:91002,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/file/ajax/" "phase:2,id:91003,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/ajax/actions\.hsp" "phase:2,id:91004,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/hallinta/hallinta-tiedostot\.php" "phase:2,id:91005,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/toolbox_nb/" "phase:2,id:91006,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Detect request body processing errors
SecRule REQBODY_ERROR "!@eq 0" "phase:2,deny,t:none,status:400,msg:'Failed to parse request body. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors.',id:'330791',rev:3,auditlog,log,logdata:'%{reqbody_error_msg}',severity:2,tag:'no_ar'"
#Block malformed bodies
#Workaround for Plesk HSP multipart messages which are really broken
SecRule REQUEST_URI "^/supportcenter/server/" "id:334356,t:none,t:lowercase,pass,nolog,noauditlog,ctl:requestBodyAccess=off,tag:'no_ar'"
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}: check your application or client for errors, this is not a false positive.',id:'340152',rev:1,severity:'5'"
# multipart/form-data name evasion attempts
SecRule FILES|FILES_NAMES|!FILES:pic|!FILES:/tablerate/|!FILES:async-upload|!FILES:/^ticketattachment/ "[\";=]" "capture,phase:2,deny,log,auditlog,id:390700,rev:7,t:none,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules: Evasion Attack: Invalid filename in FILES argument. Which may be a possible attempt at multipart/form-data bypass',logdata:'%{matched_var}'"

218
nginx-waf/00_asl_zz_strict.conf Normal file
View File

@ -0,0 +1,218 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/wp-admin/user-new\.php" "phase:2,id:91007,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/wp-admin/options-permalink\.php" "phase:2,id:91008,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/shop/remote\.php" "phase:2,id:91009,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/administrator/ajax-tab\.php" "phase:2,id:91010,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/livezilla/server\.php" "phase:2,id:91011,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/wp-admin/options\.php" "phase:2,id:91012,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/shop/admin/remote\.php" "phase:2,id:91013,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/ts_manage\.php" "phase:2,id:91014,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/phpmyadmin/import\.php" "phase:2,id:91015,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330792"
SecRule REQUEST_FILENAME "csfileshare/csfileshare\.cgi" "phase:2,id:91016,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330792"
SecRule REQUEST_FILENAME "/ajax\.php" "phase:2,id:91017,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/beheer\.php" "phase:2,id:91018,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/wp-admin/async-upload\.php" "phase:2,id:91019,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:91020,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/newreply\.php" "phase:2,id:91021,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/showmail\.php" "phase:2,id:91022,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/parsechecker\.php" "phase:2,id:91023,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704,ctl:ruleRemovebyID=390708"
SecRule REQUEST_FILENAME "/limesurvey/index\.php" "phase:2,id:91024,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/modules/v7_pages_engine\.php" "phase:2,id:91025,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/tce_file\.php" "phase:2,id:91026,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/admin/updatepage\.php" "phase:2,id:91027,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/redaxo/index\.php" "phase:2,id:91028,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/colors\.css\.php" "phase:2,id:91029,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/cgi-bin/potd/ir_potd_enter\.pl" "phase:2,id:91030,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703,ctl:ruleRemovebyID=330793"
SecRule REQUEST_FILENAME "/multilang/" "phase:2,id:91031,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/soap\.hsp" "phase:2,id:91032,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/index\.php/api/xmlrpc" "phase:2,id:91033,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/amember/admin-users" "phase:2,id:91034,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v2c/json/" "phase:2,id:91035,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v2a/json/" "phase:2,id:91036,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v1c/json/" "phase:2,id:91037,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/services/bmsubscribers\.json" "phase:2,id:91038,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/phpmyadmin/index\.php" "phase:2,id:91039,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390722"
SecRule REQUEST_FILENAME "/ipac20/ipac\.jsp" "phase:2,id:91040,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390722"
SecRule REQUEST_FILENAME "/toolbox_nb/" "phase:2,id:91041,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791,ctl:ruleRemovebyID=330792,ctl:ruleRemovebyID=390722"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Detect possible evasion attempt
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,log,auditlog,t:none,pass,msg:'Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors.',id:'330792',rev:3,severity:5,tag:'no_ar'"
#Disable below rule if filename contains a single quote
SecRule MULTIPART_BOUNDARY_QUOTED "@eq 0" "t:none,id:330794,nolog,noauditlog,phase:1,chain,pass,ctl:ruleRemoveById=330793"
SecRule REQBODY_PROCESSOR_ERROR "@eq 0" "t:none,chain"
SecRule MULTIPART_BOUNDARY_WHITESPACE "@eq 0" "t:none,chain"
SecRule MULTIPART_DATA_BEFORE "@eq 0" "t:none,chain"
SecRule MULTIPART_DATA_AFTER "@eq 0" "t:none,chain"
SecRule MULTIPART_HEADER_FOLDING "@eq 0" "t:none,chain"
SecRule MULTIPART_LF_LINE "@eq 0" "t:none,chain"
SecRule MULTIPART_INVALID_QUOTING "@eq 1" "t:none,chain"
SecRule MULTIPART_INVALID_HEADER_FOLDING "@eq 0" "t:none,chain"
SecRule MULTIPART_INVALID_PART "@eq 0" "t:none,chain"
SecRule MULTIPART_FILE_LIMIT_EXCEEDED "@eq 0" "t:none"
#Enforce strict multipart body checks
SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,log,auditlog,t:none,deny,status:403,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IP %{MULTIPART_INVALID_PART}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'330793',rev:3,severity:2"
SecRule TX:/^MSC_/ "!@streq 0" "id:'350708',severity:'3',phase:2,log,auditlog,t:none,deny,status:403,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecRule INBOUND_DATA_ERROR "@eq 1" "phase:1,id:350709,deny,status:403,t:none,auditlog,log,msg:'Request Body Larger than SecRequestBodyLimit Setting',severity:'4'"
SecRule OUTBOUND_DATA_ERROR "@eq 1" "phase:1,id:350710,deny,status:403,t:none,auditlog,log,msg:'Response Body Larger than SecResponseBodyLimit Setting',severity:'4'"
SecRule REQUEST_METHOD "COOK" "capture,deny,log,auditlog,status:403,t:none,phase:1,id:314681,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Invalid HTTP method detected',logdata:'%{TX.0}'"
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain,phase:2,t:none,log,auditlog,deny,status:400,msg:'Atomicorp.com WAF Rules: Possible URL Encoding Abuse Attack Attempt',id:'390703',rev:5,severity:'5'"
SecRule REQUEST_URI "@validateUrlEncoding"
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:374357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "chain,phase:2,t:none,log,auditlog,deny,status:400,msg:'Atomicorp.com WAF Rules: Possible Encoding Abuse Attack Attempt',id:'390704',rev:1,severity:'5'"
SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding"
#Check for suspiscious indicators, such as missing Host: headers, empty headers, numeric, etc.
SecRule &REQUEST_HEADERS:Host "@eq 0" "chain,skipAfter:END_HOST_CHECK,phase:2,rev:2,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - HTTP Request Missing a Host Header',id:'331030',severity:'5',tag:'no_ar'"
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"
SecRule REQUEST_HEADERS:Host "^$" "phase:2,rev:1,log,auditlog,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - Empty Host Header detected in HTTP request',id:'331031',severity:'5',tag:'no_ar'"
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "chain,phase:2,rev:4,log,auditlog,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address', severity:'2',id:'331032',severity:'5',tag:'no_ar'"
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"
SecMarker END_HOST_CHECK
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:373944,skipAfter:END_390717"
#SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "%0[ad]content-(type|length) ?:" "log,auditlog,deny,log,status:403,phase:2,rev:3,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390713',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" "log,auditlog,deny,log,status:403,phase:2,rev:4,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390713',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME "@rx [\n\r]" "id:390714,rev:2,severity:2,phase:1,deny,status:403,t:none,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules: HTTP Splitting (CR/LF in request filename detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',log,auditlog"
SecAction "phase:2,id:'391009',t:none,nolog,noauditlog,pass,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsx/'"
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" "id:390716,rev:2,phase:2,deny,status:403,severity:3,capture,t:none,msg:'Atomicorp.com WAF Rules: URL file extension is restricted by policy',logdata:'%{TX.0}',setvar:'tx.extension=.%{tx.1}/',log,auditlog,chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "\%u[fF]{2}[0-9a-fA-F]{2}" "log,auditlog,deny,log,status:403,chain,t:none,capture,phase:2,msg:'Atomicorp.com WAF Rules: Unicode Width Attack Attempt',id:'390621',rev:5,severity:'4',logdata:'%{TX.0}'"
SecRule MATCHED_VAR "!(%uFFFD)" "t:none"
#bash style encoding evasion
#/???
SecRule REQUEST_URI|ARGS "\/\?\?\?/" "phase:2,t:none,t:urlDecodeUni,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Command Line style Encoding Abuse Attack Attempt',id:'390763',rev:5,severity:'2'"
#SecRule REQUEST_BODY "content-type ?:.*content-type ?:" "log,auditlog,deny,status:403,phase:2,rev:2,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390717',logdata:'%{TX.0}',severity:'2'"
#session fixation attacks
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,id:'333795',t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:334360,t:none,pass,nolog,noauditlog,skipAfter:END_SESSION_FIX_PROTECTION"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:text "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com WAF Rules: Session Fixation Attack',id:'390708',rev:5,logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com WAF Rules: Session Fixation Attack',id:'390718',rev:1,logdata:'%{TX.0}',severity:'2'"
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "log,auditlog,chain,phase:2,rev:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,status:403,msg:'Atomicorp.com WAF Rules: Possible Session Fixation attack',id:390739,logdata:'%{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" "chain,capture"
SecRule TX:1 "!@beginsWith %{request_headers.host}"
SecMarker END_SESSION_FIX_PROTECTION
SecMarker END_390717
#Enforce proper requests per HTTP RFC
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" "chain,deny,status:403,t:none,t:lowercase,capture,phase:2,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: Invalid HTTP Request Line in violation of RFC (if you do not wish to follow HTTP RFCs, disable this rule)',id:'330700',severity:'4',logdata:'%{TX.0}'"
#Java 1.6 doesnt seem to follow the RFC correctly
SecRule REQUEST_HEADERS:User-Agent "^java/1\.6"
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "deny,status:403,t:none,capture,phase:2,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: client redefining HTTP_PROXY value denied',id:'330773',severity:'4',logdata:'%{TX.0}'"
#Header sanitization
#php code injection in select headers
SecRule REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-Real-IP|REQUEST_HEADERS:Reverse-Via|REQUEST_HEADERS:X-Varnish|REQUEST_HEADERS:X-UA-Compatible|REQUEST_HEADERS:X-Powered-By|REQUEST_HEADERS:TE|REQUEST_HEADERS:X-REQUESTED-WITH|REQUEST_HEADERS:X-PIPER-ID|REQUEST_HEADERS:X-UCBROWSER-UA|REQUEST_HEADERS:X-WAP-PROFILE|REQUEST_HEADERS:X-EBO-UA|REQUEST_HEADERS:X-OPERAMINI-*|REQUEST_HEADERS:DEVICE-STOCK-UA|REQUEST_HEADERS:FORWARDED|REQUEST_HEADERS:WAP-CONNECTION|REQUEST_HEADERS:X-CONTENT-OPT "< ?\? ?" "deny,status:403,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: Code injection in HTTP header attack blocked',id:'356331',severity:'1',logdata:'%{TX.0}'"
#SecRule REQUEST_HEADERS:X-Forwarded-For "%" #SecRule REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-ProxyUser-Ip "^[a-z0-9/ ,\:]+$" # "phase:2,deny,status:403,id:356332,rev:3,t:none,t:lowercase,log,auditlog,msg:'Atomicorp.com WAF Rules: invalid character in X-Forwarded for header',severity:'3'"
SecRule REQUEST_HEADERS:User-Agent "(?:><|\{\:\:)" "phase:2,deny,status:403,id:356332,rev:1,t:none,t:urlDecodeUni,t:removewhitespace,log,auditlog,msg:'Atomicorp.com WAF Rules: invalid characters in User-Agent header',severity:'2'"
#SecRule ARGS|!ARGS:_wp_http_referer|!ARGS:jsess|!ARGS:wp_http_referer|!ARGS:selection|!ARGS:permalink_structure|!ARGS:message|!ARGS:/post/|!ARGS:/dformat/|!ARGS:_u_b|!ARGS:state "@rx %[0-9a-fA-F]{2}" "id:390721,rev:5,phase:2,status:403,deny,log,auditlog,t:none,msg:'Atomicorp.com WAF Rules: Multiple URL Encoding Detected',logdata:'%{MATCHED_VAR}',severity:2"
#Vpatching add on
#Prevent Impedence mismatches on ARG names
SecRule REQUEST_FILENAME "\.php" "chain,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,phase:2,deny,status:403,id:390720,rev:6,msg:'Atomicorp.com WAF Rules: Possible Impedence Mismatch attack on PHP appliction using space to start argument name',logdata:'%{TX.0}',severity:'1',tag:'no_ar',log,auditlog"
SecRule ARGS_NAMES "^ " "t:none,t:utf8toUnicode,t:urlDecodeUni,t:removenulls,multimatch"
#SecRule ARGS_NAMES "!^[\^\$0-9a-zA-Z\#_-\.@\{\}\[\]\(\)]+$" "t:none,t:utf8toUnicode,t:urlDecodeUni"
SecRule ARGS_GET|!ARGS_GET:enhancedcontentdata "@rx [\n\r]" "id:390722,rev:5,phase:2,status:403,deny,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,msg:'Atomicorp.com WAF Rules: HTTP Header Injection Attack via payload (CR/LF detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,severity:'CRITICAL'"

68
nginx-waf/01_asl_content.conf Normal file
View File

@ -0,0 +1,68 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/remote\.php/webdav/" "phase:2,id:91042,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=391213"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2022 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
SecAction "phase:1,id:'333792',t:none,nolog,noauditlog,pass, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|text/html|application/x-mal-client-data|application/octet-stream|text/plain|application/soap xml|application/soap+xml|application/json|application/json-rpc|application/vnd.svn-svndiff|image/jpeg|application/vnd.ms-sync.wbxml|message/rfc822|application/x-java-serialized-object|text/calendar|image/png|image/gif|image/jpg|application/x-fcs|application/vnd.svn-skel|text/vcard|application/vnd.open|application/x-git-upload-pack-request|application/dns-message'"
#restrict content types to prevent possible bypass attacks
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "phase:1,t:none,chain,pass,nolog,noauditlog,id:'333791',severity:'4'"
SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:334357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
#El5 doesnt have modsec 2.9, so this can only be enabled on EL6 and above
#SecRule REQUEST_HEADERS:Content-Type "application/json" # "id:'334367',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
#
#
#Skip binary/octect for nginx amplify
#User-Agent: nginx-amplify-agent/0.34-2
#Content-Type: binary/octet-stream
SecRule REQUEST_HEADERS:Content-Type "^binary/octet-stream$" "phase:2,t:none,id:336719,pass,nolog,noauditlog,chain,skipAfter:END_391213"
SecRule REQUEST_HEADERS:User-Agent "^nginx-amplify-agent" "t:none"
#ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml.
#
# The protection provided for any other type is inferior.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Request content type is not allowed by policy',id:'391213',severity:'4',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On"
SecMarker END_391213

42
nginx-waf/01_asl_content_smuggling.conf Normal file
View File

@ -0,0 +1,42 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2023 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Detect HTTP Smuggling attempts by checking for multiple conflicting headers
# Rule to detect multiple Content-Length headers
SecRule &REQUEST_HEADERS:Content-Length "@ge 2" "id:300111,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Multiple Content-Length headers detected',severity:CRITICAL"
# Rule to detect multiple Transfer-Encoding headers
SecRule &REQUEST_HEADERS:Transfer-Encoding "@ge 2" "id:300112,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Multiple Transfer-Encoding headers detected',severity:CRITICAL"
# Rule to detect both Content-Length and Transfer-Encoding headers in the same request
SecRule REQUEST_HEADERS:Content-Length "[0-9]+" "chain,id:300113,rev:2,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Both Content-Length and Transfer-Encoding headers detected',severity:CRITICAL"
SecRule REQUEST_HEADERS:Transfer-Encoding "chunked" "t:none,t:lowercase"
# Rule to detect inconsistent Content-Length and Transfer-Encoding headers
SecRule REQUEST_HEADERS:Content-Length "[0-9]+" "chain,id:300114,rev:2,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Inconsistent Content-Length and Transfer-Encoding headers detected',severity:CRITICAL"
SecRule REQUEST_HEADERS:Transfer-Encoding "!@rx ^(identity|chunked)$" "t:none,t:lowercase"

35
nginx-waf/01_asl_content_z.conf Normal file
View File

@ -0,0 +1,35 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.9 and up
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2015-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'354367',phase:1,t:none,t:lowercase,pass,nolog,noauditlog,ctl:requestBodyProcessor=JSON"

97
nginx-waf/03_asl_dos.conf Normal file
View File

@ -0,0 +1,97 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,log,auditlog,pass,rev:1,id:343434,msg:'Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack',severity:'4'"
#/?CtrlFunc_
SecRule REQUEST_METHOD "@streq POST" "chain,severity:2,log,t:none,deny,status:403,auditlog,phase:1,id:331215,rev:1,msg:'Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped'"
SecRule REQUEST_URI "@beginsWith /?CtrlFunc_" "t:none"
#DOS Rules go right up front
#Wordpress Resource Exhaustion attack
SecRule REQUEST_URI "@pm /wp-trackback\.php" "phase:1,id:'393939',t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:393940,t:none,pass,nolog,noauditlog,skipAfter:END_DOS_CHECKS_WP"
SecRule ARGS:charset "(?:utf-8,utf-8,utf-8,utf-8,utf-8,utf-8|,.*,.*,.*,.*,)" "phase:1,deny,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:390639,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
#Wordpress Resource Exhaustion attack exploit
SecRule ARGS:title "abcedfgabcedfgabcedfgabcedfg" "phase:1,deny,status:403,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390640,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
SecMarker END_DOS_CHECKS_WP
#Another variant of a DOS attack
SecRule REQUEST_URI "\?(?:ptrxcz|xclzve)_" "log,auditlog,phase:1,deny,log,status:403,t:none,t:urlDecodeUni,t:lowercase,id:370145,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known wormsign'"
#/?CtrlFunc_
SecRule REQUEST_URI "\?-?[0-9]{3,6}=-?[0-9]{3,6}" "severity:2,log,auditlog,t:none,deny,status:403,phase:1,id:331216,rev:2,msg:'Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped',chain"
SecRule REQUEST_URI "!(^/administrator/)" "t:none,t:lowercase"
#long lines
SecRule REQUEST_METHOD "@streq HEAD" "chain,severity:2,log,auditlog,t:none,deny,phase:1,id:331217,rev:1,msg:'Atomicorp.com WAF Rules: Possible DOS Attack Dropped'"
SecRule REQUEST_URI "\?[0-9a-z]{2000,}" "t:none,t:lowercase"
#xmlrpc DOS attacks
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "log,auditlog,chain,phase:1,rev:3,t:none,deny,log,status:403,msg:'Atomicorp.com WAF Rules: xmlrpc DOS attack',id:'392331',severity:'2'"
SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,chain"
SecRule REQUEST_URI "xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase"
#Per count DOS checks
SecAction "nolog,noauditlog,pass,id:350115,phase:1,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=5',setvar:'tx.dos_block_timeout=600'"
SecRule IP:DOS_BLOCK "@eq 1" "log,auditlog,chain,phase:1,id:350116,deny,log,status:404,severity:2,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
# Block and track # of requests but don't log, then skip because its already blocked
SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'350117',t:none,deny,status:404,noauditlog,nolog,severity:2,nolog,setvar:ip.dos_block_counter=+1"
SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'350118',t:none,nolog,noauditlog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
# Count the number of requests to the protected resoures
#SecRule REQUEST_FILENAME "@pmFromFile dos_protected.txt"
SecRule REQUEST_FILENAME "xmlrpc\.php" "phase:5,id:'350112',t:none,t:urlDecodeUni,t:lowercase,nolog,noauditlog,pass,setvar:ip.dos_counter=+1"
# If the request count is greater than or equal to our thresholds
# then set the burst counter
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'350113',t:none,nolog,noauditlog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
# Check DOS Burst Counter
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for 5 mins and issue an alert.
SecRule IP:DOS_BURST_COUNTER "@ge 2" "log,auditlog,phase:5,id:'350114',rev:1,severity:3,t:none,log,pass,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout},tag:'no_ar'"
SecMarker END_DOS_PROTECTION_CHECKS
#SecRule REQUEST_BASENAME "xmlrpc\.php" # "chain,phase:2,deny,log,auditlog,severity:2,id:'350116',rev:1,msg:'Atomicorp.com WAF Rules: Wodpress XML Pingback (Disable if you want to allow pingbacks to Wordpress)',t:none,t:lowercase,t:urlDecodeUni"
#SecRule REQUEST_BODY|XML:/* "pingback\.ping" "t:none,t:lowercase"

12
nginx-waf/05_asl_exclude.conf Normal file
View File

@ -0,0 +1,12 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "\.*" "phase:2,id:91043,t:none,t:lowercase,pass,nolog,noauditlog"
# Current Sigs with known issues.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# DO NOT MODIFY THIS FILE
# Make your own exclude list as 00_asl_custom_exclude.conf
# ---ASL-CONFIG-FILE---

87
nginx-waf/10_asl_antimalware.conf Normal file
View File

@ -0,0 +1,87 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Malware rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2019 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
#skip this for certain file types
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m))|gif|js|css|ico|avi|w(mv|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x))$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333946,skipAfter:END_ANTI_MALWARE"
SecRule REQUEST_URI "/imp/compose\.php" "phase:2,pass,id:333947,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_ANTI_MALWARE"
SecRule ARGS|REQUEST_URI|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "@pm http:// https:// ftp:// ftps:// ogg:// data:// php:// zlib:// gopher://" "phase:2,id:338812,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:338370,t:none,pass,nolog,noauditlog,skipAfter:END_ANTI_MALWARE"
# Broadcheck
#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:7,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
#SecRule REQUEST_BODY|ARGS|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "@pmFromFile malware-blacklist.txt"
# Rule 330003: Blocklist of known malware sites
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360003,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URI',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
#SecRule REQUEST_URI "@pmFromFile malware-blacklist.txt"
#Rule 330004: Blocklist suspicious sites in referral
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist.txt" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360004,rev:2,severity:2,msg:'Atomicorp.com Malware Blocklist: Suspicious Blocklist Malware Site detected in Referral',logdata:'%{TX.0}'"
#
# Rule 330005: Blocklist of known malware sites w/ Anti-evasion features
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:360005,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:SAMLResponse "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"
##Rule 360005: Local malware lists
##SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" ## "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
#SecRule ARGS "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360005,rev:2,severity:2,msg:'Local Blocklist Malware Site (AE)'"
#
## Rule 330006: Blocklist of known malware sites w/ Anti-evasion features
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360006,rev:1,severity:2,msg:'Local Malware Site in ARGS/Body (AE)',chain"
#SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
#SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist-local.txt"
#
## Rule 330003: Blocklist of known malware sites
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360007,rev:4,severity:2,msg:'Local Malware Site in URI',chain"
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
#SecRule REQUEST_URI "@pmFromFile malware-blacklist-local.txt"
#
##Rule 330004: Blocklist suspicious sites in referral
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360008,rev:2,severity:2,msg:'Suspicious Local Blocklist Malware Site in Referral'"
#
SecMarker END_ANTI_MALWARE

6585
nginx-waf/10_asl_rules.conf Normal file
View File

File diff suppressed because one or more lines are too long

73
nginx-waf/11_asl_brute_enhanced.conf Normal file
View File

@ -0,0 +1,73 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.5+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2016 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#Commercial rules timers
#XMLRPC rate limiting timer
#SecAction "phase:2,id:311220,nolog,noauditlog,pass,deprecatevar:ip.count_x=1/20"
#Limit exceeded blocks
SecRule IP:COUNT_X "@gt 5" "chain,phase:2,severity:2,id:311221,rev:2,deny,status:403,log,auditlog,msg:'Atomicorp WAF Rules : XMLRPC - Ratelimiting calls/possible attack'"
SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/wp-login\.php\?action=logout" "phase:2,chain,id:339318,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT_EN"
SecRule REQUEST_METHOD "GET" "t:none"
SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5" "chain,phase:2,id:377370,rev:3,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Multiple Wordpress Authentication Failures from the same IP.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'"
SecRule REQUEST_FILENAME "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase"
#SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" #phase:4,id:343892,pass,t:none,nolog,noauditlog,skip:1
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,id:377366,rev:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} '"
SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: ?(?:The password you entered for the username|Incorrect password|(?:Invalid|Unknown) username)" "t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,log,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} ',id:'377369',rev:2,severity:'4',tag:'no_ar',setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule RESPONSE_STATUS "200" "t:none"
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,id:377365,rev:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Admin Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'"
SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
SecRule ARGS:log "admin" "chain,t:none,t:lowercase,t:urlDecodeUni"
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: ?(?:The password you entered for the username|Incorrect password|(?:Invalid|Unknown) username)" "t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
SecMarker END_BRUTE_OUT_EN
#XMLRPC code block
#SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase"
#detect old XMLRPC attacks and increment timer for litespeed systems
SecRule RESPONSE_BODY "fault(?:Code|String)" "chain,phase:4,severity:2,id:311222,pass,t:none,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: WordPress XMLRPC Failure',setvar:ip.count_x=+1,expirevar:ip.count_x=60"
SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase"

139
nginx-waf/11_asl_data_loss.conf Normal file
View File

@ -0,0 +1,139 @@
SecRule REQUEST_FILENAME "/ajax/getsymptoms\.php" "phase:2,id:92738,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=361008"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by the Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2021 by Atomicorp, Inc. all rights reserved.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecDefaultAction "log,deny,auditlog,phase:4"
#skip for ASL GUI
SecRule SERVER_PORT "@streq 30000" "phase:4,id:333710,pass,t:none,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"
#Detect sensitive numbers in output
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" "phase:4,id:333711,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333712,t:none,pass,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"
# GSA SmartPay
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) - GSA SmartPay Card Number sent from site to user',id:'361020',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# MasterCard
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: MasterCard Credit Card Number sent from site to user',id:'361006',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# Visa
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Visa Credit Card Number sent from site to user',id:'361008',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# American Express
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -American Express Credit Card Number sent from site to user',id:361010,severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# Diners Club
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Diners Club Credit Card Number sent from site to user',id:'361012',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# enRoute
#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" # "logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -enRoute Credit Card Number sent from site to user',id:'361014',severity:'1',tag:'no_ar'"
# Discover
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Discover Credit Card Number sent from site to user',id:'361016',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# JCB
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -JCB Credit Card Number sent from site to user',id:'361018',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
SecMarker END_POTENTIAL_CREDIT_CARD_OUT
SecRule REQUEST_URI "^/index\.php\?module=asl" "phase:4,id:349852,pass,t:none,t:lowercase,nolog,noauditlog,chain,skipAfter:END_DLP_OUTPUT"
SecRule SERVER_PORT "@streq 30000"
#Detect potential error messages that leak sensitive information
SecRule RESPONSE_BODY "@pm hsqldb DB2 error illegal unexpected Ingres maxdb ibase_ jdbc exception database ODBC Tomcat DM_QUERY_E_SYNTAX mysql_connect( MySQL Warning SQLite. PostgreSQL ORA- SQLException Driver oci_ ora_ exception SQLSTATE" "phase:4,t:none,pass,nolog,noauditlog,skip:1,id:333713,tag:'no_ar'"
SecAction "phase:4,t:none,pass,nolog,noauditlog,id:333714,skipAfter:END_POTENTIAL_ERROR_LEAK"
SecRule RESPONSE_BODY "<title>Apache Tomcat.{,512}Error report" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Error Message with sensitive information sent from tomcat',id:'361019',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361021',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "You have an error in your SQL syntax; check the manual " "phase:4,rev:2,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361022',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "SQLite.Exception|System.Data.SQLite.SQLiteException|Warning:.{,100}(?:sqlite_|SQLite3::)" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361023',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\bsupplied argument is not a valid (?:MySQL|PostgreSQL)\b" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361024',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\b(?:Column count doesn't match value count at row|MySQL server version for the right syntax to use)\b" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQL Information Leakage',id:'361025',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Warning.{,512}*(?:sqlite|SQLite3)|SQLite/JDBCDriver|SQLite\.Exception)" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQLite Information Leakage',id:'361225',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "Exception (condition )?\d+\. Transaction rollback\." "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential Frontbase SQL Information Leakage detected',id:'361026',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "org\.hsqldb\.jdbc" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential hsqldb SQL Error Message with sensitive information sent',id:'361140',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Warning.{,512}ingres_|Ingres SQLSTATE|Ingres\W.{,512}Driver)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361141',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:<b>Warning</b>: ibase_|Unexpected end of command in statement)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361142',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.{,512}Informix)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361143',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:SQL error.{,512}POS([0-9]+)|Warning.{,512}maxdb)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential maxDB SQL Error Message with sensitive information sent',id:'361144',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Sybase message:|Warning.{,512}sybase|Sybase.{,512}Server message)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential maxDB SQL Error Message with sensitive information sent',id:'361145',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:DB2(?: SQL error:|/6000\])|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.{,256}DB2|db2_ ?\()" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential IBM DB2 SQL Error Message with sensitive information sent',id:'361031',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\[DM_QUERY_E_SYNTAX\]" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential EMC Error Message with sensitive information sent',id:'361032',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "Dynamic SQL Error" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Firebirg Error Message with sensitive information sent',id:'361033',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:(?:JET|Access) Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Microsoft SQL Error Message with sensitive information sent',id:'361030',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle(?: error|.{,512}Driver)|Warning.{,512}oc(?:i|a)_)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Orale SQL Error Message with sensitive information sent',id:'361229',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "define\(\'(?:WP_DEBUG|DB_NAME)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Wordpress Config file download blocked',id:'361230',rev:3,severity:'1',tag:'no_ar'"
SecMarker END_DLP_OUTPUT
SecMarker END_POTENTIAL_ERROR_LEAK

