File Manager
Current Directory: /home/lartcid/public_html/journal.lartc.id
..
.htaccess
.well-known
README.md
api
cache
cgi-bin
classes
config.TEMPLATE.inc.php
config.inc.php
controllers
cypress.json
dbscripts
docs
error_log
favicon.ico
index.php
js
lib
locale
mini.php
pages
php.ini
plugins
public
registry
scheduledTaskLogs
schemas
styles
templates
[Open]
Hapus
Rename
tools
[Open]
Hapus
Rename
Edit File
# ---------------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2021 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# Please see the enclosed IM360-LICENSE.txt file for full details.
# ---------------------------------------------------------------
# Imunify360 ModSecurity Generic Ruleset
#
# Reading guide:
#  - Each directive is `SecRule VARIABLES "OPERATOR" "ACTIONS"`. A rule carrying
#    `chain` only fires when the rule(s) directly after it (indented here) match too.
#  - Most rules use `pass`, so a match is recorded but the request continues.
#    The disruptive rules are 77140165, 77140166, 77210801, 77210820, 77218400,
#    77211190, 77220020, 77210101, 77218570, 33344, 77350223 and 77350224.
#    `block` defers to the SecDefaultAction in force, which is not set in this file.
#  - Phrase files used by @pmFromFile (bl_os_files, bl_scanners, bl_agents,
#    malware_standalone.list) are external and not shown here.
#  - Two SecMarker labels are skip targets: IGNORE_CRS_SQLi and big_request_body.

# Track missing User-Agent header
# Counts User-Agent headers; when there are none, increments TX.miss_ua without logging.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:77135155,msg:'IM360 WAF: Missing User Agent Header||T:APACHE||',phase:request,pass,nolog,t:none,severity:7,setvar:TX.miss_ua=+1,tag:'service_i360',tag:'noshow',tag:'service_gen'"

# DEFA-2611
# Blocks requests whose decoded, normalised file path ends in ".suspected".
SecRule REQUEST_FILENAME "@endsWith .suspected" "id:77140165,phase:2,block,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: Block .suspected files||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'i360custom'"

# DEFA-5297
# A declared Content-Length of 5,000,000 or more (7+ digits starting 5-9, or 8+ digits)
# jumps to `SecMarker big_request_body`, skipping every phase:2 rule in between.
# NOTE(review): such requests are not inspected by the traversal, injection and SQLi
# rules below; confirm the request body limits configured elsewhere cover this gap.
SecRule REQUEST_HEADERS:Content-Length "@rx ^([56789]\d{6,}|\d{8,})$" "id:77350155,pass,severity:5,phase:2,skipAfter:big_request_body,t:none,msg:'IM360 WAF: Huge request size||T:APACHE||MV:%{MATCHED_VAR}||',tag:'noshow',tag:'i360custom'"

# DEFA-2692
# Denies (403) when an argument, the URI or a Cookie header contains "../" and the
# normalised value also contains a phrase from bl_os_files.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@rx \.\.\/" "id:77140166,chain,msg:'IM360 WAF: Blocking directory traversal attempt||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"
    SecRule MATCHED_VAR "@pmFromFile bl_os_files" "t:none,t:normalizePath"

# Blocks User-Agents listed in bl_scanners, except for /upgrade.php and /sitemaps paths.
SecRule REQUEST_FILENAME "!@pm /upgrade.php /sitemaps" "id:77210801,chain,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,t:normalizePath,severity:2,tag:'service_gen'"
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_scanners" "t:none,t:lowercase"

# Scanner fingerprints in header names or values: @pm pre-filter, then a stricter regex.
# NOTE(review): the chained rule lowercases its input, so the case-sensitive
# `X-Scanner` alternative appears unable to match.
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pm acunetix -agreement vulnerability scanner myvar=1234 x-ratproxy-loop bytes=0-,5-0 X-Scanner" "id:77210810,chain,phase:2,pass,t:none,severity:2,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen'"
    SecRule MATCHED_VAR "@rx (?:\(?acunetix(?:-(?:scanning|product|user)(?:-agreement)?)?(?: web vulnerability scanner)?)|(?:myvar=1234)|(?:x-ratproxy-loop)|(?:bytes=0-,5-0,5-1,5-2,5-3)|(?:X-Scanner)" "t:none,t:lowercase"

# Blocks paths containing the probe names "nessustest" or "appscan_fingerprint".
SecRule REQUEST_FILENAME "@pm nessustest appscan_fingerprint" "id:77210820,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,severity:2,tag:'service_gen'"

