palserv
asked on
Mod Security and PHP Language
Hello
I install the Mod Security on My Linux Server .. but after that i faced some problem with some php scripts example the Visitor Counter Scripts and the Statics Scripts that there is no any visits are calculated on the scripts and the Total of visitors always zero ..
here is the Configuration of the Mod Security .. can any body help me for it please ?
and here is the Statics Scripts that i Face the Problem the scripts name is I-Stats
i upload it to my site because i cann't attach it by using the attach files
http://www.ifady.com/stat.zip
I install the Mod Security on My Linux Server .. but after that i faced some problem with some php scripts example the Visitor Counter Scripts and the Statics Scripts that there is no any visits are calculated on the scripts and the Total of visitors always zero ..
here is the Configuration of the Mod Security .. can any body help me for it please ?
and here is the Statics Scripts that i Face the Problem the scripts name is I-Stats
i upload it to my site because i cann't attach it by using the attach files
http://www.ifady.com/stat.zip
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "config"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/home"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_html"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"
SecRule ARGS|HTTP_Content-Length|REQUEST_COOKIES "/etc"
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Server Secured By PalServ.Net"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecDebugLogLevel 0
SecDebugLog logs/modsec_debug_log
SecDataDir /tmp
SecTmpDir /tmp
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"
#generic path recurision sig
#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd="
#Prevent SQL injection in UA
SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult
# to prevent false postives and negatives.
# Pplease report false positives/negatives to mike@gotroot.com
SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic SQL sigs
SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Generic SQL sigs
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
#Generic SQL sigs
SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)"
#Meta character SQL injection
SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)" "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"
#Generic command line attack filter
SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|"
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS compress\.zlib:
#Generic XSS filter
#please report false positives
SecRule REQUEST_URI "!/mt\.cgi" chain
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#really broad furl_fopen attack sig
#tune this for your system
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#script, perl, etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"
#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#Bogus file extensions generic signature
SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"
#Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"
# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_"
# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest"
# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"
#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="
# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl"
#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$"
#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"
#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"
#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"
#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25
#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#Commands, also need a major rework, these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"
#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen"
#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr\(([0-9]{1,3})\)"
SecRule ARGS_NAMES "^php:/"
# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"
# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"
# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"
#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"
#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*="
#cross site scripting attempt TYPE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript"
#cross site scripting attempt STYLE + JAVASCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript"
#cross site scripting attempt STYLE + JSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript"
# cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript"
#cross site scripting attempt STYLE + VBSCRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript"
#cross site scripting attempt STYLE + ECMACRIPT
SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript"
# cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\("
#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"
# cross site scripting attempt using XML
SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"
#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("
#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
#Apache /server-info accessible
SecRule REQUEST_URI "/server-info" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"
#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"
#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;"
SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;"
#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecRule REQUEST_BODY "methodCall\>"
#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain
SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecRule REQUEST_URI "/xmlrpc\.php" chain
#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
#XML-RPC SQL injection generic signature
SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain
SecRule REQUEST_BODY "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"
#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"
#catch smuggling attacks
#SecRule "^(GET|POST).*Host:.*^(GET|POST)"
#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"
#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
#Generic XML RPC attack sig
SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;"
#HTTP header PHP code injection attacks
SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"
#phpbb wormsign
SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_"
#Generic PHP avatar upload exploits
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"
#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("
#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"
#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"
#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"
#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"
#30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI "/php\.txt\?"
#1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
SecRule REQUEST_URI "files/.*\.php\.menu\?cmd="
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"
#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"
#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"
#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
SecRule REQUEST_URI|REQUEST_BASENAME|REQUEST_FILENAME|REQUEST_HEADERS|RESPONSE_BODY|REQUEST_BODY "/(r0nin|m0rtix|r57shell|too20|phpshell|shell|sniper_sa|sniper_sa2|64|c99|r57|xp|.xp|mohajer|mysql|cgitelnet|Locus7|msql|safe|symlink|sym4|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute)\.ph(p(3|4)?|tml)" log,redirect:http://www.palserv.net/security.html
#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
#new unknown kit
SecRule REQUEST_URI "/oops?&"
# known PHP attack shells
#value of these sigs, pretty low, but here to catch
# any lose threads, honeypoting, etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"
#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"
#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"
#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="
#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="
#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"
#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\<\?php system\("
SecRule REQUEST_URI|REQUEST_BODY "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecRule REQUEST_URI "help_text_vars\.php\?suntzu="
#25dec new one
SecRule REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
#26dec new kit
SecRule REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/vsf\.vsf\?&"
#27dec
SecRule REQUEST_URI "/scan1\.0/scan/"
SecRule REQUEST_URI "test\.txt\?&"
#30dec
SecRule REQUEST_URI "\.k4ka\.txt\?"