2299
nginx-waf/12_asl_adv_rules.conf Normal file
View File

File diff suppressed because it is too large Load Diff

2462
nginx-waf/12_asl_adv_xss_rules.conf Normal file
View File

File diff suppressed because it is too large Load Diff

257
nginx-waf/12_asl_brute.conf Normal file
View File

@ -0,0 +1,257 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.9+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#SecRule REQUEST_METHOD "^post$" #phase:2,pass,t:none,t:lowercase,nolog,skip:1
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_BRUTE_IN
#vbulletin
#set a variable that someone tried to login
#SecRule REQUEST_URI "/login\.php" # "pass,nolog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_vbulletin_login=yes,noauditlog,nolog,id:377400,rev:1,severity:2"
#SecRule ARGS:do "^login$"
#PHP logins
#SecRule REQUEST_URI "/ucp\.php" # "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:mode "^login$"
#wikimedia
#"POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page
#SecRule ARGS:title "^special\:userlogin$" # "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:action "^submitlogin$" chain
#SecRule ARGS:type "^login$"
#SecMarker END_BRUTE_IN
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule RESPONSE_STATUS "200" "t:none"
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with no user-agent or referrer, Bot attempting Wordpress Login',id:'377390',rev:3,severity:'2'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with empty user-agent and referrer, possible bot',id:'377391',rev:4,severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,t:removeWhiteSpace,chain"
SecRule REQUEST_HEADERS:Referer "^$" "t:none,t:removeWhiteSpace"
#multi-auth blocking for wordpress xmlrpc
#wp.getUsersBlogs
SecRule REQUEST_URI "/xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase,phase:2,id:345868,pass,nolog,noauditlog,chain,skip:1"
SecRule REQUEST_METHOD "@streq POST" "t:none"
SecAction "phase:2,id:323318,t:none,pass,nolog,noauditlog,skipAfter:END_XMLRPC_BRUTE_1"
SecRule REQUEST_BODY|XML:/* "(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest)" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377609',rev:4,severity:'2'"
SecRule REQUEST_URI "^/xmlrpc.php\?for=jetpack" "phase:2,id:323338,t:none,t:lowercase,pass,log,skipAfter:END_XMLRPC_BRUTE_2"
SecRule REQUEST_BODY|XML:/* "system\.multicall" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377619',rev:2,severity:'2'"
#wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
#
SecMarker END_XMLRPC_BRUTE_2
SecRule XML:/* "wp\.getUserBlogs.{,400}wp\.getUserBlogs.{,400}wp\.getUserBlogs" "phase:2,t:none,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377368',rev:2,severity:'2'"
SecRule XML:/* "(?:wp\.getusersblogs|system\.multicall)" "phase:2,chain,t:none,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377367',rev:2,severity:'2'"
SecRule XML:/* "params" "t:none,t:lowercase,chain"
SecRule XML:/* "(?:admin.{,400}admin|string.{,200}string.{,200}string.{,200}string)" "t:none,t:lowercase"
SecMarker END_XMLRPC_BRUTE_1
SecRule SERVER_PORT "@streq 30000" "phase:4,id:339854,pass,t:none,nolog,noauditlog,skipAfter:END_BRUTE_OUT_1"
SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" "phase:4,id:333862,pass,t:none,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333318,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
#Login Details Incorrect. Please try again.
SecRule RESPONSE_BODY "<p>Login Details Incorrect\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WHMCS login failure',id:'378410',rev:1,severity:'4',tag:'no_ar'"
#Recaptcha invalid response
# <td class="row3" colspan="2" align="center"><span class="gensmall error">The visual confirmation code you submitted was incorrect</span></td>
#phpbb login failure
SecRule RESPONSE_BODY ">The visual confirmation code you submitted was incorrect</span>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Recaptcha invalid code',id:'377410',rev:1,severity:'4',tag:'no_ar'"
#phpbb login failure
SecRule RESPONSE_BODY "You have entered an invalid username or password\. Please enter the correct details and" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: VBulletin Login Attempt Failure ',id:'377300',rev:1,severity:'4',tag:'no_ar'"
#377301
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect password\. Please check your password and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure ',id:'377301',rev:1,severity:'4',tag:'no_ar'"
#mediawiki
#Incorrect password entered. Please try again
SecRule RESPONSE_BODY "Incorrect password entered\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wikimedia Login Attempt Failure ',id:'377302',rev:1,severity:'4',tag:'no_ar'"
#sugarcrm
SecRule RESPONSE_BODY "You must specify a valid username and password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Sugarcrm Administration system Login Attempt Failure ',id:'377303',rev:1,severity:'4',tag:'no_ar'"
#joomla
#Use a valid username and password to gain access to the Administrator Back-end
SecRule RESPONSE_BODY "(?:<li>Username and password do not match|Use a valid username and password to gain access to the Administrator Back-end|Nombre de usuario y contraseña no encontrados|Usuario no existe|Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Joomla Administration Login Attempt Failure ',id:'377304',rev:5,severity:'4',tag:'no_ar'"
#wordpress
#<div id="login_error"> <strong>ERROR</strong>: The password you entered for the username <strong>admin</strong> is incorrect. <a href="http://server2/wordpress/wp-login.php?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: The password you entered for the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377305',rev:2,severity:'4',tag:'no_ar'"
#Newer versions of WP
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: Incorrect password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377605',rev:2,severity:'4',tag:'no_ar'"
#Multiple WP xmlrpc brute force
SecRule RESPONSE_BODY|XML:/* "faultString.{,32}Incorrect username or password.{,100}faultString.{,32}Incorrect username or password.{,100}faultString.{,32}Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377679',rev:2,severity:'2'"
SecRule RESPONSE_BODY|XML:/* "isAdmin.{,100}boolean.{,100}isAdmin.{,100}boolean.{,100}isAdmin.{,100}boolean" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377689',rev:2,severity:'2'"
#Newer versions of WP XMLRPC API
SecRule RESPONSE_BODY|XML:/* "(?:<string>|faultString.{,128})Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377625',rev:3,severity:'4',tag:'no_ar'"
#Newer versions of WP XMLRPC API
SecRule RESPONSE_BODY "<string>server error. requested method wp\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules: Potential WordPress Method Probe Detected ',id:'377626',rev:3,severity:'4',tag:'no_ar'"
#wordpress
#<div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://server2/wordpress/wp-login.php?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>: (?:Invalid|Unknown) username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress invalid username failure ',id:'377306',rev:2,severity:'4',tag:'no_ar'"
#Drupal
SecRule RESPONSE_BODY "Sorry, unrecognized username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Drupal invalid username or password failure ',id:'377308',rev:2,severity:'4',tag:'no_ar'"
#typo3
#<h2>Your login attempt did not succeed</h2>
# <p>Make sure to spell your username and password correctly, including upper/lowercase characters.</p>
SecRule RESPONSE_BODY "<h2>Your login attempt did not succeed</h2>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Typo3 invalid username or password failure ',id:'377309',rev:1,severity:'4',tag:'no_ar'"
#modx
# <p class="error">That account could not be located. Check the username and re-type the password to try again.</p> </div></div></div>
SecRule RESPONSE_BODY ">That account could not be located\. Check the username and re-type the password to try again\.</p>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX invalid username failure ',id:'377310',rev:1,severity:'4',tag:'no_ar'"
# <p class="error">The username or password you entered is incorrect. Please check the username, re-type the password, and try again.</p> </div></div></div>
SecRule RESPONSE_BODY "The username or password you entered is incorrect\. Please check the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX password login failure ',id:'377311',rev:1,severity:'4',tag:'no_ar'"
#moodle
# <div class="loginerrors"><span class="error">Invalid login, please try again</span></div> <form action="http://server2/moodle/login/index.php" method="post" id="login" >
SecRule RESPONSE_BODY ">Invalid login, please try again</span></div>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Moodle login failure ',id:'377312',rev:1,severity:'4',tag:'no_ar'"
#Plesk
#</SPAN>You have entered incorrect username or password.</DIV>
SecRule RESPONSE_BODY "</SPAN>You have entered incorrect username or password\.</DIV>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Plesk login failure ',id:'377313',rev:1,severity:'4',tag:'no_ar'"
#oscommerce customer login
#Error: No match for E-Mail Address and/or Password.</td>
SecRule RESPONSE_BODY "Error\: No match for E-Mail Address and/or Password\.</td>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce customer login failure ',id:'377314',rev:1,severity:'4',tag:'no_ar'"
#oscommerce admin login
SecRule RESPONSE_BODY "(?:Error\: Identification of the store administrator failed\.|Invalid administrator login attempt\.)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce admin login failure ',id:'377315',rev:2,severity:'4',tag:'no_ar'"
#zencart customer login
#Error: Sorry, there is no match for that email address and/or password.</
SecRule RESPONSE_BODY "Error\: Sorry, there is no match for that email address and/or password\.</" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ZenCart customer login failure ',id:'377323',rev:1,severity:'4',tag:'no_ar'"
#zencart admin login
#messageStackError">You entered the wrong username or password.
SecRule RESPONSE_BODY "messageStackError\">You entered the wrong username or password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ZenCart admin login failure ',id:'377316',rev:1,severity:'4',tag:'no_ar'"
#dokuwiki
# <div class="error">Sorry, username or password was wrong.</div>
SecRule RESPONSE_BODY "<div class=\"error\">Sorry, username or password was wrong\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Dokuwiki login failure ',id:'377317',rev:1,severity:'4',tag:'no_ar'"
# magento customer
# Please enter a valid email address. For example johndoe@domain.com.
#SecRule RESPONSE_BODY "Please enter a valid email address\. For example johndoe@domain.com\." # "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento customer login failure ',id:'377318',rev:1,severity:'4'"
# magento admin
# <li class="error-msg"><ul><li><span>Invalid Username or Password.</span>
SecRule RESPONSE_BODY "<li class=\"error-msg\"><ul><li><span>Invalid Username or Password\.</span>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento admin login failure ',id:'377319',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid password
# <li>Invalid password</li>
SecRule RESPONSE_BODY "<li>Invalid password</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid password)',id:'377320',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid email
# <ol style="margin: 0 0 0 20px;"><li>Employee does not exist or password is incorrect.</li>
SecRule RESPONSE_BODY "<li>Employee does not exist or password is incorrect\.</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid email)',id:'377321',rev:1,severity:'4',tag:'no_ar'"
# prestashop blank password
# <ol style="margin: 0 0 0 20px;"><li>Password is blank</li>
SecRule RESPONSE_BODY "<li>Password is blank</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (blank password)',id:'377322',rev:1,severity:'4',tag:'no_ar'"
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect username\. Please check your username and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure - Incorrect Username ',id:'377326',rev:1,severity:'4',tag:'no_ar'"
#377324 is next
SecMarker END_BRUTE_OUT_1
#ASL bruteforce
SecRule RESPONSE_BODY "(?:<span class=\'text_red\'>Invalid username or password</span>|class=\"td_login_fail\">Invalid username or password</td>)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ASL GUI invalid username or password failure ',id:'377307',rev:3,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "t:none,t:urlDecodeUni,t:lowercase,phase:5,id:335897,pass,nolog,noauditlog,skip:1"
SecAction "phase:5,id:333319,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
#Cpanel
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Cpanel WHM Login Attempt Failure ',id:'377363',rev:2,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule RESPONSE_STATUS "401" "t:none"
#successful cpanel root login
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Detection: Cpanel WHM root Login succeeded ',id:'377364',rev:2,severity:'5',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:user "root" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule RESPONSE_STATUS "200" "t:none"
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377365,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Admin Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule ARGS:log "admin" "chain,t:none,t:lowercase,t:urlDecodeUni"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"
#
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377366,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} '"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 10"
SecMarker END_BRUTE_OUT
#Wordpress login probes
SecRule REQUEST_URI "wp-login\.php" "chain,phase:2,id:307367,severity:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Brute Force: Wordpress Authentication Probes detected .',logdata:'Number of probes in 60 seconds: %{ip.login_probe} '"
SecRule REQUEST_METHOD "@streq HEAD" "t:none,chain,setvar:ip.login_probe=+1,expirevar:ip.login_probe=60"
SecRule IP:LOGIN_PROBE "@gt 5"
#cpanel login probes
SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "chain,phase:2,severity:2,id:317368,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: WHMCS brute force probe blocked.'"
SecRule REQUEST_METHOD "@streq HEAD" "t:none"
#Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
#SecRule REQUEST_HEADERS:User-Agent "MSIE 7\.0" #"chain,phase:2,log,deny,auditlog,t:none,id:354322,rev:3,severity:4,msg:'Atomicorp.com WAF Rules: Cpanel brute force attack detected'"
#SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "t:none,t:lowercase"

39
nginx-waf/13_asl_brute_enhanced.conf Normal file
View File

@ -0,0 +1,39 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.5+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2016 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Wordpress login probes
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:2,severity:2,id:307368,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Brute Force: Possible Wordpress Authentication Probes detected .',logdata:'Number of probes in 60 seconds: %{ip.login_probe} '"
SecRule REQUEST_METHOD "@streq GET" "t:none,chain,setvar:ip.login_probe=+1,expirevar:ip.login_probe=60"
SecRule IP:LOGIN_PROBE "@gt 10"

57
nginx-waf/13_asl_command_injection.conf Normal file
View File

File diff suppressed because one or more lines are too long

442
nginx-waf/20_asl_useragents.conf Normal file
View File

@ -0,0 +1,442 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/cron/index\.php" "phase:2,id:95076,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330017"
SecRule REQUEST_FILENAME "/ssp_director/index\.php" "phase:2,id:95077,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
SecRule REQUEST_FILENAME "/ssp_director" "phase:2,id:95078,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
SecRule REQUEST_FILENAME "/silentpost\.php" "phase:2,id:95079,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330030"
SecRule REQUEST_FILENAME "/cgi/upload\.cgi" "phase:2,id:95080,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
SecRule REQUEST_FILENAME "/tfu/tfu_upload\.php" "phase:2,id:95081,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
SecRule REQUEST_FILENAME "/qm/dm\.master" "phase:2,id:95082,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
SecRule REQUEST_FILENAME "/dump_full_recs\.txt" "phase:2,id:95083,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
SecRule REQUEST_FILENAME "/export/kelkoo\.php" "phase:2,id:95084,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330128"
SecRule REQUEST_FILENAME "/admincp" "phase:2,id:95085,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
SecRule REQUEST_FILENAME "/ideal_wbp1ah\.php" "phase:2,id:95086,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/checkout/onepage" "phase:2,id:95087,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/postsale\.php" "phase:2,id:95088,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/cancel\.php" "phase:2,id:95089,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/cp-res-cancel\.php" "phase:2,id:95090,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/cron\.php" "phase:2,id:95091,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330017"
SecRule REQUEST_FILENAME "/linkmachine/linkmachine\.php" "phase:2,id:95092,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
SecRule REQUEST_FILENAME "/api/postback" "phase:2,id:95093,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/spinclude\.cgi" "phase:2,id:95094,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330039"
SecRule REQUEST_FILENAME "/vmpayment/realex/notify\.php" "phase:2,id:95095,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330039"
SecRule REQUEST_FILENAME "/alipay_callback\.php" "phase:2,id:95096,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330131"
SecRule REQUEST_FILENAME "/cgi-bin/quickshow\.cgi" "phase:2,id:95097,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=332039,ctl:ruleRemovebyID=336657"
SecRule REQUEST_FILENAME "/payment/barclays/barclays_response\.php" "phase:2,id:95098,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
SecRule REQUEST_FILENAME "/modules/ogone/validation\.php" "phase:2,id:95099,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# User Agent Security Rules for modsec 2.x
#
# Copyright 2005-2023 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
# ---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecRule ARGS "acunetix_wvs_security_test" "phase:2,rev:'3',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site',id:333331,severity:'2'"
#check headers for known malicious clients and agents
SecRule REQUEST_HEADERS|REQUEST_HEADERS_NAMES|REQUEST_COOKIES "@pm aaaaaa x-scan-memo acunetix ethereumstratum xmrig xmr-stak-cpu minername cpuminer" "id:334927,rev:1,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333729,pass,nolog,noauditlog,skipAfter:END_UA_H_CHECKS"
SecRule REQUEST_HEADERS "x-aaaaaa" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:330001,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Spam: Generic spam header detected'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "acunetix" "phase:2,rev:'3',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site',id:333301,severity:'2'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "(?:ethereumstratum|xmrig/|xmr-stak-cpu|minername/|cpuminer/)" "phase:2,rev:'4',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Cryptoware blocked',id:333330,severity:'2'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "X-Scan-Memo" "phase:2,rev:'3',t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Security Scanner Scanned the Site',id:333341,severity:'2'"
SecMarker END_UA_H_CHECKS
SecRule REQUEST_HEADERS:User-Agent "^Internet Explorer " "phase:2,t:none,deny,log,auditlog,status:403,id:330305,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Fake Microsoft Internet Explorer Browser'"
SecRule REQUEST_HEADERS:User-Agent "baidu; baiduspider" "phase:2,t:none,deny,log,auditlog,status:403,id:330363,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Known malicious agent and fake baiduspider'"
SecRule REQUEST_HEADERS:User-Agent "^Windows NT 6.1; Win64; x64$" "phase:2,t:none,deny,log,auditlog,status:403,id:333332,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Known malicious agent'"
# Rule 330006: recursion attack in UA field
#SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." "id:330006,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: recursion attack in UA field'"
#May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Atomicorp.com WAF Rules: Suspicious Automated or Manual Request'"
#SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$"
#
SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" "phase:2,t:none,deny,log,auditlog,status:403,id:333333,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WAF bypass detected using x-up-devcap-post-charset in combination with prefix \'UP\' to User-Agent',chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" "t:none"
#Parallel skip
SecRule REQUEST_HEADERS:User-Agent|REQUEST_URI "@pm Xs_Kontrol NextGenSearchBot Synapse App3leWebKit MJ12bot sosospider fdm ICS python libcurl js-kit bot 5.0 8484 admin@google.com agdm79@mail mua amiga-aweb/3.4 analyzer atomic_email_hunter backdoor bilbo black blackwidow brutus butch__2 bwh3_user_agent cgichk cherrypickernicerspro china combine concealed contentsmartz copyguard copyrightcheck cisco-torch sql springenwerk toata scan whcc sundayddr nmap prog.customcrawler network-services-auditor grendel-scan get-minimal pymills-spider dav.pm crescent datacha0s dbrowse demo digimarc download dts ebrowse ecollector emailcollector emailwolf exploit godzilla dirbuster dotdotpwn extractor extractorpro fantombrowser foobar franklin full gameboy grabber grub hole indy injection internet-exprorer isc jaascois k1b larbin@unspecified libwen-us pycurl blacksun cyberdog absinthe autogetcolumn metis missigua morfeus morzilla mosiac mozilla/3 mozilla/2.01 mozilla/4.0 mozilla/4.76 mozilla/5. murzillo nameofagent .nasl nessus arachni havij acunetix whatweb newt nikto ninja nokia-waptoolkit nsauditor n-stealth paros pavuk picscout pe pmafind poe-component-client production prowebwaler psycheclone rainbow safexplorer security shareware siphon sitesnagger sohu spider s.t.a.l.k.e.r stress surf teleport telesoft test voideye vxb webbandit webcopier webemailextract webinspect weblogs webmole webroot webster webstripper webtrends webvulnscan webzip wells wep widow windows-update-agent < php http_get_vars super happy fun psycheclone grub crawl hurt core-project/ winnie poh siphon nutscrape/ missigua emailsiphon digger nutchcvs trackback/ autoemailspider pussycat user-agent: omniexplorer ecollector cherrypicker zemu revolt casper kmccrew planetwork dex sledink perl kangen sasqia t34mh4k mama jcomers indonetwork goblox ayumi_im0etz whitehat zmeu w3af.sourceforge.net yandex chinaclaw googlehttpclient playstation script about applet activex chrome object www.80legs.com netscape winhttp.winhttprequest.5 obot shell_exec if r00t intelium b55 cybeye riddler loadimpact 2600 patchone pogs chishijen12 typhoeus table href iframe script php xmlset blackseo appscan xSlurp .exe Pcore-HTTP Datanyze struts-pwn raphaelrocks nuclei) wp_is_mobile tsunami openvas fuzz" "id:333924,rev:3,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333719,pass,nolog,noauditlog,skipAfter:END_UA_CHECKS_1"
SecRule REQUEST_HEADERS:User-Agent "wp_is_mobile" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:337741,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: AccessPress Themes backdoor blocked'"
#nmaplowercheck
SecRule REQUEST_URI "nmaplowercheck" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:337764,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: NMAP scanner blocked'"
#Pcore-HTTP
SecRule REQUEST_HEADERS:User-Agent "Datanyze" "phase:2,deny,log,auditlog,status:403,t:none,id:337749,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: Datanyze bot blocked'"
#Pcore-HTTP
SecRule REQUEST_HEADERS:User-Agent "Pcore-HTTP" "phase:2,deny,log,auditlog,status:403,t:none,id:334749,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Pcore-HTTP'"
#Xs_Kontrol
SecRule REQUEST_HEADERS:User-Agent "Xs_Kontrol" "phase:2,deny,log,auditlog,status:403,t:none,id:347749,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: Xs_Kontrol bot blocked'"
#Yahoo!xSlurp
SecRule REQUEST_HEADERS:User-Agent "Yahoo\!xSlurp" "phase:2,deny,log,auditlog,status:403,t:none,id:334729,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake SUPEE-5344 malware agent blocked'"
#Yahoo!xSlurp
SecRule REQUEST_HEADERS:User-Agent "NextGenSearchBot" "phase:2,deny,log,auditlog,status:403,t:none,id:334739,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake zoominfo search bot blocked'"
#Blackseo Agent v 0.1
SecRule REQUEST_HEADERS:User-Agent "blackseo agent" "phase:2,deny,log,auditlog,status:403,t:none,t:compressWhitespace,t:lowercase,id:334719,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Blackseo Agent blocked'"
#droptable
SecRule REQUEST_HEADERS:User-Agent "(?:drop ?table| href|iframe|< ?(?:script|php)|xmlset)" "phase:2,deny,log,auditlog,status:403,t:none,t:compressWhitespace,t:lowercase,id:334709,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Malicious user-agent header attack',chain"
SecRule REQUEST_HEADERS:User-Agent "!(Iframely)" "t:none"
#Mozilla/4.0 (compatible; Synapse)
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; Synapse\)" "phase:2,deny,log,auditlog,status:403,t:none,id:334009,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt'"
#chishijen12
SecRule REQUEST_HEADERS:User-Agent "chishijen12" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:334309,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CryptoPHP Malicious UserAgent Blocked'"
#Netscape 6.0; WinNT6.1
SecRule REQUEST_HEADERS:User-Agent "^Netscape " "phase:2,deny,log,auditlog,status:403,t:none,id:334003,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake Netscape Browser'"
#Known worm sign
SecRule REQUEST_HEADERS:User-Agent "WinHttp\.WinHttpRequest\.5" "phase:2,deny,log,auditlog,status:403,t:none,id:334703,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: WinHttp.WinHttpRequest.5 known worm sign detected'"
# Rule 330003: XSS in the UA field
SecRule REQUEST_HEADERS:User-Agent "<(?:.|\s|\n)?(?:script|about|applet|activex|chrome|object)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:330003,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: XSS in User Agent field'"
# Rule 330004: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "(?:< ?\? ?php|^ ?< ?\?)" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330004,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: PHP code injection via User Agent'"
# Rule 330005: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "http_get_vars" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330005,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: PHP code injection via User Agent 2'"
#Joomla bot
#BOT/0.1 (BOT for JCE)
SecRule REQUEST_HEADERS:User-Agent "Sosospider" "phase:2,t:none,deny,log,auditlog,status:403,id:330215,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Sosospider - Known abusive bot'"
#Joomla bot
#BOT/0.1 (BOT for JCE)
SecRule REQUEST_HEADERS:User-Agent "bot for jce" "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330205,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla Exploit Bot'"
#Mozilla/4.0 (compatible; ICS)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; ICS\)" "phase:2,t:none,deny,log,auditlog,status:403,id:360205,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: ICS Bot'"
#Free Download Manager
SecRule REQUEST_HEADERS:User-Agent "FDM" "phase:2,t:none,deny,log,auditlog,status:403,id:360215,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Free Download Manager'"
#Joomla bot
#Mua
SecRule REQUEST_HEADERS:User-Agent "^mua$" "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330206,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla Exploit Bot'"
# Rule 330010: DataCha0s
SecRule REQUEST_HEADERS:User-Agent "datacha0s/2\.0" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330010,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: DataCha0s'"
# Rule 330011: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent "(?:exploit|morzilla|cyberdog|blacksun|absinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|dav\.pm|pymills-spider|get-minimal|grendel-scan|mysqloit|prog\.customcrawler|sql power injector|sqlmap|sundayddr|friendly-scanner|toata dragostea|b\:2600|loadimpact|patchone|pogs/2\.0|shellshock-scan|appscan|(?:xpymep|start)\.exe|struts-pwn|raphaelrocks|tsunami)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330011,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Known Exploit Tool Detected'"
# Rule 330014: XML RPC exploit tool
SecRule REQUEST_HEADERS:User-Agent "(?:dirbuster|dotdotpwn)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330015,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Exploit tool'"
#Playstation
#SecRule REQUEST_HEADERS:User-Agent "psp \(playstation portable\)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:393716,phase:2,t:lowercase,msg:'Atomicorp.com WAF Rules: Bad User Agent: Playstation Portable',deny,status:403"
# Rule 330016: A friendly little exploit banner for a WP vuln
SecRule REQUEST_HEADERS:User-Agent "wordpress hash grabber" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330016,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Wordpress hash grabber'"
# Rule 330017: Blocks scripts
#SecRule REQUEST_URI "!(/webprobilling/pipe/pop\.php|/cron/index\.php|/read\.php|/pg/cron/)" "chain,id:330017,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent: lwp - Disable this rule if you are using LWP'"
#SecRule REQUEST_HEADERS:User-Agent lwp
# Rule 330019: Web leaches
SecRule REQUEST_HEADERS:User-Agent "^(?:web(?:(?:st(?:ripp)?| download|copi)er|zip)|(?:prowebwalk|sitesnagg)er|c(?:heesebot|ombine)|teleport pro|black hole|chinaclaw)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330019,rev:3,severity:3,msg:'Atomicorp.com WAF Rules: Suspicious Web Client Detected (Disable this rule if you wish to allow these clients)'"
# Rule 330031: Bogus Mozilla UA lines
SecRule REQUEST_HEADERS:User-Agent "m(?:icrosoft internet explorer/5.0|ozilla/3.mozilla/(?:2.01|5\.0)|ozilla/4\.0 \(compatible; msie 7\.0; na; \))$" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,capture,id:330031,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Fake Browser User agent detected',logdata:'%{TX.0}'"
# Rule 330033: Bogus UA
SecRule REQUEST_HEADERS:User-Agent "(?:f(?:oobar/|axobot)|^www\.weblogs\.com)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330033,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Malicious bot attack blocked'"
# Rule 330034: Vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent "(?:n(?:-stealth|sauditor|e(?:ssus|etwork-services-auditor)|ikto|map)|b(?:lack ?widow|rutus|ilbo)|web(?:inspec|roo)t|p(?:mafind|aros|avuk)|cgichk|jaascois|\.nasl|metis|w(?:ebtrends security analyzer|hcc|3af\.sourceforge\.net)|\bzmeu\b|springenwerk|arachni|acunetix-product|\bhavij\b|^b55 |\briddler\b|netsparker|projectdiscovery/nuclei| openvas|fuzz faster)" "capture,phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330034,rev:14,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected',logdata:'%{TX.0}'"
# Rule 330035: Vuln scanner UA
SecRule &REQUEST_HEADERS:X-Scanner "@eq 1" "capture,phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330035,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected',logdata:'%{TX.0}'"
# Rule 330037: WhatWeb/
SecRule REQUEST_HEADERS:User-Agent "whatweb/" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330037,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WhatWeb web scanner detected'"
# Rule 330036: BAd/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "indy library" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330036,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected. Disable this rule if you use indy library.'"
# Rule 330038: BAd/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "safexplorer tl" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330038,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (SAFEXPLORER)'"
# Rule 330039: Libwww-perl
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:330039,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. '"
SecRule REQUEST_HEADERS:User-Agent "libwww-perl" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"
# Rule 330039: python-requests/
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332039,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. '"
SecRule REQUEST_HEADERS:User-Agent "python-requests/" "t:none,t:lowercase"
SecRule REQUEST_FILENAME "admin/controllers/cron\.php$" "phase:2,id:343759,pass,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_332139"
# Rule 332139: libcurl
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332139,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libcurl). Disable this rule if you use libcurl. '"
SecRule REQUEST_HEADERS:User-Agent "libcurl" "t:none,t:lowercase"
SecMarker END_332139
#typhoeus
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332150,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent (typhoeus). Disable this rule if you use typhoeus. '"
SecRule REQUEST_HEADERS:User-Agent "typhoeus" "t:none,t:lowercase"
# Rule 331039: Python-urllib
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:331039,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (Python-urllib). Disable this rule if you use Python-urllib. '"
SecRule REQUEST_HEADERS:User-Agent "python-urllib" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"
# Rule 330040: TwengaBot
SecRule REQUEST_HEADERS:User-Agent "twengabot" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330040,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Impolite bot - TwengaBot detected. Disable this rule if you want to allow TwengaBot. '"
# Rule 330040: TwengaBot
SecRule REQUEST_HEADERS:User-Agent "(?:JS-Kit URL Resolver|JSKitBotURLResolver|js-kit\.com)" "phase:2,t:none,deny,log,auditlog,status:403,id:330140,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Impolite bot - JS-Kit URL Resolver detected. Disable this rule if you want to allow JS-Kit URL Resolver. '"
# Rule 330041:VB development library used by many spammers, might block legite VBscripts
#comment out if you have problems
SecRule REQUEST_HEADERS:User-Agent "crescent internet toolpak" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330041,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
# Rule 330039: Libpycurl
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:330045,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (pycurl). Disable this rule if you use pycurl. '"
SecRule REQUEST_HEADERS:User-Agent "pycurl" "t:none,t:lowercase"
# Rule 330044: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:s(?:iphon|pider)|collector|wolf)|xtractor(?:pro)?|collector)|web(?:(?:emailextrac|bandi)t|mole)|autoemailspider|cherrypicker|under the rainbow 2|nicerspro|telesoft|grub|j12bot\/v1\.0\.8|(?:blogsearchbot-marti|super happy fu)n|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat)|(?:grub crawl|omniexplor)er|auto ?email ?spider|winnie poh|nut(?:scrape/|chcvs)|app3lewebkit)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330056,rev:10,severity:2,msg:'Atomicorp.com WAF Rules: Email Harvester Spambot User agent detected'"
SecRule REQUEST_HEADERS:User-Agent "!(windows-live-social-object-extractor-engine|nutch-)" "t:none,t:lowercase"
#Spiders that eat up bandwidth for their customers
# Rule 330057: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "(?:copy(?:rightcheck|guard)|digimarc webreader|picscout)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330057,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: DRM Spider User agent detected'"
# Rule 330060: MArketing spiders
SecRule REQUEST_HEADERS:User-Agent "zeus .*webster pro" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330060,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Marketing Spider User agent detected'"
# Rule 330061: Poker spam
SecRule REQUEST_HEADERS:User-Agent "(?:(?:w(?:ise(?:nut)?|ebalt)bo|(?:nameof|dts )agen|8484 boston projec)t|(?:f(?:ranklin locato|antombrowse)|atspide)r|china local browse 2|murzillo compatible|libwen-us|program shareware 1|we(?:lls search ii|p search 00)|digger|trackback\/)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330061,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Spambot User agent detected'"
#330269 suspicious UA
SecRule REQUEST_HEADERS:User-Agent "poe-component-client" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330269,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent (POE-Component-Client)'"
# Rule 330070: spam bots
SecRule REQUEST_HEADERS:User-Agent "missigua" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330070,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious unusual User Agent'"
#spammer
SecRule REQUEST_HEADERS:User-Agent "(?:agdm79@mail\.ru|larbin@unspecified|butch__2\.1\.1|internet exploiter|hl_ftien_spider|godzilla)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330079,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent'"
#Fake Gameboy UA
SecRule REQUEST_HEADERS:User-Agent "gameboy\, powered by nintendo" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330080,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Gamboy UA)'"
#bogus amiga UA
SecRule REQUEST_HEADERS:User-Agent "amiga-aweb/3\.4" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330081,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Amiga Web Agent'"
#bogus googlebot UA
SecRule REQUEST_HEADERS:User-Agent "(?:nokia-waptoolkit.* googlebot.*googlebot|googlehttpclient)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330083,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake GoogleBot'"
#exploit UA
SecRule REQUEST_HEADERS:User-Agent "(?:mo(?:rfeus fucking scanner|siac 1)|internet(?:-exprorer| ninja)|s\.t\.a\.l\.k\.e\.r\.|kenjin spider|neuralbot/| obot|shell_exec|if \(|r00t|intelium|cybeye|\bcaptch|^apitool$)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330082,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Known Exploit User Agent'"
#fake UA
SecRule REQUEST_URI "!(\.asmx$)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
SecRule REQUEST_HEADERS:User-Agent "windows-update-agent"
#Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vadixbot User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "concealed defense" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330096,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Concealed Defense User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "core-project/1." "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330097,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: core-project/1.0 User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "(?:no browser|user[- ]agent ?:)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330094,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Compromised User-Agent Agent Attack blocked'"
SecRule REQUEST_HEADERS:User-Agent "!(http://bsalsa\.com|^site24x7)"
SecRule REQUEST_HEADERS:User-Agent "backdoor" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330099,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: backdoor User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "(?:script|sql) injection" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330100,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: script injection User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "security scan" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: script injection User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "stress test" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330102,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Stress Test User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "voideye" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330103,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: VoidEYE User Agent String'"
SecRule REQUEST_HEADERS:User-Agent "$botname/$botversion" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330105,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Broken Bot Generic User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "(?:p(?:e 1\.4|roduction bot|sycheclone)|[a-z]surf[0-9][0-9])" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330110,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Scanbot User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "searchbot admin@google\.com" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330115,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Google Searchengine User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "(?:sogou develop spider|sohu agent)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330116,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Sogou Searchengine User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "(?:bwh3_user_agent|zemu|mama (?:casper|cyber|sox|xirio)|(?:kmccrew|sasqia|casper|planetwork|dex|jcomers|sledink|goblox|indo(?:com|network)) bot search|^perl post$|rk q kangen|t34mh4k|^revolt$)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330122,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Attack Script User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "(?:con(?:tentsmartz|tactbot/)|atomic_email_hunter|isc systems irc search 2\.1)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330124,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Email Harvester Spambot User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "(?:demo bot|educate search vxb|full web bot)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330125,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Scanbot User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "!(flipboardbrowser)" "t:none,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "k1b compatible; rss 6.0; windows sot 5.1 security kol" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330132,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Attacker User Agent String Detected'"
SecRule REQUEST_HEADERS:User-Agent "pleasecrawl/1\." "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330136,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Badbot User Agent String Detected'"
#SecRule REQUEST_HEADERS:User-Agent "yandexbot" # "id:330137,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: YandexBot Search Engine User Agent Detected (Disable this rules if you wish to allow this search bot, this is not a false positive)'"
# Rule 330014: Exploit UA
SecRule REQUEST_HEADERS:User-Agent "that's gotta hurt" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330014,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Exploit User Agent Detected'"
SecRule REQUEST_HEADERS:User-Agent "www\.80legs\.com" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:333514,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Bad Bot www.80legs.com'"
SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,log,auditlog,status:403,id:333515,rev:4,severity:4,msg:'Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)',tag:'no_ar'"
SecMarker END_UA_CHECKS_1
#Suspicious useragent
#SecRule REQUEST_HEADERS:User-Agent "@endsWith ;)" "chain,phase:2,t:none,t:compressWhitespace,deny,log,auditlog,status:403,id:309925,severity:2,rev:10,msg:'Atomicorp.com WAF Rules: Suspicious User-Agent, parenthesis closed with a semicolon %{REQUEST_HEADERS.User-Agent}'"
#SecRule REQUEST_HEADERS:User-Agent "!(Qualidator\.com|ExaleadCloudView|^Mozilla/4\.0 \(compatible;\)$|UTVDriveBot|Add Catalog|^Appcelerator|GoHome Spider|^ownCloud News|^Hatena|^facebookexternalhit|DashLinkPreviews|Google-InspectionTool)" "t:none"
#Check major browsers for validity
SecRule REQUEST_HEADERS:User-Agent "@pm mozilla ;. newt google explore msie compatible opera" "id:333925,t:none,phase:2,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333720,pass,nolog,noauditlog,skipAfter:END_UA_CHECKS_2"
#"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
#"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
SecRule REQUEST_HEADERS:User-Agent "Mozilla/5\.0 \(Windows NT 5\.1\) AppleWebKit/537\.36 \(KHTML, like Gecko\) Chrome/46\.0\.2490\.71 Safari/537\.36" "chain,phase:2,log,deny,auditlog,t:none,id:357989,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla DOS bot blocked'"
SecRule REQUEST_URI "/administrator" "t:none,t:lowercase"
#Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows" "chain,phase:2,log,deny,auditlog,t:none,id:397989,rev:1,severity:4,msg:'Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6)'"
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot|webauth@cmcm\.com)" "t:none"
#Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
SecRule REQUEST_HEADERS:User-Agent "(?:Mozilla/4.0 \(compatible: MSIE 7\.0; Windows NT 6\.0|Mozilla/5\.0 \(Windows; U; MSIE 7\.0)" "chain,phase:2,log,deny,auditlog,t:none,id:354321,rev:2,severity:4,msg:'Atomicorp.com WAF Rules: MSIE 7.0 detected (Disable if you want to allow MSIE 7)'"
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot|webauth@cmcm\.com)" "t:none"
#Fake MSIE 6
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible\; MSIE (?:6\.0\.|6\.00)" "chain,phase:2,log,deny,auditlog,t:none,id:397999,rev:3,severity:4,msg:'Atomicorp.com WAF Rules: Fake MSIE 6.0 detected'"
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot)" "t:none"
#Fake MSIE 5.01
#User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 5\.01\)" "phase:2,log,deny,auditlog,t:none,id:397970,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Fake MSIE 5.01 detected'"
#MSIE 5.5
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 5\.5; Windows NT 5\.0\)" "phase:2,log,deny,auditlog,t:none,id:397990,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Fake MSIE 5.5 detected'"
#Fake Mozilla UA string
SecRule REQUEST_HEADERS:User-Agent "(?:$mozilla^|mozilla/[45]\.[1-9]|^mozilla/4\.0$)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330131,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Malicious Bot Blocked (Fake Mozilla User Agent String Detected)'"
#Fake Opera browser
#SecRule REQUEST_HEADERS:User-Agent "^.* Opera[ /][0-9]\." # "phase:2,t:none,deny,status:403,id:336655,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake Opera browser',chain"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none,chain"
#SecRule REQUEST_HEADERS:User-Agent "!(Nintendo DSi)" "t:none"
#Fake MSIE 9
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/4\.0 \(compatible; MSIE 9.0; Windows NT 6.1\)$" "phase:2,t:none,deny,status:403,id:336656,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake MSIE 9./0 browser %{REQUEST_HEADERS.User-Agent}.',log,auditlog"
#Broken Bot
SecRule REQUEST_HEADERS:User-Agent "compatible ;\." "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330130,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Broken Bot User Agent String Detected'"
# Rule 330072: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "(?:^(?:google|i?explorer?\.exe|(?:ms)?ie( [0-9.]+)?[ ]?(?:compatible(?: browser)?)?|mozilla(?: [0-9.]+)?[ ]?\((?:windows|linux|(?:ie )?compatible)\))$|compatible \; msie)" #"chain,phase:2,t:none,t:compressWhitespace,t:lowercase,deny,status:403,id:330072,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Browser detected'"
#SecRule REQUEST_HEADERS:User-Agent "!(placeware rpc 1\.0\)$)"
# Rule 330074: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "^(?:mozilla/5\.0 \(x11; u; linux i686; en-us; rv\:0\.9\.6\+\) gecko/2001112|mozilla/.+[. ]+|mozilla/4\.0 \(compatible\; msie 6\.0\; windows nt 5\.1)$" # "id:330074,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Mozilla)'"
#330076: Broken spammer tool
SecRule REQUEST_HEADERS:User-Agent "^mozilla/4\.0\+" "phase:2,t:none,t:lowercase,deny,status:403,chain,auditlog,log,id:330076,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake User Agent (Spammer converting spaces to plus signs)'"
SecRule REQUEST_HEADERS:User-Agent "^!(mozilla/4.0+\(compatible; uptimerobot/1\..; http://www.uptimerobot.com/\))$"
#SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; ?(\.net clr.*){4,}.*msoffice 12" SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:331136,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
# Rule 330042: Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecRule REQUEST_HEADERS:User-Agent "(?:newt activex\; win32|mozilla.*newt)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330042,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
#Older MSIE6 on newer platforms
#SecRule REQUEST_HEADERS:User-Agent "msie 6\.0[ab]?;(?: .+;)? windows nt [56]\." # "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:336657,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Client using IE6 on verion of Windows that should have IE7 or higher installed'"
#Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
#
#Mozilla/5.0 (Wihndows NT
SecRule REQUEST_HEADERS:User-Agent "Mozilla/5\.0 \(Wihndows NT" "log,auditlog,phase:1,t:none,deny,log,status:403,id:336658,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Known DOS Attack Tool'"
#Known attack box
#^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.76 \[ru\]" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330043,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
SecMarker END_UA_CHECKS_2
#exclusions