# Rogue crawler User-Agents: phrase match from bl_agents, confirmed by the
# case-insensitive signature regex below. Non-disruptive (pass).
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_agents" "id:77210831,chain,msg:'IM360 WAF: Rogue web site crawler||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,t:none,severity:5,tag:'service_gen'"
    SecRule REQUEST_HEADERS:User-Agent "(?i:(?:^(?:microsoft url|user-Agent|www\.weblogs\.com|(?:jakart|vi)a|(google|i{0,1}explorer{0,1}\.exe|(ms){0,1}ie( [0-9.]{1,}){0,1} {0,1}(compatible( browser){0,1}){0,1})$)|\bdatacha0s\b|; widows|\\\r|a(?: href=|d(?:sarobot|vanced email extractor)|gdm79@mail\.ru|miga-aweb/3\.4|t(?:hens|tache|(?:omic_email_hunt|spid)er)|utoemailspider)|b(?:ackdoor|lack hole|utch__2\.1\.1|wh3_user_agent)|c(?:h(?:e(?:esebot|rrypicker)|ina(?: local browse 2\.|claw))|o(?:mpatible(?: ;(?: msie|\.)|-)|n(?:cealed defense|t(?:actbot/|entsmartz)|veracrawler)|py(?:guard|rightcheck)|re-project/1.0)|rescent internet toolpak)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|e(?:ducate search vxb|mail(?:siphon|wolf|(?: extracto|reape)r|(siphon|spider)|(?:collec|harves|magne)t)|o browse|xtractorpro|(?:collecto|irgrabbe)r)|f(?:a(?:xobot|(?:ntombrows|stlwspid)er)|loodgate|oobar/|ull web bot|(?:iddle|ranklin locato)r)|g(?:ameBoy, powered by nintendo|ecko/25|rub(?: crawler|-client))|h(?:anzoweb|hjhj@yahoo|l_ftien_spider)|i(?:n(?:dy library|ternet(?: (?:exploiter sux|ninja)|-exprorer))|sc systems irc search 2\.1)|kenjin spider|larbin@unspecified|m(?:ailto:craftbot@yahoo\.com|i(?:crosoft (?:internet explorer/5\.0$|url control)|ssigua)|o(?:r(?:feus fucking scanner|zilla)|siac 1.|zilla/3\.mozilla/2\.01$)|urzillo compatible)|n(?:ameofagent|e(?:ssus|(?:uralbot/0\.|wt activeX; win3)2)|ikto|o(?: browser|kia-waptoolkit.{0,} googlebot.{0,}googlebot))|p(?:a(?:ckrat|nscient\.com)|cbrowser|e 1\.4|leasecrawl/1\.|mafind|oe-component-client|ro(?:duction bot|gram shareware 1\.0\.|webwalker)|s(?:urf|ycheclone))|rsync|s(?:\.t\.a\.l\.k\.e\.r\.|afexplorer tl|e(?:archbot admin@google.com|curity scan)|hai|itesnagger|(?:tress tes|urveybo)t)|t(?:ele(?:port pro|soft)|oata dragostea mea pentru diavola|uring machine|(?: {0,1}h {0,1}a {0,1}t {0,1}' {0,1}s g {0,1}o {0,1}t {0,1}t {0,1}a {0,1} h {0,1}u {0,1}r {0,1}|akeou|his is an exploi)t)|u(?:nder the rainbow 2\.|ser-agent:)|v(?:adixbot|oideye)|w(?:3mir|e(?:b(?: (?:by mail|downloader)|emailextract{0,1}|mole|vulnscan|(?:bandi|(?:altb|ro)o)t)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent)|se(?:nut){0,1}bot)|ordpress(?: hash grabber|/4\.01))|zeus(?: .{0,}webster pro){0,1}|[a-z]surf[0-9][0-9]|(?:$botname/$botvers|(script|sql) inject)ion|(compatible ; msie|msie .{1,}; .{0,}windows xp)|(?:8484 boston projec|xmlrpc exploi)t|(sogou develop spider|sohu agent)|(?:demo bot|(?:d|e)browse)|(libwen-us|myie2|murzillo compatible|webaltbot|wisenutbot)))" "capture"

# Canary paths and argument values that scanners request; logged, not blocked.
SecRule ARGS|REQUEST_FILENAME "@pm /.adSensepostnottherenonobook /<invalid>hello.html /actSensepostnottherenonotive /acunetix-wvs-test-for-some-inexistent-file /antidisestablishmentarianism /appscan_fingerprint/mac_address /arachni- /cybercop /nessus_is_probing_you_ /nessustest /netsparker- /rfiinc.txt /thereisnowaythat-you-canbethere /w3af/remotefileinclude.html appscan_fingerprint w00tw00t.at.ISC.SANS.DFind w00tw00t.at.blackhats.romanian.anti-sec" "id:77211010,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'service_gen'"

