814 lines
157 KiB
Plaintext
814 lines
157 KiB
Plaintext
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
|
|
SecRule REQUEST_FILENAME "/cerberus-gui/parser\.php" "phase:2,id:95100,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/serendipity_admin\.php" "phase:2,id:95101,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/cgi-bin/cp-admin\.cgi" "phase:2,id:95102,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/typo3/alt_doc\.php" "phase:2,id:95103,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/admin\.mvc" "phase:2,id:95104,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/galaxyplugin\.php" "phase:2,id:95105,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/custsave\.php" "phase:2,id:95106,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/admin\.php" "phase:2,id:95107,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/gceditor\.pl" "phase:2,id:95108,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/compose\.php" "phase:2,id:95109,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tiki-editpage\.php" "phase:2,id:95110,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300079"
|
|
|
|
SecRule REQUEST_FILENAME "/editimage\.html" "phase:2,id:95111,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/__utm\.gif" "phase:2,id:95112,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/paypallink\.php" "phase:2,id:95113,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/products_product_process\.php" "phase:2,id:95114,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/merchant\.mvc" "phase:2,id:95115,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/product_modify\.php" "phase:2,id:95116,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/news/add" "phase:2,id:95117,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tce_file\.php" "phase:2,id:95118,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/edit\.php" "phase:2,id:95119,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/egroupware/index\.php" "phase:2,id:95120,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300075"
|
|
|
|
SecRule REQUEST_FILENAME "/smf/index\.php" "phase:2,id:95121,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:95122,t:none,pass,nolog,skipAfter:END_RULES_95122"
|
|
|
|
SecRule ARGS|!ARGS:css_text|!ARGS:message "overflow ?: ?auto" "phase:2,deny,log,auditlog,status:403,id:300200,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Hidden Text',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_RULES_95122
|
|
|
|
SecRule REQUEST_FILENAME "/livehelp/send\.php" "phase:2,id:95123,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/adserver/www/delivery/lg\.php" "phase:2,id:95124,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/submit\.php" "phase:2,id:95125,t:none,t:lowercase,pass,nolog,noauditlog,skip:1,ctl:ruleRemovebyID=300077"
|
|
SecAction "phase:2,id:95126,t:none,pass,nolog,skipAfter:END_RULES_95126"
|
|
|
|
SecRule ARGS|!ARGS:bodytext|!ARGS:code|!ARGS:/^widget-text/|!ARGS:template|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:template_data|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/^commontemplate/ "style ?= ?\" ?display ?: ?none ?" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300201,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_RULES_95126
|
|
|
|
SecRule REQUEST_FILENAME "/tbl_replace\.php" "phase:2,id:95127,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/admin\.pl" "phase:2,id:95128,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/do_siteinput_aed\.php" "phase:2,id:95129,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/submitticket\.php" "phase:2,id:95130,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/blacklist\.php" "phase:2,id:95131,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/wysiwyg/save\.php" "phase:2,id:95132,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/add_static_cgi\.php" "phase:2,id:95133,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:95134,t:none,pass,nolog,skipAfter:END_RULES_95134"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:data[About][content]|!ARGS:data[Contact][content]|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:template|!ARGS:/header/|!ARGS:/footer/|!ARGS:/blog_text/ "\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?:/" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300081,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_RULES_95134
|
|
|
|
SecRule REQUEST_FILENAME "/course/modedit\.php" "phase:2,id:95135,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/livehelp/include/tracker\.php" "phase:2,id:95136,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/leads/orders\.php" "phase:2,id:95137,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/search\.php" "phase:2,id:95138,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tce_db\.php" "phase:2,id:95139,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/sysext/rtehtmlarea/" "phase:2,id:95140,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/parse_html\.php" "phase:2,id:95141,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/index\.php/zblocks/adminhtml_zblocks/" "phase:2,id:95142,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/newticket\.php" "phase:2,id:95143,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/mailer\.php" "phase:2,id:95144,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/serverftpprocess\.php" "phase:2,id:95145,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/product\.php" "phase:2,id:95146,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/csnewsletter\.cgi" "phase:2,id:95147,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/cm/ui\.php4" "phase:2,id:95148,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/grades\.aspx" "phase:2,id:95149,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/content/ajax/page\.php" "phase:2,id:95150,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/filemanager/browser/default/browser\.htm" "phase:2,id:95151,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/noticias/submit\.php" "phase:2,id:95152,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/pncrtl/options\.php" "phase:2,id:95153,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/wp-login\.php" "phase:2,id:95154,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300032"
|
|
|
|
SecRule REQUEST_FILENAME "/stores/edit_item\.php" "phase:2,id:95155,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/cart\.php" "phase:2,id:95156,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/spc\.php" "phase:2,id:95157,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/private\.php" "phase:2,id:95158,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/thumb\.php" "phase:2,id:95159,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/dbpro\.cgi" "phase:2,id:95160,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/widget\.php" "phase:2,id:95161,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/marque_list\.php" "phase:2,id:95162,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/createsite\.php" "phase:2,id:95163,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/insert\.php" "phase:2,id:95164,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/chat/server\.php" "phase:2,id:95165,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/ajax\.php" "phase:2,id:95166,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/modules\.php" "phase:2,id:95167,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/ajax\.savephotos\.php" "phase:2,id:95168,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/cgi-bin/database/portal\.pl" "phase:2,id:95169,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/callback\.php" "phase:2,id:95170,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/cataloger\.image\.php" "phase:2,id:95171,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/template\.php" "phase:2,id:95172,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/mail\.cgi" "phase:2,id:95173,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/webmail\.aspx" "phase:2,id:95174,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/xml-processing\.aspx" "phase:2,id:95175,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/element/chunk\.php" "phase:2,id:95176,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tiki-adminusers\.php" "phase:2,id:95177,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/res-bev\.php" "phase:2,id:95178,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/reservation_confirm\.php" "phase:2,id:95179,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/eecms\.php" "phase:2,id:95180,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/clientsprofile\.php" "phase:2,id:95181,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/banner_manager\.php" "phase:2,id:95182,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/business_profile_engine\.php" "phase:2,id:95183,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/mailtemplateeditaction\.php" "phase:2,id:95184,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/property-edit\.php" "phase:2,id:95185,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/blog-edit\.php" "phase:2,id:95186,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/index/pdfsettings/" "phase:2,id:95187,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/livehelp/" "phase:2,id:95188,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/livehelpnew/" "phase:2,id:95189,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/livehelpnew/agent/" "phase:2,id:95190,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/scripts/track\.php" "phase:2,id:95191,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/ckeditor/xss" "phase:2,id:95192,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/process/process_job\.php" "phase:2,id:95193,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/process/update_job\.php" "phase:2,id:95194,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/eventpendingaction\.php" "phase:2,id:95195,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/textpattern/index\.php" "phase:2,id:95196,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/connectors/browser/file\.php" "phase:2,id:95197,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/code_editor\.php" "phase:2,id:95198,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/connectors/security/access/policy/template\.php" "phase:2,id:95199,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/login\.php" "phase:2,id:95200,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300079"
|
|
|
|
SecRule REQUEST_FILENAME "/admin_edit_cat\.php" "phase:2,id:95201,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/delivery/ajs\.php" "phase:2,id:95202,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/members/proc_grp_email\.php" "phase:2,id:95203,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/edit_offer\.php" "phase:2,id:95204,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/manager/index\.php" "phase:2,id:95205,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/invoices\.php" "phase:2,id:95206,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/aw/cat\.php" "phase:2,id:95207,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/register_warranty\.php" "phase:2,id:95208,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/support/agent/index\.php" "phase:2,id:95209,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/we_cmd\.php" "phase:2,id:95210,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/json-api/cpanel" "phase:2,id:95211,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/infraction\.php" "phase:2,id:95212,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/za/zcadm" "phase:2,id:95213,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/updatemenu\.php" "phase:2,id:95214,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/ustawienia\.php" "phase:2,id:95215,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/front_content\.php" "phase:2,id:95216,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/amember/unsubscribe\.php" "phase:2,id:95217,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/addnews\.php" "phase:2,id:95218,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/nereus/article-edit\.php" "phase:2,id:95219,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/contao/main\.php" "phase:2,id:95220,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
|
|
|
|
SecRule REQUEST_FILENAME "/mt\.cgi" "phase:2,id:95221,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
|
|
|
|
SecRule REQUEST_FILENAME "/dash/index\.php" "phase:2,id:95222,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
|
|
|
|
SecRule REQUEST_FILENAME "/categories\.php" "phase:2,id:95223,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tiki-edit_css\.php" "phase:2,id:95224,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/securelogin/configuration\.php" "phase:2,id:95225,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/account/" "phase:2,id:95226,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/account/saved-designs/" "phase:2,id:95227,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/otrs/index\.pl" "phase:2,id:95228,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/define_bottompage\.php" "phase:2,id:95229,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/addonmodules\.php" "phase:2,id:95230,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/plugins/system/" "phase:2,id:95231,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/bfaudit\.php" "phase:2,id:95232,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/filefield/" "phase:2,id:95233,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/pma/import\.php" "phase:2,id:95234,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/securelogin/" "phase:2,id:95235,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/define_header\.php" "phase:2,id:95236,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/product_print\.php" "phase:2,id:95237,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/offers_engine\.php" "phase:2,id:95238,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/modules/custom/shopping_centre/" "phase:2,id:95239,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/changetitle\.php" "phase:2,id:95240,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/edittitle\.php" "phase:2,id:95241,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/pages/clients-massive\.php" "phase:2,id:95242,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/documents/blog\.php" "phase:2,id:95243,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/aendern_erg\.php" "phase:2,id:95244,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/aendern\.php" "phase:2,id:95245,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/sendgrid/unsub\.php" "phase:2,id:95246,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/sendgrid/sub\.php" "phase:2,id:95247,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/item/edit/index\.php" "phase:2,id:95248,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/moodle/mod/lesson/editpage\.php" "phase:2,id:95249,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/checksitelock\.php" "phase:2,id:95250,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/myaccount/modules/addons/" "phase:2,id:95251,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/processing\.php" "phase:2,id:95252,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/modules/v2_news_engine\.php" "phase:2,id:95253,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/configuressl\.php" "phase:2,id:95254,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/shop/remote\.php" "phase:2,id:95255,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/do_add_new_image\.php" "phase:2,id:95256,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/clients\.php" "phase:2,id:95257,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/acp/" "phase:2,id:95258,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/mailblast\.html" "phase:2,id:95259,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/system/ajax" "phase:2,id:95260,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/edicion1\.php" "phase:2,id:95261,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/moderate\.php" "phase:2,id:95262,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/include\.backendedit\.php" "phase:2,id:95263,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/saveredirect\.html" "phase:2,id:95264,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/redaxo/index\.php" "phase:2,id:95265,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/tools/" "phase:2,id:95266,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/displaycombinations_ajax\.php" "phase:2,id:95267,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/supporttickets\.php" "phase:2,id:95268,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/editmainimage\.php" "phase:2,id:95269,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/skriv/entries" "phase:2,id:95270,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/ajax/_products\.php" "phase:2,id:95271,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/builder/" "phase:2,id:95272,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/control/catalog/" "phase:2,id:95273,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/payonline/" "phase:2,id:95274,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/eecms\.php" "phase:2,id:95275,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/get_messages\.php" "phase:2,id:95276,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300074"
|
|
|
|
SecRule REQUEST_FILENAME "/cgi-bin/apluspro/scripts/" "phase:2,id:95277,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/amember/login" "phase:2,id:95278,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300057"
|
|
|
|
SecRule REQUEST_FILENAME "/trackpanel/catalog/product_set/" "phase:2,id:95279,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/getcontractextdetails\.php" "phase:2,id:95280,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/wp-json/tcb/v1/lightspeed/optimize" "phase:2,id:95281,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/editquestion\.php" "phase:2,id:95282,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
SecRule REQUEST_FILENAME "/v2c/json/fr\.template\.save/" "phase:2,id:95283,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
|
|
|
|
SecRule REQUEST_FILENAME "/csm/bp_event/webbuchung/mailer/mailer_sendmail\.php" "phase:2,id:95284,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300076"
|
|
|
|
SecRule REQUEST_FILENAME "/content-manager/collection-types/" "phase:2,id:95285,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=300000-300081,ctl:ruleRemovebyID=300183-300189,ctl:ruleRemovebyID=300299,ctl:ruleRemovebyID=300300,ctl:ruleRemovebyID=301311,ctl:ruleRemovebyID=301313,ctl:ruleRemovebyID=300201,ctl:ruleRemovebyID=300299-300304,ctl:ruleRemovebyID=300182,ctl:ruleRemovebyID=300134"