36
nginx-waf/21_asl_useragents.conf Normal file
View File

@ -0,0 +1,36 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# User Agent Security Rules for modsec 2.x
#
# Copyright 2005-2017 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
# ---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bad_agents.txt" "phase:2,log,auditlog,deny,status:403,capture,t:none,t:urlDecodeUni,id:390509,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - User Defined Bad User-Agent blocked',logdata:'%{TX.0}'"

813
nginx-waf/30_asl_antispam.conf Normal file
View File

@ -0,0 +1,813 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/cerberus-gui/parser\.php" "phase:2,id:95100,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/serendipity_admin\.php" "phase:2,id:95101,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/cgi-bin/cp-admin\.cgi" "phase:2,id:95102,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/typo3/alt_doc\.php" "phase:2,id:95103,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/admin\.mvc" "phase:2,id:95104,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/galaxyplugin\.php" "phase:2,id:95105,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/custsave\.php" "phase:2,id:95106,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/admin\.php" "phase:2,id:95107,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/gceditor\.pl" "phase:2,id:95108,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/compose\.php" "phase:2,id:95109,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tiki-editpage\.php" "phase:2,id:95110,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300079"
SecRule REQUEST_FILENAME "/editimage\.html" "phase:2,id:95111,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/__utm\.gif" "phase:2,id:95112,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/paypallink\.php" "phase:2,id:95113,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/products_product_process\.php" "phase:2,id:95114,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/merchant\.mvc" "phase:2,id:95115,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/product_modify\.php" "phase:2,id:95116,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/news/add" "phase:2,id:95117,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tce_file\.php" "phase:2,id:95118,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/edit\.php" "phase:2,id:95119,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/egroupware/index\.php" "phase:2,id:95120,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300075"
SecRule REQUEST_FILENAME "/smf/index\.php" "phase:2,id:95121,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:95122,t:none,pass,nolog,skipAfter:END_RULES_95122"
SecRule ARGS|!ARGS:css_text|!ARGS:message "overflow ?: ?auto" "phase:2,deny,log,auditlog,status:403,id:300200,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_RULES_95122
SecRule REQUEST_FILENAME "/livehelp/send\.php" "phase:2,id:95123,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/adserver/www/delivery/lg\.php" "phase:2,id:95124,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/submit\.php" "phase:2,id:95125,t:none,t:lowercase,pass,nolog,noauditlog,skip:1,ctl:ruleRemovebyID=300077"
SecAction "phase:2,id:95126,t:none,pass,nolog,skipAfter:END_RULES_95126"
SecRule ARGS|!ARGS:bodytext|!ARGS:code|!ARGS:/^widget-text/|!ARGS:template|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:template_data|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/^commontemplate/ "style ?= ?\" ?display ?: ?none ?" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300201,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_RULES_95126
SecRule REQUEST_FILENAME "/tbl_replace\.php" "phase:2,id:95127,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/admin\.pl" "phase:2,id:95128,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/do_siteinput_aed\.php" "phase:2,id:95129,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/submitticket\.php" "phase:2,id:95130,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/blacklist\.php" "phase:2,id:95131,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/wysiwyg/save\.php" "phase:2,id:95132,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/add_static_cgi\.php" "phase:2,id:95133,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:95134,t:none,pass,nolog,skipAfter:END_RULES_95134"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:data[About][content]|!ARGS:data[Contact][content]|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:template|!ARGS:/header/|!ARGS:/footer/|!ARGS:/blog_text/ "\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?:/" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300081,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_RULES_95134
SecRule REQUEST_FILENAME "/course/modedit\.php" "phase:2,id:95135,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/livehelp/include/tracker\.php" "phase:2,id:95136,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/leads/orders\.php" "phase:2,id:95137,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/search\.php" "phase:2,id:95138,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tce_db\.php" "phase:2,id:95139,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/sysext/rtehtmlarea/" "phase:2,id:95140,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/parse_html\.php" "phase:2,id:95141,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/index\.php/zblocks/adminhtml_zblocks/" "phase:2,id:95142,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/newticket\.php" "phase:2,id:95143,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/mailer\.php" "phase:2,id:95144,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/serverftpprocess\.php" "phase:2,id:95145,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/product\.php" "phase:2,id:95146,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/csnewsletter\.cgi" "phase:2,id:95147,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/cm/ui\.php4" "phase:2,id:95148,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/grades\.aspx" "phase:2,id:95149,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/content/ajax/page\.php" "phase:2,id:95150,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/filemanager/browser/default/browser\.htm" "phase:2,id:95151,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/noticias/submit\.php" "phase:2,id:95152,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/pncrtl/options\.php" "phase:2,id:95153,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/wp-login\.php" "phase:2,id:95154,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300032"
SecRule REQUEST_FILENAME "/stores/edit_item\.php" "phase:2,id:95155,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/cart\.php" "phase:2,id:95156,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/spc\.php" "phase:2,id:95157,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/private\.php" "phase:2,id:95158,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/thumb\.php" "phase:2,id:95159,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/dbpro\.cgi" "phase:2,id:95160,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/widget\.php" "phase:2,id:95161,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/marque_list\.php" "phase:2,id:95162,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/createsite\.php" "phase:2,id:95163,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/insert\.php" "phase:2,id:95164,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/chat/server\.php" "phase:2,id:95165,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/ajax\.php" "phase:2,id:95166,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/modules\.php" "phase:2,id:95167,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/ajax\.savephotos\.php" "phase:2,id:95168,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/cgi-bin/database/portal\.pl" "phase:2,id:95169,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/callback\.php" "phase:2,id:95170,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/cataloger\.image\.php" "phase:2,id:95171,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/template\.php" "phase:2,id:95172,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/mail\.cgi" "phase:2,id:95173,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/webmail\.aspx" "phase:2,id:95174,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/xml-processing\.aspx" "phase:2,id:95175,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/element/chunk\.php" "phase:2,id:95176,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tiki-adminusers\.php" "phase:2,id:95177,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/res-bev\.php" "phase:2,id:95178,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/reservation_confirm\.php" "phase:2,id:95179,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/eecms\.php" "phase:2,id:95180,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/clientsprofile\.php" "phase:2,id:95181,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/banner_manager\.php" "phase:2,id:95182,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/business_profile_engine\.php" "phase:2,id:95183,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/mailtemplateeditaction\.php" "phase:2,id:95184,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/property-edit\.php" "phase:2,id:95185,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/blog-edit\.php" "phase:2,id:95186,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/index/pdfsettings/" "phase:2,id:95187,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/livehelp/" "phase:2,id:95188,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/livehelpnew/" "phase:2,id:95189,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/livehelpnew/agent/" "phase:2,id:95190,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/scripts/track\.php" "phase:2,id:95191,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/ckeditor/xss" "phase:2,id:95192,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/process/process_job\.php" "phase:2,id:95193,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/process/update_job\.php" "phase:2,id:95194,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/eventpendingaction\.php" "phase:2,id:95195,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/textpattern/index\.php" "phase:2,id:95196,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/connectors/browser/file\.php" "phase:2,id:95197,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/code_editor\.php" "phase:2,id:95198,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/connectors/security/access/policy/template\.php" "phase:2,id:95199,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/login\.php" "phase:2,id:95200,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300079"
SecRule REQUEST_FILENAME "/admin_edit_cat\.php" "phase:2,id:95201,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/delivery/ajs\.php" "phase:2,id:95202,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/members/proc_grp_email\.php" "phase:2,id:95203,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/edit_offer\.php" "phase:2,id:95204,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/manager/index\.php" "phase:2,id:95205,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/invoices\.php" "phase:2,id:95206,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/aw/cat\.php" "phase:2,id:95207,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/register_warranty\.php" "phase:2,id:95208,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/support/agent/index\.php" "phase:2,id:95209,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/we_cmd\.php" "phase:2,id:95210,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/json-api/cpanel" "phase:2,id:95211,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/infraction\.php" "phase:2,id:95212,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/za/zcadm" "phase:2,id:95213,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/updatemenu\.php" "phase:2,id:95214,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/ustawienia\.php" "phase:2,id:95215,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/front_content\.php" "phase:2,id:95216,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/amember/unsubscribe\.php" "phase:2,id:95217,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/addnews\.php" "phase:2,id:95218,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/nereus/article-edit\.php" "phase:2,id:95219,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/contao/main\.php" "phase:2,id:95220,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
SecRule REQUEST_FILENAME "/mt\.cgi" "phase:2,id:95221,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
SecRule REQUEST_FILENAME "/dash/index\.php" "phase:2,id:95222,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
SecRule REQUEST_FILENAME "/categories\.php" "phase:2,id:95223,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tiki-edit_css\.php" "phase:2,id:95224,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/securelogin/configuration\.php" "phase:2,id:95225,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/account/" "phase:2,id:95226,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/account/saved-designs/" "phase:2,id:95227,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/otrs/index\.pl" "phase:2,id:95228,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/define_bottompage\.php" "phase:2,id:95229,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/addonmodules\.php" "phase:2,id:95230,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/plugins/system/" "phase:2,id:95231,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/bfaudit\.php" "phase:2,id:95232,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/filefield/" "phase:2,id:95233,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/pma/import\.php" "phase:2,id:95234,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/securelogin/" "phase:2,id:95235,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/define_header\.php" "phase:2,id:95236,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/product_print\.php" "phase:2,id:95237,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/offers_engine\.php" "phase:2,id:95238,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/modules/custom/shopping_centre/" "phase:2,id:95239,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/changetitle\.php" "phase:2,id:95240,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/edittitle\.php" "phase:2,id:95241,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/pages/clients-massive\.php" "phase:2,id:95242,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/documents/blog\.php" "phase:2,id:95243,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/aendern_erg\.php" "phase:2,id:95244,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/aendern\.php" "phase:2,id:95245,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/sendgrid/unsub\.php" "phase:2,id:95246,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/sendgrid/sub\.php" "phase:2,id:95247,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/item/edit/index\.php" "phase:2,id:95248,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/moodle/mod/lesson/editpage\.php" "phase:2,id:95249,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/checksitelock\.php" "phase:2,id:95250,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/myaccount/modules/addons/" "phase:2,id:95251,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/processing\.php" "phase:2,id:95252,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/modules/v2_news_engine\.php" "phase:2,id:95253,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/configuressl\.php" "phase:2,id:95254,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/shop/remote\.php" "phase:2,id:95255,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/do_add_new_image\.php" "phase:2,id:95256,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/clients\.php" "phase:2,id:95257,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/acp/" "phase:2,id:95258,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/mailblast\.html" "phase:2,id:95259,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/system/ajax" "phase:2,id:95260,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/edicion1\.php" "phase:2,id:95261,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/moderate\.php" "phase:2,id:95262,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/include\.backendedit\.php" "phase:2,id:95263,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/saveredirect\.html" "phase:2,id:95264,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/redaxo/index\.php" "phase:2,id:95265,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/tools/" "phase:2,id:95266,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/displaycombinations_ajax\.php" "phase:2,id:95267,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/supporttickets\.php" "phase:2,id:95268,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/editmainimage\.php" "phase:2,id:95269,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/skriv/entries" "phase:2,id:95270,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/ajax/_products\.php" "phase:2,id:95271,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/builder/" "phase:2,id:95272,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/control/catalog/" "phase:2,id:95273,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/payonline/" "phase:2,id:95274,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/eecms\.php" "phase:2,id:95275,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/get_messages\.php" "phase:2,id:95276,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300074"
SecRule REQUEST_FILENAME "/cgi-bin/apluspro/scripts/" "phase:2,id:95277,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/amember/login" "phase:2,id:95278,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300057"
SecRule REQUEST_FILENAME "/trackpanel/catalog/product_set/" "phase:2,id:95279,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/getcontractextdetails\.php" "phase:2,id:95280,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/wp-json/tcb/v1/lightspeed/optimize" "phase:2,id:95281,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/editquestion\.php" "phase:2,id:95282,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
SecRule REQUEST_FILENAME "/v2c/json/fr\.template\.save/" "phase:2,id:95283,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
SecRule REQUEST_FILENAME "/csm/bp_event/webbuchung/mailer/mailer_sendmail\.php" "phase:2,id:95284,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
SecRule REQUEST_FILENAME "/content-manager/collection-types/" "phase:2,id:95285,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Spam rules
#
# Copyright 2005 - 2024 Atomicorp, Inc. All rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
#Skip these rules if its not a POST or GET
SecRule REQUEST_METHOD "!(?:GET|POST)" "id:370111,phase:2,t:none,skipAfter:END_SPAM,nolog,noauditlog,pass"
#Search engines dont post
#Googlebot|MSNBot|BingBot
SecRule REQUEST_URI "/wp-comments-post\.php" "chain,phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:323299,rev:1,severity:3,msg:'Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule REQUEST_HEADERS:User-Agent "(?:Googlebot|MSNBot|BingBot)" "t:none"
#UA spam
#User-Agent: Opera/9.80 <a href="http://www.youtube.com/watch?v=wAnBXRtU9Qg">how to treat hemorrhoids</a> (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
#<a href="
SecRule REQUEST_HEADERS:User-Agent "< ?a href ?=" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:303299,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Known spam/worm sign
SecRule &REQUEST_HEADERS:Gyoarazujo "@eq 1" "phase:2,deny,log,auditlog,status:403,t:none,id:313299,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Known worm sign'"
#Trusted IPs
#173.0.81.0/24 paypal
#SecRule REMOTE_HOST "@ipmatch 173.0.81.0/24" # "phase:2,t:none,pass,nolog,id:355897,skipAfter:END_SPAM"
#Skip SPAM rules if this is a not something to check for spam, like control panels, ASL gui, etc.
SecRule SERVER_PORT "^(?:844[3-5]|30000)$" "phase:2,id:333721,pass,t:none,nolog,noauditlog,skipAfter:END_SPAM"
#Skip SPAM rules if this is a not something to check for spam, like graphics, videos, CSS, ico, docs, etc.
SecRule REQUEST_FILENAME "\.te?xt$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333896,skipAfter:END_SPAM"
SecRule TX:STATIC "@eq 1" "phase:2,id:'363897',pass,t:none,nolog,noauditlog,skipAfter:END_SPAM"
#Concrete 5 editing bypass
SecRule ARGS:ccm-edit-block-submit "^submit$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333897,skipAfter:END_SPAM"
#Concrete 5 editing bypass
SecRule ARGS:selected "^News$" "phase:2,t:none,pass,nolog,noauditlog,id:353897,skipAfter:END_SPAM"
#Skip SPAM rules for admin applications and the like
#/?_task=mail
SecRule REQUEST_URI "(?:/(?:(?:i(?:nclude\.php?path=forum/editpost|mp/compose)|pr(?:o(?:duct_thumb|file)|eview_static_cgi)|callback|diagnostics|editsection|tickets)\.php|system/index\.php?s=.*c=(?:publish|edit)&m=new_entry$|workshops/register\.php|link(?:machine/linkmachine\.php|s/\?act=addsite)|(?:\?modulo=loja&action|update\.php?pageid)=|nav\.php\?nav=(?:moderate|addnews)|cgi-bin/mailinglist/mail\.cgi)|/(?:(?:s(?:itebuilder|hopadmin)|cms/(?:resources/edit|save/key)|hspc/pcc|node/add|vsadmin)/|w(?:p-(?:content/plugins|admin)/|izard/edit/html)|adm(?:in(?:istrator/)?|/))|\?(?:(?:p=admin_cms|task=(?:edit|addressbook)|tab=admin[a-z]+)&|action=admin)|node/[0-9]+/edit|^/\?[sv]=|\?q=ckeditor|/comment/reply/[0-9]+|/(?:new|edit)/[0-9]+/confirm|/index\.php(?:\?(?:option=com_j(?:reviews|events|easyblog)|tmpl=component|dispatch=)|/blog_admin/manage_blog)/|/calendar/index\.php\?act=calendar&code=addnewevent|/index\.php\?(?:view=article&id=.*&task=edit|p=admin)|/page/edit/\?id=[0-9]+|(?:/(?:(?:m(?:embers/editing|ickadmincp|anager?)|c(?:ontrol_panel|ar_admin|heckout|ms)|p(?:(?:hpmy|a)admin|lugins/payment)|b(?:uild/connectors|ackoffice)|s(?:(?:ecu|to)re|ite-?admin)|adm(?:in(?:istrator|cp)?)?|_admin(?:panel)?|ndxz-?studio|file/ajax|rm-tools|wp-admin|order)/|i(?:n(?:dex.php/(?:mail/composemessage/|component/resman)|stall)|mp/))|admin.(?:p(?:hp|l)|cgi)|(?:message|ipn)\.php)|/catalogsearch/|(?:update(?:case|event)|edit_producto?|wp-load|/inc/go)\.php|/[a-z]+?admin[0-9]+?/|^/livehelpnew/agent/|^/page/submit-news|^\?q=node|^/wbb/acp/index\.php\?form=|^/webmail/|^/adm\?|^/za/zcadm|^/cp/index\.cgi|^/nieuwsbrief/index\.php\?c=template|^/upload/|^/elements/save/|^/articles/update|^/posts?/edit|^/clients/clientarea|/cms_block/save/|^/[a-z0-9\./]+/saml/sso|^/typo?/mod\.php|^/connectors/(?:element|resource)/|^/[a-z]+/[a-z]+/(?:add|edit)/[0-9]+|^/eprocservice/supplierinboundservice|^/index\.php\?module=calendar|^/([a-z]+/)?(?:c?admin|whmadmcp)|^/\?_task=mail|^/ajax/api/editor/|^/services/bmcontent\.json|^/sitelogin/index\.php\?route=catalog|^/publish/index\.php|ipnhandler\.php|paypal/ipn|^/backend/|^/client/vacancies/|^/typo3/index\.php\?route=/rte/wizard/|^/\?option=com_easyblog|^/app/index\.php/zurmo/|^/\?fl_builder|^/sitemgr/|^/index\.php/[a-z]+admin/cms_page/|^/orders|^/sogo/|^/[a-z0-9]+/index\.php\?route=catalog/product/update|^/active-campaign/|^/\?et_pb_preview=|^/services/bmwidget\.json)" "phase:2,id:333898,rev:5,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skipAfter:END_SPAM"
SecRule REQUEST_URI "!(?:/imp/compose\.php|/node/(([0-9]+)/edit|add/news-story)|^/news/add$|/profile\.php)" "phase:2,deny,log,auditlog,status:403,chain,id:300134,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule REQUEST_HEADERS:Referer "!@pmFromFile domain-spam-whitelist.txt" "chain,t:none,t:lowercase"
SecRule REQUEST_HEADERS:Referer "@pmFromFile domain-blacklist.txt" "t:none,t:lowercase"
############ SPAMMY URLS ########################
#
SecRule ARGS "@pm http:// https:// ftp:// ftps:// @" "id:333899,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:343722,t:none,pass,nolog,noauditlog,skipAfter:END_SPAMMY_URLS"
#Broken spamtool
SecRule ARGS:name "^http://www\.[a-z]+," "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:303201,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam Tool detected',logdata:'%{TX.2}'"
# Rule 300001: Blacklist of URI and email sign up spam
SecRule ARGS "(?:(?:ht|f)tps?:/|[a-z0-9._%+-]+@[a-z0-9.-]+)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300001,rev:24,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Abusive or Spam Domain detected in argument',chain,logdata:'%{TX.2}'"
SecRule ARGS "!@pmFromFile domain-spam-whitelist.txt" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule ARGS|!ARGS:gltr_page_content|!ARGS:/admin/|!ARGS:/censor/|!ARGS:block "@pmFromFile domain-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
#
#SecRule REQUEST_HEADERS:Referer "!@pmFromFile domain-spam-whitelist.txt" # "chain,id:300000,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Blacklist Referer Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#SecRule REQUEST_HEADERS:Referer "@pmFromFile domain-blacklist.txt"
# Rule 300034:
# Spammers posting spam into blog/forum software temp & cache
#SecRule ARGS|!ARGS:/comment/|!ARGS:loc|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:msg_body|!ARGS:/text/|!ARGS:/txt/|!ARGS:Post|!ARGS:link_href|!ARGS:src|!ARGS:message|!ARGS:/department/|!ARGS:/reply/|!ARGS:filename|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/ "http://.*[a-z0-9]{2,}\.[a-z]{2,}(?:(/blog)?/wp-content(?:/uploads/|themes|gallery)/|/blogs?/templates/)" # "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300034,rev:19,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam or Malware: URL to temporary directory',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#SecRule REQUEST_URI "!(casetracker)"
# Rule 300052:
#SecRule ARGS "href.*http.*\{@\domain}\.*\{\@url\}.*\{\@anchor\}" # "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300052,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Broken spambot',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300054: Comment Spam
#SecRule ARGS|!ARGS:/email/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:/web/|!ARGS:/host/ "(?:ht|f)tps?://.*[0-9]{7,}(web\.)?\.(?:com|net|org)" # "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300054,rev:6,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Bad URL',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300036:
#SecRule ARGS|!ARGS:/page_content/ "(?:[0-9]+(books|epson|fang|flower|tour)\.com|d+x?\.(?:fate\.se|aus\.cc|bilsay\.com|lov3\.net|plorp\.com|top\.tc|us\.to|a\.la|dnip\.net|ig3\.net|mercedesazcona\.com\.ar|mooo\.com|myserver\.org|static\.net|uk\.to|weedns\.com)|\.ltdcr\.(?:com|net|org|cn)|\.hkce\.(?:org|net)|\.cegcr\.(?:com|net)|\b51hc\.(?:com|net)|club[1-4]?\.blog-city\.com|wifi(?:-world|-planet|guide)\.org|(?:au-(?:feminin|masculin)|(?:casino|slots|car-?insurance).*)\.blogspot\.com|yahotels\.(?:net|eu)|gundam(?:wing|seed)\.de|\.more\.(?:at|by)|\.notrix\.(?:at|ch|de|net)|shurl\.(?:net|org)|tiny(?:click|link)\.com)/" # "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300036,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Spammy Domain detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300014:
# needs more testing
# /^([a-z0-9]([-a-z0-9]*[a-z0-9])?\\.)+((a[cdefgilmnoqrstuwxz]|aero|arpa)|(b[abdefghijmnorstvwyz]|biz)|(c[acdfghiklmnorsuvxyz]|cat|com|coop)|d[ejkmoz]|(e[ceghrstu]|edu)|f[ijkmor]|(g[abdefghilmnpqrstuwy]|gov)|h[kmnrtu]|(i[delmnoqrst]|info|int)|(j[emop]|jobs)|k[eghimnprwyz]|l[abcikrstuvy]|(m[acdghklmnopqrstuvwxyz]|mil|mobi|museum)|(n[acefgilopruz]|name|net)|(om|org)|(p[aefghklmnrstwy]|pro)|qa|r[eouw]|s[abcdeghijklmnortvyz]|(t[cdfghjklmnoprtvwz]|travel)|u[agkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw])$/
#
#SecRule REQUEST_URI "!(?:/imp/compose\.php|/node/(([0-9]+)/edit|add/news-story)|^/news/add$)" # "capture,id:300014,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Possible Random Nonsensical URL detected',chain,logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#SecRule REQUEST_HEADERS:Referer "!(?:/imp/login\.php)" chain
#SecRule ARGS "http://(?:[a-z]*[x-z][a-z]*q[^u][a-z]*|[a-z]*q[^u][a-z]*[x-z][a-z]*).*\.[a-z]{2,}/"
#
#rjblhwqgarriawtjkubz, http://www.menopausetreatmentblog.com/ menopause symptoms, IkoLrvM, http://www.cankersoresinfo.com/ canker sore, gfsyaAM, http://www.yourinsomniablog.com/ sleep aid, qXNbhEE, http://www.yoursexualhealthblog.com/ Sexual Health, ITuZoif, http://www.bladder-cancer-info.com/ Bladder Cancer, DumMdUm, http://www.braininjuryinfoblog.com/ Traumatic Brain Injury, gHlyTzw, http://www.goutmatter.com/ Gout symptoms and treatment, XxBqkFf, http://www.crohnsdiseaseblog247.com/ crohns disease, sSNGXhk.
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:ban|!ARGS:/admin/|!ARGS:/sql/|!ARGS:/query/ "^[a-z]{16,} , < ?a href ?= \"? ?http://[a-z\.0-9/]+/ [a-z]+ [a-z]+, [a-z]{6,}, http://[a-z\.0-9/]+/ [a-z]+" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300299,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:ban|!ARGS:/admin/|!ARGS:/sql/|!ARGS:/query/ "^[a-z0-9]{4,32} ?, ?< ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*> ?[a-z0-9]{4,32} ?.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?.*, ?< ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?, < ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, [a-z0-9]{4,32} ?," #"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300300,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Spamming wiki urls
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[" "id:333900,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333723,t:none,pass,nolog,noauditlog,skipAfter:END_SPAMMY_URLS"
#Rule 300079:
SecRule ARGS|!ARGS:item_value|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:data[About][content]|!ARGS:data[Contact][content]|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:template|!ARGS:/header/|!ARGS:/footer/ "(?:\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?:/|(\[ ?(url|link) ?\]https?://.*\[ ?/ ?(url|link) ?\].*){4,})" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300079,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Multiple URLs in a wiki post
SecRule ARGS|!ARGS:suffix|!ARGS:ban|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:/template/|!ARGS:/header/|!ARGS:/footer/ "(\[ ?http://.*){4,}" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300023,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#
SecRule ARGS "(\[ ?url ?= ?\"? ?https?://.*\[ ?link ?= ?\"? ?https?://.*|\[ ?link ?= ?\"? ?https?://.*\[ ?url ?= ?\"? ?https?://)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300182,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Mixed URL posting types - possible spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#[url=http://example.com/foo/bar/+]junk[/url]+&location=USA&occupation=Real&interests=Religion,+spiritual&signature=[url=[url=http://www.example.com+]spam phrase[/url]+]another spam phrase[/url][url=[url=http://www.example.com]more spam phrases&#243;wek[/url]+]spam phrase[/url]
SecRule ARGS "\[ ?url ?= ?\[ ?url ?= ?\"? ?https?://.*url ?\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300282,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Broken URL posting type - possible spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#>>>+Technical+Jobs+In+Spamland+<<<
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[ ?http://.*>>> ?[a-z0-9 -_.,\"\'\|]+ ?<<<.*\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300302,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Known wiki spam pattern
#==<center>[http://example.com/stuff<big>'''<u>morestuff</u>'''</big>]</center>==
SecRule ARGS|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "< ?center.*\[ ?http://.*big ?>.*'' ?[a-z0-9 -_.,\"\'\| ].*big.*\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300313,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_SPAMMY_URLS
#Spam signups
SecRule REQUEST_URI "/ucp\.php" "phase:2,deny,log,auditlog,status:403,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,id:391100,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum',chain,logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS:occupation "(?:^,,,,,|Здравоохранение|Реклама|пластика)"
############ SPAMMER TRICKS ##############
SecRule ARGS "@pm font height hidden auto width position absolute overflow style display px" "id:353901,phase:2,t:none,t:urlDecodeUni,t:replaceComments,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333734,t:none,pass,nolog,noauditlog,skipAfter:END_HIDDEN_TEXT"
SecRule ARGS:send_mail "^true$" "id:375111,rev:1,phase:2,t:none,t:urlDecodeUni,t:lowercase,skipAfter:END_HIDDEN_TEXT,nolog,noauditlog,pass"
SecRule ARGS:text "^< ?\? ?php" "id:375141,rev:1,phase:2,t:none,t:lowercase,t:compressWhiteSpace,skipAfter:END_HIDDEN_TEXT,nolog,noauditlog,pass"
#Rule 300056: Hidden spam links
#examples:
#<font style=position:absolute;overflow:hidden;height:1px;width:1px;>
#overflow:auto;width:0;height:0
SecRule ARGS|!ARGS:field_id_2|!ARGS:/email/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:/^Store_OUI_/|!ARGS:grid_html|!ARGS:/code/|!ARGS:/tt_content/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:/^we_/|!ARGS:tmpl|!ARGS:/^elements/|!ARGS:formData|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "<.{,200}style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).{1,200} (?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300056,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Hidden wiki text using a negative pixel size
#example
#{CODE(ishtml="1")}<div class="dnn_dnnContent" style="margin-left: -1500px;"><a href="http://otimizacao-de-websites.com">otimização de sites</a> <a href="http://desentupidorasanehidro.com.br">desentupidora</a> <a href="http://www.graficavendahoje.com.br">grafica</a> <a href="http://www.deeplaser.com.br">clinica de estetica</a> <a href="http://asacompanhantessp.com.br">acompanhantes sao paulo</a> <a href="http://pactotransportes.com.br">transportadora</a> <a href="http://www.mtksistemas.com.br">relogio de ponto</a> <a href="http://www.dentistaespecialista.com.br">dentista</a></div>{CODE}
#SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:/code/|!ARGS:formData "(?:height|width) ?(?:=|\:) ?(?:\"|\')? ?-[0-9]+ ?(?:\"|\')? ?px ?;" SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:grid_html|!ARGS:/tt_content/|!ARGS:/code/|!ARGS:optional_head|!ARGS:formData|!ARGS:/^we_/|!ARGS:/^elements/ "< ?div.{1,200}style=\-[0-9]+ ?px ?;.{1,200}< ?/ ?div ?>" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300058,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Using Negative Pixel Size',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 30076
# This matches against height:0-4px (most CSS hidden spam) (regardless of whitespace on either side of the colon)
# This matches against overflow:auto (regardless of whitespace on either side of the colon)
SecRule ARGS|!ARGS:document|!ARGS:/field_id_2/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/email/|!ARGS:/^jform/|!ARGS:facebookiframe|!ARGS:editor|!ARGS:/tt_content/|!ARGS:objectToLike|!ARGS:grid_html|!ARGS:/previewdata/|!ARGS:optional_head|!ARGS:customized|!ARGS:/^grid_html$/!ARGS:/scrollstyle/|!ARGS:statichtml|!ARGS:/^elements/|!ARGS:/^we_/|!ARGS:html|!ARGS:formData|!ARGS:/code/|!ARGS:body_html|!ARGS:/^Store_OUI_/|!ARGS:_message|!ARGS:pdf|!ARGS:/img_style/|!ARGS:field_description|!ARGS:code|!ARGS:emailmessage|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/^emtext/|!ARGS:htmlPreview|!ARGS:file_content|!ARGS:/department/|!ARGS:filecontent|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:resumoDetalhe|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:code|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "(?: (?:height|width) ?(?:=|\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?\"? ?display ?: ?none ?)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300076,rev:31,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_HIDDEN_TEXT
#####SKIP ALL SPAM RULES BY KEYWORD#########
#SecRule ARGS "@pmFromFile spam.data" # "phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
# SecAction phase:2,pass,nolog,noauditlog,skipAfter:END_SPAM
#skip spam rules for content about spam
SecRule ARGS "@pm spamassassin qmail smapdyke postfix clamav clamd modsecurity mod_security ossec" "phase:2,id:333902,t:none,pass,nolog,noauditlog,skipAfter:END_SPAM"
############ GAMBLING SPAM ##############
SecRule ARGS "@pm casino poker roulette slot pacific hold texas royal bet" "phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,id:333903,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333735,t:none,pass,nolog,noauditlog,skipAfter:END_GAMBLING_SPAM"
# Rule 300032:
SecRule ARGS|!ARGS:/token/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:pacific[ -_.,\"\'\|].{1,100}poker|[ -_.,\"\'\|].{1,100}casino[ -_.,\"\'\|]|slot[ -_.,\"\'\|].{1,100}machines|(?:random|free|internet)+[ -_.,\"\'\|].{1,100}slots|poker|casino[ -_.,\"\'\|](?:games|action)|bet(ting)?[ -_.,\"\'\|](?:at|on)[ -_.,\"\'\|](?:home|horse))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,chain,id:300032,rev:11,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule MATCHED_VAR "!(poker flat|casino royale|un casino di)"