# Flags a protocol string that does not contain "HTTP/<digits>[.<digits>]".
# The pattern is unanchored, so it only requires that substring to be present.
SecRule REQUEST_PROTOCOL "!@rx HTTP\/\d+(?:\.\d+)?" "id:77210720,msg:'IM360 WAF: HTTP protocol version is not allowed by policy||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:2,tag:'service_gen'"

# Request-smuggling indicator: a comma inside a Content-Length or
# Transfer-Encoding header value. Phase 1, non-disruptive.
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "id:77211070,msg:'IM360 WAF: HTTP Request Smuggling Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,capture,pass,t:none,severity:2,tag:'service_gen'"

# Denies (403) uploads when the value ends in .tpl, .phl, .php, .phpr/.phps/.phpt,
# .ph<digit>, .php<digit>, .phtm/.phtml or .phar (compared in lowercase).
# NOTE(review): FILES_NAMES holds the multipart form-field names, while the uploaded
# file names are in FILES; confirm this is the intended variable.
SecRule FILES_NAMES "@rx \.(?:tpl|p(h(l|p(r|s|t)?|\d|p\d|tml?|ar)))$" "id:77218400,msg:'IM360 WAF: Stop upload of PHP files||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:lowercase,severity:2,tag:'service_gen'"

# php:// stream wrapper names in cookies, arguments or XML (the __utm cookies are excluded).
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(std(in|out|err)|(in|out)put|fd|memory|temp|filter)" "id:77218420,msg:'IM360 WAF: PHP Injection Attack: I/O Stream Found||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"

# GLOBAL GENERIC
# The long `!ARGS:...` lists in this section exclude free-text fields (body, content,
# description, message, ...) from inspection; presumably to limit false positives.

# Server-Side Include directives: "<!--" then "#" then cmd/echo/exec/include/printenv.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd echo exec include printenv" "id:77211040,chain,msg:'IM360 WAF: SSI injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <\!--[^a-zA-Z0-9_]{0,}?#[^a-zA-Z0-9_]{0,}?(?:cmd|e(?:cho|xec)|include|printenv)" "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# Remote file inclusion: a known include-path parameter assigned an http(s)/ftp(s) URL.
SecRule QUERY_STRING|REQUEST_BODY "@pm =http =ftp" "id:77211110,chain,msg:'IM360 WAF: Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
    SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" "t:none,t:urlDecodeUni"

# Remote file inclusion: an argument that is a URL ending in one or more "?".
# One payment-module path and one Joomla form field are excluded.
SecRule REQUEST_FILENAME "!@endsWith /modules/paypal/express_checkout/payment.php" "id:77211120,pass,chain,msg:'IM360 WAF: Remote File Inclusion Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,t:none,t:lowercase,t:normalizePath,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule ARGS|!REQUEST_FILENAME|!ARGS:jform[params][yt_link] "@rx ^(?i)(?:ft|htt)ps?(.*?)\?+$" "t:none,t:lowercase,t:htmlEntityDecode,capture,ctl:auditLogParts=+E"

# DEFA-3491
# Session fixation: script-style ".cookie ...; expires|domain =" or an
# "http-equiv set-cookie" fragment in a parameter or cookie.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm expires domain set-cookie" "id:77211160,chain,msg:'IM360 WAF: Session Fixation Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,ctl:auditLogParts=+E,t:none,t:lowercase,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule MATCHED_VAR "@rx (?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "capture,t:none,t:urlDecodeUni"

# Session fixation: a session-id style parameter name on a request whose Referer
# does not contain this server's name.
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session-id cfid cftoken cfsid jservsession jwsession" "id:77211170,chain,msg:'IM360 WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,ctl:auditLogParts=+E,t:none,t:lowercase,severity:2,tag:'service_gen'"
    SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# Denies parameters or cookies that reference .htaccess/.htgroup/.htpasswd/.wwwacl,
# boot.ini, global.asa, httpd.conf or /etc/ paths.
# NOTE(review): both exemptions (URI phrase list, Referer containing "action=elementor")
# key on request data the client supplies and are not tied to an authenticated
# context; keep the exemption list as narrow as the hosted applications allow.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /manager/ supportkb.php /etc/designs/ updraftplus /staff/addonmodules.php /cpsess /ispmgr /whm /mdb-api/ /connectors/index.php /wp-json/" "id:77211190,chain,phase:2,deny,log,ctl:auditLogParts=+E,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Remote File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen',tag:'service_rbl_infectors'"
    SecRule REQUEST_HEADERS:Referer "!@contains action=elementor" "chain,t:none"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/data/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:force|!REQUEST_COOKIES:/^ph_/|!ARGS:images[]|!ARGS:/^misc-htaccess_/|!ARGS:aiowps_save_htaccess|!ARGS:submithtaccess|!ARGS:site_details|!ARGS:contextpath|!ARGS:response "(?:(?<![\w\s])(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf\S)\b|\.\/etc\/|^\/etc\/)" "t:none,t:cmdLine,t:urlDecodeUni,t:normalizePath,capture"