|
|
|
|
# Atomicorp (Gotroot.com) ModSecurity rules
|
|
# Anti Spam rules
|
|
#
|
|
# Copyright 2005 - 2024 Atomicorp, Inc. All rights reserved.
|
|
# Redistribution is strictly prohibited in any form, including whole or in part.
|
|
#
|
|
# Distribution of this work or derivative of this work in any form is
|
|
# prohibited unless prior written permission is obtained from the
|
|
# copyright holder.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
|
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
|
# THE POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
#---ASL-CONFIG-FILE---
|
|
|
|
# Do not edit this file!
|
|
# This file is generated and changes will be overwritten.
|
|
#
|
|
# If you need to make changes to the rules, please follow the procedure here:
|
|
# http://www.atomicorp.com/wiki/index.php/Mod_security
|
|
|
|
# Phase 2 rules
|
|
|
|
|
|
#Skip these rules if its not a POST or GET
|
|
SecRule REQUEST_METHOD "!(?:GET|POST)" "id:370111,phase:2,t:none,skipAfter:END_SPAM,nolog,noauditlog,pass"
|
|
|
|
#Search engines dont post
|
|
#Googlebot|MSNBot|BingBot
|
|
SecRule REQUEST_URI "/wp-comments-post\.php" "chain,phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:lowercase,id:323299,rev:1,severity:3,msg:'Atomicorp.com WAF AntiSpam Rules: Spammer attempting to post to WP comments as fake search engine',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
SecRule REQUEST_HEADERS:User-Agent "(?:Googlebot|MSNBot|BingBot)" "t:none"
|
|
|
|
#UA spam
|
|
#User-Agent: Opera/9.80 <a href="http://www.youtube.com/watch?v=wAnBXRtU9Qg">how to treat hemorrhoids</a> (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
|
|
#<a href="
|
|
SecRule REQUEST_HEADERS:User-Agent "< ?a href ?=" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:303299,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam in User-Agent header',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Known spam/worm sign
|
|
SecRule &REQUEST_HEADERS:Gyoarazujo "@eq 1" "phase:2,deny,log,auditlog,status:403,t:none,id:313299,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Known worm sign'"
|
|
|
|
#Trusted IPs
|
|
#173.0.81.0/24 paypal
|
|
#SecRule REMOTE_HOST "@ipmatch 173.0.81.0/24" # "phase:2,t:none,pass,nolog,id:355897,skipAfter:END_SPAM"
|
|
|
|
#Skip SPAM rules if this is a not something to check for spam, like control panels, ASL gui, etc.
|
|
SecRule SERVER_PORT "^(?:844[3-5]|30000)$" "phase:2,id:333721,pass,t:none,nolog,noauditlog,skipAfter:END_SPAM"
|
|
|
|
#Skip SPAM rules if this is a not something to check for spam, like graphics, videos, CSS, ico, docs, etc.
|
|
SecRule REQUEST_FILENAME "\.te?xt$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333896,skipAfter:END_SPAM"
|
|
SecRule TX:STATIC "@eq 1" "phase:2,id:'363897',pass,t:none,nolog,noauditlog,skipAfter:END_SPAM"
|
|
|
|
|
|
#Concrete 5 editing bypass
|
|
SecRule ARGS:ccm-edit-block-submit "^submit$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333897,skipAfter:END_SPAM"
|
|
|
|
#Concrete 5 editing bypass
|
|
SecRule ARGS:selected "^News$" "phase:2,t:none,pass,nolog,noauditlog,id:353897,skipAfter:END_SPAM"
|
|
|
|
#Skip SPAM rules for admin applications and the like
|
|
#/?_task=mail
|
|
SecRule REQUEST_URI "(?:/(?:(?:i(?:nclude\.php?path=forum/editpost|mp/compose)|pr(?:o(?:duct_thumb|file)|eview_static_cgi)|callback|diagnostics|editsection|tickets)\.php|system/index\.php?s=.*c=(?:publish|edit)&m=new_entry$|workshops/register\.php|link(?:machine/linkmachine\.php|s/\?act=addsite)|(?:\?modulo=loja&action|update\.php?pageid)=|nav\.php\?nav=(?:moderate|addnews)|cgi-bin/mailinglist/mail\.cgi)|/(?:(?:s(?:itebuilder|hopadmin)|cms/(?:resources/edit|save/key)|hspc/pcc|node/add|vsadmin)/|w(?:p-(?:content/plugins|admin)/|izard/edit/html)|adm(?:in(?:istrator/)?|/))|\?(?:(?:p=admin_cms|task=(?:edit|addressbook)|tab=admin[a-z]+)&|action=admin)|node/[0-9]+/edit|^/\?[sv]=|\?q=ckeditor|/comment/reply/[0-9]+|/(?:new|edit)/[0-9]+/confirm|/index\.php(?:\?(?:option=com_j(?:reviews|events|easyblog)|tmpl=component|dispatch=)|/blog_admin/manage_blog)/|/calendar/index\.php\?act=calendar&code=addnewevent|/index\.php\?(?:view=article&id=.*&task=edit|p=admin)|/page/edit/\?id=[0-9]+|(?:/(?:(?:m(?:embers/editing|ickadmincp|anager?)|c(?:ontrol_panel|ar_admin|heckout|ms)|p(?:(?:hpmy|a)admin|lugins/payment)|b(?:uild/connectors|ackoffice)|s(?:(?:ecu|to)re|ite-?admin)|adm(?:in(?:istrator|cp)?)?|_admin(?:panel)?|ndxz-?studio|file/ajax|rm-tools|wp-admin|order)/|i(?:n(?:dex.php/(?:mail/composemessage/|component/resman)|stall)|mp/))|admin.(?:p(?:hp|l)|cgi)|(?:message|ipn)\.php)|/catalogsearch/|(?:update(?:case|event)|edit_producto?|wp-load|/inc/go)\.php|/[a-z]+?admin[0-9]+?/|^/livehelpnew/agent/|^/page/submit-news|^\?q=node|^/wbb/acp/index\.php\?form=|^/webmail/|^/adm\?|^/za/zcadm|^/cp/index\.cgi|^/nieuwsbrief/index\.php\?c=template|^/upload/|^/elements/save/|^/articles/update|^/posts?/edit|^/clients/clientarea|/cms_block/save/|^/[a-z0-9\./]+/saml/sso|^/typo?/mod\.php|^/connectors/(?:element|resource)/|^/[a-z]+/[a-z]+/(?:add|edit)/[0-9]+|^/eprocservice/supplierinboundservice|^/index\.php\?module=calendar|^/([a-z]+/)?(?:c?admin|whmadmcp)|^/\?_task=mail|^/ajax/api/editor/|^/services/bmcontent\.json|^/sitelogin/index\.php\?route=catalog|^/publish/index\.php|ipnhandler\.php|paypal/ipn|^/backend/|^/client/vacancies/|^/typo3/index\.php\?route=/rte/wizard/|^/\?option=com_easyblog|^/app/index\.php/zurmo/|^/\?fl_builder|^/sitemgr/|^/index\.php/[a-z]+admin/cms_page/|^/orders|^/sogo/|^/[a-z0-9]+/index\.php\?route=catalog/product/update|^/active-campaign/|^/\?et_pb_preview=|^/services/bmwidget\.json)" "phase:2,id:333898,rev:5,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skipAfter:END_SPAM"
|
|
|
|
|
|
SecRule REQUEST_URI "!(?:/imp/compose\.php|/node/(([0-9]+)/edit|add/news-story)|^/news/add$|/profile\.php)" "phase:2,deny,log,auditlog,status:403,chain,id:300134,t:none,t:urlDecodeUni,t:lowercase,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Potential Referer Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
SecRule REQUEST_HEADERS:Referer "!@pmFromFile domain-spam-whitelist.txt" "chain,t:none,t:lowercase"
|
|
SecRule REQUEST_HEADERS:Referer "@pmFromFile domain-blacklist.txt" "t:none,t:lowercase"
|
|
|
|
############ SPAMMY URLS ########################
|
|
#
|
|
SecRule ARGS "@pm http:// https:// ftp:// ftps:// @" "id:333899,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:343722,t:none,pass,nolog,noauditlog,skipAfter:END_SPAMMY_URLS"
|
|
|
|
#Broken spamtool
|
|
SecRule ARGS:name "^http://www\.[a-z]+," "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:303201,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam Tool detected',logdata:'%{TX.2}'"
|
|
|
|
# Rule 300001: Blacklist of URI and email sign up spam
|
|
SecRule ARGS "(?:(?:ht|f)tps?:/|[a-z0-9._%+-]+@[a-z0-9.-]+)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300001,rev:24,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Abusive or Spam Domain detected in argument',chain,logdata:'%{TX.2}'"
|
|
SecRule ARGS "!@pmFromFile domain-spam-whitelist.txt" "chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
|
|
SecRule ARGS|!ARGS:gltr_page_content|!ARGS:/admin/|!ARGS:/censor/|!ARGS:block "@pmFromFile domain-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
|
|
|
|
#
|
|
#SecRule REQUEST_HEADERS:Referer "!@pmFromFile domain-spam-whitelist.txt" # "chain,id:300000,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Blacklist Referer Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
#SecRule REQUEST_HEADERS:Referer "@pmFromFile domain-blacklist.txt"
|
|
|
|
# Rule 300034:
|
|
# Spammers posting spam into blog/forum software temp & cache
|
|
#SecRule ARGS|!ARGS:/comment/|!ARGS:loc|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:msg_body|!ARGS:/text/|!ARGS:/txt/|!ARGS:Post|!ARGS:link_href|!ARGS:src|!ARGS:message|!ARGS:/department/|!ARGS:/reply/|!ARGS:filename|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/ "http://.*[a-z0-9]{2,}\.[a-z]{2,}(?:(/blog)?/wp-content(?:/uploads/|themes|gallery)/|/blogs?/templates/)" # "phase:2,deny,status:403,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300034,rev:19,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam or Malware: URL to temporary directory',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
#SecRule REQUEST_URI "!(casetracker)"
|
|
|
|
# Rule 300052:
|
|
#SecRule ARGS "href.*http.*\{@\domain}\.*\{\@url\}.*\{\@anchor\}" # "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300052,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Broken spambot',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300054: Comment Spam
|
|
#SecRule ARGS|!ARGS:/email/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:/web/|!ARGS:/host/ "(?:ht|f)tps?://.*[0-9]{7,}(web\.)?\.(?:com|net|org)" # "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300054,rev:6,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Bad URL',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300036:
|
|