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "!(poker flat|casino royale)"
# Rule 300028:
SecRule ARGS|!ARGS:/domain/|!ARGS:/token/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:texas[ -_.,\"\'\|].{1,100}hold[ -_.,\"\'\|]?em|texas[ -_.,\"\'\|]?hold[ -_.,\"\'\|]?em|casino[ -_.,\"\'\|]?online)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300028,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Gambling',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_GAMBLING_SPAM
############ WEIGHT LOSS SPAM ############
# Rule 300042:
SecRule ARGS "@pm weight loss" "id:353904,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333736,t:none,pass,nolog,noauditlog,skipAfter:END_WEIGHTLOSS_SPAM"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:username|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:lose[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?quick|weight[ -_.,\"\'\|]?loss[ -_.,\"\'\|]?pills?|(?:rapid|quick)[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?loss)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300042,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Weight Loss',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_WEIGHTLOSS_SPAM
############ GENERIC SPAM ################
SecRule ARGS "@pm bulk sysco jagk knloony cam sysrem lemon exit defunct commie andrew music miccel rooo rowdd colkk fortune magazine finder netfirms rolex z0rder fargo weight virility pills squirrel online lezaquin golden mortgage pill hyphen force fast laser fuel cheap phone hontak lasik huojia jinx telemati diamond horo oa274 star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance loan follow tprehj license ushummingirds credit divorce forever video ganzaoji geurtstagskarten imwithoy liuhecai pharm myzenegra netftplya netguy degree oyoulders payday sonnerie calculator" "phase:2,pass,t:none,t:urlDecodeUni,pass,id:363905,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333737,t:none,pass,nolog,noauditlog,skipAfter:END_GENERIC_SPAM"
# Rule 300051:
SecRule ARGS|!ARGS:/dnssearch/|!ARGS:/pf.pass/|!ARGS:/pf.user/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:magazine[ -_.,\"\'\|]?(?:finder|netfirms)|rolex[ -_.,\"\'\|]|z0rder|well-fargo|phvonline|weight-watcher|virility[ -_.,\"\'\|]pills|squirrelht|sams-club-online|nexium-online|levaquin-500|golden-coins|gmac-mortgage-corp|enlarge(ment)?pill|crestor[ -_.,\"\'\|]online|3hyphens|forcedvid|fastpayd|spycam|laser[ -_.,\"\'\|]?eye|eye[ -_.,\"\'\|]?laser|fuelcellmarket|fuel-dispenser|fueling-dispenser|cheapest[ -_.,\"\'\|]?i?phone|kontaktlinsen|lasikclinic|huojia|jinxinghj|telemati[ck]sone|a-mortgage|diamondabrasives|-horoskop|oa274|exicornt|afmbb\.|cragrats\.|reuterbrook|lazy-stars|szilva96|(?:mortgage|home loan) calculator|fast loan)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300051,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: General',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300009:
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:cash[ -_.,\"\'\|]?advance|pay[ -_.,\"\'\|]?day[ -_.,\"\'\|]?loan|(?:i|la)-sonneries?[ -_.,\"\'\|]*\.[a-z]{2,})" # "phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300009,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Possible Loan Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_GENERIC_SPAM
############ MALE ENHANCEMENT ##############
SecRule ARGS "@pm penis male enlarg enhanc natural surgery pill traction pump diet member rod cock dick shaft bigger larger increase" "id:333906,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333738,t:none,pass,nolog,noauditlog,skipAfter:END_MALEENHANCE_SPAM"
# Rule 300056:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:male|penis)[ -_.,\"\'\|]?(?:en(?:larg|hanc)|natural|pill|surgery|traction|pump)|(?:diet|penis|male)[ -_.,\"\'\|]?(?:pills|en(?:larg|hanc))|(?:en(larg|hanc)).{0,10}(?:male|penis)|pills? x [0-9]+ ?mg|enlarge[ -_.,\"\'\|]?yourself[ -_.,\"\'\|]?now|advanced[ -_.,\"\'\|]?gain[ -_.,\"\'\|]?pro|(?:bigger|larger|increase[ -_.,\"\'\|]?your)[ -_.,\"\'\|]?(?:member|rod|shaft|cock|dick|penis)\b[ -_.,\"\'\|])" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300010,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_MALEENHANCE_SPAM
############ PHARMACY SPAM ################
SecRule ARGS|!ARGS:/medical/|!ARGS:/drug/ "@pm adipex allegra ambien amitriptyline bontril buy canadian carisoprodol celexa cheap cialis didrex diet diethylpropion hormone discount drug steroid effexor ephedra ephedrine ewilla extra fioricet flonase free gluclosamine glucosamine hgh hydrocodone ionamin levitra lexapro lipitor lisinopril lostr lsotr medic meridia mexic neurontin nexium nullnix online order ortho oxycodone paxil penicillin pharm phendimetrazine phentermine pheromone pill pimrim plavix plongs ponagansetpost prednisone prescript prevacid price propecia protonix provigil prozac pseudovent ragazze ritalin seroquel silagra startseek store strattera suboxone synthroid tadalafil tenuate topamax toprol tramadol trazodone tricyclen ultracet ultram valium valtex valtrex abilify premarin viagra impotence lithobid keflex terbinafine lamisil gleevec aztrin azithromycin desyrel oleptro beneficat desirel molipaxin thombran trazorel trialodine trittico mesyrel trazodone lamictal purim salbutamol flovent flonase phentrimine aciphex cimetidine ranitidine omeprazole pantoprazole zantac prilosec citalopram lorazepam vicodin vigrx vig-rx vioxx voltaren vytorin wellbutrin xanax xenical zithromax zocor zoloft zyban zyprexa zyrtec doxycycline alli supplements methylphenidate prescription augmentin amoxil outlet dapoxetine" "id:333907,rev:2,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333739,t:none,pass,nolog,noauditlog,skipAfter:END_PHARM_SPAM"
# Rule 300040:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/email/!ARGS:Mensaje|!ARGS:/product/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/medical/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/ "(?:(?:nullnix|plongs|pimrim|ewilla|startseek|ponagansetpost|prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil!l|vioxx|celexa|valtrex|zyrtec| hgh |!(t)ambien |carisoprodol|dapoxetine|flonase|allegra|didrex|bontril|nexium)+[ -_.,\"\'\|].{1,100} -_.,\"\'\|](?:l(?:so|os)tr)|ragazze-? ?|(?:prices|pills|buy|diet.{1,100}medic(?:ine|ation|al)|drug).{1,10}pharma|[ -_.,\"\'\|]meridia[ -_.,\"\'\|]|(?:wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ultram |ortho.?tricyclen)+[ -_.,\"\'\|])\.[a-z]{2,}" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300040,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300057:
# stacked spam rule - levitra-levitra-levitra or leviTrA retila_prosac etc.
SecRule ARGS|!ARGS:/page_content/|!ARGS:file|!ARGS:Mensaje|!ARGS:/product/|!ARGS:/medical/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/|!ARGS:/email/ "[-_ ]?\b(?:adipex|suboxone|pseudovent|topamax|trazodone|prevacid|zyrtec|xenical|toprol|zoloft|synthroid|valtrex|wellbutrin|valium|protonix|vytorin|ritalin|zocor|seroquel|ultracet|plavix|voltaren|zyprexa|xanax|vicodin|penicillin|tramadol|provigil|prednisone|vioxx|zithromax|strattera|ultram!(a)|prozac|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|amoxil\b|augmentin\b|lamisil|gleevec|aztrin|azithromycin|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|trittico|mesyrel|trazodone|methylphenidate|sertraline|lamictal|purim|salbutamol|flovent|dapoxetine|flonase|phentrimine|aciphex|cimetidine|pantoprazole|omeprazole|ranitidine|zantac|prilosec|citalopram|lorazepam|doxycycline|propecia|natural[-_ ]?hormone[-_ ]?replacement|levitra|phentermine|cialis\b |fioricet|ephedra|ambien\b|carisoprodol)\b[-_ ]?" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300061,rev:25,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300011:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/medical/|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:(?:online|canadian|mexic(?:an|o))[ -_.,\"\'\|]?(?:pharmacy|drug[ -_.,\"\'\|]?store|medication)|(?:cheap(?:est)?|free)[ -_.,\"\'\|]?(?:pill|drug|steroid)s|order(?:ing)?[ -_.,\"\'\|]?(?:drug|pill|steroid)s[ -_.,\"\'\|]?online|extra [0-9][0-9]\% (?:pill|drug|steroid)|[ -_.,\"\'\|]?discounted[ -_.,\"\'\|]?(?:prescriptions?|drug|steroid)|no[ -_.,\"\'\|]?(?:prior)?[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?needed|online[ -_.,\"\'\|]?phentermine|phentermine[ -_.,\"\'\|].{1,100}online|online[ -_.,\"\'\|](?:prescription|pharmacy|drug[ -_.,\"\'\|]?store)[ -_.,\"\'\|]|muscle supplements and free stuff|free supplements|purchase[ -_.,\"\'\|]?[a-z]+[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?on[ -_.,\"\'\|]?line|buy[ -_.,\"\'\|]?generic[ -_.,\"\'\|]?[a-z0-9]+[ -_.,\"\'\|]?online)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300011,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300038:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/!ARGS:/page_content/|!ARGS:/medical/ "\b(?:silagra|ritalin|levitra|carisoprodol|oxycodone|phentermine|amitriptyline|diethylpropion|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|lamisil|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|dapoxetine|trittico|mesyrel|trazodone|aztrin|azithromycin|lamictal|purim|salbutamol|flovent|flonase|phentrimine|aciphex|cimetidine|pantoprazole|cimetidine|protonix|ranitidine|zantac|prilosec|citalopram|omeprazole|lorazepam|doxycycline|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|tadalafil|ephedrine|neurontin|glucosamine|cialis\b |lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra| alli weight)[ \-_.,<>\|\"\']" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300038,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_PHARM_SPAM
########## ADULT SPAM#################
SecRule ARGS "@pm 9sekund abuse adult alicia amateur anal animal anime apparatus asia ass assauly audition bang barn bdsm beast bestial big blow bondage boob boy brother bukakke bung butt buy bynes c0ck cam camel celeb chat cheat cheer child club cock comic costume counch cuck cuff cum cunt d1ck dad dailyorbit daughter dick dildo dirty dog doll door dress ebony exotic face femdom femsub fetish filth fist fresh fuck furniture gang gay giant girl golden grann hairy hand hannigan hardcore homo horny horse hot hub hudgens hunter huojia husband hyke incent incest japanese jinxinghj kink l1ck large latex lesbian lick leashed little live lolita love maledom malesub man manga mature member men milf mom mouth movie naked natural niece nude nudity nurse pair paris penis photo pic pig plug pony petgirl porn pussies pussy queen rod russian scat scene schoolgirl schoolboy seduce sex s-e-x shabby shaft shag shaved shemale shower silver sister slave sleep slut small son spank spy still story strapon strip submissive suck sultry swap swinger talk tape tease teen tied top torture tounge toy trailer tran tube twink uncle under vagina vibrat vid virgin voyeur whip wife wive woman women xxx young zone zoo orgasm rape illegal date ptch model pantyhose pantyhouse hentai cuckold" "id:353908,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333740,t:none,pass,nolog,noauditlog,skipAfter:END_ADULT_SPAM"
# Rule 300065:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:[ -_.,\"\'\|]+brutal[ -_.,\"\'\|]+dild(?:oes|o|os)[ -_.,\"\'\|]|[ -_.,\"\'\|]cum[ -_.,\"\'\|]shots?[ -_.,\"\'\|]|(?:hairy|shaved|leashed|under[ -_.,\"\'\|]?age|lolitas?|teens?) (?:[a-z]+ puss(?:y|ies)|puss(?:y|ies))|[ -_.,\"\'\|]+(?:naked|porn|adult|school(?:girl|boy)|(?:gay|anal) sex)[ -_.,\"\'\|]+movies?[ -_.,\"\'\|]|[ -_.,\"\'\|](?:hudgens|free)[ -_.,\"\'\|]+naked[ -_.,\"\'\|]|9sekund|find-it-buy-it|bukakke|(?:incest|amat(?:eur|ure)|horny|bondage|bestiall?ity|slave|submissive|femdom|maledom|femsub|malesub|gay|lesbian|bi(?:-| )?sexual|lolitas?|shemales?|(?:g|t)rann(?:ys?|ies)|swingers?|milfs?|(?:hot|slut)[ -_.,\"\'\|]?wi(?:v|f)es?|under[ -_.,\"\'\|]?age|sex[ -_.,\"\'\|]?doll|fisting|child|lolitas?|preteens?)[ -_.,\"\'\|]?\b(?:boys|sex|porn|video|mpe?g|avi|wmv|fuck|shag|xxx)\b|teen[ -_.,\"\'\|]?(?:lesbian|gay|girls?|boys?)[ -_.,\"\'\|]?orgasm|porno?[ -_.,\"\'\|]?(?:film|video)|video porno|girls[ -_.,\"\'\|]?in[ -_.,\"\'\|]?pantyhou?se|school(?:boy|girl)[ -_.,\"\'\|]cumshot|sexx?y teen model|teen model sexx?y|/wporn/w gay)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300065,rev:11,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Content Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300068:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:silver[ -_.,\"\'\|]foxes|sex[ -_.,\"\'\|]?toys?[ -_.,\"\'\|]?(?:for[ -_.,\"\'\|]?sale|online|store)|free[ -_.,\"\'\|]?adult|sex-position|fake[ -_.,\"\'\|]?vagina|lovehoney ?sex|adult[ -_.,\"\'\|]?(?:shop|store)|anal[ -_.,\"\'\|]?(?:sex)?[ -_.,\"\'\|]?toy|dildos|strapon|butt[ -_.,\"\'\|]?plug|vibrators|official[ -_.,\"\'\|]?pornstar|[ -_.,\"\'\|]inch(?:es)? .{0,10}(?:cock|dick)\b|(?:bdsm|bondage)[ -_.,\"\'\|]?apparatus|(?:sex|fuck|shag|bondage|bdsm)[ -_.,\"\'\|]?(?:furniture|couch)|[ -_.,\"\'\|](?:suck|l[i1]ck).{1,30}(?:c[o0]ck|d[i1]ck|pussy)[ -_.,\"\'\|]|sultryserver|cock[ -_.,\"\'\|]?ring !(nano )|group[ -_.,\"\'\|]?sex|(?:nude|naked|xxx)[ -_.,\"\'\|]?(?:celebs|cheerleaders|girls|boys|teens|nymph)|(?:illegal|rape|fetish|latex|slave|bdsm|leashed|bondage|bestiall?ita?y|farm)[ -_.,\"\'\|]?(?:porn|xxx)|(?:pony|pet)[ -_.,\"\'\|]?(?:girl|boy)|date[ -_.,\"\'\|]?rape[ -_.,\"\'\|]?drug[ -_.,\"\'\|]?video)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300068,rev:9,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300057: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:amember_pass|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:back[ -_.,\"\'\|]?seat[ -_.,\"\'\|]?bangers?|gang[ -_.,\"\'\|]?bang(?:ed|ing)?)[ -_.,\"\'\|]|(?:fuck|shag)[ -_.,\"\'\|]?giant[ -_.,\"\'\|]?cock\b|(?:mouth|face)[ -_.,\"\'\|]?(?:fuck|shag)|(?:huge|massive|monster)[ -_.,\"\'\|]?(?:cock|dick|strapon)\b[ -_.,\"\'\|]?(?:small|tiny|little)[ -_.,\"\'\|]?(?:wom(?:a|e)n|girl|boy|twink)|girls[ -_.,\"\'\|]?next[ -_.,\"\'\|]?door[ -_.,\"\'\|]?on[ -_.,\"\'\|]?e|(?:top|biggest|hottest|sexiest|teen)[ -_.,\"\'\|]?porn[ -_.,\"\'\|]?stars|(?:hannigan|nymphets?|bynes|alicia[ -_.,\"\'\|]silverstone)[ -_.,\"\'\|]?(?:nude|nudi(?:es|ty)|american[ -_.,\"\'\|]pie)[ -_.,\"\'\|]|(?:blow[ -_.,\"\'\|]?(?:jobs?)[ -_.,\"\'\|]|jennas[ -_.,\"\'\|]?myspace | i kissed a girl|(?:mature|teen|au ?pair)[ -_.,\"\'\|]?(?:sex|porn|xxx|club)[ -_.,\"\'\|]?(?:sex|club|porn|xxx)))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300057,rev:8,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300003: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:g(?:a|u)y|homosexual|bi-?sex(?:ual)?|shemales?|lolitas?|manga|virgins?|teens?|porno?)[ -_.,\"\'\|](?:beastiality|bestiallity|sex[ -_.,\"\'\|]scenes?|video|slut|trailer|(?:boy|girl)[ -_.,\"\'\|](?:pic|video)s?|(?:fuck|shag)ing)|(?:naked|vivid|xxx)[ -_.,\"\'\|](?:boys|girls|child[ -_.,\"\'\|]sex)|anime[ -_.,\"\'\|]boobs?|shabby[ -_.,\"\'\|]virgins?|(?:cunt|pussy|vagina|cock|trann?(?:y|ie)s?|shemales?)[ -_.,\"\'\|]?abuse|cock[ -_.,\"\'\|]?(?:and)?[ -_.,\"\'\|]?ball[ -_.,\"\'\|]?torture|sleep[ -_.,\"\'\|]?assault|my[ -_.,\"\'\|]?gay[ -_.,\"\'\|]?(?:tale|story|porn)|camel[ -_.,\"\'\|]?toe[ -_.,\"\'\|]?auditions?|teen[ -_.,\"\'\|]?anal[ -_.,\"\'\|]?queen|[ -_.,\"\'\|]ebony[ -_.,\"\'\|]porn)[ -_.,\"\'\|]" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300003,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300004: Comment Spam
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:beastilality|bestiallity)[ -_.,\"\'\|]?stor(?:y|ies)|bounce[ -_.,\"\'\|]?your[ -_.,\"\'\|]?boob|\bshow[ -_.,\"\'\|]?your[ -_.,\"\'\|]?(?:pussy|cunt|cock)\b|dailyorbit|i-horny|filthserver|milf[ -_.,\"\'\|].{1,100}(?:hunter|cruiser|mom)|(?:fuck|shag|anal)(ing)? lessons?|mikes?[ -_.,\"\'\|]apartment|sexy[ -_.,\"\'\|](?:moms|lingerie|teens?)|(?:horse|animal|dog|farm)[ -_.,\"\'\|].{1,100}\b(?:porn|cocks?|dicks?|sex|penis|blowjob)\b[ -_.,\"\'\|]?|free[ -_.,\"\'\|]?(?:sex|beastiality|bestiallity|extreme|(gay|(?:bi|tran)sex(ual)?)? ?porn|xxx|adult|bondage|bdsm|femdom|sex|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]|(?:sex|beastiality|bestiallity|porn(o|s)?|xxx|adult|bondage|bdsm|femdom|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]?free|camfun24|(?:fresh|dirty)[ -_.,\"\'\|]?(?:girls|comics|boys|teens)|dirty[ -_.,\"\'\|]sex[ -_.,\"\'\|]comic|top model links|teenmodel club)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300004,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 30074
SecRule ARGS|!ARGS:/saml/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail|!ARGS:/ajax/ "(?:s-e-x|zoo(?:ph|f)ilia|giant cock\b|porn(?:hub|tube)|sexyongpin|(?:wi(?:f|v)es?|slaves?|strippers?|whores?|prostitutes?|under[ -_.,\"\'\|]?age|teeners?|lolitas?|animal|dog|couples?|bisexuals?|bicurious|anal|ass|fisting|rimming|pussy[ -_.,\"\'\|]?(?:(?:li|fu)cking|sex)|barnyard|lesbians?|dykes?|horses?|zoo|nurses?|cheerleaders?|costume|dressup|topless|exotic[ -_.,\"\'\|]?dancer)[ -_.,\"\'\|]?(?:sex|porn|video|xxx)|sex-with|(?:cam|chat|online)sex|live[ -_.,\"\'\|](?:sex|nude|girls)|sexchat|(?:adult|free)[ -_.,\"\'\|]?porn|adult[ -_.,\"\'\|]?video|adultweb|hardcore(?:sex|porn)|(?:teen|lolitas?|xxx|core)porn|cam(?:girl|live|lolita)|(:?animal|cam|chat|dog|hardcore|live|online|voyeur)sex|(?:paris[ -_.,\"\'\|]?hilton|kardashian)[ -_.,\"\'\|]?sex[ -_.,\"\'\|]?tape|huojia|jinxinghj|sex[ -_.,\"\'\|]?(?:plugin|zone)|boy-and-girl-kiss|naughty[ -_.,\"\'\|]?high[ -_.,\"\'\|]?school|(?:horny|sexy|under[ -_.,\"\'\|]?age|amateur)[ -_.,\"\'\|]?(?:teen|porn|xxx|l(?:esbian|olita|ingerie)|bisexual|shemale)|adult[ -_.,\"\'\|]?buy[ -_.,\"\'\|]?sex|sex[ -_.,\"\'\|]?toy[ -_.,\"\'\|]?store|adult[ -_.,\"\'\|]?shopping|(?:under[ -_.,\"\'\|]?age|asian|lesbian|incest|girls?|lolitas?|shemale|(?:g|t)rann(?:y|ie))[ -_.,\"\'\|]?(?:sex|porn)|!(be)slut|sex[ -_.,\"\'\|]?(?:\bcam\b|chat|plugin|zone)|adult(?:chat|live|porn|web|friend|xxx)|porn(?:all|m|sex|zone|web|link)|(?:mail[ -_.,\"\'\|]?order|russian)[ -_.,\"\'\|]?bride|dominatrix|maledom|femdom|femsub|malesub|cuckold|(?:ass|butt)[ -_.,\"\'\|]?(?:fuck|shag)|scatology|girl[ -_.,\"\'\|]?girl|foot[ -_.,\"\'\|]?fetish|golden[ -_.,\"\'\|]?shower|submissive[ -_.,\"\'\|]?(?:male|female|husband|wife|girl|boy|dyke|lesbian|twink)|lolita (?:(?:erotica|beauty|model|young|lolita) (?:pic|nude|blue)|underage)|(?:ukraine|russian?|underaged?|asian?|great|little|forbidden|lesbian|teens?|preteens?) lolita|(?:pedo|underage|babies|content) pthc|pthc (?:megaupload|bbs|kasumi)|aqua teen porn|(?:preteen(age)?|underage|lolita) mod(?:el|le))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300074,rev:23,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300078:
SecRule ARGS|!ARGS:/saml/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/refer/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/ "[ -_.,\"\'\|](?:sister cartoons|couples? (?:seduce|fuck|bang|shag) (?:teen|young|girl|boy|little)|(?:sister|milf|gay|lesbian|lolitas?|under[ -_.,\"\'\|]?age|teen(?:er)?s?|hardcore|porn)s? (?:sex|fuck|shag)|cumming[ -_.,\"\'\|]?on[ -_.,\"\'\|]?(each[ -_.,\"\'\|]?other|(?:her|his)[ -_.,\"\'\|]?face)|(?:cheating|slut|swapp?(?:ing)?)[ -_.,\"\'\|]?wi(?:v|f)e|free[ -_.,\"\'\|]?movies?[ -_.,\"\'\|]?of|sexy[ -_.,\"\'\|]?strip[ -_.,\"\'\|]?tease|(porno?|sex|gay|lesbian|under[ -_.,\"\'\|]?age|lolita)[ -_.,\"\'\|]?(?:movie|video|picture|still|photo)s?|hardcore[ -_.,\"\'\|]?(?:porn|xxx|movies|teen|lolita)|hentai|(great|fuck|shag)[ -_.,\"\'\|]?penis(?:es)?|(?:real|cute|atk|extreme|ugly|crazy|free|local)[ -_.,\"\'\|]?hairy[ -_.,\"\'\|]?girls?|(?:little|young|underage)[ -_.,\"\'\|]?(?:girl|boy)s?[ -_.,\"\'\|]?(?:naked|sex|fuck|shag|xxx|porn)|large[ -_.,\"\'\|]?natural[ -_.,\"\'\|]?(?:tit|boob)(?:ie)?s?|naked[ -_.,\"\'\|]?(?:boys|girls)[ -_.,\"\'\|]?young|hentai[ -_.,\"\'\|]|(?:big[ -_.,\"\'\|]?tits?|\bporn\b|anal|cuckold|school(?:girl|boy))[ -_.,\"\'\|]?gall?er(?:y|ies))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300078,rev:6,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_ADULT_SPAM
############ COMMERCIAL SPAM #############
SecRule ARGS "@pm free survey cheap discount sale ipod iphone dumps cvv nkoia phone music mp3 player plasma flat screen xbox play payment station ps3 ps2 superfood fuel vaction time share named number increase guarantee advice rollx rollex diet pill vacation percent off buy rumer online leads google ranking limited itune zune wii ipad brass cable broad cigarette phone gifts spells office purchase graduation money shop hand shoulder gucci vuitton oakley" "id:333909,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,t:none,id:333741,pass,nolog,noauditlog,skipAfter:END_COMMERCIAL_SPAM"
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:brass(?:fast|-parts-india|-nuts-screws-fasteners|-inserts|-fittings-india|-fastener-india|-copper-castings|-components-india|turnedcomponents|terminalconnectors|-screws-bolts-nuts|precisionparts|partsindia|nuts-brassbolts|neutrallinks|-inserts-fasteners-india|insertsbrassnutsbrassbolts|buildinghardware|cableglands|electrical|electricalaccessories|electricalcomponents|fastenersindia|-fasteners|-fasteners-india|fittingcomponents)|cable(glandsworldwide|-glands-asia|glands-india)|serve(?:beer|blog|counterstrike|ftp|game|halflife|mp3|pics|quake)|broad(?:-band-phone|band-phone-future\.blogspot|band-phone-info|bandphoneservices)|\.cable(?:accs|glandsindia)|\.conex(?:india|metals|techno)|diamond-(rings-india|ring-diamond-rings|pendants-india|earrings-india|jewellery-india|ring-rings\.tripod)|electrical(?:-brass-components|brass\.f2s))\.com" # "t:none,t:lowercase,t:compressWhitespace,id:300067,rev:13,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial spammer URL',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300069:
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "\b(?:free|cheap|discount|shop|for[ -_.,\"\'\|]?sale)\b[ -_.,\"\'\|](?:crocs|nokia|north ?face|canada ?goose|cell[ -_.,\"\'\|]?i?phone|(?:mp3|music|ip(?:od|hone)[ -_.,\"\'\|]?player)|ip(?:od|hone)|plasma|flat[ -_.,\"\'\|]?screen|\bxbox\b|play[ -_.,\"\'\|]?station|ps(?:4|3|2)|game[ -_.,\"\'\|]?boy|\bpsp\b|louis[ -_.,\"\'\|]?vuitton|(?:hand|shoulder)[ -_.,\"\'\|]?bag|roll?ex|diet[ -_.,\"\'\|]?pill|vacation|time[ -_.,\"\'\|]?share|free online games)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300069,rev:26,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:named[ -_.,\"\'\|]?(?:\#1|number[ -_.,\"\'\|]?(?:1|one))[ -_.,\"\'\|]?superfood|fuel[ -_.,\"\'\|]?increase[ -_.,\"\'\|]?guarante|advice[ -_.,\"\'\|]?and[ -_.,\"\'\|]?payment[ -_.,\"\'\|]?notification|(?:louis[ -_.,\"\'\|]?vuitton|factory|north ?face|canada ?goose)[ -_.,\"\'\|]?\b(?:outlet|online|stores?)\b|(?:vacation|time[ -_.,\"\'\|]?share)[ -_.,\"\'\|]?(?:discount|for[ -_.,\"\'\|]?sale|free|[0-9][0-9](?:\%|percent)[ -_.,\"\'\|]?off|cheap)|aggressive[ -_.,\"\'\|]?buying[ -_.,\"\'\|]?equipment|get a discount of up to 50% for|x-?rumer |increase your online leads|1st page google ranking|attract free shipment|yiacoumis z limited|for[ -_.,\"\'\|]?s(?:a|e)ll[ -_.,\"\'\|]?i?(?:phone|tune|pod|xbox|wii|ipad|zune)|cheap[ -_.,\"\'\|]?(?:abercrombie|\buggs?\b)|i sell dumps|interactive survey panel|surveys?[ -_.,\"\'\|]?(?:for|4)[ -_.,\"\'\|]?(?:money|cash)|electronic cigarette|reverse[ -_.,\"\'\|]c?e?l?l? ?[ -_.,\"\'\|]phone[ -_.,\"\'\|]lookup|(?:(?:basket|foot)ball|soccer)[ -_.,\"\'\|]coach[ -_.,\"\'\|]gifts|love spells.{1,100}financial help|microsoft office term 20[0-1][0-9]|can purchase a spinner bicycle|picking a good graduation gifts|quickly earn money|make money fast|(?:uggs?|coach|vitton|factory|michael kors|gucci|oakley|handbags?) outlet|oakley x squared )" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300066,rev:26,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_COMMERCIAL_SPAM
############# SEO SPAM #################
SecRule ARGS "@pm traffic mass rankings post thread forum blog cheat guest seo google bing captcha register break web site cool helpful understand nice good rock design search engine optim first rank xrunner xroomer xrumer xruumer xrummer portal website board paralleled matchless otimiza link gold" "id:333910,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333743,t:none,pass,nolog,noauditlog,skipAfter:END_SEO_SPAM"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:utm_term|!ARGS:/ticket/|!ARGS:/banned/|!ARGS:ban_user|!ARGS:/casetrack/|!ARGS:block|!ARGS:ban|!ARGS:setting[banemail]|!ARGS:/password/ "(?:generator cheats? 202|cheats 202. working|(?:cheat|gem)s? generator|cheatmod\.org|(?:gold|diamonds?) generator no (?:jailbreak|human)|go cheats? code|lives generator and cheat)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300073,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Game cheat spam content detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
# Rule 300071:
SecRule ARGS|!ARGS:/domain/|!ARGS:/filter/!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:xr(?:unn|oom|uu?m)er |mass post threads and messages on forums, blogs, guestbooks,|this forum has captcha on registering, but it's was breaked|break (?:captchas?|anti-?bot (?:protections?)?) automa(?:t|g)icall?y |did you hear about best software for promo and seo|search[ -_.,\"\'\|]engine[ -_.,\"\'\|]optimiz|hello[ -_.,\"\'\|]?cool[ -_.,\"\'\|]?site|xciting[ -_.,\"\'\|]?website|cool[ -_.,\"\'\|]?guest[ -_.,\"\'\|]?book|really[ -_.,\"\'\|]?helpful[ -_.,\"\'\|]?for[ -_.,\"\'\|]?understand|!(very)[ -_.,\"\'\|]?(?:nice|good)[ -_.,\"\'\|]?(?:(?:web)?site|design)|this[ -_.,\"\'\|]?site[ -_.,\"\'\|]?rocks|wonderful(?: that site wonderful|(?:wonderful this|your) portal (?:incomparable|nice))|super your site nice |(?:otimização|otimização) de sites|(?:seo|search engine optimization) services?:? get free evaluation of your (?:(web)?site|blog|forum)|we (?:are interested to|can) increase (?:traffic|rankings?) (?:to|of) your website|free website analysis and ranking report for|p to ten times your targeted traffic|(?:seo|search engine optimization|link[ -_.,\"\'\|]?building) service|drive mass traffic to your site|top of the search engine)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300071,rev:14,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:w(?:o(?:nderful (?:your(?:'s (?:portal (?:incomparable|unparalleled)|board unparalleled|site incomparable)| (?:portal incomparable|board unparalleled))|th(?:at (?:board (?:matchless|unmatched)|site wonderful)|is portal (?:peerless|nice))|it's portal unequalled)|w (?:th(?:is (?:b(?:oard wonderful|log peerless)|portal nonpareil)|at (?:site (?:matchless|wonderful)|board unmatched))|your(?: portal unparalleled|'s portal nice)|it's (?:portal|blog) class))|hant to say (?:your(?: b(?:oard (?:un(?:parallel|match)ed|wonderful)|log unparalleled)|'s board (?:incomparable|cool))|th(?:is (?:b(?:oard unparalle|log unequal)led|portal matchless|site cool)|at site (?:unmatched|class))|it's (?:portal matchle|site cla)ss)|a(?:nna say (?:your(?: (?:(?:blog unparallel|portal unmatch)ed|site nonpareil)|'s site cool)|th(?:is (?:board unapproachable|portal nonpareil)|at site unparalleled)|it's b(?:oard unapproach|log incompar)able)|r doesn't make boys men)|e all agree that your theory is crazy)|i (?:say (?:your(?:'s (?:site (?:unapproachable|peerless)|portal wonderful|blog unmatched)| (?:portal (?:incomparable|wonderful)|(?:board matchle|site cla)ss))|th(?:at (?:blog (?:unmatched|wonderful)|site unapproachable)|is board (?:unparalleled|nonpareil|peerless))|it's (?:site matchless|portal nice))|think (?:your(?:'s (?:portal (?:(?:matchle|cla)s|have 5 star)s|site (?:unparalleled|class))| (?:site have 5 star|blog clas)s)|this site peerless)|know (?:your(?:'s (?:portal (?:wonderful|nice)|site incomparable)| portal (?:unparalleled|wonderful))|this (?:site have 5 star|board peerles)s))|yes (?:th(?:is (?:blog (?:un(?:approachable|equalled)|matchless)|site unparalleled|portal nonpareil)|at (?:board nonpareil|site nice))|it's (?:b(?:oard (?:unapproachable|class)|log incomparable)|site incomparable|portal matchless)|your(?: (?:b(?:log wonderful|oard nice)|portal matchless|site nice)|'s portal have 5 stars))|amazing (?:your(?:'s (?:blog (?:unapproachable|nonpareil|class)|site incomparable)| b(?:oard|log) nonpareil)|th(?:is portal unapproachable|at portal unequalled)|it's (?:board unapproachable|portal peerless))|gorgeous (?:th(?:at (?:b(?:log (?:unequalled|cool)|oard incomparable)|site unequalled)|is board peerless)|your(?:'s b(?:oard nonpareil|log unmatched)| portal matchless)|it's site (?:have 5 stars|unmatched))|super (?:th(?:at (?:board incomparable|portal matchless)|is board matchless)|it's (?:blog (?:incomparable|unequalled)|portal peerless)|your (?:(?:portal|site) nice|board cool)))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300049,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_SEO_SPAM
############# SEO SPAM #################
SecRule ARGS "@pm hello dear membery forum secretsline everyone name devils shows traffic princess wonderful brilliant knowing" "id:353911,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333744,t:none,pass,nolog,noauditlog,skipAfter:END_FORUM_SPAM"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:hello dear membery? forum|anonymous downloading movies, music and surfing on the internet|secretsline|devils icebox|high quality wire shows|methods for generating youtube traffic)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300035,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS "(?:what is up everyone\? my name is .{1,50}am new to the forum and just wanted to say hi|friend.s princess|wonderful beat \!|broadcast provided brilliant clear idea|my knowing has)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300186,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_FORUM_SPAM
############# TRAVEL SPAM #################
SecRule ARGS "@pm visit saopaulo paris bahamas island eleuthera" "id:333912,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333745,t:none,pass,nolog,noauditlog,skipAfter:END_TRAVEL_SPAM"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "visit(?:(?:afghanistan|armenia|azerbaijan|bahrain|bangladesh|bhutan|bosnia|brunei|cambodia|china|christmasisland|centralasia|cocosislands|croatia|cyprus|egypt|india|indonesia|iran|israel|jordan|kiev|korea|kosovo|kuwait|kyrgyzstan|laos|latvia|macedonia|malaysia|maldives|mongolia|nepal|northkorea|oman|pakistan|philippines|russia|saudiarabia|southkorea|switzerland|tajikistan|turkmenistan|uae|uzbekistan)|(?:chn|capena|car|esp|solomonislands)\.com|(?:bombay|world)\.info|visit-london\.eu)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300030,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:saopaulo(?:aero|artes|autos|bares|bus|channel|cidades|cinemas|estradas|eventos|gallery|gallery|gaytravel|invest|links|mall|mapas|market|metro|moda|museus|night|noticias|parques|photo|praias|relax|restaurantes|ruas|shuttle|sites|suites|teatros|town|work)|bahamas(-beach-rental|-bookstore|-diving|-honeymoon|-rental|-store|-travel|-villa-rental|homesite)|cat-island(?:-rental\.com|\.net)|eleuthera-(?:bahamas|bahamas-rental|rental))\.com" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300031,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "paris(?:officedetourisme|tennessenews|roller|texasnewspaper)\.info" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300033,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_TRAVEL_SPAM
###########DEGREE MILL#############
# Rule 300072:
SecRule ARGS "@pm degree diploma" "id:333913,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333746,t:none,pass,nolog,noauditlog,skipAfter:END_DIPLOMA_SPAM"
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:degree|diploma) in radiology" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300072,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_DIPLOMA_SPAM
############FAKE AV SPAM##################
SecRule ARGS "@pm virus malware spy greeting" "id:333914,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333747,t:none,pass,nolog,noauditlog,skipAfter:END_ANTIVIRUS_SPAM"
#Rule 300080
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:free|discount)[ -_.,\"\'\|]?anti[ -_.,\"\'\|]?(?:virus|(?:spy|mal)ware)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300080,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Free antivirus/spyware Link/Content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
#Rule 300080
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "pick[ -_.,\"\'\|]?up[ -_.,\"\'\|]?your[ -_.,\"\'\|]?greeting[ -_.,\"\'\|]?card" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300060,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_ANTIVIRUS_SPAM
############WOW/GOLD FARMING SPAM###########
SecRule ARGS "@pm gold farm making make hour tip likes" "id:353915,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333748,t:none,pass,nolog,noauditlog,skipAfter:END_WOW_SPAM"
#Rule 300184
SecRule ARGS "(?:gold[ -_.,\"\'\|](?:making|farmers)|game[ -_.,\"\'\|]tip[ -_.,\"\'\|]wow[ -_.,\"\'\|]gold|gold[ -_.,\"\'\|]an[ -_.,\"\'\|]hour[ -_.,\"\'\|]farm|farming[ -_.,\"\'\|]gold|runescape[ -_.,\"\'\|]?gold|buy (?:instagram|facebook|twitter) likes)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300184,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_WOW_SPAM
############ESSAY SPAM###########
SecRule ARGS "@pm essay paper best term dissertations writing custom resume editing proofreading research video custom" "id:333916,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333749,t:none,pass,nolog,noauditlog,skipAfter:END_ESSAY_SPAM"
SecRule ARGS|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/ "(?:best (?:term|college) (?:papers|essays)|best essays|academic writing assistance for term papers|(?:custom|essay|resume|paper|book report|video|research paper|dissertation|book and report) (?:writ|edit)ing (?:website|service)|(?:proofreading|custom writing) services|custom (?:research papers|paper writing)|original custom research paper for you|essay editing|custom (?:paper|writing))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300185,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Essay spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_ESSAY_SPAM
############# GENERAL FORUM SPAM ###################
SecRule ARGS "@pm dumps cvv verified unlimited ebay heinchuini@ymail.com fullz atm" "id:333917,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333750,t:none,pass,nolog,noauditlog,skipAfter:END_HACK_SPAM"
SecRule ARGS "(?:fresh and verified and unlimited ebay|atm pin database|heinchuini@ymail.com|fullz and uk fullz|cvv\+full info|i sell dumps)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300188,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_HACK_SPAM
#Movies spam
SecRule ARGS "@pm movies capital rapidshare hollywood" "id:353918,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333751,t:none,pass,nolog,noauditlog,skipAfter:END_MOVIES_SPAM"
SecRule ARGS "(?:movies capital (?:has an|scam)|rapidshare premium link generator|huge collection of photos of hollywood stars)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300189,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_MOVIES_SPAM
SecRule ARGS "@streq unlimited" "id:333919,phase:2,t:none,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333752,t:none,pass,nolog,noauditlog,skipAfter:END_HOSTING_SPAM"
SecRule ARGS "business of unlimited reseller hosting" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300301,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Reseller spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_HOSTING_SPAM
SecRule ARGS "@pm visa fiance spouse spousal green" "id:333920,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333755,t:none,pass,nolog,noauditlog,skipAfter:END_VISA_SPAM"
SecRule ARGS "(?:k(?:1|3) (?:fiancee?|spous(?:e|al)) (?:visa|green ?card)|k(?:1|2|3) visa)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300303,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible visa spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_VISA_SPAM
#job search spam
#job search faster
SecRule ARGS "@pm job search" "id:333921,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333756,t:none,pass,nolog,noauditlog,skipAfter:END_JOBS_SPAM"
SecRule ARGS "(?:job search faster|find perfect jobs|free enterprise jobs)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300304,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible job search spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_JOBS_SPAM
SecRule ARGS "@pm loan checking money cash" "id:333922,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333757,t:none,pass,nolog,noauditlog,skipAfter:END_LOAN_SPAM"
SecRule ARGS "(?:second chance checking|pay ?day ?loan|money site url|cash[ -_.,\"\'\|]?advance)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible loan spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_LOAN_SPAM
SecRule REQUEST_URI "@pm result: ++++" "id:333923,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333758,t:none,pass,nolog,noauditlog,skipAfter:END_SPLIT_SPAM"
SecRule REQUEST_URI "\+\+\+\+\+\+\+\+\+\+\+.{1,100}result\:" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:301311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Session Splitting Spam Attempt',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
SecMarker END_SPLIT_SPAM
#All spam end
#anti hotlinking
# SecRule REQUEST_HEADERS:Referer # "!@beginsWith %{request_headers.host}" # phase:1,t:none,log,drop,chain
# SecRule REQUEST_FILENAME "!\.(?:gif|png|jpe?g|ico)$" # t:none,t:lowercase
SecMarker END_SPAM