# Windows command access: "cmd /c", cmd.exe/cmd32.exe and other listed *.exe names.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd .exe" "id:77211200,chain,msg:'IM360 WAF: System Command Access||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,ctl:auditLogParts=+E,t:none,t:cmdLine,severity:2,tag:'service_gen'"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx \b(?:cmd(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:32){0,1}\.exe\b)|(?:ftp|n(?:c|et|map)|rcmd|telnet|w(?:guest|sh))\.exe\b)" "capture,t:none,t:urlDecodeUni,t:lowercase"

# Shell command injection: command names in typical syntax, or following ; ` or |.
# Logged only (pass).
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:__INSIDE_setLock|!ARGS:action_name|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:imgdata2|!ARGS:inparam_dop|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cd chmod cmd .exe echo net tclsh telnet tftp traceroute tracert g++ gcc chgrp chown chsh cpp finger ftp id ls lsof nasm nc nmap passwd perl ping ps python telnet uname xterm rm kill mail" "id:77211210,chain,msg:'IM360 WAF: System Command Injection Attempt||T:APACHE||',phase:2,pass,log,ctl:auditLogParts=+E,t:none,t:cmdLine,severity:5,tag:'service_gen',tag:'noshow',tag:'service_rbl_infectors'"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[\/]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:clsh8{0,1}|elnet\.exe|ftp|racer(?:oute|t))|(?:ftp|rcmd|w(?:guest|sh))\.exe)\b)|[;`|][^a-zA-Z0-9_]{0,}?\b(?:g(?:\+\+|cc\b)|(?:c(?:h(?:grp|mod|own|sh)|md|pp)|echo|f(?:inger|tp)|id|ls(?:of){0,1}|n(?:asm|c|map)|p(?:asswd|erl|ing|s|ython)|telnet|uname|(?:xte){0,1}rm|(?:kil|mai)l)\b))" "capture,t:none,t:cmdLine,t:lowercase"

# PHP file/stream/session function names and the $_POST/$_GET/$_SESSION superglobals.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "id:77211230,msg:'IM360 WAF: PHP Injection Attack||T:APACHE||',phase:2,capture,pass,log,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"

# Cookie header holding a bare "=" pair with no name or value (CVE-2012-0021 per msg).
# Phase 1, block; one OpenCart exchange script is exempt.
SecRule REQUEST_HEADERS:Cookie "@rx (^|;)=(;|$)" "chain,id:77220020,phase:1,block,log,severity:2,msg:'IM360 WAF: DoS vulnerability in Apache 2.2.17 - 2.2.21 (CVE-2012-0021)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen'"
    SecRule REQUEST_URI "!@rx \/exchange_1C_Opencart\.php" "t:none,t:urlDecodeUni"

# Shellshock: a value that starts with "() {", optionally after a 'name= prefix,
# in the query string, file path or the listed headers. Non-disruptive (pass).
SecRule QUERY_STRING|REQUEST_FILENAME|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Host|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:WWW-Authenticate "@contains () {" "id:77221260,chain,msg:'IM360 WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187 CVE-2014-7186 CVE-2014-7169 CVE-2014-6278 CVE-2014-6277 CVE-2014-6271)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,severity:2,tag:'service_gen'"
    SecRule QUERY_STRING|REQUEST_FILENAME|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Host|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:WWW-Authenticate "@rx ^(?:\'\w+?=)?\(\)\s{"

# Code-execution calls print( echo( eval( exec(, matched after whitespace removal
# and lowercasing. Logged only.
SecRule REQUEST_FILENAME "!@contains /images/stories/virtuemart/product/resized/" "id:77211270,chain,phase:2,pass,log,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary code execution vulnerability in Request URI||T:APACHE||',tag:'service_gen',tag:'noshow',tag:'service_rbl_infectors'"
    SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:print|echo|eval|exec)\(" "t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,capture"