#SecRule ARGS|!ARGS:/page_content/ "(?:[0-9]+(books|epson|fang|flower|tour)\.com|d+x?\.(?:fate\.se|aus\.cc|bilsay\.com|lov3\.net|plorp\.com|top\.tc|us\.to|a\.la|dnip\.net|ig3\.net|mercedesazcona\.com\.ar|mooo\.com|myserver\.org|static\.net|uk\.to|weedns\.com)|\.ltdcr\.(?:com|net|org|cn)|\.hkce\.(?:org|net)|\.cegcr\.(?:com|net)|\b51hc\.(?:com|net)|club[1-4]?\.blog-city\.com|wifi(?:-world|-planet|guide)\.org|(?:au-(?:feminin|masculin)|(?:casino|slots|car-?insurance).*)\.blogspot\.com|yahotels\.(?:net|eu)|gundam(?:wing|seed)\.de|\.more\.(?:at|by)|\.notrix\.(?:at|ch|de|net)|shurl\.(?:net|org)|tiny(?:click|link)\.com)/" # "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300036,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Spammy Domain detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300014:
|
|
# needs more testing
|
|
# /^([a-z0-9]([-a-z0-9]*[a-z0-9])?\\.)+((a[cdefgilmnoqrstuwxz]|aero|arpa)|(b[abdefghijmnorstvwyz]|biz)|(c[acdfghiklmnorsuvxyz]|cat|com|coop)|d[ejkmoz]|(e[ceghrstu]|edu)|f[ijkmor]|(g[abdefghilmnpqrstuwy]|gov)|h[kmnrtu]|(i[delmnoqrst]|info|int)|(j[emop]|jobs)|k[eghimnprwyz]|l[abcikrstuvy]|(m[acdghklmnopqrstuvwxyz]|mil|mobi|museum)|(n[acefgilopruz]|name|net)|(om|org)|(p[aefghklmnrstwy]|pro)|qa|r[eouw]|s[abcdeghijklmnortvyz]|(t[cdfghjklmnoprtvwz]|travel)|u[agkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw])$/
|
|
#
|
|
#SecRule REQUEST_URI "!(?:/imp/compose\.php|/node/(([0-9]+)/edit|add/news-story)|^/news/add$)" # "capture,id:300014,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Possible Random Nonsensical URL detected',chain,logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
#SecRule REQUEST_HEADERS:Referer "!(?:/imp/login\.php)" chain
|
|
#SecRule ARGS "http://(?:[a-z]*[x-z][a-z]*q[^u][a-z]*|[a-z]*q[^u][a-z]*[x-z][a-z]*).*\.[a-z]{2,}/"
|
|
#
|
|
#rjblhwqgarriawtjkubz, http://www.menopausetreatmentblog.com/ menopause symptoms, IkoLrvM, http://www.cankersoresinfo.com/ canker sore, gfsyaAM, http://www.yourinsomniablog.com/ sleep aid, qXNbhEE, http://www.yoursexualhealthblog.com/ Sexual Health, ITuZoif, http://www.bladder-cancer-info.com/ Bladder Cancer, DumMdUm, http://www.braininjuryinfoblog.com/ Traumatic Brain Injury, gHlyTzw, http://www.goutmatter.com/ Gout symptoms and treatment, XxBqkFf, http://www.crohnsdiseaseblog247.com/ crohns disease, sSNGXhk.
|
|
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:ban|!ARGS:/admin/|!ARGS:/sql/|!ARGS:/query/ "^[a-z]{16,} , < ?a href ?= \"? ?http://[a-z\.0-9/]+/ [a-z]+ [a-z]+, [a-z]{6,}, http://[a-z\.0-9/]+/ [a-z]+" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300299,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:ban|!ARGS:/admin/|!ARGS:/sql/|!ARGS:/query/ "^[a-z0-9]{4,32} ?, ?< ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*> ?[a-z0-9]{4,32} ?.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?.*, ?< ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, ?[a-z0-9]{4,32} ?, < ?a href ?= ?\" ?http://[a-z\.0-9/]+/.*< ?/ ?a ?> ?, [a-z0-9]{4,32} ?," #"phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300300,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Link Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Spamming wiki urls
|
|
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[" "id:333900,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333723,t:none,pass,nolog,noauditlog,skipAfter:END_SPAMMY_URLS"
|
|
|
|
#Rule 300079:
|
|
SecRule ARGS|!ARGS:item_value|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:data[About][content]|!ARGS:data[Contact][content]|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:template|!ARGS:/header/|!ARGS:/footer/ "(?:\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?://.*\[ ?(url|link) ?= ?\"? ?https?:/|(\[ ?(url|link) ?\]https?://.*\[ ?/ ?(url|link) ?\].*){4,})" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300079,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Multiple URLs in a wiki post
|
|
SecRule ARGS|!ARGS:suffix|!ARGS:ban|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/search/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:homepage|!ARGS:mode|!ARGS:config|!ARGS:signature|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/|!ARGS:/template/|!ARGS:/header/|!ARGS:/footer/ "(\[ ?http://.*){4,}" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300023,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#
|
|
SecRule ARGS "(\[ ?url ?= ?\"? ?https?://.*\[ ?link ?= ?\"? ?https?://.*|\[ ?link ?= ?\"? ?https?://.*\[ ?url ?= ?\"? ?https?://)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300182,rev:18,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Mixed URL posting types - possible spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#[url=http://example.com/foo/bar/+]junk[/url]+&location=USA&occupation=Real&interests=Religion,+spiritual&signature=[url=[url=http://www.example.com+]spam phrase[/url]+]another spam phrase[/url][url=[url=http://www.example.com]more spam phrasesówek[/url]+]spam phrase[/url]
|
|
SecRule ARGS "\[ ?url ?= ?\[ ?url ?= ?\"? ?https?://.*url ?\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300282,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Broken URL posting type - possible spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
#>>>+Technical+Jobs+In+Spamland+<<<
|
|
SecRule ARGS|!ARGS:/html/|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "\[ ?http://.*>>> ?[a-z0-9 -_.,\"\'\|]+ ?<<<.*\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300302,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Known wiki spam pattern
|
|
#==<center>[http://example.com/stuff<big>'''<u>morestuff</u>'''</big>]</center>==
|
|
SecRule ARGS|!ARGS:/css/|!ARGS:email|!ARGS:/ajax/|!ARGS:/template/|!ARGS:/code/|!ARGS:/sql/|!ARGS:/query/ "< ?center.*\[ ?http://.*big ?>.*'' ?[a-z0-9 -_.,\"\'\| ].*big.*\]" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:300313,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam Link',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_SPAMMY_URLS
|
|
|
|
|
|
#Spam signups
|
|
SecRule REQUEST_URI "/ucp\.php" "phase:2,deny,log,auditlog,status:403,chain,t:none,t:urlDecodeUni,t:compressWhiteSpace,id:391100,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spammer signup for forum',chain,logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
SecRule ARGS:occupation "(?:^,,,,,|Здравоохранение|Реклама|пластика)"
|
|
|
|
############ SPAMMER TRICKS ##############
|
|
SecRule ARGS "@pm font height hidden auto width position absolute overflow style display px" "id:353901,phase:2,t:none,t:urlDecodeUni,t:replaceComments,t:htmlEntityDecode,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333734,t:none,pass,nolog,noauditlog,skipAfter:END_HIDDEN_TEXT"
|
|
|
|
SecRule ARGS:send_mail "^true$" "id:375111,rev:1,phase:2,t:none,t:urlDecodeUni,t:lowercase,skipAfter:END_HIDDEN_TEXT,nolog,noauditlog,pass"
|
|
|
|
SecRule ARGS:text "^< ?\? ?php" "id:375141,rev:1,phase:2,t:none,t:lowercase,t:compressWhiteSpace,skipAfter:END_HIDDEN_TEXT,nolog,noauditlog,pass"
|
|
|
|
|
|
#Rule 300056: Hidden spam links
|
|
#examples:
|
|
#<font style=position:absolute;overflow:hidden;height:1px;width:1px;>
|
|
#overflow:auto;width:0;height:0
|
|
SecRule ARGS|!ARGS:field_id_2|!ARGS:/email/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:/^Store_OUI_/|!ARGS:grid_html|!ARGS:/code/|!ARGS:/tt_content/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:/^we_/|!ARGS:tmpl|!ARGS:/^elements/|!ARGS:formData|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "<.{,200}style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).{1,200} (?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300056,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Exploit',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Hidden wiki text using a negative pixel size
|
|
#example
|
|
#{CODE(ishtml="1")}<div class="dnn_dnnContent" style="margin-left: -1500px;"><a href="http://otimizacao-de-websites.com">otimização de sites</a> <a href="http://desentupidorasanehidro.com.br">desentupidora</a> <a href="http://www.graficavendahoje.com.br">grafica</a> <a href="http://www.deeplaser.com.br">clinica de estetica</a> <a href="http://asacompanhantessp.com.br">acompanhantes sao paulo</a> <a href="http://pactotransportes.com.br">transportadora</a> <a href="http://www.mtksistemas.com.br">relogio de ponto</a> <a href="http://www.dentistaespecialista.com.br">dentista</a></div>{CODE}
|
|
#SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:/code/|!ARGS:formData "(?:height|width) ?(?:=|\:) ?(?:\"|\')? ?-[0-9]+ ?(?:\"|\')? ?px ?;" SecRule ARGS|!ARGS:/field_id_2/|!ARGS:search|!ARGS:/email/|!ARGS:/^admin/|!ARGS:/^jform/|!ARGS:entire_file|!ARGS:pdf|!ARGS:grid_html|!ARGS:/tt_content/|!ARGS:/code/|!ARGS:optional_head|!ARGS:formData|!ARGS:/^we_/|!ARGS:/^elements/ "< ?div.{1,200}style=\-[0-9]+ ?px ?;.{1,200}< ?/ ?div ?>" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300058,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Hidden Text Using Negative Pixel Size',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 30076
|
|
# This matches against height:0-4px (most CSS hidden spam) (regardless of whitespace on either side of the colon)
|
|
# This matches against overflow:auto (regardless of whitespace on either side of the colon)
|
|