66
nginx-waf/31_asl_urispam.conf Normal file
View File

@ -0,0 +1,66 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Spam rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005 - 2022 by Atomicorp, Inc. All rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
# Rule 300000: Blacklist of referer spam hostnames
SecRule SERVER_PORT "@streq 30000" "phase:1,id:339853,pass,t:none,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Skip SPAM rules if this is a not something to check for spam, like graphics, videos, CSS, ico, docs, etc.
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m)|df|s)|gif|js|css|flv|ico|avi|w(m(?:v|a)|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x)|te?xt|doc|xls|od(?:t|s)|ppt|wbk)$" "phase:2,id:333938,pass,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Concrete 5 editing bypass
SecRule ARGS:ccm-edit-block-submit "^submit$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333939,skipAfter:END_SPAM_URI"
#Skip SPAM rules for admin applications and the like
SecRule REQUEST_URI "(?:/(?:(?:i(?:nclude\.php?path=forum/editpost|mp/compose)|pr(?:o(?:duct_thumb|file)|eview_static_cgi)|callback|diagnostics|editsection|tickets)\.php|system/index\.php?s=.*c=(?:publish|edit)&m=new_entry$|workshops/register\.php|link(?:machine/linkmachine\.php|s/\?act=addsite)|(?:\?modulo=loja&action|update\.php?pageid)=|nav\.php\?nav=(?:moderate|addnews)|cgi-bin/mailinglist/mail\.cgi)|/(?:(?:s(?:itebuilder|hopadmin)|cms/resources/edit|hspc/pcc|node/add|vsadmin)/|w(?:p-(?:content/plugins|admin)/|izard/edit/html)|adm(?:in(?:istrator/)?|/))|\?(?:(?:p=admin_cms|task=edit|tab=admin[a-z]+)&|action=admin)|node/[0-9]+/edit|^/\?[sv]=|\?q=ckeditor|/secure/|/site-?admin/|/ndxz-studio/|/wp-admin/|/cms/|/file/ajax/|/members/editing/|/comment/reply/[0-9]+|/new/[0-9]+/confirm|/index\.php\?option=com_jreviews|/calendar/index\.php\?act=calendar&code=addnewevent)" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333940,skipAfter:END_SPAM_URI"
############ SPAMMY URLS ########################
#
SecRule ARGS "@pm http:// https:// @" "id:333941,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:353535,t:none,pass,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Check spam domain to see if its on the URIRBL list
SecRule ARGS "https?\://(.*?)/" "chain,log,auditlog,phase:2,severity:2,id:377777,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist. (Report False Positives to www.uribl.com)',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
SecRule TX:0 "(BLACK)" t:none
#Check spam domain to see if its on the URIRBL list
#SecRule ARGS "@(.*?)" # "chain,log,phase:2,id:377779,severity:2,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist.',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
#SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
#SecRule TX:0 "(BLACK)" t:none
#All spam end
SecMarker END_SPAM_URI