# As shown, this looks for the literal string "[!!]" after decoding.
# NOTE(review): the operand may be an artifact of this copy; verify against the vendor file.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains [!!]" "id:77211320,msg:'IM360 WAF: XSS vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,severity:5,tag:'service_gen',tag:'noshow'"

# For 406 responses, turn on response-body access in phase 3 so that rule 77210101
# can inspect the body in phase 4.
SecRule RESPONSE_STATUS "@streq 406" "id:77210100,phase:3,pass,nolog,ctl:responseBodyAccess=On,severity:2,tag:'service_gen'"

# Replaces a 406 response whose body contains "Available variants:" with a 403
# (CVE-2012-2687 per msg).
SecRule RESPONSE_STATUS "@streq 406" "id:77210101,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Apache HTTP Server 2.4.x before 2.4.3 (CVE-2012-2687)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:4,deny,status:403,log,severity:2,tag:'service_gen'"
    SecRule RESPONSE_BODY "@contains Available variants:"

# HTTP PROTOCOL
# Logging phase: records Apache's own "Invalid URI in request" error.
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "id:77210210,msg:'IM360 WAF: Apache Error: Invalid URI in Request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:5,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"

# Request-body parsing error on an XML request to a path ending in xmlrpc.php.
SecRule REQBODY_ERROR "!@eq 0" "id:77210231,chain,msg:'IM360 WAF: XMLRPC protection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,severity:5,tag:'service_gen'"
    SecRule REQUEST_HEADERS:Content-Type "xml" "chain,t:none,t:lowercase"
    SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,t:lowercase"

# Content-Length that is not made up solely of digits.
SecRule REQUEST_HEADERS:Content-Length "!^[0-9]{1,}$" "id:77210260,msg:'IM360 WAF: Content-Length HTTP header is not numeric or Integer overflow in CGit before 0.12 (CVE-2016-1901)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:2,tag:'service_gen'"

# HEAD request whose Content-Length is anything other than empty or "0".
SecRule REQUEST_METHOD "@streq HEAD" "id:77210270,chain,msg:'IM360 WAF: HEAD Request with Body Content||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:2,tag:'service_gen'"
    SecRule REQUEST_HEADERS:Content-Length "!^0{0,1}$" "t:none"

# HTTP/1.0 POST that carries no Content-Length header.
SecRule REQUEST_METHOD "@streq POST" "id:77210280,chain,msg:'IM360 WAF: HTTP/1.0 POST request missing Content-Length Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:5,tag:'service_gen',tag:'im360_req_post'"
    SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

# Content-Encoding header that is exactly "Identity" (case-sensitive match).
SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" "id:77210290,msg:'IM360 WAF: Invalid Use of Identity Encoding||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:5,tag:'service_gen'"

# "Expect: 100-continue" sent on an HTTP/1.0 request.
SecRule REQUEST_HEADERS:Expect "@contains 100-continue" "id:77210300,chain,msg:'IM360 WAF: Expect Header Not Allowed for HTTP 1.0||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "t:none"

# Range header: captures "first-last," and fires when last (TX:2) is not >= first (TX:1).
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "([0-9]{1,})-([0-9]{1,})," "id:77210330,chain,msg:'IM360 WAF: Range: Invalid Last Byte Value||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,t:none,severity:5,tag:'service_gen'"
    SecRule TX:2 "!@ge %{tx.1}"

# Range header with six or more byte ranges, for anything except .pdf requests.
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" "id:77210340,chain,msg:'IM360 WAF: Range: Too many fields (6 or more)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,t:none,severity:5,tag:'service_gen'"
    SecRule REQUEST_BASENAME "!@endsWith .pdf" "t:none"

# .pdf requests get a higher allowance: fires at 35 or more byte ranges.
SecRule REQUEST_BASENAME "@endsWith .pdf" "id:77210341,chain,msg:'IM360 WAF: Range: Too many fields for pdf request (35 or more)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,log,t:none,severity:2,tag:'service_gen'"
    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){35}" "t:none"

# DEFA-3095
# Connection header listing two close/keep-alive values.
SecRule REQUEST_HEADERS:Connection "\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b" "id:77210350,msg:'IM360 WAF: Multiple/Conflicting Connection Header Data Found||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"

# Invalid percent-encoding in a form-urlencoded or text/xml body; skipped when the
# request carries a message_backup argument.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "id:77210380,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen'"
    SecRule &ARGS:message_backup "@eq 0" "chain,t:none"
    SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
    SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "t:none"