SecRule ARGS|!ARGS:document|!ARGS:/field_id_2/|!ARGS:/milestone/|!ARGS:/^admin/|!ARGS:/email/|!ARGS:/^jform/|!ARGS:facebookiframe|!ARGS:editor|!ARGS:/tt_content/|!ARGS:objectToLike|!ARGS:grid_html|!ARGS:/previewdata/|!ARGS:optional_head|!ARGS:customized|!ARGS:/^grid_html$/!ARGS:/scrollstyle/|!ARGS:statichtml|!ARGS:/^elements/|!ARGS:/^we_/|!ARGS:html|!ARGS:formData|!ARGS:/code/|!ARGS:body_html|!ARGS:/^Store_OUI_/|!ARGS:_message|!ARGS:pdf|!ARGS:/img_style/|!ARGS:field_description|!ARGS:code|!ARGS:emailmessage|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/^emtext/|!ARGS:htmlPreview|!ARGS:file_content|!ARGS:/department/|!ARGS:filecontent|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:resumoDetalhe|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/css/|!ARGS:code|!ARGS:/^widget-text/|!ARGS:/^header/|!ARGS:/^footer/|!ARGS:/^wpTextbox/|!ARGS:product_description|!ARGS:sitead|!ARGS:/template/|!ARGS:entire_file "(?: (?:height|width) ?(?:=|\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?\"? ?display ?: ?none ?)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,id:300076,rev:31,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_HIDDEN_TEXT
|
|
|
|
#####SKIP ALL SPAM RULES BY KEYWORD#########
|
|
#SecRule ARGS "@pmFromFile spam.data" # "phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
# SecAction phase:2,pass,nolog,noauditlog,skipAfter:END_SPAM
|
|
|
|
#skip spam rules for content about spam
|
|
SecRule ARGS "@pm spamassassin qmail smapdyke postfix clamav clamd modsecurity mod_security ossec" "phase:2,id:333902,t:none,pass,nolog,noauditlog,skipAfter:END_SPAM"
|
|
|
|
############ GAMBLING SPAM ##############
|
|
SecRule ARGS "@pm casino poker roulette slot pacific hold texas royal bet" "phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,id:333903,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333735,t:none,pass,nolog,noauditlog,skipAfter:END_GAMBLING_SPAM"
|
|
|
|
# Rule 300032:
|
|
SecRule ARGS|!ARGS:/token/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:pacific[ -_.,\"\'\|].{1,100}poker|[ -_.,\"\'\|].{1,100}casino[ -_.,\"\'\|]|slot[ -_.,\"\'\|].{1,100}machines|(?:random|free|internet)+[ -_.,\"\'\|].{1,100}slots|poker|casino[ -_.,\"\'\|](?:games|action)|bet(ting)?[ -_.,\"\'\|](?:at|on)[ -_.,\"\'\|](?:home|horse))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,chain,id:300032,rev:11,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content)',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
SecRule MATCHED_VAR "!(poker flat|casino royale|un casino di)"
|
|
|
|
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "!(poker flat|casino royale)"
|
|
|
|
# Rule 300028:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/token/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:texas[ -_.,\"\'\|].{1,100}hold[ -_.,\"\'\|]?em|texas[ -_.,\"\'\|]?hold[ -_.,\"\'\|]?em|casino[ -_.,\"\'\|]?online)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300028,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Gambling',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
SecMarker END_GAMBLING_SPAM
|
|
|
|
############ WEIGHT LOSS SPAM ############
|
|
# Rule 300042:
|
|
SecRule ARGS "@pm weight loss" "id:353904,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333736,t:none,pass,nolog,noauditlog,skipAfter:END_WEIGHTLOSS_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:username|!ARGS:server_name|!ARGS:/filename/|!ARGS:/email/ "(?:lose[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?quick|weight[ -_.,\"\'\|]?loss[ -_.,\"\'\|]?pills?|(?:rapid|quick)[ -_.,\"\'\|]?weight[ -_.,\"\'\|]?loss)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300042,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Weight Loss',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_WEIGHTLOSS_SPAM
|
|
############ GENERIC SPAM ################
|
|
SecRule ARGS "@pm bulk sysco jagk knloony cam sysrem lemon exit defunct commie andrew music miccel rooo rowdd colkk fortune magazine finder netfirms rolex z0rder fargo weight virility pills squirrel online lezaquin golden mortgage pill hyphen force fast laser fuel cheap phone hontak lasik huojia jinx telemati diamond horo oa274 star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance star exicornt afmbb. cragrats. brook stars eblija liuhecai szilva96 insurance loan follow tprehj license ushummingirds credit divorce forever video ganzaoji geurtstagskarten imwithoy liuhecai pharm myzenegra netftplya netguy degree oyoulders payday sonnerie calculator" "phase:2,pass,t:none,t:urlDecodeUni,pass,id:363905,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333737,t:none,pass,nolog,noauditlog,skipAfter:END_GENERIC_SPAM"
|
|
|
|
# Rule 300051:
|
|
SecRule ARGS|!ARGS:/dnssearch/|!ARGS:/pf.pass/|!ARGS:/pf.user/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:magazine[ -_.,\"\'\|]?(?:finder|netfirms)|rolex[ -_.,\"\'\|]|z0rder|well-fargo|phvonline|weight-watcher|virility[ -_.,\"\'\|]pills|squirrelht|sams-club-online|nexium-online|levaquin-500|golden-coins|gmac-mortgage-corp|enlarge(ment)?pill|crestor[ -_.,\"\'\|]online|3hyphens|forcedvid|fastpayd|spycam|laser[ -_.,\"\'\|]?eye|eye[ -_.,\"\'\|]?laser|fuelcellmarket|fuel-dispenser|fueling-dispenser|cheapest[ -_.,\"\'\|]?i?phone|kontaktlinsen|lasikclinic|huojia|jinxinghj|telemati[ck]sone|a-mortgage|diamondabrasives|-horoskop|oa274|exicornt|afmbb\.|cragrats\.|reuterbrook|lazy-stars|szilva96|(?:mortgage|home loan) calculator|fast loan)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300051,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: General',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
# Rule 300009:
|
|
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:cash[ -_.,\"\'\|]?advance|pay[ -_.,\"\'\|]?day[ -_.,\"\'\|]?loan|(?:i|la)-sonneries?[ -_.,\"\'\|]*\.[a-z]{2,})" # "phase:2,deny,status:403,t:none,t:lowercase,t:compressWhitespace,id:300009,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Possible Loan Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_GENERIC_SPAM
|
|
############ MALE ENHANCEMENT ##############
|
|
SecRule ARGS "@pm penis male enlarg enhanc natural surgery pill traction pump diet member rod cock dick shaft bigger larger increase" "id:333906,phase:2,t:none,t:urlDecodeUni,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333738,t:none,pass,nolog,noauditlog,skipAfter:END_MALEENHANCE_SPAM"
|
|
# Rule 300056:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:male|penis)[ -_.,\"\'\|]?(?:en(?:larg|hanc)|natural|pill|surgery|traction|pump)|(?:diet|penis|male)[ -_.,\"\'\|]?(?:pills|en(?:larg|hanc))|(?:en(larg|hanc)).{0,10}(?:male|penis)|pills? x [0-9]+ ?mg|enlarge[ -_.,\"\'\|]?yourself[ -_.,\"\'\|]?now|advanced[ -_.,\"\'\|]?gain[ -_.,\"\'\|]?pro|(?:bigger|larger|increase[ -_.,\"\'\|]?your)[ -_.,\"\'\|]?(?:member|rod|shaft|cock|dick|penis)\b[ -_.,\"\'\|])" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300010,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Male Enhancement Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_MALEENHANCE_SPAM
|
|
############ PHARMACY SPAM ################
|
|
SecRule ARGS|!ARGS:/medical/|!ARGS:/drug/ "@pm adipex allegra ambien amitriptyline bontril buy canadian carisoprodol celexa cheap cialis didrex diet diethylpropion hormone discount drug steroid effexor ephedra ephedrine ewilla extra fioricet flonase free gluclosamine glucosamine hgh hydrocodone ionamin levitra lexapro lipitor lisinopril lostr lsotr medic meridia mexic neurontin nexium nullnix online order ortho oxycodone paxil penicillin pharm phendimetrazine phentermine pheromone pill pimrim plavix plongs ponagansetpost prednisone prescript prevacid price propecia protonix provigil prozac pseudovent ragazze ritalin seroquel silagra startseek store strattera suboxone synthroid tadalafil tenuate topamax toprol tramadol trazodone tricyclen ultracet ultram valium valtex valtrex abilify premarin viagra impotence lithobid keflex terbinafine lamisil gleevec aztrin azithromycin desyrel oleptro beneficat desirel molipaxin thombran trazorel trialodine trittico mesyrel trazodone lamictal purim salbutamol flovent flonase phentrimine aciphex cimetidine ranitidine omeprazole pantoprazole zantac prilosec citalopram lorazepam vicodin vigrx vig-rx vioxx voltaren vytorin wellbutrin xanax xenical zithromax zocor zoloft zyban zyprexa zyrtec doxycycline alli supplements methylphenidate prescription augmentin amoxil outlet dapoxetine" "id:333907,rev:2,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333739,t:none,pass,nolog,noauditlog,skipAfter:END_PHARM_SPAM"
|
|
|
|
# Rule 300040:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/email/!ARGS:Mensaje|!ARGS:/product/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/medical/|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/ "(?:(?:nullnix|plongs|pimrim|ewilla|startseek|ponagansetpost|prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil!l|vioxx|celexa|valtrex|zyrtec| hgh |!(t)ambien |carisoprodol|dapoxetine|flonase|allegra|didrex|bontril|nexium)+[ -_.,\"\'\|].{1,100} -_.,\"\'\|](?:l(?:so|os)tr)|ragazze-? ?|(?:prices|pills|buy|diet.{1,100}medic(?:ine|ation|al)|drug).{1,10}pharma|[ -_.,\"\'\|]meridia[ -_.,\"\'\|]|(?:wellbutrin|tenuate|tramadol|pheromones|phendimetrazine|ionamin|ultram |ortho.?tricyclen)+[ -_.,\"\'\|])\.[a-z]{2,}" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300040,rev:10,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300057:
|
|
# stacked spam rule - levitra-levitra-levitra or leviTrA retila_prosac etc.
|
|
SecRule ARGS|!ARGS:/page_content/|!ARGS:file|!ARGS:Mensaje|!ARGS:/product/|!ARGS:/medical/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/medication/|!ARGS:/ajax/|!ARGS:/email/ "[-_ ]?\b(?:adipex|suboxone|pseudovent|topamax|trazodone|prevacid|zyrtec|xenical|toprol|zoloft|synthroid|valtrex|wellbutrin|valium|protonix|vytorin|ritalin|zocor|seroquel|ultracet|plavix|voltaren|zyprexa|xanax|vicodin|penicillin|tramadol|provigil|prednisone|vioxx|zithromax|strattera|ultram!(a)|prozac|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|amoxil\b|augmentin\b|lamisil|gleevec|aztrin|azithromycin|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|trittico|mesyrel|trazodone|methylphenidate|sertraline|lamictal|purim|salbutamol|flovent|dapoxetine|flonase|phentrimine|aciphex|cimetidine|pantoprazole|omeprazole|ranitidine|zantac|prilosec|citalopram|lorazepam|doxycycline|propecia|natural[-_ ]?hormone[-_ ]?replacement|levitra|phentermine|cialis\b |fioricet|ephedra|ambien\b|carisoprodol)\b[-_ ]?" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300061,rev:25,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam or Restricted content: Pharmacy and/or Drug content detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300011:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/medical/|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:(?:online|canadian|mexic(?:an|o))[ -_.,\"\'\|]?(?:pharmacy|drug[ -_.,\"\'\|]?store|medication)|(?:cheap(?:est)?|free)[ -_.,\"\'\|]?(?:pill|drug|steroid)s|order(?:ing)?[ -_.,\"\'\|]?(?:drug|pill|steroid)s[ -_.,\"\'\|]?online|extra [0-9][0-9]\% (?:pill|drug|steroid)|[ -_.,\"\'\|]?discounted[ -_.,\"\'\|]?(?:prescriptions?|drug|steroid)|no[ -_.,\"\'\|]?(?:prior)?[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?needed|online[ -_.,\"\'\|]?phentermine|phentermine[ -_.,\"\'\|].{1,100}online|online[ -_.,\"\'\|](?:prescription|pharmacy|drug[ -_.,\"\'\|]?store)[ -_.,\"\'\|]|muscle supplements and free stuff|free supplements|purchase[ -_.,\"\'\|]?[a-z]+[ -_.,\"\'\|]?prescription[ -_.,\"\'\|]?on[ -_.,\"\'\|]?line|buy[ -_.,\"\'\|]?generic[ -_.,\"\'\|]?[a-z0-9]+[ -_.,\"\'\|]?online)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300011,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300038:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/!ARGS:/page_content/|!ARGS:/medical/ "\b(?:silagra|ritalin|levitra|carisoprodol|oxycodone|phentermine|amitriptyline|diethylpropion|abilify|terbinafine|premarin|viagra|male impotence|lithobid\b|keflex\b|lamisil|desyrel|oleptro|beneficat|desirel|molipaxin|thombran|trazorel|trialodine|dapoxetine|trittico|mesyrel|trazodone|aztrin|azithromycin|lamictal|purim|salbutamol|flovent|flonase|phentrimine|aciphex|cimetidine|pantoprazole|cimetidine|protonix|ranitidine|zantac|prilosec|citalopram|omeprazole|lorazepam|doxycycline|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|tadalafil|ephedrine|neurontin|glucosamine|cialis\b |lipitor|effexor|propecia|celebrex|gluclosamine|lexapro|ephedra|levitra| alli weight)[ \-_.,<>\|\"\']" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300038,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Pharmacy',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_PHARM_SPAM
|
|
########## ADULT SPAM#################
|
|
SecRule ARGS "@pm 9sekund abuse adult alicia amateur anal animal anime apparatus asia ass assauly audition bang barn bdsm beast bestial big blow bondage boob boy brother bukakke bung butt buy bynes c0ck cam camel celeb chat cheat cheer child club cock comic costume counch cuck cuff cum cunt d1ck dad dailyorbit daughter dick dildo dirty dog doll door dress ebony exotic face femdom femsub fetish filth fist fresh fuck furniture gang gay giant girl golden grann hairy hand hannigan hardcore homo horny horse hot hub hudgens hunter huojia husband hyke incent incest japanese jinxinghj kink l1ck large latex lesbian lick leashed little live lolita love maledom malesub man manga mature member men milf mom mouth movie naked natural niece nude nudity nurse pair paris penis photo pic pig plug pony petgirl porn pussies pussy queen rod russian scat scene schoolgirl schoolboy seduce sex s-e-x shabby shaft shag shaved shemale shower silver sister slave sleep slut small son spank spy still story strapon strip submissive suck sultry swap swinger talk tape tease teen tied top torture tounge toy trailer tran tube twink uncle under vagina vibrat vid virgin voyeur whip wife wive woman women xxx young zone zoo orgasm rape illegal date ptch model pantyhose pantyhouse hentai cuckold" "id:353908,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333740,t:none,pass,nolog,noauditlog,skipAfter:END_ADULT_SPAM"
|
|
|
|
# Rule 300065:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:[ -_.,\"\'\|]+brutal[ -_.,\"\'\|]+dild(?:oes|o|os)[ -_.,\"\'\|]|[ -_.,\"\'\|]cum[ -_.,\"\'\|]shots?[ -_.,\"\'\|]|(?:hairy|shaved|leashed|under[ -_.,\"\'\|]?age|lolitas?|teens?) (?:[a-z]+ puss(?:y|ies)|puss(?:y|ies))|[ -_.,\"\'\|]+(?:naked|porn|adult|school(?:girl|boy)|(?:gay|anal) sex)[ -_.,\"\'\|]+movies?[ -_.,\"\'\|]|[ -_.,\"\'\|](?:hudgens|free)[ -_.,\"\'\|]+naked[ -_.,\"\'\|]|9sekund|find-it-buy-it|bukakke|(?:incest|amat(?:eur|ure)|horny|bondage|bestiall?ity|slave|submissive|femdom|maledom|femsub|malesub|gay|lesbian|bi(?:-| )?sexual|lolitas?|shemales?|(?:g|t)rann(?:ys?|ies)|swingers?|milfs?|(?:hot|slut)[ -_.,\"\'\|]?wi(?:v|f)es?|under[ -_.,\"\'\|]?age|sex[ -_.,\"\'\|]?doll|fisting|child|lolitas?|preteens?)[ -_.,\"\'\|]?\b(?:boys|sex|porn|video|mpe?g|avi|wmv|fuck|shag|xxx)\b|teen[ -_.,\"\'\|]?(?:lesbian|gay|girls?|boys?)[ -_.,\"\'\|]?orgasm|porno?[ -_.,\"\'\|]?(?:film|video)|video porno|girls[ -_.,\"\'\|]?in[ -_.,\"\'\|]?pantyhou?se|school(?:boy|girl)[ -_.,\"\'\|]cumshot|sexx?y teen model|teen model sexx?y|/wporn/w gay)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300065,rev:11,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Content Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300068:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:silver[ -_.,\"\'\|]foxes|sex[ -_.,\"\'\|]?toys?[ -_.,\"\'\|]?(?:for[ -_.,\"\'\|]?sale|online|store)|free[ -_.,\"\'\|]?adult|sex-position|fake[ -_.,\"\'\|]?vagina|lovehoney ?sex|adult[ -_.,\"\'\|]?(?:shop|store)|anal[ -_.,\"\'\|]?(?:sex)?[ -_.,\"\'\|]?toy|dildos|strapon|butt[ -_.,\"\'\|]?plug|vibrators|official[ -_.,\"\'\|]?pornstar|[ -_.,\"\'\|]inch(?:es)? .{0,10}(?:cock|dick)\b|(?:bdsm|bondage)[ -_.,\"\'\|]?apparatus|(?:sex|fuck|shag|bondage|bdsm)[ -_.,\"\'\|]?(?:furniture|couch)|[ -_.,\"\'\|](?:suck|l[i1]ck).{1,30}(?:c[o0]ck|d[i1]ck|pussy)[ -_.,\"\'\|]|sultryserver|cock[ -_.,\"\'\|]?ring !(nano )|group[ -_.,\"\'\|]?sex|(?:nude|naked|xxx)[ -_.,\"\'\|]?(?:celebs|cheerleaders|girls|boys|teens|nymph)|(?:illegal|rape|fetish|latex|slave|bdsm|leashed|bondage|bestiall?ita?y|farm)[ -_.,\"\'\|]?(?:porn|xxx)|(?:pony|pet)[ -_.,\"\'\|]?(?:girl|boy)|date[ -_.,\"\'\|]?rape[ -_.,\"\'\|]?drug[ -_.,\"\'\|]?video)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300068,rev:9,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam: Adult Content Detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300057: Comment Spam
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:amember_pass|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:back[ -_.,\"\'\|]?seat[ -_.,\"\'\|]?bangers?|gang[ -_.,\"\'\|]?bang(?:ed|ing)?)[ -_.,\"\'\|]|(?:fuck|shag)[ -_.,\"\'\|]?giant[ -_.,\"\'\|]?cock\b|(?:mouth|face)[ -_.,\"\'\|]?(?:fuck|shag)|(?:huge|massive|monster)[ -_.,\"\'\|]?(?:cock|dick|strapon)\b[ -_.,\"\'\|]?(?:small|tiny|little)[ -_.,\"\'\|]?(?:wom(?:a|e)n|girl|boy|twink)|girls[ -_.,\"\'\|]?next[ -_.,\"\'\|]?door[ -_.,\"\'\|]?on[ -_.,\"\'\|]?e|(?:top|biggest|hottest|sexiest|teen)[ -_.,\"\'\|]?porn[ -_.,\"\'\|]?stars|(?:hannigan|nymphets?|bynes|alicia[ -_.,\"\'\|]silverstone)[ -_.,\"\'\|]?(?:nude|nudi(?:es|ty)|american[ -_.,\"\'\|]pie)[ -_.,\"\'\|]|(?:blow[ -_.,\"\'\|]?(?:jobs?)[ -_.,\"\'\|]|jennas[ -_.,\"\'\|]?myspace | i kissed a girl|(?:mature|teen|au ?pair)[ -_.,\"\'\|]?(?:sex|porn|xxx|club)[ -_.,\"\'\|]?(?:sex|club|porn|xxx)))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300057,rev:8,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300003: Comment Spam