35
nginx-waf/45_asl_hpp.conf Normal file
View File

@ -0,0 +1,35 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2016 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
#skip this for technologies that dont have HPP vulnerabilities
#count arguments
##SecRule ARGS_NAMES "\." "phase:2,id:381731,rev:'2',pass,nolog,noauditlog,setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
##SecRule TX:/paramcounter_.*/ "@gt 1" "msg:'HTTP Parameter Pollution (%{TX.1})',chain,phase:2,id:381723,rev:21,severity:'CRITICAL',deny,log,auditlog,status:403,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
##SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" "capture"

345
nginx-waf/50_asl_rootkits.conf Normal file
View File

@ -0,0 +1,345 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "homecounter\.php" "phase:2,id:95286,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "moderation\.php" "phase:2,id:95287,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/paadmin/file_manager\.php" "phase:2,id:95288,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/__utm\.gif" "phase:2,id:95289,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144"
SecRule REQUEST_FILENAME "/administrator/index\.php" "phase:2,id:95290,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/ota/admin/file_manager\.php" "phase:2,id:95291,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/shop_file_manager\.php" "phase:2,id:95292,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/file_manager\.php" "phase:2,id:95293,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/modules/mod_oneononechat/chatfiles/*" "phase:2,id:95294,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/fud/adm/admbrowse\.php" "phase:2,id:95295,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-cron\.php" "phase:2,id:95296,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/admin/mods/easymod/easymod_install\.php" "phase:2,id:95297,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/autogallery/autogallery\.php" "phase:2,id:95298,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/alfresco/scripts/onload\.js" "phase:2,id:95299,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/assets/files/who/" "phase:2,id:95300,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/forum/viewtopic\.php" "phase:2,id:95301,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/setup/" "phase:2,id:95302,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/administrator/index2\.php" "phase:2,id:95303,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/sales/soap\.php" "phase:2,id:95304,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/twg177/admin/" "phase:2,id:95305,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/images/smilies/" "phase:2,id:95306,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/admin/dogen_display\.php" "phase:2,id:95307,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/horde/themes/graphics/" "phase:2,id:95308,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/whois/quick\.php" "phase:2,id:95309,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/ubbthreads\.php" "phase:2,id:95310,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902"
SecRule REQUEST_FILENAME "/administrator/" "phase:2,id:95311,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390902"
SecRule REQUEST_FILENAME "^/img/logos_square/shell\.gif$" "phase:2,id:95312,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "^/plugins/editors/jckeditor/plugins/jfilebrowser/images/icons/gif\.gif$" "phase:2,id:95313,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/admin/templates/data_templates/data_templates\.php" "phase:2,id:95314,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/nagios/cgi-bin/cmd\.cgi" "phase:2,id:95315,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/tools_cron\.php" "phase:2,id:95316,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904"
SecRule REQUEST_FILENAME "/admin/layout/edit/" "phase:2,id:95317,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390810,ctl:ruleRemovebyID=390811"
SecRule REQUEST_FILENAME "/nagios/stylesheets/cmd\.css" "phase:2,id:95318,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/adjs\.php" "phase:2,id:95319,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390144"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95320,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/wp-admin/plugin-editor\.php" "phase:2,id:95321,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/import\.php" "phase:2,id:95322,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390804"
SecRule REQUEST_FILENAME "/terms\.php" "phase:2,id:95323,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/jfilebrowser/images/icons/gif\.gif" "phase:2,id:95324,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/thumbs/" "phase:2,id:95325,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/modules/mod_jw_ajaxnf/" "phase:2,id:95326,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390147"
SecRule REQUEST_FILENAME "/wp-admin/nav-menus\.php" "phase:2,id:95327,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/themes/default/graphics/" "phase:2,id:95328,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/catalog/product/cache/" "phase:2,id:95329,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148,ctl:ruleRemovebyID=390800"
SecRule REQUEST_FILENAME "/installation/index\.php" "phase:2,id:95330,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390907"
SecRule REQUEST_FILENAME "/wp-admin/theme-editor\.php" "phase:2,id:95331,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390801,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:95332,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149,ctl:ruleRemovebyID=390801"
SecRule REQUEST_FILENAME "/admin/scripts/shell\.js" "phase:2,id:95333,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390148"
SecRule REQUEST_FILENAME "/timthumb\.php" "phase:2,id:95334,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/connectors/workspace/packages-rest\.php" "phase:2,id:95335,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/admin/supporttickets\.php" "phase:2,id:95336,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/piwik\.php" "phase:2,id:95337,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/pwiki\.php" "phase:2,id:95338,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390145"
SecRule REQUEST_FILENAME "/json-api/cpanel" "phase:2,id:95339,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390904,ctl:ruleRemovebyID=390907"
SecRule REQUEST_FILENAME "/picat/admin/" "phase:2,id:95340,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/viewticket\.php" "phase:2,id:95341,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/supporttickets\.php" "phase:2,id:95342,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/dokuwiki/doku\.php" "phase:2,id:95343,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/edit-comments\.php" "phase:2,id:95344,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/clientsservices\.php" "phase:2,id:95345,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax\.php" "phase:2,id:95346,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390149"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known shells, remote toolkits, etc. signatures for modsec 2.x
#
# Copyright 2005-2023 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#Master list of known malware script file names
#SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390500,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in URL',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "@pmFromFile malware_scripts.txt"
#SecRule ARGS|REQUEST_FILENAME "@pmFromFile malware_scripts.txt" \ "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:390501,rev:1,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Malware Script detected in ARGS',logdata:'%{TX.0}'"
#Skip SPAM rules if this is a not something to check for spam, like control panels, ASL gui, etc.
SecRule SERVER_PORT "@streq 30000" "phase:4,id:333852,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_ALL"
SecRule REQUEST_FILENAME "\.(?:flv|ico|avi|w(?:m(?:v|a)|ebp|bk)|mp(?:3|4|e?g)|cgm|s(?:vg|wf)|og(?:m|v|x)|xls|doc|od(?:t|s)|ppt)$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333853,skipAfter:END_ROOTKIT_FINAL"
SecRule REQUEST_URI "^/(?:eprocservice/supplierinboundservice|\?_task=mail)" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:331853,skipAfter:END_ROOTKIT_FINAL"
#possible crypto mining tools
#mining.submit mining.subscribe mining.authorize
#EthereumStratum|MinerName/1.0.0|cpuminer/2.5.1
SecRule REQUEST_URI|ARGS "(?:mining\.(submit|authorized|subscribe)|ethereumstratum|minername/|cpuminer/|eth_submitlogin|ethereumstratum|xmrig/|xmr-stak-cpu)" "t:none,t:urlDecodeUni,t:lowercase,capture,id:391111,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Cryptomalware attack blocked',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm http:// https:// gopher:// ogg:// zlib:// ftp:// ftps://" "id:333854,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333760,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_RFI"
#SecRule REQUEST_URI|!ARGS:/redirect/|!ARGS:/referrer/|!ARGS:/url/|!ARGS:/img/|!ARGS:/^link/|!ARGS:loc|!ARGS:/referer/ "(?:ogg|gopher|zlib|(?:ht|f)tps?)\://(.+)\.(?:c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|html?|tmp)\x20?\?" "t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,chain,id:390144,rev:21,severity:2,msg:'Atomicorp.com WAF Rules: Command shell attack: Generic Attempt to remote include command shell',logdata:'%{TX.0}'"
#SecRule REQUEST_URI "!(horde/services/go\.php|tiki-view_cache\.php|event\.ng/type=click|^/\?out=http://.*/.*\?ref=.*|^event\.ng/|^/hiphop2/=http|homeCounter\.php\?offerid=.*&ureferrer=http|/gltr_dontrunhttps?://|/plugins/wpeditimage/editimage\.html|/spc\.php)"
#
#shell patterns
SecRule REQUEST_URI "=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/(.+)\.(c|dat|kek|sh|te?xt|dat|tmp)\?" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,chain,id:390145,rev:11,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: Generic Attempt to install shell'"
SecRule REQUEST_URI "!(?:/event\.ng/|horde/services/go\.php|tiki-view_cache\.php|^/\?out=http://|homecounter\.php\?offerid=.*ureferrer=http|__utm\.gif\?|/plugins/wpeditimage/editimage\.html|/spc\.php)"
SecRule ARGS "^(ht|f)tps?://([a-z0-9_\.?]+\.)?((rapidshare|mega(?:upload|shares?)|filefactory|mediafire|depositfiles|sendspace|badongo|uploading|savefile|cocshare|axifile|turboupload|gigasize|ziddu|uploadpalace|filefront|momupload|speedyshare|rnbload|adrive|easy-share|megarotic|egoshare)\.com|ifolder\.ru|files\.to|cocoshare\.cc|(?:usaupload|bitroad)\.net|netload\.in|rapidshare\.de)/.+" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:replaceNulls,t:lowercase,t:compressWhitespace,id:390902,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client'"
#SecRule ARGS_POST "^http://(rapidshare|megaupload)\.com.+" "capture,id:390901,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_RFI
#Jooma and wordpress PHP Shells
#SecRule REQUEST_URI
SecRule REQUEST_URI "(?:/images/stories/|/components/com_smartformer/files/|/uploaded_files/user/|uploads/job-manager-uploads/).*\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in images directory',logdata:'%{TX.0}'"
SecRule REQUEST_URI "/(?:title|sourceinc|xml|general|info|dir|javascript|cache|menu|themes|functions|dump|inc)[0-9]+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:removewhitespace,capture,id:318814,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:cache\.uniq_[0-9]+|cache\.managed|/components/com_remository_files/*/*)\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:318912,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in joomla modules directory',logdata:'%{TX.0}'"
SecRule REQUEST_URI "media/banner/.+\.php" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in Kaboozu CMS banner directory',logdata:'%{TX.0}'"
SecRule REQUEST_URI "/wp-(?:settings|config)\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:342153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Attempt to inject code into wordpress',logdata:'%{TX.0}'"
SecRule ARGS_NAMES "code(?:s|z)"
SecRule REQUEST_URI "forums?\.php" "chain,deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,capture,id:342154,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known vBulletin backdoor',logdata:'%{TX.0}'"
SecRule ARGS:x "(?:shell|exec|passthru)"
#Fake Major domains
SecRule REQUEST_URI|ARGS "(?:wordpress|img\.youtube|picasa|blogger|flickr)\.com\.[a-z0-9]+" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:318813,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Domain name used in URL, Possible Injection Attack',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS "@pm cmd inc= name= x_key x_file act= appfileexplorer thepath=" "id:333855,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333761,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_ROOTKITS"
#known shell URLS
SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:/resolution/|!ARGS:/solution/|!ARGS:/message/|!ARGS:/text/|!ARGS:prefix|!ARGS:suffix "(?:\.(?:dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(?:cmd|inc|name|action)=|\.php\?act=?:(chmod&f|cmd|ls|f&f)|/cmd\?&(?:(?:ch|mk)dir=/|action=(?:ch|mk)dir))" "deny,log,auditlog,status:404,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhitespace,capture,id:340033,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible attempt to run malware',logdata:'%{TX.0}'"
#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "capture,phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Backdoor or shell access blocked',id:392146,severity:'2',logdata:'%{TX.0}'"
#ASP sigs
SecRule REQUEST_FILENAME "\.asp" "deny,log,auditlog,status:404,chain,t:none,t:urlDecodeUni,t:lowercase,capture,id:391150,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Rootkit attack: ASP shell attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "(?:theact=inject&thepath=|pagename=appfileexplorer|showupload&thepath=|system32/cmd\.exe)"
SecMarker END_KNOWN_ROOTKITS
SecRule ARGS_NAMES "c99shcook" "deny,log,auditlog,status:404,id:391158,phase:2,capture,t:none,t:lowercase,severity:1,rev:1,msg:'Atomicorp.com WAF Rules: PHP c99 webshell',logdata:'%{TX.0}'"
#Check body of responses for known or suspected malicious web applications
SecRule REQUEST_METHOD "^REPORT$" "phase:4,rev:2,id:334785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
SecRule REQUEST_URI "/wp-admin/plugin-install\.php\?tab=plugin-information&plugin=wordfence" "phase:4,rev:2,id:364785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
SecRule RESPONSE_BODY "@pm boff rapidleech mailer telnet shell hacke sh3ll SecurityCrewz phpftp explorer aventis xerror injection rhtools commander terminal ntdaddy fux0r www.sanalteror.org haxplor konsole c99 zfxid1.txt c100 r57 aventgrup exploit safe_mode open_basedir feecomz shirohigomz pshyco safemode safe-mode sh-inf: sh-err: emailbases prioritet leech uname leech ehennemdea obzerve feelcomz shirohigeshirohige lusif3r_666 sience emp3ror undetectable hack pshyco owned backdoor jaheem networkfilemanagerphp bots suid sguid service.pwd .bash_history .fetchmailrc #mhpver vulner4bl3 /etc/passwd mode: alucar rst/ghc netsploit bruteforce M4st3r Indishell GIF89 Upl04d3r uploader FilesMan JPEG-1.1<base64_encoded bypass 3xp1r3 Cracker Symlink Symlink hijack connected backdoor woman-five companies-best-man million-support" "id:333856,rev:2,phase:4,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333762,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
#Moved from embargoed rules
SecRule RESPONSE_BODY "(?:<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>|<p>Companies-Best-Man-Vendors-Best</p>|<p>Million-Support-Years-Week-Agents</p>)" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked Solarwinds malware on system',id:'340004',rev:1,severity:'2'"
#Fake GIF89
SecRule RESPONSE_BODY "^GIF89" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked malware on system',id:'393150',rev:5,severity:'2',chain"
SecRule REQUEST_FILENAME "!@endswith .gif" "t:none,t:lowercase"
SecRule RESPONSE_BODY "^JPEG-1.1<base64_encoded" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible cloaked malware on system',id:'393151',rev:5,severity:'2'"
SecRule RESPONSE_BODY "Connected to root:" "phase:4,t:none,ctl:auditLogParts=+F,auditlog,deny,log,status:404,msg:'Atomicorp.com WAF Rules: Possible web shell blocked on system',id:'393152',rev:5,severity:'1'"
#Request Body patterns that are not malicious
SecRule RESPONSE_BODY "<title>(?:.{0,64}Web[m|M]ail|Horde \:\:)" "phase:4,rev:2,id:333785,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY"
SecRule RESPONSE_BODY "(?:add (?:new emailbases to database|high prioritet emails)|<title>dark-mailer v|xerror was here|title>\:\: mailer inbox \:\:)" "phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible spamtool installed on system',id:'390150',rev:5,severity:'2'"
#Rapid Leech blocks
SecRule RESPONSE_BODY "(?:rapidleech plugmod -|you are not allowed to leech from|=\"http://www\.rapidleech\.com)" "deny,log,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible Unauthorized Download Client - Rapidleech',id:'390900',rev:12,severity:'2'"
SecRule REQUEST_URI "^/wp-admin/admin\.php\?page=WordfenceOptions$" "id:321117,rev:1,phase:4,t:none,pass,nolog,noauditlog,skipAfter:SKIP_AFTER_RULE_390149"
#trick them with a 40
SecRule RESPONSE_BODY "(?:(?:ne(?:ws remote php shell injection|tworkfilemanagerphp|tsploit)|c(?:(?:99 ?(?:mad)?|100 ?) ?(web)shell|ehennemden|gi-?telnet)|php(?: ?(?:commander|shell)|-?terminal| backdoor|ftp)|SvT SheLL|WSO 2.4|WebRooT Hack Tools|\b(?:r(?:emote explorer|57 ?sh(?:e|3)ll)|(?:alucar|saudi) sh(?:3|e)ll)\b|inbox mass mailer by hack|r(?:57 ?shell|htools)|(?:konsole |stun ?)shell|\.sanalteror\.org|haxplorer|gamma ?web|fux0r inc| - n3t)|[Ss](?:h(?:ell by (?:rst/ghc|alucar)|irohigeshirohige|-(?:err|inf): )|afe(?:(?:-| )?mode(?: bypass|execdir| ?\[ ?[Ss]afe(?:-| )?mode\:)|-mode bypass|modeexecdir)|tunshell)|f(?:ind (?:.(?:bash_history|fetchmailrc)|[gs]uid|all) files|eelcomz)|(?:e(?:mp3ror undetectabl|xecution php-cod))e|b(?:(?:\.o\.v sience 2|off 1\.)0|y pshyco, © 2008 error|indshell)|php ?(?:4|5).{1,200}? safe_mode ?(\&|/|and)? ?open_basedir ?bypass|t(?:his is an? exploit from|otal bots active)|design by (?:rst/ghc|alucar)|l(?:ocus7shell|usif3r_666)|(?:o|0)wned by (?:hacker|#)|jaheem galaxy 2|reverseshell|\#mhpver|\[Exploit-DB|syrian-shell.com|SyRiAn Sh3ll|Sh(?:3|e)ll Uploader|W3lc0m3 M4st3r|Indishell|Safe ?(?:-| )?mode ?\: ?OFF|Upl04d3r|FilesMan|>Hacked by <|(?:Da3s|Da3s HaCkEr) File Manager|Symlink Bypass|3xp1r3|Finder/Cracke|Symlink</title>|Index Hijack|Smoker Backdoor)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible remote shell or bot access denied',id:'390149',rev:59,severity:'2',logdata:'%{TX.0}'"
SecMarker SKIP_AFTER_RULE_390149
#This protects the victims, by preventing compromised files from being loaded
SecRule RESPONSE_BODY "(?:SecurityCrewz|Exploit-DB)" "deny,log,capture,phase:4,t:none,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Possible compromised website detected and 404 sent to user',id:'392149',rev:1,severity:'2',logdata:'%{TX.0}',tag:'no_ar'"
SecMarker END_ROOTKIT_BODY
SecRule REQUEST_URI|ARGS|!ARGS:SAMLResponse "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc @@rndstr@@ netenberg psybnc fantastico_de_luxe arta.zip information_schema.tables char( php_uname eval decode_base64 base64_decode gzuncompress base64_url_decode" "id:333857,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333763,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_2"
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
#
SecRule REQUEST_URI|ARGS|!ARGS:code|!ARGS:/description/|!ARGS:/^layout/|!ARGS:message|!ARGS:email|!ARGS:description|!ARGS:body|!ARGS:/text/|!ARGS:/txt/ "(?:<\? ?php (?:echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()" "deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,chain,capture,id:390801,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shellkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&)"
#some broken attack program
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:_@@rndstr@@|netenberg |psybnc |fantastico_de_luxe |arta\.zip )" "deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:lowercase,id:390803,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known Wormsign',logdata:'%{TX.0}'"
#New SEL attack seen
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:select.*from.*information_schema\.tables|and.+char\(.*\).+user\schar\()" #"capture,t:none,t:urlDecodeUni,t:lowercase,id:390804,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known shell SQL payload',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_BODY_2
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,id:333786,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333764,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_3"
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390810,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:description|!ARGS:message|!ARGS:problem|!ARGS:solution "(?:<\? ?php (echo ?\"hi ?master|(system|passthru|shell_exec|exec) ?(?:\(|@|\: ?'?))|(?:system|passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()"
SecMarker END_ROOTKIT_BODY_3
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "id:333859,phase:2,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333765,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_4"
SecRule REQUEST_URI "!(?:^/wp-login\.php\?vaultpress=true&action=exec&doing_wp_cron&wp-admin)" "deny,log,auditlog,status:403,chain,capture,t:none,t:lowercase,t:compressWhitespace,id:390811,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:code "(?:<\? ?php (echo ?\"hi ?master|(?:system|passthru|shell_exec|exec) ?\()|(?:passthru|shell_exec|exec) ?\(|(?:stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|base64_url_decode|decode_base64|gzuncompress) ?\()"
SecMarker END_ROOTKIT_BODY_4
#SecRule MODSEC_BUILD "!@ge 020513900" "t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "@pm echo system passthru shell_exec exec error_reporting stripshashes _request get_magic_quotes_gpc php_uname eval" "phase:2,t:none,t:decodeBase64Ext,pass,nolog,noauditlog,skip:1"
#SecAction phase:2,t:none,pass,nolog,noauditlog,skipAfter:END_ROOTKIT_BODY_5
#
#SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:<\? ?php (echo ?\"hi ?master|.*(system|passthru|shell_exec|exec) ?\()|error_reporting\(.*\) ?\; ?if ?\(isset ?\(.*\) ?\) (system|passthru|shell_exec|exec) ?\(|(stripslashes|passthru) ?\( ?\$_request\[\"|if \( ?get_magic_quotes_gpc\(|php_uname|eval ?\( ?(?:base64_decode|gzuncompress) ?\()" "capture,t:none,t:decodeBase64Ext,t:lowercase,t:compressWhitespace,id:390811,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Generic Attempt to insert shell code',logdata:'%{TX.0}'"
#SecMarker END_ROOTKIT_BODY_5
SecRule REQUEST_URI "@pm perl xkernel kaiten mampus trojan r57 c99 zfxid1.txt c100 fuckthepolice.php test.php 404.php.jpg webadmin.php.flv dump footer.php press60.php gallery.php" "id:333860,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333766,t:none,pass,nolog,noauditlog,skipAfter:END_PERL_EXEC"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "(?:perl .*\.pl(\s|\t)*\;|\;(\s|\t)*perl .*\.pl|perl (?:xpl\.pl|kut|viewde|httpd\.txt)|\./xkernel\;|/kaiten\.c|/mampus\?&(?:cmd|command)|trojan\.htm|/(?:r57|c99|c100)\.(?:php|txt)|r57shell\.(?:php|txt)|fuckthepolice\.php|404\.php\.jpg|webadmin\.php\.flv|zfxid1\.txt|(?:royalslider/languages/test|/js/imgareaselect/footer|/cgi-bin/whm/press60|wp-content/themes/avada/fonts/gallery)\.php)" "capture,status:500,deny,log,auditlog,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390802,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Possible Rootkit attack: Known Rootkit',logdata:'%{TX.0}'"
SecMarker END_PERL_EXEC
SecRule RESPONSE_HEADERS:WWW-Authenticate "rapidleech" "deny,log,capture,t:none,t:lowercase,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
SecRule ARGS|REQUEST_URI "@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget ftpget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet gcc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar" "id:333861,phase:2,t:none,t:urlDecodeUni,t:cmdline,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:333767,rev:3,t:none,pass,nolog,noauditlog,skipAfter:END_KNOWN_SIGNS"
#Known shells
SecRule ARGS:cmd|ARGS:act|ARGS:command|ARGS:action "\b(?:ls\b(?: -|\&)|find /|mysqldump |ifconfig |chdir=|php |echo |perl |killall |kill -|python |rpm |yum |apt-get |emerge |lynx |links\b |mkdir |elinks |(?:ftp|w)get |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|\bmv\b |unzip |tar |\brm\b |\bcat\b (?:/|\.\.)|\brar\b )" "chain,deny,log,auditlog,status:403,capture,t:none,t:urlDecodeUni,t:cmdline,multimatch,id:390904,rev:15,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecRule REQUEST_URI "!(^/components/com_clm/clm/)"
#for direct CGI type commands
#http://example.com/cmd.cgi?cat /etc/passwd
#SecRule REQUEST_URI "\b(?:ls\b -|find /|mysqldump |php |echo |perl |killall |kill |python |lynx |e?links (?:[0-9]|h|f) |mkdir |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc -?[a-z0-9]+ |\bcpp\b |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route)\b|mv\b |unzip |tar\b |rm\b |cat (?:/|\.\.)|rar\b )" "capture,t:none,t:urlDecodeUni,t:compresswhitespace,multimatch,id:390907,rev:9,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9]+ ?;" "deny,log,auditlog,status:403,capture,id:390905,rev:1,t:none,t:lowercase,severity:2,msg:'Atomicorp.com WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
#new known injected payload
#SecRule ARGS "(?:cd /(?:tmp|var/tmp) ?; ?(?:lwp-download|wget|curl|elinks|fetch|rm -[r|f][r|f])|killall -9 perl ?; ? rm -[r|f][r|f])" "capture,t:none,t:urlDecodeUni,t:cmdline,id:390906,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Possible Shell Command Attempt',logdata:'%{TX.0}'"
SecMarker END_KNOWN_SIGNS
#Uploaded php files in the WP cache directories
SecRule REQUEST_FILENAME "/wp-content/(?:themes/.+/cache|uploads/(?:[0-9]+/[0-9]+|tmp)|plugins/revslider/temp/update_extract/resume|plugins/wp-mobile-detector/cache)/.+\.ph(?:p[345]|tml|t)$" "log,deny,log,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:318811,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in WP cache directory',logdata:'%{TX.0}',chain"
SecRule REQUEST_FILENAME "!(/cache/timthumb\.php$)"
#/modules/simpletest/files/
#/files/stats38.php
SecRule REQUEST_FILENAME "/file(?:s/.*\.php[0-9]+?$|manager/userfiles/.*\.ph(?:p|tml|t))" "log,deny,status:404,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:compressWhiteSpace,capture,id:316812,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Possible Attempt to Access unauthorized shell or exploit in upload directory',logdata:'%{TX.0}'"
SecMarker END_ROOTKIT_FINAL
SecMarker END_ROOTKIT_ALL

38
nginx-waf/51_asl_paranoid_extra.conf Normal file
View File

@ -0,0 +1,38 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2023 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#SecAction "phase:1,t:none,pass,nolog,noauditlog,initcol:global=global,initcol:ip=%{remote_addr}"
#
SecRule REQUEST_URI "@detectXSS" "phase:2,deny,status:403,t:none,capture,id:301010,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: (Paranoid Extra Ruleset) Possible XSS injection attack in URL',auditlog,log,logdata:'%{TX.0}'"
SecRule REQUEST_URI "@detectSQLi" "phase:2,deny,status:403,t:none,multimatch,capture,id:301011,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: (Paranoid Extra Ruleset) Possible SQL injection attack in URL',auditlog,log,logdata:'%{TX.0},%{matched_var_name}',tag:'SQLi'"

45
nginx-waf/51_asl_rootkits.conf Normal file
View File

@ -0,0 +1,45 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
#
# Copyright 2005-2016 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#Master list of known malware script file names
SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" "phase:2,chain,capture,log,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:390500,rev:2,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Possible Malware Script detected in URL',logdata:'%{TX.0}'"
SecRule REQUEST_URI "@pmFromFile malware_names.txt"
SecRule SERVER_PORT "@streq 30000" "phase:2,id:337852,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_FINAL_2"
#default is to trick them with a 404
SecRule REQUEST_FILENAME "@pmFromFile malware_names.txt" "phase:2,chain,log,auditlog,deny,status:404,capture,t:none,t:urlDecodeUni,t:normalisePath,id:390501,rev:4,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename',logdata:'%{TX.0}'"
SecRule REQUEST_METHOD "(?:POST|GET)" "t:none,chain"
SecRule REQUEST_FILENAME "!@rx ^/.well-known/acme-challenge/" "t:none"
SecMarker END_ROOTKIT_FINAL_2