# DEFA-1877
# The same percent-encoding check, applied to the request URI.
SecRule REQUEST_URI "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "id:77210381,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule REQUEST_URI "@validateUrlEncoding" "t:none"

# %uFFxx sequences (full-width / half-width Unicode forms) in the URI or body.
SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" "id:77210400,msg:'IM360 WAF: Unicode Full/Half Width Abuse Attack Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen'"

# DEFA-2098
# Request line that does not fit the expected "METHOD target PROTOCOL" shapes;
# the /wc-api/KCO_WC_Validation/ endpoint is exempt.
SecRule REQUEST_URI "!@rx \/wc-api\/KCO_WC_Validation\/" "chain,id:77217210,msg:'IM360 WAF: Invalid HTTP Request Line||T:APACHE||',phase:2,pass,log,t:none,t:urlDecode,t:normalizePath,severity:5,tag:'service_gen'"
    SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#]*)?(?:#[\S]*)?)$" "t:none,t:urlDecode,t:normalizePath"

# Host header present but empty.
SecRule REQUEST_HEADERS:Host "@rx ^$" "id:77217230,msg:'IM360 WAF: Empty Host Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_gen'"

# User-Agent header present but empty; increments the same TX.miss_ua counter as 77135155.
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "id:77217240,msg:'IM360 WAF: Empty User Agent Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:5,setvar:TX.miss_ua=+1,tag:'service_gen',tag:'noshow'"

# Empty Accept header on a non-OPTIONS request whose User-Agent contains none of
# the listed phrases.
SecRule REQUEST_HEADERS:Accept "@rx ^$" "id:77217260,chain,msg:'IM360 WAF: Request Has an Empty Accept Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" "t:none"

# Empty Accept header on a non-OPTIONS request that has no User-Agent header at all.
SecRule REQUEST_HEADERS:Accept "@rx ^$" "id:77217261,chain,msg:'IM360 WAF: Request Has an Empty Accept Header||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"
    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" "chain,t:none"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# Rule 211080 corrected after FP. DEFA-1043
# Response splitting: CR or LF followed by a content-type/content-length/set-cookie/
# location header name inside a cookie or argument. Four application paths are exempt.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm type length set-cookie location" "id:77211080,chain,msg:'IM360 WAF: HTTP Response Splitting Attack||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
    SecRule REQUEST_FILENAME "!@pm /wp-comments-post.php /wp-admin/admin-ajax.php fckeditor/editor/filemanager/connectors/asp/connector.asp /dav.php/calendars/shared/" "chain,t:none,t:normalizePath"
    SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):" "t:none,t:urlDecodeUni,t:lowercase"

# SQL
# When a cookie named phpMyAdmin, or one whose name starts with WHMCS, is present,
# jump to `SecMarker IGNORE_CRS_SQLi` and skip the SQLi rules in between.
# NOTE(review): the skip depends only on a cookie name supplied by the client, not on
# the requested application path; consider scoping it to where those apps are installed.
SecRule &REQUEST_COOKIES:/^WHMCS/|&REQUEST_COOKIES:phpMyAdmin "!@eq 0" "id:77211500,msg:'IM360 WAF: Ignore WHMCS and phpMyAdmin from base SQLi Attack Detection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,skipAfter:'IGNORE_CRS_SQLi',severity:5,tag:'service_gen'"

# Time-based blind SQLi probes: sleep( or benchmark( preceded by a character that is
# neither a word character nor "-", checked after comments and whitespace are removed.
SecRule REQUEST_URI|ARGS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/*|!REQUEST_COOKIES:/__utm/ "@pm sleep( benchmark( " "id:77211630,chain,msg:'IM360 WAF: Detects blind sqli tests using sleep() or benchmark()||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,severity:2,tag:'service_gen'"
    SecRule REQUEST_URI|ARGS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/* "@rx [^-\w](benchmark|sleep)\(." "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase"