#31dec
SecRule REQUEST_URI "/php\.txt\?"
#1 jan
SecRule REQUEST_URI "/sql\.txt\?"
SecRule REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
#22feb
SecRule REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
#24mar
SecRule REQUEST_URI "/docLib/cmd\.asp"
SecRule REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecRule REQUEST_URI "\.asp\?.*showUpload&thePath="
SecRule REQUEST_URI "\.asp\?.*theAct=inject&thePath="
#some broken attack program
SecRule REQUEST_URI|REQUEST_BODY "PUT /.*_@@RNDSTR@@"
SecRule REQUEST_URI|REQUEST_BODY "trojan\.htm"
SecRule REQUEST_URI "/r57en\.php"
SecRule REQUEST_URI "\.htaccess"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
#c99 rootshell
SecRule REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=|tools|ftpquickbrute|mkdir|phpinfo|upload|delete|eval|)"
#generic shell
SecRule REQUEST_URI "shell\.txt"
#bad scanner
SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
#wormsign
SecRule REQUEST_BODY "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
#New SEL attack seen
SecRule REQUEST_URI|REQUEST_BODY "select.*from.*information_schema\.tables"
#New SQL attack seen
SecRule REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"
#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"
# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"
# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"
# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"
# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"
# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS python access attempt
#SecRule "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"
# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"
# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"
# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"
# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"
# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"
# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"
# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "fopen"
SecRule REQUEST_URI "\.\.\.\./"
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)"
SecRule REQUEST_BODY "<\?php" chain
SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" t:normalisePathWin
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
SecRule REQUEST_LINE "wget "
SecRule REQUEST_LINE "lynx "
SecRule REQUEST_LINE "Fhome"
SecRule REQUEST_LINE "ftp "
SecRule REQUEST_LINE "cvs"
SecRule REQUEST_LINE "php?phpinfo"
SecRule REQUEST_LINE "php?phpini"
SecRule REQUEST_LINE "php?mem"
SecRule REQUEST_LINE "php?cpu"
SecRule REQUEST_LINE "php?users"
SecRule REQUEST_LINE "php?tmp"
SecRule REQUEST_LINE "php?delete"
SecRule REQUEST_LINE "cmd"
SecRule REQUEST_LINE "curl "
SecRule REQUEST_LINE "act=sql&"
SecRule REQUEST_LINE "ssh "
SecRule REQUEST_LINE "echo "
SecRule REQUEST_LINE "links -dump "
SecRule REQUEST_LINE "links -dump-charset "
SecRule REQUEST_LINE "links -dump-width "
SecRule REQUEST_LINE "links http:// "
SecRule REQUEST_LINE "links ftp:// "
SecRule REQUEST_LINE "links -source "
SecRule REQUEST_LINE "mkdir "
SecRule REQUEST_LINE "cd /tmp "
SecRule REQUEST_LINE "cd /var/tmp "
SecRule REQUEST_LINE "cd /etc/httpd/proxy "
SecRule REQUEST_LINE "/config.php?v=1&DIR "
SecRule REQUEST_LINE "&highlight=%2527%252E "
SecRule REQUEST_LINE "changedir=%2Ftmp%2F.php "
SecRule REQUEST_LINE "arta\.zip "
SecRule REQUEST_LINE "cmd=cd\x20/var "