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:g(?:a|u)y|homosexual|bi-?sex(?:ual)?|shemales?|lolitas?|manga|virgins?|teens?|porno?)[ -_.,\"\'\|](?:beastiality|bestiallity|sex[ -_.,\"\'\|]scenes?|video|slut|trailer|(?:boy|girl)[ -_.,\"\'\|](?:pic|video)s?|(?:fuck|shag)ing)|(?:naked|vivid|xxx)[ -_.,\"\'\|](?:boys|girls|child[ -_.,\"\'\|]sex)|anime[ -_.,\"\'\|]boobs?|shabby[ -_.,\"\'\|]virgins?|(?:cunt|pussy|vagina|cock|trann?(?:y|ie)s?|shemales?)[ -_.,\"\'\|]?abuse|cock[ -_.,\"\'\|]?(?:and)?[ -_.,\"\'\|]?ball[ -_.,\"\'\|]?torture|sleep[ -_.,\"\'\|]?assault|my[ -_.,\"\'\|]?gay[ -_.,\"\'\|]?(?:tale|story|porn)|camel[ -_.,\"\'\|]?toe[ -_.,\"\'\|]?auditions?|teen[ -_.,\"\'\|]?anal[ -_.,\"\'\|]?queen|[ -_.,\"\'\|]ebony[ -_.,\"\'\|]porn)[ -_.,\"\'\|]" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300003,rev:12,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult Video',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300004: Comment Spam
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:(?:beastilality|bestiallity)[ -_.,\"\'\|]?stor(?:y|ies)|bounce[ -_.,\"\'\|]?your[ -_.,\"\'\|]?boob|\bshow[ -_.,\"\'\|]?your[ -_.,\"\'\|]?(?:pussy|cunt|cock)\b|dailyorbit|i-horny|filthserver|milf[ -_.,\"\'\|].{1,100}(?:hunter|cruiser|mom)|(?:fuck|shag|anal)(ing)? lessons?|mikes?[ -_.,\"\'\|]apartment|sexy[ -_.,\"\'\|](?:moms|lingerie|teens?)|(?:horse|animal|dog|farm)[ -_.,\"\'\|].{1,100}\b(?:porn|cocks?|dicks?|sex|penis|blowjob)\b[ -_.,\"\'\|]?|free[ -_.,\"\'\|]?(?:sex|beastiality|bestiallity|extreme|(gay|(?:bi|tran)sex(ual)?)? ?porn|xxx|adult|bondage|bdsm|femdom|sex|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]|(?:sex|beastiality|bestiallity|porn(o|s)?|xxx|adult|bondage|bdsm|femdom|femsub|maledom|malesub|fuck|shag)[ -_.,\"\'\|]?free|camfun24|(?:fresh|dirty)[ -_.,\"\'\|]?(?:girls|comics|boys|teens)|dirty[ -_.,\"\'\|]sex[ -_.,\"\'\|]comic|top model links|teenmodel club)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300004,rev:7,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 30074
|
|
SecRule ARGS|!ARGS:/saml/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail|!ARGS:/ajax/ "(?:s-e-x|zoo(?:ph|f)ilia|giant cock\b|porn(?:hub|tube)|sexyongpin|(?:wi(?:f|v)es?|slaves?|strippers?|whores?|prostitutes?|under[ -_.,\"\'\|]?age|teeners?|lolitas?|animal|dog|couples?|bisexuals?|bicurious|anal|ass|fisting|rimming|pussy[ -_.,\"\'\|]?(?:(?:li|fu)cking|sex)|barnyard|lesbians?|dykes?|horses?|zoo|nurses?|cheerleaders?|costume|dressup|topless|exotic[ -_.,\"\'\|]?dancer)[ -_.,\"\'\|]?(?:sex|porn|video|xxx)|sex-with|(?:cam|chat|online)sex|live[ -_.,\"\'\|](?:sex|nude|girls)|sexchat|(?:adult|free)[ -_.,\"\'\|]?porn|adult[ -_.,\"\'\|]?video|adultweb|hardcore(?:sex|porn)|(?:teen|lolitas?|xxx|core)porn|cam(?:girl|live|lolita)|(:?animal|cam|chat|dog|hardcore|live|online|voyeur)sex|(?:paris[ -_.,\"\'\|]?hilton|kardashian)[ -_.,\"\'\|]?sex[ -_.,\"\'\|]?tape|huojia|jinxinghj|sex[ -_.,\"\'\|]?(?:plugin|zone)|boy-and-girl-kiss|naughty[ -_.,\"\'\|]?high[ -_.,\"\'\|]?school|(?:horny|sexy|under[ -_.,\"\'\|]?age|amateur)[ -_.,\"\'\|]?(?:teen|porn|xxx|l(?:esbian|olita|ingerie)|bisexual|shemale)|adult[ -_.,\"\'\|]?buy[ -_.,\"\'\|]?sex|sex[ -_.,\"\'\|]?toy[ -_.,\"\'\|]?store|adult[ -_.,\"\'\|]?shopping|(?:under[ -_.,\"\'\|]?age|asian|lesbian|incest|girls?|lolitas?|shemale|(?:g|t)rann(?:y|ie))[ -_.,\"\'\|]?(?:sex|porn)|!(be)slut|sex[ -_.,\"\'\|]?(?:\bcam\b|chat|plugin|zone)|adult(?:chat|live|porn|web|friend|xxx)|porn(?:all|m|sex|zone|web|link)|(?:mail[ -_.,\"\'\|]?order|russian)[ -_.,\"\'\|]?bride|dominatrix|maledom|femdom|femsub|malesub|cuckold|(?:ass|butt)[ -_.,\"\'\|]?(?:fuck|shag)|scatology|girl[ -_.,\"\'\|]?girl|foot[ -_.,\"\'\|]?fetish|golden[ -_.,\"\'\|]?shower|submissive[ -_.,\"\'\|]?(?:male|female|husband|wife|girl|boy|dyke|lesbian|twink)|lolita (?:(?:erotica|beauty|model|young|lolita) (?:pic|nude|blue)|underage)|(?:ukraine|russian?|underaged?|asian?|great|little|forbidden|lesbian|teens?|preteens?) lolita|(?:pedo|underage|babies|content) pthc|pthc (?:megaupload|bbs|kasumi)|aqua teen porn|(?:preteen(age)?|underage|lolita) mod(?:el|le))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300074,rev:23,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300078:
|
|
SecRule ARGS|!ARGS:/saml/|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:/refer/|!ARGS:/url/|!ARGS:/saml/|!ARGS:/dnssearch/|!ARGS:file|!ARGS:/token/ "[ -_.,\"\'\|](?:sister cartoons|couples? (?:seduce|fuck|bang|shag) (?:teen|young|girl|boy|little)|(?:sister|milf|gay|lesbian|lolitas?|under[ -_.,\"\'\|]?age|teen(?:er)?s?|hardcore|porn)s? (?:sex|fuck|shag)|cumming[ -_.,\"\'\|]?on[ -_.,\"\'\|]?(each[ -_.,\"\'\|]?other|(?:her|his)[ -_.,\"\'\|]?face)|(?:cheating|slut|swapp?(?:ing)?)[ -_.,\"\'\|]?wi(?:v|f)e|free[ -_.,\"\'\|]?movies?[ -_.,\"\'\|]?of|sexy[ -_.,\"\'\|]?strip[ -_.,\"\'\|]?tease|(porno?|sex|gay|lesbian|under[ -_.,\"\'\|]?age|lolita)[ -_.,\"\'\|]?(?:movie|video|picture|still|photo)s?|hardcore[ -_.,\"\'\|]?(?:porn|xxx|movies|teen|lolita)|hentai|(great|fuck|shag)[ -_.,\"\'\|]?penis(?:es)?|(?:real|cute|atk|extreme|ugly|crazy|free|local)[ -_.,\"\'\|]?hairy[ -_.,\"\'\|]?girls?|(?:little|young|underage)[ -_.,\"\'\|]?(?:girl|boy)s?[ -_.,\"\'\|]?(?:naked|sex|fuck|shag|xxx|porn)|large[ -_.,\"\'\|]?natural[ -_.,\"\'\|]?(?:tit|boob)(?:ie)?s?|naked[ -_.,\"\'\|]?(?:boys|girls)[ -_.,\"\'\|]?young|hentai[ -_.,\"\'\|]|(?:big[ -_.,\"\'\|]?tits?|\bporn\b|anal|cuckold|school(?:girl|boy))[ -_.,\"\'\|]?gall?er(?:y|ies))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300078,rev:6,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Adult',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_ADULT_SPAM
|
|
|
|
############ COMMERCIAL SPAM #############
|
|
SecRule ARGS "@pm free survey cheap discount sale ipod iphone dumps cvv nkoia phone music mp3 player plasma flat screen xbox play payment station ps3 ps2 superfood fuel vaction time share named number increase guarantee advice rollx rollex diet pill vacation percent off buy rumer online leads google ranking limited itune zune wii ipad brass cable broad cigarette phone gifts spells office purchase graduation money shop hand shoulder gucci vuitton oakley" "id:333909,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,t:none,id:333741,pass,nolog,noauditlog,skipAfter:END_COMMERCIAL_SPAM"
|
|
|
|
#SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:description|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:brass(?:fast|-parts-india|-nuts-screws-fasteners|-inserts|-fittings-india|-fastener-india|-copper-castings|-components-india|turnedcomponents|terminalconnectors|-screws-bolts-nuts|precisionparts|partsindia|nuts-brassbolts|neutrallinks|-inserts-fasteners-india|insertsbrassnutsbrassbolts|buildinghardware|cableglands|electrical|electricalaccessories|electricalcomponents|fastenersindia|-fasteners|-fasteners-india|fittingcomponents)|cable(glandsworldwide|-glands-asia|glands-india)|serve(?:beer|blog|counterstrike|ftp|game|halflife|mp3|pics|quake)|broad(?:-band-phone|band-phone-future\.blogspot|band-phone-info|bandphoneservices)|\.cable(?:accs|glandsindia)|\.conex(?:india|metals|techno)|diamond-(rings-india|ring-diamond-rings|pendants-india|earrings-india|jewellery-india|ring-rings\.tripod)|electrical(?:-brass-components|brass\.f2s))\.com" # "t:none,t:lowercase,t:compressWhitespace,id:300067,rev:13,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial spammer URL',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300069:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "\b(?:free|cheap|discount|shop|for[ -_.,\"\'\|]?sale)\b[ -_.,\"\'\|](?:crocs|nokia|north ?face|canada ?goose|cell[ -_.,\"\'\|]?i?phone|(?:mp3|music|ip(?:od|hone)[ -_.,\"\'\|]?player)|ip(?:od|hone)|plasma|flat[ -_.,\"\'\|]?screen|\bxbox\b|play[ -_.,\"\'\|]?station|ps(?:4|3|2)|game[ -_.,\"\'\|]?boy|\bpsp\b|louis[ -_.,\"\'\|]?vuitton|(?:hand|shoulder)[ -_.,\"\'\|]?bag|roll?ex|diet[ -_.,\"\'\|]?pill|vacation|time[ -_.,\"\'\|]?share|free online games)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300069,rev:26,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:named[ -_.,\"\'\|]?(?:\#1|number[ -_.,\"\'\|]?(?:1|one))[ -_.,\"\'\|]?superfood|fuel[ -_.,\"\'\|]?increase[ -_.,\"\'\|]?guarante|advice[ -_.,\"\'\|]?and[ -_.,\"\'\|]?payment[ -_.,\"\'\|]?notification|(?:louis[ -_.,\"\'\|]?vuitton|factory|north ?face|canada ?goose)[ -_.,\"\'\|]?\b(?:outlet|online|stores?)\b|(?:vacation|time[ -_.,\"\'\|]?share)[ -_.,\"\'\|]?(?:discount|for[ -_.,\"\'\|]?sale|free|[0-9][0-9](?:\%|percent)[ -_.,\"\'\|]?off|cheap)|aggressive[ -_.,\"\'\|]?buying[ -_.,\"\'\|]?equipment|get a discount of up to 50% for|x-?rumer |increase your online leads|1st page google ranking|attract free shipment|yiacoumis z limited|for[ -_.,\"\'\|]?s(?:a|e)ll[ -_.,\"\'\|]?i?(?:phone|tune|pod|xbox|wii|ipad|zune)|cheap[ -_.,\"\'\|]?(?:abercrombie|\buggs?\b)|i sell dumps|interactive survey panel|surveys?[ -_.,\"\'\|]?(?:for|4)[ -_.,\"\'\|]?(?:money|cash)|electronic cigarette|reverse[ -_.,\"\'\|]c?e?l?l? ?[ -_.,\"\'\|]phone[ -_.,\"\'\|]lookup|(?:(?:basket|foot)ball|soccer)[ -_.,\"\'\|]coach[ -_.,\"\'\|]gifts|love spells.{1,100}financial help|microsoft office term 20[0-1][0-9]|can purchase a spinner bicycle|picking a good graduation gifts|quickly earn money|make money fast|(?:uggs?|coach|vitton|factory|michael kors|gucci|oakley|handbags?) outlet|oakley x squared )" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300066,rev:26,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Commercial',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_COMMERCIAL_SPAM