# MSSQL execution and information-gathering patterns (xp_cmdshell, information_schema,
# user()/database() calls, union select, into dumpfile/outfile).
# NOTE(review): the characters after the backtick in the @pm list and in the character
# classes below look mis-encoded in this copy (probably typographic quote characters);
# compare with the vendor file before relying on them.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:emailMsg|!ARGS:/message/|!ARGS:/tx_lang_tools_langlanguage/|!ARGS:Post|!ARGS:desc|!ARGS:nav-menu-data|!ARGS:selectedItemsJson|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:accommodations|!ARGS:/^et_pb_contact_email_fields_/ "@pm xp_cmdshell `´ â information_schema user database schema connection_id select union having iif master union select dump out" "id:77211650,chain,msg:'IM360 WAF: Detects MSSQL code execution and information gathering attempts||T:APACHE||',phase:2,pass,log,t:none,severity:5,tag:'service_gen',tag:'noshow',tag:'service_rbl_infectors'"
    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:emailMsg|!ARGS:/message/|!ARGS:/tx_lang_tools_langlanguage/|!ARGS:Post|!ARGS:desc|!ARGS:nav-menu-data|!ARGS:selectedItemsJson|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "@rx (?i:(?:\sexec\s+xp_cmdshell)|(?:[\x22'`´ââ]\s*?!\s*?[\x22'`´ââ\w])|(?:from\W+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*?\([^\)]*?)|(?:[\x22'`´ââ];?\s*?(?:select|union|having)\s*?[^\s])|(?:\wiif\s*?\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*?select)|(?:select[^\w]?\w?user\()|(?:into[\s+]+(?:dump|out)file\s*?[\x22'`´ââ]))" "t:none,t:urlDecodeUni"

# Conditional SQLi constructs: case(, ) like (, having ..., if(x= and similar.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword|!ARGS:/acf_fields/ "@pm case like having if" "chain,id:77211700,msg:'IM360 WAF: Detects conditional SQL injection attempts||T:APACHE||',phase:2,capture,pass,log,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"
    SecRule MATCHED_VAR "@rx (?i:[ ()]case ?\(|\) ?like ?\(|\bhaving(?![-<,\w]\w)\s?[^\s]+ ?[^\w ]|\bif ?\([\d\w] ?[=<>~])" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeNulls,t:compressWhitespace"

# "waitfor delay|time", "; ... : goto" and "alter ... character set" statements.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm alter waitfor goto" "id:77211710,chain,msg:'IM360 WAF: Detects MySQL charset switch and MSSQL DoS attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'service_gen'"
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\x22'`](?:;*? ?waitfor (?:delay|time) [\x22'`]|;.{0,999}?: ?goto)|\balter\s*?\w+.{0,999}?\bcha(?:racte)?r set \w+))" "t:none,t:urlDecodeUni"

# "merge ... using (", "execute immediate" and "match ... against (" statements.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm merge execute match" "id:77211720,chain,msg:'IM360 WAF: Detects MATCH AGAINST MERGE EXECUTE IMMEDIATE injections||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'service_gen'"
    SecRule MATCHED_VAR "@rx (?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\x22'`])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "t:none,t:urlDecodeUni"

# "select pg_sleep", "waitfor delay '<digit>" and "; shutdown" statements.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select waitfor shutdown" "id:77211750,chain,msg:'IM360 WAF: Detects Postgres pg_sleep injection waitfor delay attacks and database shutdown attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,log,t:none,severity:2,tag:'service_gen'"
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\x22'`]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "t:none,t:urlDecodeUni"

# MongoDB-style operators in bracket form ([$ne], [$gt], [$in], ...) and one literal
# find() snippet.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:\[\$(?:all|and|between|div|eq|exists|gte{0,1}|lte{0,1}|like|mod|ne|n{0,1}in|size|slice|type|x{0,1}or)])|(iteams\.find\s?\(\{\s?quantity:\s?\d+?\s?},\s?callback\);))" "id:77211760,msg:'IM360 WAF: Finds basic MongoDB SQL injection attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,log,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# Stored procedure/function statements: procedure analyse(, ;declare/;open,
# create function|procedure, declare @/#name, exec(@.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:procedure[\t\n\r ]{1,}analyse[\t\n\r ]{0,}?\()|(?:;[\t\n\r ]{0,}?(declare|open)[\t\n\r ]{1,}[a-zA-Z0-9\-_]{1,})|(?:create[\t\n\r ]{1,}(function|procedure)[\t\n\r ]{0,}?[a-zA-Z0-9_]{1,}[\t\n\r ]{0,}?\([\t\n\r ]{0,}?\)[\t\n\r ]{0,}?-)|(?:declare[^a-zA-Z0-9_]{1,}[#@][\t\n\r ]{0,}?[a-zA-Z0-9_]{1,})|(exec[\t\n\r ]{0,}?\([\t\n\r ]{0,}?@))" "id:77211790,msg:'IM360 WAF: Detects MySQL and PostgreSQL stored procedure/function injections||T:APACHE||',phase:2,capture,pass,log,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# "create function ... returns" and a statement keyword that follows ";".
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:create[\t\n\r ]{1,}function[\t\n\r ]{1,}[a-zA-Z0-9_]{1,}[\t\n\r ]{1,}returns)|(?:;[\t\n\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\t\n\r ]{0,}?[(\[]{0,1}[a-zA-Z0-9_]{2,}))" "id:77211820,msg:'IM360 WAF: Detects MySQL UDF injection and other data/structure manipulation attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,log,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# System database/table names (Access msys*, msdb, information_schema, pg_catalog,
# sqlite_master, ...). The `db` argument is excluded.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:db "@pm msysaccessobjects msysaces msysobjects msysqueries msysrelationships msysaccessstorage msysaccessxml msysmodules msysmodules2 msdb master..sysdatabases mysql.db sys.database_name sysaux schema( schema_name sqlite_temp_master database( db_name( information_schema pg_catalog pg_toast northwind tempdb" "chain,id:77218530,msg:'IM360 WAF: SQL Injection Attack: Common DB Names Detected||T:APACHE||',phase:2,capture,pass,log,t:none,t:urlDecode,severity:2,tag:'service_gen'"
    SecRule MATCHED_VAR "@rx (?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" "t:none,t:urlDecode"