SecRule REQUEST_LINE "HCL_path=http "
SecRule REQUEST_LINE "clamav-partial "
SecRule REQUEST_LINE "vi\.recover "
SecRule REQUEST_LINE "netenberg "
SecRule REQUEST_LINE "psybnc "
SecRule REQUEST_LINE "fantastico_de_luxe "
SecRule REQUEST_LINE "2Fpublic_html&"
SecRule REQUEST_LINE ".htaccess"
SecRule REQUEST_LINE "sql_passwd"
SecRule REQUEST_LINE "c99sh_datapipe.pl"
SecRule REQUEST_LINE "listDBs"
SecRule REQUEST_LINE "%2home%2"
SecRule REQUEST_LINE "%2home%"
SecRule REQUEST_LINE "%home%"
SecRule REQUEST_LINE "%home"
SecRule REQUEST_LINE "home%"
SecRule REQUEST_LINE "%2Fhome%2"
SecRule REQUEST_LINE "%2Fhome%"
SecRule REQUEST_LINE "%Fhome%"
SecRule REQUEST_LINE "%Fhome"
SecRule REQUEST_LINE "Fhome%"
SecRule REQUEST_LINE "2Fpublic_html&"
SecRule REQUEST_LINE "/etc/"
SecRule REQUEST_LINE "bcc:"
SecRule REQUEST_LINE "bcc\x3a"
SecRule REQUEST_LINE "cc:"
SecRule REQUEST_LINE "cc\x3a"
SecRule REQUEST_LINE "bcc:|Bcc:|BCC:" chain
SecRule REQUEST_BODY "Bcc:"
SecRule REQUEST_BODY "Bcc:\x20"
SecRule REQUEST_BODY "cc:"
SecRule REQUEST_BODY "cc:\x20"
SecRule REQUEST_BODY "bcc:"
SecRule REQUEST_BODY "bcc:\x20"
SecRule REQUEST_BODY "bcc: "
SecRule REQUEST_LINE "Bcc:"
SecRule REQUEST_LINE "Bcc:\x20"
SecRule REQUEST_LINE "cc:"
SecRule REQUEST_LINE "cc:\x20"
SecRule REQUEST_LINE "bcc:"
SecRule REQUEST_LINE "bcc:\x20"
SecRule REQUEST_LINE "bcc: "
SecRule REQUEST_LINE "cd "
#SecRule REQUEST_LINE "cat "
#SecRule REQUEST_LINE "ls "
SecRule REQUEST_LINE "id "
#SecRule REQUEST_URI "/admincp/user\.php" chain
#WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecRule REQUEST_LINE "/quick-reply\.php" chain
SecRule REQUEST_BODY "wget "
SecRule REQUEST_BODY "lynx "
SecRule REQUEST_BODY "Fhome"
SecRule REQUEST_BODY "ftp "
SecRule REQUEST_BODY "cvs "
#SecRule REQUEST_BODY "cmd"
SecRule REQUEST_BODY "curl "
SecRule REQUEST_BODY "act=sql&"
SecRule REQUEST_BODY "ssh "
SecRule REQUEST_BODY "echo "
SecRule REQUEST_BODY "links -dump "
SecRule REQUEST_BODY "links -dump-charset "
SecRule REQUEST_BODY "links -dump-width "
SecRule REQUEST_BODY "links http:// "
SecRule REQUEST_BODY "links ftp:// "
SecRule REQUEST_BODY "links -source "
SecRule REQUEST_BODY "mkdir "
SecRule REQUEST_BODY "cd /tmp "
SecRule REQUEST_BODY "cd /var/tmp "
SecRule REQUEST_BODY "cd /etc/httpd/proxy "
SecRule REQUEST_BODY "/config.php?v=1&DIR "
SecRule REQUEST_BODY "&highlight=%2527%252E "
SecRule REQUEST_BODY "changedir=%2Ftmp%2F.php "
SecRule REQUEST_BODY "arta\.zip "
SecRule REQUEST_BODY "cmd=cd\x20/var "
SecRule REQUEST_BODY "HCL_path=http "
SecRule REQUEST_BODY "clamav-partial "
SecRule REQUEST_BODY "vi\.recover "
SecRule REQUEST_BODY "netenberg "
SecRule REQUEST_BODY "psybnc "
SecRule REQUEST_BODY "fantastico_de_luxe "
SecRule REQUEST_BODY ".htaccess"
#SecRule REQUEST_BODY "sql_passwd"
SecRule REQUEST_BODY "c99sh_datapipe.pl"
SecRule REQUEST_BODY "listDBs"
SecRule REQUEST_BODY "%2home%2"
SecRule REQUEST_BODY "%2home%"
SecRule REQUEST_BODY "%home%"
SecRule REQUEST_BODY "%home"
SecRule REQUEST_BODY "home%"
SecRule REQUEST_BODY "%2Fhome%2"
SecRule REQUEST_BODY "%2Fhome%"
SecRule REQUEST_BODY "%Fhome%"
SecRule REQUEST_BODY "%Fhome"
SecRule REQUEST_BODY "Fhome%"
SecRule REQUEST_BODY "2Fpublic_html&"
SecRule REQUEST_BODY "/etc/"
SecRule REQUEST_BODY "db_server"
SecRule REQUEST_BODY "SHOW DATABASES "
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.