|
|
############# SEO SPAM #################
|
|
SecRule ARGS "@pm traffic mass rankings post thread forum blog cheat guest seo google bing captcha register break web site cool helpful understand nice good rock design search engine optim first rank xrunner xroomer xrumer xruumer xrummer portal website board paralleled matchless otimiza link gold" "id:333910,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333743,t:none,pass,nolog,noauditlog,skipAfter:END_SEO_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:utm_term|!ARGS:/ticket/|!ARGS:/banned/|!ARGS:ban_user|!ARGS:/casetrack/|!ARGS:block|!ARGS:ban|!ARGS:setting[banemail]|!ARGS:/password/ "(?:generator cheats? 202|cheats 202. working|(?:cheat|gem)s? generator|cheatmod\.org|(?:gold|diamonds?) generator no (?:jailbreak|human)|go cheats? code|lives generator and cheat)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300073,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Game cheat spam content detected',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
# Rule 300071:
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/filter/!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:xr(?:unn|oom|uu?m)er |mass post threads and messages on forums, blogs, guestbooks,|this forum has captcha on registering, but it's was breaked|break (?:captchas?|anti-?bot (?:protections?)?) automa(?:t|g)icall?y |did you hear about best software for promo and seo|search[ -_.,\"\'\|]engine[ -_.,\"\'\|]optimiz|hello[ -_.,\"\'\|]?cool[ -_.,\"\'\|]?site|xciting[ -_.,\"\'\|]?website|cool[ -_.,\"\'\|]?guest[ -_.,\"\'\|]?book|really[ -_.,\"\'\|]?helpful[ -_.,\"\'\|]?for[ -_.,\"\'\|]?understand|!(very)[ -_.,\"\'\|]?(?:nice|good)[ -_.,\"\'\|]?(?:(?:web)?site|design)|this[ -_.,\"\'\|]?site[ -_.,\"\'\|]?rocks|wonderful(?: that site wonderful|(?:wonderful this|your) portal (?:incomparable|nice))|super your site nice |(?:otimização|otimização) de sites|(?:seo|search engine optimization) services?:? get free evaluation of your (?:(web)?site|blog|forum)|we (?:are interested to|can) increase (?:traffic|rankings?) (?:to|of) your website|free website analysis and ranking report for|p to ten times your targeted traffic|(?:seo|search engine optimization|link[ -_.,\"\'\|]?building) service|drive mass traffic to your site|top of the search engine)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300071,rev:14,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:w(?:o(?:nderful (?:your(?:'s (?:portal (?:incomparable|unparalleled)|board unparalleled|site incomparable)| (?:portal incomparable|board unparalleled))|th(?:at (?:board (?:matchless|unmatched)|site wonderful)|is portal (?:peerless|nice))|it's portal unequalled)|w (?:th(?:is (?:b(?:oard wonderful|log peerless)|portal nonpareil)|at (?:site (?:matchless|wonderful)|board unmatched))|your(?: portal unparalleled|'s portal nice)|it's (?:portal|blog) class))|hant to say (?:your(?: b(?:oard (?:un(?:parallel|match)ed|wonderful)|log unparalleled)|'s board (?:incomparable|cool))|th(?:is (?:b(?:oard unparalle|log unequal)led|portal matchless|site cool)|at site (?:unmatched|class))|it's (?:portal matchle|site cla)ss)|a(?:nna say (?:your(?: (?:(?:blog unparallel|portal unmatch)ed|site nonpareil)|'s site cool)|th(?:is (?:board unapproachable|portal nonpareil)|at site unparalleled)|it's b(?:oard unapproach|log incompar)able)|r doesn't make boys men)|e all agree that your theory is crazy)|i (?:say (?:your(?:'s (?:site (?:unapproachable|peerless)|portal wonderful|blog unmatched)| (?:portal (?:incomparable|wonderful)|(?:board matchle|site cla)ss))|th(?:at (?:blog (?:unmatched|wonderful)|site unapproachable)|is board (?:unparalleled|nonpareil|peerless))|it's (?:site matchless|portal nice))|think (?:your(?:'s (?:portal (?:(?:matchle|cla)s|have 5 star)s|site (?:unparalleled|class))| (?:site have 5 star|blog clas)s)|this site peerless)|know (?:your(?:'s (?:portal (?:wonderful|nice)|site incomparable)| portal (?:unparalleled|wonderful))|this (?:site have 5 star|board peerles)s))|yes (?:th(?:is (?:blog (?:un(?:approachable|equalled)|matchless)|site unparalleled|portal nonpareil)|at (?:board nonpareil|site nice))|it's (?:b(?:oard (?:unapproachable|class)|log incomparable)|site incomparable|portal matchless)|your(?: (?:b(?:log wonderful|oard nice)|portal matchless|site nice)|'s portal have 5 stars))|amazing (?:your(?:'s (?:blog (?:unapproachable|nonpareil|class)|site incomparable)| b(?:oard|log) nonpareil)|th(?:is portal unapproachable|at portal unequalled)|it's (?:board unapproachable|portal peerless))|gorgeous (?:th(?:at (?:b(?:log (?:unequalled|cool)|oard incomparable)|site unequalled)|is board peerless)|your(?:'s b(?:oard nonpareil|log unmatched)| portal matchless)|it's site (?:have 5 stars|unmatched))|super (?:th(?:at (?:board incomparable|portal matchless)|is board matchless)|it's (?:blog (?:incomparable|unequalled)|portal peerless)|your (?:(?:portal|site) nice|board cool)))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300049,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible SEO or spamware content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_SEO_SPAM
|
|
|
|
############# SEO SPAM #################
|
|
SecRule ARGS "@pm hello dear membery forum secretsline everyone name devils shows traffic princess wonderful brilliant knowing" "id:353911,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333744,t:none,pass,nolog,noauditlog,skipAfter:END_FORUM_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:hello dear membery? forum|anonymous downloading movies, music and surfing on the internet|secretsline|devils icebox|high quality wire shows|methods for generating youtube traffic)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300035,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecRule ARGS "(?:what is up everyone\? my name is .{1,50}am new to the forum and just wanted to say hi|friend.s princess|wonderful beat \!|broadcast provided brilliant clear idea|my knowing has)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300186,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Generic Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_FORUM_SPAM
|
|
|
|
############# TRAVEL SPAM #################
|
|
SecRule ARGS "@pm visit saopaulo paris bahamas island eleuthera" "id:333912,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333745,t:none,pass,nolog,noauditlog,skipAfter:END_TRAVEL_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "visit(?:(?:afghanistan|armenia|azerbaijan|bahrain|bangladesh|bhutan|bosnia|brunei|cambodia|china|christmasisland|centralasia|cocosislands|croatia|cyprus|egypt|india|indonesia|iran|israel|jordan|kiev|korea|kosovo|kuwait|kyrgyzstan|laos|latvia|macedonia|malaysia|maldives|mongolia|nepal|northkorea|oman|pakistan|philippines|russia|saudiarabia|southkorea|switzerland|tajikistan|turkmenistan|uae|uzbekistan)|(?:chn|capena|car|esp|solomonislands)\.com|(?:bombay|world)\.info|visit-london\.eu)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300030,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:saopaulo(?:aero|artes|autos|bares|bus|channel|cidades|cinemas|estradas|eventos|gallery|gallery|gaytravel|invest|links|mall|mapas|market|metro|moda|museus|night|noticias|parques|photo|praias|relax|restaurantes|ruas|shuttle|sites|suites|teatros|town|work)|bahamas(-beach-rental|-bookstore|-diving|-honeymoon|-rental|-store|-travel|-villa-rental|homesite)|cat-island(?:-rental\.com|\.net)|eleuthera-(?:bahamas|bahamas-rental|rental))\.com" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300031,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "paris(?:officedetourisme|tennessenews|roller|texasnewspaper)\.info" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300033,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Travel spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_TRAVEL_SPAM