36
nginx-waf/51_asl_wordpress_extra.conf Normal file
View File

@ -0,0 +1,36 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Known rootkits, remote toolkits, etc. signatures for modsec 2.x
#
# Copyright 2024 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecRule REQUEST_URI "/wp-content/uploads/" \
"phase:2,id:333149,rev:21,severity:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,chain,msg:'Atomicorp.com WAF Rules: Possible PHP webshell detected and blocked'"
SecRule REQUEST_FILENAME "\.php$" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule REQUEST_FILENAME "!@rx /index\.php$" "t:none,t:urlDecodeUni,t:lowercase"

1506
nginx-waf/60_asl_recons.conf Normal file
View File

File diff suppressed because it is too large Load Diff

292
nginx-waf/61_asl_recons_dlp.conf Normal file
View File

@ -0,0 +1,292 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Search Engine Recon/Search Engine Hacks Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2011 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Note: For modsecurity 2.5 and above only
# Use 404 for these rules to trick attackers and search engines
# TODO - dont check internal referrers
SecDefaultAction "log,deny,auditlog,phase:2,status:404"
SecRule REQUEST_HEADERS:Referer "@pm ext:inc ext:ini ext:cfg ext:cgi ext:wml ext:dca ext:ccm ext:cdx ext:dbf ext:jbf ext:ics ext:reg ext:dat ext:vmx ext:vmdk ext:pqi ext:gho ext:txt ext:log ext:conf ext:nsf ext:ldif ext:php ext: ext:htm ext:dhtml filetype: username public sensitive vulnerability receipt admin confidential restricted intranet security passwd password passlist assessment secret index" "id:333890,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:313498,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_DLP_ALL"
#possible info leak probes
SecRule REQUEST_HEADERS:Referer "@pm public sensitive vulnerability receipt admin confidential restricted intranet security assessment safeguard unclassified" "id:333891,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:315409,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_DLP"
SecRule REQUEST_HEADERS:Referer "not for public release" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371253,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "(?:security (?:related|restricted)|safeguards?|sensitive but unclassified|unclassified controlled nuclear) information" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373254,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "host vulnerability summary report " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371436,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "performed by beyond security's automated scanning" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371931,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "network vulnerability assessment report" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371437,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "thank you for your order \+receipt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371438,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "site:edu grades admin" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371463,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "not for distribution confidential" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371439,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "you have requested access to a restricted area of our website\. please authenticate yourself to continue\." "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371760,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "shadow security scanner performed a vulnerability assessment" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371925,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "the following report contains confidential information vulnerability" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371926,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "network host assessment report internet scanner" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371972,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "welcome to intranet" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:372024,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecMarker END_RECON_CHECKS_DLP
SecRule REQUEST_HEADERS:Referer "@pm passwd password protected username ap-secrets passlist" "id:333892,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:302904,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_PASSWORD"
SecRule REQUEST_HEADERS:Referer "inurl:(?:p|ch)ap-secrets -cvs " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373092,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:log username putty" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371004,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:sql password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371122,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:reg reg hkey_current_user username" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371006,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "login: \* password: \* filetype:xls" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371037,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:sql insert into.*pass" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371040,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "your password is filetype:log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371054,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "\[wfclient\] password= filetype:ica" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371059,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer " filetype:sql \(passwd values \*\*\*\* \| password values \*\*\*\* \| pass values \*\*\*\* \)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371070,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: '"
SecRule REQUEST_HEADERS:Referer "filetype:sql \(values \* md5 \* \| values \* password \* \| values \* encrypt \*\)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371071,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:netrc password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371128,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:dat password\.dat" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371136,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:cfm cfapplication name password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371148,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:htpasswd htpasswd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371153,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:xls username password email" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371158,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:mdb standard jet \(password \| username \| user \| pass\)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371571,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl.*(?:passlist|passwords?|passwds?)\.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:350013,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Password list Search Engine Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl:-cfg in(?:text|body):enable password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371036,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:ventrilo_srv\.ini adminpassword" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371047,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:server\.cfg rcon password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371065,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:grc\.dat in(?:text|body):password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371080,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:lilo\.conf filetype:conf password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371114,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:ospfd\.conf in(?:text|body):password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371119,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:zebra\.conf in(?:text|body):password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371120,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:wvdial\.conf in(?:text|body):password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371133,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:log inurl:password\.log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371137,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:properties inurl:db in(?:text|body):password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371143,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:changepassword\.asp" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371440,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:changepassword\.cgi -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371590,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "please enter a valid password! inurl:polladmin" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373698,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "web-based management please input password to login" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373702,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "in(?:text|body):master account domain name password inurl:/cgi-bin/qmailadmin " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373740,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "you can now password \| this is a special page only seen by you\. your profile visitors inurl:imchaos" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373991,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:wp-login\.php register username password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:372283,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "please re-enter your password it must match exactly" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371018,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "\+htpasswd \+ws_ftp\.log filetype" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371034,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "parent directory \+proftpdpasswd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371048,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "autocreate=true password=\*" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371108,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "your password is \* remember this for later use" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371115,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "access denied for user using password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371212,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "dumping data for table ?(?:user|passw)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371391,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "site info for enter admin password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371715,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:index.of.(?:password|protected)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371646,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "inurl:passlist\.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373154,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecMarker END_RECON_CHECKS_PASSWORD
SecRule REQUEST_HEADERS:Referer "ext:" "id:333893,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:329543,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_EXT"
SecRule REQUEST_HEADERS:Referer "ext:inc pwd= uid=" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371058,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:ini version=4\.0\.0\.4 password" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371076,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:ini eudora\.ini" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371077,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "liveice configuration file ext:cfg" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371090,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:urchin \(5\|3\|admin\) ext:cgi" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373261,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "contacts ext:wml " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371263,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:dca dca" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371272,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:ccm ccm -catacomb" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371273,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:cdx cdx" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371274,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:dbf dbf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371275,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:jbf jbf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371276,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:ics ics" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371278,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:reg username=\* putty" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371292,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:dat bpk\.dat" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371305,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:vmx vmx" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371310,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:vmdk vmdk" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371311,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:pqi pqi -database" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371312,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:gho gho" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371313,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:txt final encryption key " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371316,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "microsoft \(r\) windows \* \(tm\) version \* drwtsn32 copyright \(c\) ext:log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371318,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:conf nocatauth -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371327,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:ldif ldif" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371346,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:log software: microsoft internet information services \*\.\*" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371349,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:member login note: your browser must have cookies enabled in order to log into the site\. ext:php or ext:cgi" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373756,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:cgi intitle:control panel enter your owner password to continue!" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373788,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:cfg radius\.cfg" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371938,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:middle frame of videoconference management system ext:htm" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373107,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "ext:dhtml intitle:document centre\|\(home\) or intitle:xerox" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373131,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecMarker END_RECON_CHECKS_EXT
SecRule REQUEST_HEADERS:Referer "filetype:" "id:333894,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:329544,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_FILETYPE"
SecRule REQUEST_HEADERS:Referer "intitle.*php shell.*enable stderr.*filetype:\.?php" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:350016,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vulnerable App Search Engine Recon attempt'"
SecRule REQUEST_HEADERS:Referer "phpkonsole phpshell filetype:php" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:373226,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:php haxplorer server files browser" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371027,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:bak createobject sa" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371046,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "admin account info filetype:log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371053,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:inf sysprep " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371068,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:inc mysql_connect or mysql_pconnect" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371075,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:log see `ipsec --copyright" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371081,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:mdb wwforum" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371096,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ini wcx_ftp" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371099,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:conf oekakibbs " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ini servudaemon" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371106,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:pwl pwl" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371110,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:pwd service" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371121,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:sql \+identified by -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371123,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ldb admin" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371124,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:cfg mrtg target\[\*\] -sample -cvs -example" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371125,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:dat wand\.dat" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371126,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ini \+ws_ftp \+pwd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371129,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "signin filetype:url" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371127,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:inc dbconn" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371132,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:conf slapd\.conf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371135,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:reg reg hkey_current_user sshhostkeys " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371140,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "eggdrop filetype:user user" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371147,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:reg reg hkey_current_user sshhostkeys" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371248,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ps ps" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371269,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:qbw qbw" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371270,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "mysql dump filetype:sql 21232f297a57a5a743894a0e4a801fc3" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371281,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ora tnsnames" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371282,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ctt msn" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371296,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ctt contact" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371297,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:blt buddylist" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371299,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:myd myd -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371321,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:config web\.config -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371322,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ns1 ns1" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371323,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:pst pst -from -to -date" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371325,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:vcs vcs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371348,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:asp dbq= & server\.mappath\(\*\.mdb\)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371351,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:pdb pdb backup \(pilot \| pluckerdb\) " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371352,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:reg terminal server client" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371355,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:rdp rdp" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371356,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:bkf bkf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371358,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:qbb qbb" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371359,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:qdf qdf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371361,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:cfg auto_inst\.cfg" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371368,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:fp7 fp7" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371369,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:fp3 fp3" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371370,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:fp5 fp5 -site:gov -site:mil -cvs log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371371,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ora ora" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371374,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "data filetype:mdb -site:gov -site:mil" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371381,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "begin \(certificate\|dsa\|rsa\) filetype:csr" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371387,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "begin \(certificate\|dsa\|rsa\) filetype:key" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371388,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "e-mail address filetype:csv csv" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371389,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:mny mny" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371392,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:ctt ctt messenger" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371395,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:log access\.log -cvs" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371406,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:log cron\.log" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371407,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:wab wab " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371412,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "mysql dump filetype:sql" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371432,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "robots\.txt \+ disallow: filetype:txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371452,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "phpmyadmin mysql-dump filetype:txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371461,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:htaccess basic" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371464,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:wsdl wsdl" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371603,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:cnf my\.cnf -cvs -example" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371604,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:pl download: suse linux openexchange server ca " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371860,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:cfg login loginserver=" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371871,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "filetype:r2w r2w" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371887,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecMarker END_RECON_CHECKS_FILETYPE
SecRule REQUEST_HEADERS:Referer "(?:index.of|result index on line)" "id:333895,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:329545,t:none,pass,nolog,noauditlog,skipAfter:END_RECON_CHECKS_INDEX"
SecRule REQUEST_HEADERS:Referer "intitle:index of \.(?:sh_history|bash_history)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371013,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of \.diz \.nfo last modified" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371298,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of \* admin news\.asp configview\.asp" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371336,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of inbox dbx" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371433,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of ws_ftp\.ini" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371445,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of dead\.letter" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371446,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of apache server at" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371447,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of.(?:etc|passlist|administrators|sites.ini)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371159,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of cgiirc\.config'" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371459,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of haccess\.ctl" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371465,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of*config" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371610,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of robots\.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371469,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of web-inf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371620,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of /maildir/" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371621,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of abyss\.conf" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371630,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index.of / stats merchant" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371635,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of sc_serv\.conf sc_serv content" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371072,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of passwords modified" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371113,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of trillian\.ini" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371155,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of config\.php" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371161,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of\.\.etc passwd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371162,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of spwd\.db passwd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371163,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of \.htpasswd htgroup" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371164,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of \.htpasswd htpasswd\.bak" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371165,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of pwd\.db" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371166,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of master\.passwd" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371167,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of passwd passwd\.bak" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371168,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of people\.lst" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371169,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of \.mysql_history" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371171,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of upload size parent directory" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371333,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of cookies\.txt size" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371378,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of \+myd \+size" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371383,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of mysql\.conf or mysql_config" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371409,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "mystuff\.xml intitle:index of" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371462,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of mt-db-pass\.cgi" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371472,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of finances\.xls" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371474,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of finance\.xls" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371475,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of dbconvert\.exe chats" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371476,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of \* mode links bytes last-changed name" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371490,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of / modified php\.exe" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371606,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of /cfide/ administrator" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371631,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of parent directory desktop\.ini site:dyndns\.org" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371633,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of /phpmyadm" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371648,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of cfide" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371659,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index of c:\\windows" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371661,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index\.of\.personal" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371660,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index\.of\.secure" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371666,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index\.of\.winnt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371667,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index\.of\.private" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371668,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "intitle:index\.of\.secret" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371669,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index.* perform\.ini" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371009,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of / lck" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371010,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of / upload" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371017,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of ?/ ws_ftp\.ini parent directory" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371097,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "unable to jump to row on mysql result index on line" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371175,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of / chat/logs " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371430,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of rar r01 nfo modified 2004" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371624,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index.*of\.dcim" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371638,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of / picasa\.ini " "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371645,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of /network last modified" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371651,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of cgi-bin" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371658,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "index of /backup" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:371670,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecRule REQUEST_HEADERS:Referer "copyright 2010\. software index" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,id:372393,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Search Engine Recon Attempt for sensitive information'"
SecMarker END_RECON_CHECKS_INDEX
SecMarker END_RECON_CHECKS_DLP_ALL

42
nginx-waf/80_asl_proxy_abuse.conf Normal file
View File

@ -0,0 +1,42 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2016 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,severity:2,id:'356137',t:none,capture,block,rev:'2.2.6',msg:'Atomicorp.com WAF Rules: Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code}"
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "t:none"

33
nginx-waf/98_asl_jitp.conf Normal file
View File

@ -0,0 +1,33 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Just In Time Patches for Vulnerable Applications Rules for modsec 2.5.11
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2010 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS and CONTRIBUTORS AS IS
# and ANY EXPRESS or IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY and FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER or CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, or
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS or SERVICES; LOSS OF USE, DATA, or PROFITS; or BUSINESS
# INTERRUPTION) HOWEVER CAUSED and ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, or TORT (INCLUDING NEGLIGENCE or OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

32
nginx-waf/999_asl_truestats.conf Normal file
View File

@ -0,0 +1,32 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
#
# Copyright 2020 by Atomicorp, Inc. all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#

5128
nginx-waf/99_asl_jitp.conf Normal file
View File

File diff suppressed because it is too large Load Diff

1
nginx-waf/bad_agents.txt Normal file
View File

@ -0,0 +1 @@
Put your bad agent strings in this file

24
nginx-waf/conf/00_mod_security.conf Normal file
View File

@ -0,0 +1,24 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
modsecurity on;
modsecurity_rules_file /etc/httpd/modsecurity.d/tortix_waf.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/00_asl_whitelist.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/00_asl_x_searchengines.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/00_asl_y_searchengines.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/00_asl_z_antievasion.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/00_asl_zz_strict.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/01_asl_content.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/03_asl_dos.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/05_asl_exclude.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/10_asl_rules.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/11_asl_data_loss.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/12_asl_brute.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/20_asl_useragents.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/30_asl_antispam.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/31_asl_urispam.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/50_asl_rootkits.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/51_asl_rootkits.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/60_asl_recons.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/61_asl_recons_dlp.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/98_asl_jitp.conf;
modsecurity_rules_file /etc/httpd/modsecurity.d/99_asl_jitp.conf;

87
nginx-waf/conf/nginx.conf Normal file
View File

@ -0,0 +1,87 @@
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
daemon off;

24
nginx-waf/conf/tortix_waf.conf Normal file
View File

@ -0,0 +1,24 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRuleEngine on
SecRequestBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecUploadDir /tmp
SecUploadKeepFiles off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLog /var/log/nginx/audit_log
SecAuditLogParts ABIFHZ
SecCookieFormat 0
SecDataDir /tmp
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecRequestBodyLimit 134217728
SecResponseBodyLimitAction ProcessPartial
SecRequestBodyNoFilesLimit 1048576
SecAuditLogDirMode 0770
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
SecResponseBodyAccess on
SecCollectionTimeout 86400

0
nginx-waf/domain-blacklist-local.txt Normal file
View File

43
nginx-waf/domain-blacklist.txt Normal file
View File

@ -0,0 +1,43 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2013-2021 by Atomic Corpate Industries Inc. , all rights reserved.
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
thelounge.net
www.nioki.fr
www.timkendall.ca
android.telrock.net
web.telrock.net
muslim.purplesphere.in/
men.sexblog.pw/
currency-trading-brokers.com
fakepassportonline.cc
musclegainer.org
talkwithwebvisitors.com

3
nginx-waf/domain-spam-whitelist.conf Normal file
View File

@ -0,0 +1,3 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# This file has been migrated to domain-spam-whitelist.txt
#

1
nginx-waf/domain-spam-whitelist.txt Normal file
View File

@ -0,0 +1 @@
.googlesyndication.com/pagead/ads?client=

1
nginx-waf/dos_protected.txt Normal file
View File

@ -0,0 +1 @@
xmlrpc.php

0
nginx-waf/honeypot-files.txt Normal file
View File

2874
nginx-waf/malware-blacklist-high.txt Normal file
View File

File diff suppressed because it is too large Load Diff

0
nginx-waf/malware-blacklist-local.txt Normal file
View File

0
nginx-waf/malware-blacklist-low.txt Normal file
View File

930
nginx-waf/malware-blacklist.txt Normal file
View File

@ -0,0 +1,930 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2013-2021 by Atomic Corpate Industries Inc. , all rights reserved.
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
104.27.148.147/
108.179.234.91/
109.234.35.90/
116.125.126.111/
118.130.191.213/
119.75.205.178/
125.161.39.94/
1268vip.com/
173.15.111.29/
173.236.65.24/
177.11.48.237/
180.210.205.209/
185.44.105.7/
190.196.132.14/
195.154.165.135/
195.154.73.79/
195.225.34.101/
198.101.206.138/
200.49.148.95/
200.98.146.61/
200.98.164.3/
201.245.129.42/
202.150.216.211/
208.115.220.82/
210.1.60.156:2082/
212.7.217.117/
213.246.61.125:2082/
213.5.177.196/
217.218.225.2:2082/
37.46.133.10/
46.4.121.189/
62.210.92.9/
65.61.103.76/
66.196.254.130/
6thavenueelectronics.net/
77.65.23.211/
78.46.100.45/
78.46.49.57:21502/
.80systemerroralertcode22.com/
82.196.10.226/
86.55.140.203/
89.248.172.139/
919vn.com/
94.199.51.7/
99.153.29.240/
aarc.dz/
ableoccassion.com/
absolutelycute.net/
academicotogas.com.br/
.actions.ro/
.actualitatea-romaneasca.ro/
adbirdie.com/
ad.dipad.biz/
.adk2x.com/
admpi.com.br/
adobesecurupdate.com/
.advantagewg.com/
aefgh.org/
aegv.pt/
aeronager.com/
.aimeezingdaycare.com/
.airmax90.party/
.albumpalavra.com.br/
alert-sa.com/
.alhikmahsby.com/
allfilesdownload.us/
almadanews.com.br/
almamatez.com/
ampm2u.pw/
.analprolap.se/
andopol.pl/
androidepisode.com/
angelhelper.co.kr/
.angelsagency.com/
.anilorak.com/
antichat.ru/
antoniopastor.com.ar/
anything2u2.org/
anythingforwp.com/
aodaikhoanguyen.com/
aplikacii.com/
apollo5go.com/
apple.gifts-centers.com/
applehelp.net/
aquariusandaquarius.com/
.arabrelevance.com/
arestoscosmeticos.com.br/
asianon.co/
asianons.net/
.attack.com/
auction.pennytrail.com/
.audytor.conlex.pl/
austeal.com/
avanti-pizza.ch/
avarsky.ru/
.avsbackup.com/
awesome4wp.com/
awfwow.net/
babycaleb.axspace.com/
badglorry.in/
badwolff.pw/
.barba2.com.ar/
barra.uol.com.br/
.batoma.com.au/
.bcvziy.com/
bestbooksfiles.com/
bestnulledscripts.com/
bethelphotoworks.com/
betube.co.uk/
bimlolgroup.in/
.binkleyapples.com/
biofoodey.org/
.blackgreenfoods.com/
blackmorgana.com/
blacknite.eu/
blacktitan.org/
.blackwellbusiness.com/
.blankchair.com/
bleury.fr/
blizfone.cf/
blogger.comxvas.tk/
blogg.tommi.nu/
bokoinchina.com/
.bridgenote.com/
bringletorn.biz/
bubblebanks.com/
bukirda.com/
bvbbo.nl/
by-scr43z1.com/
c99txt.net/
.cafebacon.com/
.calagaz.net/
callmenauw.net/
canadaimmigration-visa.com/
canvila.org/
carandfly.net/
carandflys.info/
carnk.com/
carruess.org/
carterinfect.alwaysdata.net/
.carunalnik.org/
casefollowup.com/
.cathyerdmann.com/
cbsfree.com/
ccteam.ru/
.cderlearn.com/
.cdlvilavelha.com.br/
.cgilvicenza.it/
chairguy.pw/
chansteel.in/
.chantier-allemand.com/
checkournewsoft.com/
.cheer.hk/
chinese-foods.info/
chinesemaster.biz/
chinesemasters.pw/
.ciderspace.ch/
.cigdemsporkulubu.com/
.cirend.com.ar/
cirter.com/
clarkcopperheadgaskets.com/
cleanmsgs.com/
clevervc.com/
com-00-northamerica.com/
com-e84.net/
comerciodeitapolis.com.br/
compraourocard.web563.kinghost.net/
computersystemalert.com/
.confeitariabombocado.com.br/
conopizzavenezuela.com/
constructioncalcs.com/
contactpchelp.com/
content-into-cash.com/
cooperdup.mx/
copa-armada.clubnaval.mil.ec/
couponsonakeychain.com/
cpanel.host-ed.net/
cprnash.com/
.creativebooster.ro/
crediyasa.com/
crime-style.org/
csi-tavira.com/
cti-tech.cn/
cuttscan.org/
d1.flnet.org/
dailynulled.com/
damocom.net/
danbarton.in/
daramusic.org/
daramusics.com/
dayddb.com/
dayoo.co/
deadmary.biz/
default7.com/
.deportesenfotos.com/
deutz-marine.com/
.dgodns.net/
diagranti.com/
diamloisirs.infoconnect.re/
didus.org/
.diendanceo.vn/
.dionmorrow.com/
distinctfestive.com/
divisits.com/
dmmjav.com/
doa.go.th/
domaincop247.com/
domesistance.com/
domitian.net/
dondom.co/
donutjs.com/
download.goobzo.com/
dragoncrew.org/
dreamknow.net/
drummercoo.info/
d-s.co.kr/
dudelman.biz/
dudelmans.info/
dundaroil.basgec.org/
duringsha.com/
dynamicxor.com/
easibilitary.com/
editprod.waterfilter.in.ua/
eezdownloads.com/
efax.pfdregistry.net/
efraincolombo.com.ar/
eidk.hopto.org/
eikonsmedia.com/
ekitap.in/
elearning.sace.it/
electradev.info/
electronicfrontierfoundation.org/
.elian.asia.lk/
.eliteteamsite.com/
.el-manhal.com/
.elmillero.us/
emilyg.info/
enamorarlas.com/
.encostadolago.com.br/
envymagazine.ca/
.envytations.net/
ergofilling.com/
.ergunpneus.be/
esd.nzs.com.br/
eshop.earmy.cz/
.esmacu.org/
esportal.in/
esportals.biz/
etymologi.in/
eurolips.in/
.euroquipe.ie/
eurosystems.it/
evolution-store.net/
fabulousall.net/
.faret.cn/
fatrats.in/
fbguns.pw/
.fefnjefb.in/
fewo-appartement-siegen.de/
fighter-writer.org/
filesmonster.porn/
.fileversion.net/
fimfoo.net/
findoki.net/
.fing.usach.cl/
firstpagesearch.com.au/
.fisheries.go.th/
.fisiopremium.com.br/
fixpc99.com/
flashpotdesigns.com/
florenses.xyz/
.fmdevelopersnetwork.com/
fmdons.com/
fmfn.in/
fmfoo.in/
foltimaks.biz/
.fonarick.com/
foodeyo.biz/
foodrumer.com/
foodrumers.co/
foolazylady.pw/
foosample.info/
foosamples.com/
.fordfixer.net/
forestaunicorni.altervista.org/
fotogirl.ca/
fraudsteel.com/
free3dprint.cf/
freeapart.in/
freeaparts.org/
freeforwp.com/
.free-iphone6s.com/
.freelotto.com/
freemiumscripts.com/
froggerbobber.com/
frogprogs.biz/
.fservers.net/
fsquaredmedia.com/
ftp.90plan.ovh.net/
ftp.freehostia.com/
ftp.service-web-host.pagebr.com/
ftp.uhserver.com/
ftp.volleyclubmaconnais.fr/
ftp.vveijsden.nl/
full-comandos.com/
funpixhawaii.com/
futurecomtechnologies.com/
g-analytics.biz/
gay-file.com/
gazetashqiptareonline.com/
.geekgadget.net/
geekube.com/
gencan.in/
genejtrack.com/
generalop.in/
generalops.biz/
.gessorosarinho.com.br/
getnulledscripts.com/
.getonnow.net/
gezidotojyk.org/
.gezondtea.com/
.gfx-loop.com/
ggjghhfhfh.com/
.ghanachambertakoradi.org/
giveourlife.org/
glendalehills.am/
glentools.in/
.glory-korea.com/
gngoo.com/
goldcashin.net/
.goodigood.com/
goodoo.biz/
.gorenergo.com/
graphizma.com/
.grasp-press.co.uk/
greataudiosdownloads.com/
greatvideosdownloads.com/
groundrealty.co.in/
.groupe-rouquette.com/
guitarland.in/
guitarlands.biz/
guruincsite.com/
.gymelitys.ca/
.gynecologicalendocrinology.org/
.gyomainyaralo.hu/
h4cker.tr/
hadyagifts.com/
hamstelbeer.biz/
hantersid.biz/
hanterwall.pw/
.harrisoncarlos.net/
hashcrack.com/
hashcracking.info/
hbo4free.info/
.hcchb.gov.tw/
.heliconsystems.com/
heliomros.com/
.hidayah.edu.my/
higrees.in/
holegirl.eclub.lv/
hollahup.me/
.holleyberry.com/
.honbu.fi/
honeybun.in/
horskypramen.cz/
hortwava.com/
hotlogupdate.com/
http:/404-errors.info/
huntergil.biz/
.i4rent.de/
.ickray.com/
.ifriqiyah-site.com/
iglesembalagens.com.br/
ignews.co/
igooglecache.com/
images.imagenetcom.com/
inctwo.com/
.inesmariaalcalde.com/
infopromo.biz/
inmessagealert.com/
insta.reduct.ru/
interstech.info/
iosalert-error.com/
iosclean.com/
ios.crashreport.info/
ios-errors.com/
iossecurityalert.com/
iscanth.org/
.islandvillasbali.com/
.istanbuldenizotobusu.com/
izplace.com/
.jaintv.com/
.jasa.adv.br/
javrip.net/
.jeetatl.com/
.jejucasa.com/
jewelrydna.com/
.jjctv.com/
.jkladesign.com/
joioiskioeriyyskwkdwjsdfewis.land.ru/
joncon.in/
.josianeguss.com/
.jpetrusbar.com/
jquery-code.su/
jquuery.com/
jsacademys.net/
juicycouture.com.au/
julianus.net/
.k7-gd.com/
kadjisquare.com/
kajtus.webd.pl/
.kantorrico.pl/
kelmanstar.biz/
kereny.ro/
kesi.granc.hu/
k-fish-ka.ru/
kilmarnockbaptist.org/
.kirimcara.com/
kittsburg.com/
kmbc-thai.com/
.kolaka.gr/
kolmen.org/
kolmens.com/
konstantine.ru/
.kontjokenthel.com/
koouse.pw/
kortech.cn/
krasnayadama.info/
kreotceonite.com/
.kriko-car.hu/
.ksma.or.kr/
.kunjungiindonesia.com/
.kyra.ae/
ladiesdehaan.be/
.lanmanserver.com/
largelicacy.com/
laskeygen.net/
laspeores.com.ar/
layfoster.net/
.ldsa.ca/
lennartobdam.nl/
lightingcentre.co.uk/
likebugs.in/
.limitlessnewworlds.com/
lincomers.com/
lincorporato.com/
listen2u.info/
littjohnwilhap.ru/
.logitec.se/
longlifeweld.com.my/
.lopburicoop.com/
.lostbrundageit.com/
losticloud.6te.net/
macattention.in/
mac-health-support.com/
mac-online-support.com/
macrinus.net/
mac-security.com/
madleets.com/
maika-pujales.es/
maisconquiste.com/
maisurpreenda.com/
maraca.hut2.ru/
.maragusa.com.br/
marcelotaiette.sites.uol.com.br/
martinkroesen.nl/
marzs.ru/
masterprotect.ir/
mathlow.co/
mawnew.com/
mawnews.in/
.mayallgogogo.com/
mbrowserstats.com/
mdplaza.co.id/
mediasearchdirect.com/
.megalolik.com/
.meliston.com/
menko.co/
menotepoer.com/
.menyudnya.com/
mermodynamic.com/
mfileshare.com/
microsoft-securety.com/
micrrosoft.net/
mightywordpress.com/
milahoney.org/
milkaxe.biz/
miniboxmaysa.com/
.miuzu.com/
mobileappsmpire.com/
.mobilunion.de/
.mobmusik.com/
mo-fa.etowns.org/
moneycot.org/
moongreen.info/
morenewmedianow.com/
mostelpay.com/
.motorgrup.ro/
mountil.com/
movemorey.in/
mp3raagam.net/
msdnscripts.com/
.mslcomputers.com.au/
mtvboard.biz/
mtvboards.com/
mtvfree.com/
mtvnye.com/
mukasore.xyz/
mundo.busca.uol.com.br/
.mundo-nipo.com/
.muniquilicura.cl/
.muslimrulers.com/
.mutiarabangsa.sch.id/
.mvctecnologia.com.br/
mydigitalfinderone.com/
.myhanbando.com/
mymodule.waterfilter.in.ua/
nanogrades.net/
.ncprd.org.ng/
.nep.go.th/
newfastmediasearcher.com/
newtester2012.atspace.co.uk/
nezlobudnya.com/
nikonographer.ru/
ninoceram.ir/
nkpage.info/
nkpages.net/
.nodong119.co.kr/
nonsensefood.org/
novotempolivraria.com.br/
nuday.net/
nudays.biz/
nulledirectory.com/
nulledlistings.com/
nullednet.com/
nulledstylez.com/
nulledwp.com/
nullit.net/
nutragate.com/
.oglcommunity.de/
one2shoppee.com/
onesource.com.my/
onlinebooksfiles.com/
online-mac-issues.com/
onlinestore.az/
orgfoo.com/
orroa.org/
.ortodontiacorretiva.com.br/
.otherhumanerrors.com/
outletginess.net/
oya2.net/
oz.publikum.sk/
.ozsportsbikes.com/
pader-g.org/
painreliefsite.com/
.pakning.net/
.panhandleflyers.com/
paperplanet.co/
paperplanets.info/
paperplanez.info/
.parallell.ru/
.pasukanjihad.com/
pbdewilgen.nl/
pcassists.info/
pc-errors-notice-1a.com/
pcsafe.us/
.pcts.or.kr/
.pdinahar.com/
.perkinsbraden.com/
phtmllaudanskis.chat.ru/
pic2take.pw/
pic2takes.biz/
pointacademy.kr/
pointern.com/
pokerchips.t35.com/
pollackandball.com/
.pomegranateatthemarket.net/
portaldasmaquinas.net/
portaldoheavymetal.org/
private.directinvesting.com/
privatepaste.com/
privatepracticesecrets.com/
privc0de.com/
prodajpricu.com/
progman.in/
progmans.co/
.programasm.com/
programasm.com/
prolinkirc.org/
promediasearch.com/
.prototypeevolution.com/
psykopatico.altervista.org/
.pueblotricolor.com/
pwn.nixon-security.se/
qbfdq.com/
qualityhost.in/
quatlam.com/
questart.com.pl/
quoteboll.biz/
r57.gen.tr/
.radioretro.com.br/
ramakit.biz/
.ratu-bigsale.com/
raymybe.in/
realanalytics.pro/
.realdanube.sk/
realstatistics.info/
realstatistics.pro/
recognizereality.com/
remotecomputertechhelp.info/
.rerickey.com/
revistaelshaddai.com/
.rgsnewcastle.co.uk/
.riffserver.com/
.riftenterprises.com/
.rinconluismiguel.com.ar/
ringostar.in/
rishtofish.pw/
ritsoperrol.ru/
roadsiderescue.com.au/
.rollemont.com/
.rudyprojectchina.com/
.ryko89.com/
safari-net-help.com/
.sakulejo.com.br/
.salonladym.ro/
sameyouto.com/
saveclip.net/
scamadviser.com/
sceniceyou.pw/
.scoalamirceaeliadepitesti.ro/
.scratchstudio.org/
scriptb.com/
security.belayadama.info/
securityupdatealert.com/
securitywarns.com/
seektoexplore.com/
seikatsuichiba.com/
seo-moz.com/
seo-position-report.net/
.seoulpainclinic.com/
.seranteshotel.com.br/
.serextprevencion.com/
services.paypai.com/
sh3ll.org/
shaunandpaige.com/
.showgirls.com.br/
sikum.com/
.silverbell.org/
silverbell.org/
singletwo.net/
siteanalytics.pro/
sitenko.biz/
.sklep.klichowicz.pl/
slaveralled.com/
sleepyvillage.ca/
slimflicker.in/
slmseguros.es/
smung.spo.moph.go.th/
snap-u.com/
.soccerageclub.com/
.sokut.ir/
.sonhoencantadonet.com/
.space-cs.com/
spearanoia.org/
.spgrepair.ca/
sponsistorm.com/
sportcen.com/
sportscen.org/
.spygrup.org/
stablehost.us/
.star-games.be/
starmediasearcher.com/
stedentrip-europa-aanbieding.nl/
stedentrips-aanbieding.nl/
steinteppiche.ch/
.stencel.co.uk/
stonerock.in/
stonerocks.net/
stranges.info/
stranieistor.com/
studentwine.co.uk/
.studiolegalemanzi.com/
suppornet.ca/
support-firewall.info/
support-pc-now.com/
supports.link/
.suroot.com/
surpreendase.net/
system-connect.com/
system-logs.info/
systemsecurities.info/
systemsecurityalert.com/
tablemaster.in/
tablemasters.org/
tailines.com/
talool.net/
taxiairportpop.com/
.technologyventures.info/
techsupport247.org/
.tecnilibro.com/
.tecnopes.com.ar/
.tecnopoly.it/
.temporel-voyance.com/
termrock.com/
termrock.in/
test0.com/
test246.com/
test557.com/
test5.xyz/
testadordesit.com/
tester2012.h19.ru/
.theatre-lumiere.com/
the-unforgiven.org/
thevintagebar.co.uk/
thexorandor.in/
throughluk.net/
.thurz-x.net/
tioandino.com/
tipesh.biz/
.tkfisher.org.tw/
.tlcdf.com/
.todo-comercial.com.ar/
.tonyveiculos.com.br/
.too-oop.com/
.topinstructoriauto.ro/
topnulledownload.com/
totustuus.or.kr/
trafficanalytics.online/
.trafficsyphon.com/
traffictrade.life/
trailmorey.com/
.transmetro.gov.co/
.transposagenbio.com/
travelsans.pw/
traveltrainer.info/
trimtoroot.com/
tshirtsforsale.co.za/
.tsogcherbalcare.com/
tunegrotto.com/
turnfest.im/
.turuzzonatale.it/
twomath.biz/
.ubat-ff.com/
.ubertom.com/
.uccl-sa.com/
uganonym.com/
.uniaogaucha.org/
uniglader.biz/
universonutri.com.br/
.upandrunnin.net/
.update4ever.xyz/
urlmediafiles.com/
validation.co.kr/
.vebiromania.ro/
.vesti-ua.net/
video-vk.ru/
villagesun.in/
vipsbr.50webs.com/
virusprotectionteam.com/
virusscanalert.com/
virus-scanner.info/
.visaginas.org/
vivalites.biz/
.vmsupply.com/
vmsupply.com/
voca.or.kr/
void.ru/
voudevisa.1gb.ru/
.w0135cyber.net/
wagrain-jugendferien.at/
wardie.dhhsptsa.net/
.weberei-brey.de/
web-esi.com/
webhalf.info/
web-plasa.com/
.webproof123.hdfree.com.br/
websiteacademy.biz/
websitesdesignaffordable.com/
.websnatchers.ro/
webstatistics.pro/
.welawfl.com/
wendami.me/
wikiqedia.biz/
wikiqedias.com/
wilcarobbe.com/
will2012.atspace.co.uk/
windowsdesk.net/
.winjeprijs.com/
wonderfails.net/
wordpresscore.com/
wordprssapi.com/
worldbooksdownloads.com/
worldcut.biz/
worldcute.biz/
worldofhosting.com/
wp-blogstats.com/
wp-nulled.com/
.wushu.org.ge/
wutangclan.ru/
.wuyoubaomu.net/
x01.mirc.com.gr/
.xbox360-kinect.nu/
xenonstyles.net/
xgps150.dualav.com/
xiaoguizi.gotgeeks.com/
xn--pn3b8j57geyi6c.kr/
xreyuk.co.uk/
.yetaotao.com/
y.healing-our-deepest-wounds.com/
yoctotemplates.com/
.youfuze.com/
yourfreemediadownloads.com/
yournetmediastore.com/
yourpromptdownloader.com/
yoursoftwareplace.com/
zarafan.org/
.zeroredirect2.com/
zimlooks.com/
zolokit.biz/
zoneoflive.com/
raw.githubusercontent.com/xmrstudio/
setforconfigplease.com/
getmyfreetraffic.com/
clevertrafficincome.com/
hellofromhony.org/
notifymepush.info/
pushmeandtouchme.info/
recaptcha-in.pw/
destroyforme.com/
.hognoob.se/
fid.hognoob.se/
requestbit.com/
93.158.203.156/
requestbit.com/
requestegg.com/
requestmob.com/
99request.com/
101request.com/
request101.com/
drrequest.com/
rerequest.com/
tryrequest.com/
requesttip.com/
requesthd.com/
hdrequest.com/
requestbee.com/
itenvoirtech.com/
javayousave.com/
mageuserland.com/
pollocart.com/
productjstech.com/
succescripts.com/
upgradenstore.com/
straproduct.com/
userlandit.com/
openyourass.club/
collectfasttracks.com/
destinyfernandi.com/
digestcolect.com/
stivenfernando.com/
trackstatisticsss.com/
traffictrade.life/
yourservice.live/
adsnet.work/
cdn-filestore.com/
nativeredir.tk/
localhostnametable.com/
shellx.org/
kostunivo.com/
chishir.com/
mangoclone.com/
onixcellent.com/
digitalcollege.org/
freescanonline.com/
deftsecurity.com/
thedoccloud.com/
virtualdataserver.com/
incomeupdate.com/
zupertech.com/
databasegalore.com/
panhardware.com/
avsvmcloud.com/
kubecloud.com/
seobundlekit.com/
solartrackingsystem.net/
virtualwebdata.com/
supernetforme.com/
superwebbysearch.com/
.dontkinhooot.tw/
wibuheker.com/
23.106.253.151/
185.213.209.151/
canarytokens.com/
log4shell.huntress.com/
jswl.jdaili.xyz/
209.141.33.141/
cheatmod.org/