# Skip target for rule 77211500.
SecMarker IGNORE_CRS_SQLi

# Denies (403) tautologies of the form 'AND<n>=<n>AND<m>=<m> (whitespace removed).
# NOTE(review): the pattern has no (?i) and no t:lowercase, so as written only
# upper-case AND/OR match; rule 77316746 below covers lower-case but only logs.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword "@rx '(?:AND|OR)\d+?(?:\*\d+?){0,4}=\d+?(?:AND|OR)(\d+?)=\1" "id:77218570,msg:'IM360 WAF: SQLi vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,severity:2,tag:'service_gen'"

# DEFA-3411
# A quote followed by and|or and a self-equal number (for example "or1=1" after
# whitespace removal). Logged only.
SecRule ARGS "@rx [\x27\x22](?:and|or)(\d+?)=\1" "id:77316746,pass,status:200,log,phase:2,severity:2,t:none,t:lowercase,t:htmlEntityDecode,t:removeWhitespace,msg:'IM360 WAF: Generic SQLi attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen'"

# DEFA-5297
# Skip target for rule 77350155; rules below this marker still run for large requests.
SecMarker big_request_body

# DEFA-5176
# Emits timing variables in the logging phase when the hex MD5 of UNIQUE_ID ends in
# fff7..fffd; presumably a way to sample a small fraction of requests.
SecRule UNIQUE_ID "@rx fff[7-9a-d]$" "id:77316842,phase:5,capture,pass,log,severity:5,t:none,t:md5,t:hexEncode,t:lowercase,msg:'IM360 WAF: Performance measurement||Perf all:%{PERF_ALL}||Py scan:%{TX.py_scan_start}||Lua scan:%{TX.lua_scan_start}||RBL:%{TX.rbl_perf}||T:APACHE||',tag:'service_i360',tag:'noshow'"

# Block requests to standalone malware files (hashes)
# The SHA-1 is taken over the SCRIPT_FILENAME path string, not over the file's
# contents, and compared with malware_standalone.list; paths ending in /index.php
# are never checked.
# NOTE(review): severity:2 is given twice, and id 33344 lies outside the 77xxxxxx
# range used by every other rule here; confirm it cannot collide with another ruleset.
SecRule SCRIPT_FILENAME "!@endsWith /index.php" "id:33344,chain,phase:2,block,log,severity:2,t:none,t:normalizePath,severity:2,msg:'IM360 WAF: Standalone malware access attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||SC:%{SCRIPT_FILENAME}||',tag:'service_i360'"
    SecRule SCRIPT_FILENAME "@pmFromFile malware_standalone.list" "t:none,capture,t:sha1,t:hexEncode,t:lowercase"

# WPT-203
# Blocks "union ... select ... from" in cookies and arguments outside the excluded
# free-text fields.
# NOTE(review): `!ARGS:/query` and `!ARGS:/title` lack the closing slash the other regex
# selectors have; confirm they are parsed as intended. severity:2 is given twice.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/title|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet "@rx (?i)union\s.*?\sselect\s.*?\sfrom" "id:77350223,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:removeComments,severity:2,msg:'IM360 WAF: Common SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"

# Blocking counterpart of 77218530: system database/table names in the same
# variable set, plus an exclusion for field_id_<n> arguments.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/title|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet|!ARGS:/^field_id_\d+$/ "@rx (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W*\())|d(?:atabas|b_nam)e\W*\())" "id:77350224,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:removeComments,severity:2,msg:'IM360 WAF: Common DB Name in Request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_i360'"