|
|
###########DEGREE MILL#############
|
|
# Rule 300072:
|
|
SecRule ARGS "@pm degree diploma" "id:333913,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333746,t:none,pass,nolog,noauditlog,skipAfter:END_DIPLOMA_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/|!ARGS:/search/|!ARGS:toemail|!ARGS:fromemail "(?:degree|diploma) in radiology" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300072,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Degree Mill',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_DIPLOMA_SPAM
|
|
############FAKE AV SPAM##################
|
|
SecRule ARGS "@pm virus malware spy greeting" "id:333914,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333747,t:none,pass,nolog,noauditlog,skipAfter:END_ANTIVIRUS_SPAM"
|
|
|
|
#Rule 300080
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "(?:free|discount)[ -_.,\"\'\|]?anti[ -_.,\"\'\|]?(?:virus|(?:spy|mal)ware)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300080,rev:5,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Free antivirus/spyware Link/Content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
#Rule 300080
|
|
SecRule ARGS|!ARGS:/domain/|!ARGS:/^utm_/|!ARGS:/new_messages/|!ARGS:utm_term|!ARGS:/bigdescription/|!ARGS:/orgname/|!ARGS:/query/|!ARGS:/ticket/|!ARGS:/navcat/|!ARGS:/banned/|!ARGS:offer_article|!ARGS:action_name|!ARGS:ban_user|!ARGS:short_story|!ARGS:UserData|!ARGS:/process_chats/|!ARGS:embed|!ARGS:tmpl|!ARGS:business|!ARGS:/milestone/|!ARGS:/product_name/|!ARGS:/AD_ITEM/|!ARGS:/drug/|!ARGS:/^payer_/|!ARGS:/billing/|!ARGS:/casetrack/|!ARGS:block|!ARGS:imapuser|!ARGS:ban|!ARGS:/department/|!ARGS:redirect_to|!ARGS:p_profile_pictures|!ARGS:return|!ARGS:setting[banemail]|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/|!ARGS:/user_name/|!ARGS:/page_content/ "pick[ -_.,\"\'\|]?up[ -_.,\"\'\|]?your[ -_.,\"\'\|]?greeting[ -_.,\"\'\|]?card" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300060,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Spam/Malware Link/Content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_ANTIVIRUS_SPAM
|
|
############WOW/GOLD FARMING SPAM###########
|
|
SecRule ARGS "@pm gold farm making make hour tip likes" "id:353915,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333748,t:none,pass,nolog,noauditlog,skipAfter:END_WOW_SPAM"
|
|
|
|
#Rule 300184
|
|
SecRule ARGS "(?:gold[ -_.,\"\'\|](?:making|farmers)|game[ -_.,\"\'\|]tip[ -_.,\"\'\|]wow[ -_.,\"\'\|]gold|gold[ -_.,\"\'\|]an[ -_.,\"\'\|]hour[ -_.,\"\'\|]farm|farming[ -_.,\"\'\|]gold|runescape[ -_.,\"\'\|]?gold|buy (?:instagram|facebook|twitter) likes)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300184,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_WOW_SPAM
|
|
|
|
############ESSAY SPAM###########
|
|
SecRule ARGS "@pm essay paper best term dissertations writing custom resume editing proofreading research video custom" "id:333916,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333749,t:none,pass,nolog,noauditlog,skipAfter:END_ESSAY_SPAM"
|
|
|
|
SecRule ARGS|!ARGS:/username/|!ARGS:oaparams|!ARGS:/password/ "(?:best (?:term|college) (?:papers|essays)|best essays|academic writing assistance for term papers|(?:custom|essay|resume|paper|book report|video|research paper|dissertation|book and report) (?:writ|edit)ing (?:website|service)|(?:proofreading|custom writing) services|custom (?:research papers|paper writing)|original custom research paper for you|essay editing|custom (?:paper|writing))" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300185,rev:4,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Essay spam content',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_ESSAY_SPAM
|
|
|
|
|
|
|
|
|
|
############# GENERAL FORUM SPAM ###################
|
|
SecRule ARGS "@pm dumps cvv verified unlimited ebay heinchuini@ymail.com fullz atm" "id:333917,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333750,t:none,pass,nolog,noauditlog,skipAfter:END_HACK_SPAM"
|
|
|
|
SecRule ARGS "(?:fresh and verified and unlimited ebay|atm pin database|heinchuini@ymail.com|fullz and uk fullz|cvv\+full info|i sell dumps)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300188,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_HACK_SPAM
|
|
|
|
#Movies spam
|
|
SecRule ARGS "@pm movies capital rapidshare hollywood" "id:353918,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333751,t:none,pass,nolog,noauditlog,skipAfter:END_MOVIES_SPAM"
|
|
|
|
SecRule ARGS "(?:movies capital (?:has an|scam)|rapidshare premium link generator|huge collection of photos of hollywood stars)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300189,rev:3,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible Illegal Activity Forum Spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_MOVIES_SPAM
|
|
|
|
SecRule ARGS "@streq unlimited" "id:333919,phase:2,t:none,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333752,t:none,pass,nolog,noauditlog,skipAfter:END_HOSTING_SPAM"
|
|
|
|
SecRule ARGS "business of unlimited reseller hosting" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300301,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Reseller spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
SecMarker END_HOSTING_SPAM
|
|
|
|
SecRule ARGS "@pm visa fiance spouse spousal green" "id:333920,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333755,t:none,pass,nolog,noauditlog,skipAfter:END_VISA_SPAM"
|
|
|
|
SecRule ARGS "(?:k(?:1|3) (?:fiancee?|spous(?:e|al)) (?:visa|green ?card)|k(?:1|2|3) visa)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300303,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible visa spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
SecMarker END_VISA_SPAM
|
|
|
|
#job search spam
|
|
#job search faster
|
|
SecRule ARGS "@pm job search" "id:333921,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333756,t:none,pass,nolog,noauditlog,skipAfter:END_JOBS_SPAM"
|
|
|
|
SecRule ARGS "(?:job search faster|find perfect jobs|free enterprise jobs)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300304,rev:1,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible job search spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
SecMarker END_JOBS_SPAM
|
|
|
|
SecRule ARGS "@pm loan checking money cash" "id:333922,phase:2,t:none,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333757,t:none,pass,nolog,noauditlog,skipAfter:END_LOAN_SPAM"
|
|
|
|
SecRule ARGS "(?:second chance checking|pay ?day ?loan|money site url|cash[ -_.,\"\'\|]?advance)" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,t:compressWhitespace,id:300311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Possible loan spam',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
|
|
SecMarker END_LOAN_SPAM
|
|
|
|
SecRule REQUEST_URI "@pm result: ++++" "id:333923,phase:2,t:none,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:333758,t:none,pass,nolog,noauditlog,skipAfter:END_SPLIT_SPAM"
|
|
|
|
SecRule REQUEST_URI "\+\+\+\+\+\+\+\+\+\+\+.{1,100}result\:" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:301311,rev:2,severity:4,msg:'Atomicorp.com WAF AntiSpam Rules: Spam: Session Splitting Spam Attempt',logdata:' %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
|
|
|
|
SecMarker END_SPLIT_SPAM
|
|
|
|
|
|
#All spam end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#anti hotlinking
|
|
# SecRule REQUEST_HEADERS:Referer # "!@beginsWith %{request_headers.host}" # phase:1,t:none,log,drop,chain
|
|
# SecRule REQUEST_FILENAME "!\.(?:gif|png|jpe?g|ico)$" # t:none,t:lowercase
|
|
SecMarker END_SPAM
|