443
nginx-waf/malware_names.txt Normal file
View File

@ -0,0 +1,443 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2013-2021 by Atomic Corpate Industries Inc. , all rights reserved.
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
0d4y.php
0day.gif
0day.jpg
0day.php
0wn3d.php
0wned.php
/11.php
/1ndex.php
/22419126.php
24l9khjt.php
/3xp.php
404.php.jpg
/70be.php
/70bex.php
/80cams.php
/90sec.php
ahihi.aspx
/allnet.jpg
allsoft.pl
/alwso.php
/anak.txt
antichat.php
antisecshell
antisux.php
/api/getn.php
appfileexplorer
/arab.indonesia.php
/asm/xyz/xyz/
autoshell.asp
autoshell.txt
/azenv.php
b374k-2.8.php
backdoor.php
/bad.php
/batuk.php
/bbb.php
bdotw44shell
/bhkt.php
/bkht.php
/blackmuscats
blackunix.php
/blekt.php
/borong.php
/botshell.jpg
/bshxgj.
/bt.php
/burung.php
/byroe.jpg
/byroe.php
c100.php
c100.txt
c99.php
c99.txt
cache/cachee.php
cache/css.php
cache.uniq_04793.php
/canz.php
ccccc.php
cfexec.cfm
.cgi?8
cgi-telnet
cgitelnet
/chinta.txt
cih.php
/cilik.php
cjpju91639.txt
/cliti.php
/clk.php?id=
cmd2.asp
cmd2.txt
cmd.asp
cmd-asp-5.1.asp
cmdasp.asp
cmd.dat
cmdjsp.jsp
/cmd.php
cmdshell
/cmdtvul.txt
cmdtvul.txt
/cmd.txt
/cocok.txt
/cok.php
colors/blue/engine_functions.php
command0.php
command0.txt
/command.php
/compiled/fwrite.php
conf_4cn.php
conf_7t9.php
/confgic.php
/confgi.php
Configss.php
/confi.php
conf_m46.php
content/engine/engine_config.php
coreunix.php
/count24.php
cpanel_cracker
/c.php
cr0t.php
crewid.txt
crypt/cipher/view.php
cse.dat
cse.php
custom-content-type-manager/auto-update.php
cx529.php
cx529.txt
/cxmqk.php
/cybercrime.php
cyberz
/daster.jpg
/ddos.txt
ddxdx.php
/diam.txt
diaosi.asp
/dm.php
/door.php
/dor/dor.php
/doyok.php
e7xue.php
efd7a0.php
elgass.cin
elrekt.php
engine/engine_restore.php
enigma2.php
equiangle.pl
/exposedbotnets.txt
/fdgq.php
fdgq.php
/firefoxz.php
/fonts_icon/15/icons.php
/fonts_icon/jg4/coder.php
fr33.php
fx29id
fx29sh
/ganteng.gif
.get.php
gh0st.php
google-assist.php
go.php.txt
gopni3g/story.php
haozk.asp
hardfind.php
hardfork.php
hijack.php
/hlep.php
horind.php
hospedagen.txt
/hphui.php
htacess.php
iblis.htm
/icons/brt/t.php
/icons/kntl/img.php
/ico/search.php
id1.txt
/id3.txt
/idl.txt
id-rfi.txt
/idscan
/id.txt
idx2.txt
/idx.txt
idxx.txt
/images/file.php5
imageshell.ph
images/Image/root
/images/stories/story.php
/inc/admin/cached.jpg
includes/cctm_communicator.php
/includes/joomla/database/database.php
includes/sysdata.php
indeeex.php
/indek.php
/indeks.php
/indice.pl
Indishell
indivision.pl
indoshell.php
/indx.php
/inedx.php
injectorthimthumb.php
injectortimthumb.php
/injektor.php
/injek.txt
_input_1_
_input_2_
_input_3_
_input__test
_input_test
jackrosejump_la
/jahat.php
/jgxfq.php
joomla_verkap.php
joomla_verzkd.php
js/bb.php
js/jquery.min.php
jsp-reverse.jsp
k4l0nk.php
kanjut.txt
khan.php
lala.php
/laravel.php
l_backuptoster
/lc_9.php
lib/fuck-the-usa.txt
/libraries/joomla/jmail.php
/libraries/lol.php
linuxdaybot
/lnnxy.php
/lobo-guara.txt
localroot.php
locus7shell
m3ksi.php
/mct.php
metri.php
mini-shell-backdoor
mistless.pl
/modar.php
morocanz.php
muakero.php
muieblackcat
/multiscan.txt
myluph.php
n3maplowercheck
naskleng.php
/neewsfeed.txt
/newinjector.txt
nigga.php
own3d.php
/owned.jpg
/owned.php
/ownz.txt
p0k3r
/parepare.txt
payment/datacash/fwrite.php
/payment/payment_authorizenet_aim_3_1.php
/payment_virtual_3D.php
/perasaan.php
perlcmd.cgi
peruzak.php
phpbb2_patch
phpbboops
phpbb_patch
/phpm3.txt
phpshell
/phpterm
/pithp.php
/plus/moon.php
/pmg.php
Portal0000.htm
pp104dd04a.php
/priv.php
/prolink.php
proxysx.gif
proxysx.php
proxysx.txt
pshyco
pwn3d.php
pwned.php
qiaogua.php
r00t.php
/r57.
r57-bd.txt
r57shell
rab3oun
racrew.php
/rebots.php
/.reg.php
/rel.php?id=
/reno.php
rms-script-ini
rms-script-mu
rms_unique_wp
/robots.txt.php
root~~
.root.php
/saerch.php
/sangatta.txt
scan1.0/scan/
searchreplacedb2.php
sec4ever.php
securi-fix.php
/sendme_old.txt
sfdg2
sh0.php
sh1.php
/sh2.php
sh3.php
sh4.php
shell0.php
shell1.php
shell2.php
shell3.php
shell4.php
shell5.php
shell6.php
shell7.php
shell8.php
shell9.php
shellbot.pl
sheller.txt
shell.php
/shellpvp.txt
shelltim.php
shell.txt
shell_vup
shelly.php
shipuden.php
/sh.php
/sh.txt
sinan.php
/skin/h2.php
som2.php
sourceinc15.php
sqlshell
src/up.txt
ssh2.php
/.stats.php
/stcp.php
/stmdu.php
/stph.php
suckmydick.php
suntzu
/sux.html
symchanger.php
sym/root
sys/cache.managed.php
/taisui.php
tangshi.php
terminatorx-exp
terminatorxexp
/teste.php
/themess.php
therules25
/tmp.php
too20.
tool20.php
/tool25.dat
/tool25.txt
/toolwar.php
trf/traf.php
trjnx/
/txt.php
/udd.php
UeXploiT
update_l8f.php
update_wjg.php
/upll.php
upload_5y9.php
upload_rry.php
upload_zco.php
upnew.php
USERNAME-WHMCS.TXT
uspas.txt
utf8gat
/viar.php
wdsadmin/autocomplete/error.php
/web.root
whm-myshop.TXT
wiki_up/gif.php
wiki_up/ion.php
wiki_up/jpeg.php
wiki_up/jpg.php
wp-2019.php
wp-autor.php
wp-cache.php
wp-conff.php
/wp_config.txt
wp-conns.php
wp-content/_input_
/wp-content/plugins/shell/
/wp-content/plugins/wp/
wpfootes.php
wpfoot.php
wp-fox.php
wp-includes/adodb.class.php
/wp-includes/css/modules.php
/wp-includes/ms-files-qu.php
wp-main.php
WPnBr.dll
/wp-sbb.php
wp-security.php
/wpstaff/wpstaff.php
/wp-strongs/wp-strongs.php
wp-system.php
wp-xmlrpc.php
wso.php
/wtheie.
xccc.php
xiaolei.php
/xia.php
xline7.php
xm1rpc.ph
xm1rpc.php
/xmlrpc-activate.php
xmlrpc-activate.php
/xmlrppc.php
xmlrppc.php
/xnjjj.php
xpl.php
/xsoul.php
/xt.txt
/xx.php
/ysyqq.php
ysyqq.php
/zaz.php
zbi_1.php
zbi_2.php
zbi_3.php
stager64
wp-plain.php

1040
nginx-waf/os_files.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1263
nginx-waf/php_function_names.txt Normal file
View File

File diff suppressed because it is too large Load Diff

19
nginx-waf/php_variables.txt Normal file
View File

@ -0,0 +1,19 @@
$argc
$argv
$_COOKIE
$_ENV
$_FILES
$_GET
$GLOBALS
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_RAW_POST_DATA
$HTTP_REQUEST_VARS
$HTTP_SERVER_VARS
$_POST
$_REQUEST
$_SERVER
$_SESSION

108
nginx-waf/sql.txt Normal file
View File

@ -0,0 +1,108 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2013-2021 by Atomic Corpate Industries Inc. , all rights reserved.
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
attnotnull
attrelid
atttypid
autonomous_transaction
dbms_java
'dbo'
information_schema.tables
mb_users
'msdasql'
msysaces
msyscolumns
msysobjects
msysqueries
msysrelationships
mysql.user
nvarchar
openquery
openrowset
pg_attribute
pg_class
sm3na_authors
sp_addextendedproc
sp_execute
sp_executesql
@@spid
sp_makewebtask
sp_oacreate
sp_password
sp_prepare
sp_sqlexec
sql_longvarchar
'sqloledb'
sql_variant
sys.all_tables
syscolumns
sysdatabases
sysobjects
sys.user_catalog
sys.user_constraints
sys.user_objects
sys.user_tab_columns
sys.user_tables
sys.user_triggers
sys.user_views
sysxlogins
tbcreator
user_ind_columns
user_objects
user_tables
user_users
utl_file
utl_http
varchar
@@version
xp_availablemedia
xp_cmdshell
xp_dirtree
xp_enumdsn
xp_execresultset
xp_filelist
xp_loginconfig
xp_makecab
xp_ntsec
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_terminate
tbladmins
@@VERSION--
dns.sqli.
db.collection.find

7719
nginx-waf/ssdeep-database.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1
nginx-waf/trusted-domains.conf Normal file
View File

@ -0,0 +1 @@
SecDefaultAction "log,deny,auditlog,phase:2,status:403"

0
nginx-waf/trusted-domains.txt Normal file
View File

3705
nginx-waf/waf-rule-list Normal file
View File

File diff suppressed because it is too large Load Diff

62
nginx-waf/waf_rule_config Normal file
View File

@ -0,0 +1,62 @@
# WAF version, Description, Filename, Config Token, Default, Severity
2.5.12,NULL,00_asl_0_global.conf,NULL,yes,NULL,NULL,NULL
2.5.12,NULL,malware-blacklist.txt,NULL,yes,NULL,NULL,NULL
2.5.12,RBL Ruleset,00_asl_rbl.conf,MODSEC_00_RBL,no,low,NULL,NULL
2.7.0,Bogus Search Engine Ruleset,00_asl_y_searchengines.conf,MODSEC_00_SEARCHENGINE,no,high,replaced-by-lua,2.9.0
2.6.6,Autowhitelist Search Engine Ruleset,00_asl_x_searchengines.conf,MODSEC_00_AUTOWHITELIST_SEARCHENGINE,no,low,NULL,2.9.0
2.6.1,Antievasion Ruleset,00_asl_z_antievasion.conf,MODSEC_00_ANTIEVASION,yes,high,NULL,NULL
2.7.0,Strict Multiform Ruleset,00_asl_zz_strict.conf,MODSEC_00_STRICT,yes,moderate,NULL,NULL
2.7.7,Threat Intelligence Ruleset,00_asl_z_aa_threat_intelligence.conf,MODSEC_00_THREAT,no,moderate,NULL,NULL
2.7.7,NULL,999_asl_threat_intelligence.conf,MODSEC_00_THREAT,no,moderate,NULL,NULL
2.7.7,NULL,99_asl_zzzz_threat_intelligence.conf,MODSEC_00_THREAT,no,moderate,NULL,NULL
2.5.12,Whitelist Ruleset,00_asl_whitelist.conf,MODSEC_00_WHITELIST,no,pass,NULL,NULL
2.5.12,Whitelist Ruleset,00_asl_accesslist.conf,MODSEC_00_ACCESSLIST,no,pass,NULL,NULL
2.9.0,Blacklist Ruleset,00_asl_blacklist.conf,MODSEC_00_BLACKLIST,no,pass,NULL,NULL
2.6.3,Advanced Antievasion Ruleset,01_asl_content.conf,MODSEC_01_RULES,yes,high,NULL,NULL
2.9.0,NULL,01_asl_content_z.conf,MODSEC_01_RULES,yes,high,NULL,NULL
2.7.8,Custom Domain block Ruleset,01_asl_domain_blocks.conf,MODSEC_01_DOMAIN_BLOCKS,no,pass,NULL,NULL
2.7.2,Slow Denial of Service Protection,03_asl_dos.conf,MODSEC_03_DOS,yes,high,NULL,NULL
2.9.0,Custom User Defined Honeypot Ruleset,06_asl_honeypot.conf,MODSEC_06_HONEYPOT,no,pass,NULL,NULL
2.9.0,NULL,honeypot-files.txt,MODSEC_06_HONEYPOT,no,pass,NULL,NULL
2.7.2,NULL,000000_asl_modreqtimeout.conf,MODSEC_03_DOS,yes,high,NULL,NULL
2.5.12,Exclude Ruleset,05_asl_exclude.conf,NULL,yes,pass,NULL,NULL
2.5.12,Anti-Malware Ruleset,10_asl_antimalware.conf,MODSEC_10_ANTIMALWARE,yes,high,NULL,NULL
2.7.3,Application Specific Rules,01_asl_rules_special.conf,MODSEC_01_APP_RULES,no,low,NULL,NULL
2.9.0,Generic Attack Ruleset,10_asl_rules.conf,MODSEC_10_RULES,yes,high,NULL,NULL
2.6.1,NULL,09_asl_rules.conf,MODSEC_10_RULES,yes,high,NULL,NULL
2.5.12,NULL,sql.txt,MODSEC_10_RULES,yes,high,NULL,NULL
2.9.1,NULL,os_files.txt,MODSEC_10_RULES,yes,high,NULL,NULL
2.6.3,NULL,11_asl_rules.conf,MODSEC_10_RULES,yes,high,NULL,NULL
2.9.2,Advanced Attack Ruleset,11_asl_adv_rules.conf,MODSEC_11_ADV_RULES,yes,high,NULL,NULL
2.9.2,Advanced Attack Ruleset,php_variables.txt,MODSEC_11_ADV_RULES,yes,high,NULL,NULL
2.9.2,Advanced Attack Ruleset,php_function_names.txt,MODSEC_11_ADV_RULES,yes,high,NULL,NULL
2.6.1,Data Loss Protection Ruleset,11_asl_data_loss.conf,MODSEC_11_DLP,no,moderate,NULL,NULL
2.9.1,Brute Force Protection Ruleset,12_asl_brute.conf,MODSEC_12_BRUTE,yes,moderate,NULL,NULL
2.9.2,Advanced Command Injection Ruleset,13_asl_command_injection.conf,MODSEC_13_ADV_CMD,no,moderate,NULL,NULL
2.9.1,Supplemental Brute Force Protection Ruleset,11_asl_brute_enhanced.conf,MODSEC_11_BRUTE,no,low,NULL,NULL
2.9.1,NULL,13_asl_brute_enhanced.conf,MODSEC_11_BRUTE,no,low,NULL,NULL
2.9.0,Advanced XSS Protection Ruleset,12_asl_adv_xss_rules.conf,MODSEC_12_ADV_XSS_RULES,yes,moderate,NULL,NULL
2.5.12,Malicious Useragents Ruleset,20_asl_useragents.conf,MODSEC_20_USERAGENTS,yes,low,NULL,NULL
2.9.0,User Defined Malicious Useragents Ruleset,21_asl_useragents.conf,MODSEC_21_USERAGENTS,no,pass,NULL,NULL
2.9.0,NULL,bad_agents.txt,MODSEC_21_USERAGENTS,no,pass,NULL,NULL
2.5.12,Anti-Spam Ruleset,30_asl_antispam.conf,MODSEC_30_ANTISPAM,no,low,NULL,NULL
2.5.12,NULL,domain-spam-whitelist.txt,MODSEC_30_ANTISPAM,no,low,NULL,NULL
# retired for the .txt extension
2.5.12,NULL,domain-spam-whitelist.conf,MODSEC_30_ANTISPAM,no,low,NULL,NULL
2.5.12,NULL,domain-blacklist.txt,MODSEC_30_ANTISPAM,no,low,NULL,NULL
2.5.12,NULL,spam.data,MODSEC_30_ANTISPAM,no,low,NULL,NULL
2.6.2,Anti-Spam URI RBL Ruleset,31_asl_urispam.conf,MODSEC_31_ANTISPAM_URI,no,low,NULL,NULL
2.5.12,Rootkit Detection Ruleset,50_asl_rootkits.conf,MODSEC_50_ROOTKITS,yes,low,NULL,NULL
2.5.12,NULL,51_asl_rootkits.conf,MODSEC_50_ROOTKITS,yes,low,NULL,NULL
2.5.12,Extra Wordpress Protection Ruleset,51_asl_wordpress_extra.conf,MODSEC_51_WORDPRESS,no,low,NULL,NULL
2.5.12,NULL,malware_names.txt,MODSEC_50_ROOTKITS,yes,low,NULL,NULL
2.5.12,Reconnaissance Attacks Ruleset,60_asl_recons.conf,MODSEC_60_RECONS,no,low,NULL,NULL
2.5.12,Data Leak Prevention Ruleset,61_asl_recons_dlp.conf,MODSEC_61_RECONS_DLP,yes,low,NULL,NULL
2.7.5,Advanced Malware Removal Ruleset,98_asl_adv_redactor.conf,MODSEC_98_ADV_REDACTOR,no,moderate,NULL,NULL
2.5.12,NULL,99_asl_exclude.conf,NULL,yes,NULL,NULL,NULL
2.5.12,Just In Time Patches,99_asl_jitp.conf,MODSEC_99_JITP,yes,high,NULL,NULL
2.5.12,Basic Malware Removal Ruleset,99_asl_redactor.conf,MODSEC_99_REDACTOR,no,moderate,NULL,NULL
2.5.12,Malicious Output Detector,99_asl_redactor_post.conf,MODSEC_99_MALWARE_OUTPUT,no,moderate,NULL,NULL
2.5.12,NULL,99_asl_a_redactor.conf,MODSEC_99_MALWARE_OUTPUT,no,moderate,NULL,NULL
2.5.12,Web Malware Upload Scanner,99_asl_scanner.conf,MODSEC_99_SCANNER,no,high,NULL,NULL
2.9.0,NULL,98_asl_scanner.conf,MODSEC_99_SCANNER,no,high,NULL,NULL

76
nginx-waf/whitelist.txt Normal file
View File

@ -0,0 +1,76 @@
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2013-2021 by Atomic Corpate Industries Inc. , all rights reserved.
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
127.0.0.1
3721.com
amazon.com
americinn.com
atomicorp.com
atomicorp.com
atomicsecuredlinux.com
attacker.com
.authorize.net
badguy.com
bing.com
bit.ly
blogger.com
dailymotion.com
doiop.com
domain.com
doubleclick.net
.dropbox.com
dwarfurl.com
example.com
goo.gl
google.com
.googlesyndication.com
gotroot.com
h1.ripway.com
memurl.com
nonumber.nl
nopaste.me
owned-nets.blogspot.com
pastebin.com
pastie.org
progllc.com
rapidshare.com
readthisurl.com
sf.net
shaunroot.net
site.com
technorati.com
test.com
tinyurl.com
twitter.com
w3.org
wp.me
yandex.ru