# ------------------------------------------------------
# Imunify360 ModSecurity Rules
# Copyright (C) 2024 CloudLinux Inc All right reserved
# The Imunify360 ModSecurity Rules is distributed under
# IMUNIFY360 LICENSE AGREEMENT
# ------------------------------------------------------
# Imunify360 ModSecurity Generic Ruleset
#
# Reading notes for this listing:
# - Rule order matters: "chain" binds a rule to the SecRule that follows it, and
#   "skipAfter" jumps forward to a SecMarker that appears later in this listing.
# - "pass" rules only record a match and let processing continue; "block" rules
#   take the disruptive action configured via SecDefaultAction (not shown here).
# - "nolog,auditlog" rules write to the audit log only.
# - @pmFromFile reads phrase lists (bl_os_files, bl_scanners) that are not part
#   of this listing.

# DEFA-2611
# Blocks requests whose file name ends in ".suspected" (after URL decoding and
# path normalization).
SecRule REQUEST_FILENAME "@endsWith .suspected" "id:77140165,phase:2,block,t:none,t:urlDecodeUni,t:normalizePath,severity:2,msg:'IM360 WAF: Block .suspected files||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||',tag:'service_im360'"

# DEFA-5297
# A declared Content-Length of 5,000,000 or more (7+ digits starting 5-9, or 8+
# digits) jumps to the "big_request_body" marker. skipAfter only affects rules of
# the same phase, so the phase:2 rules between here and the marker are not
# evaluated for such requests; the phase 1/3/4 rules and the rules after the
# marker still run.
# NOTE(review): the decision uses the header value only; confirm that
# SecRequestBodyLimit (or equivalent) bounds what large requests can carry past
# the skipped checks.
SecRule REQUEST_HEADERS:Content-Length "@rx ^([56789]\d{6,}|\d{8,})$" "id:77350155,pass,severity:5,phase:2,skipAfter:big_request_body,t:none,msg:'IM360 WAF: Huge request size||T:APACHE||MV:%{MATCHED_VAR}||',tag:'service_im360',tag:'noshow'"

# Tracks "../"-style sequences followed by a path segment in arguments, the URI
# or Cookie headers. The chained rule sets tx.bl_file_flag when the captured
# segment (TX:2) equals "fonts/".
# NOTE(review): as written the flag is set only for the literal segment
# "fonts/"; confirm against the vendor copy whether "@streq" or "!@streq" is
# intended, since rule 77350312 below depends on this flag.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@rx (\.\\\\\.\/|\.\.[\\\/])([^\/]+\/)" "chain,id:77140166,phase:2,pass,nolog,auditlog,severity:5,t:none,capture,t:urlDecode,msg:'IM360 WAF: Track directory traversal attempt||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360'"
SecRule TX:2 "@streq fonts/" "t:none,setvar:'tx.bl_file_flag=1'"

# Blocks when the flag above is set and the request contains a phrase from the
# external bl_os_files list (after path normalization).
SecRule TX:bl_file_flag "@gt 0" "id:77350312,chain,block,log,severity:2,t:none,msg:'IM360 WAF: Block system file path in request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360'"
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:/Cookie/ "@pmFromFile bl_os_files" "t:none,t:normalizePath"

# Blocks User-Agent values found in the external bl_scanners list, except for
# requests to /upgrade.php and /sitemaps paths.
SecRule REQUEST_FILENAME "!@pm /upgrade.php /sitemaps" "id:77210801,chain,msg:'IM360 WAF: Request Indicates a Security Scanner Scanned the Site||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,t:none,t:lowercase,t:normalizePath,severity:2,tag:'service_gen'"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bl_scanners" "t:none,t:lowercase"

# Records (pass) User-Agent values containing "headless" unless
# tx.rbl_whitelist_check is 1; that variable is set outside this listing.
SecRule REQUEST_FILENAME "!@pm /upgrade.php /sitemaps" "id:77350396,chain,msg:'IM360 WAF: Request indicates a Headless browser||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,t:lowercase,t:normalizePath,severity:5,tag:'service_gen'"
SecRule TX:rbl_whitelist_check "!@eq 1" "chain,t:none"
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)headless" "t:none"

# Records requests whose protocol string does not contain HTTP/<digits>[.<digits>].
# The pattern is unanchored, so it is a substring test.
SecRule REQUEST_PROTOCOL "!@rx HTTP\/\d+(?:\.\d+)?" "id:77210720,msg:'IM360 WAF: HTTP protocol version is not allowed by policy||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:2,tag:'service_gen'"

# Records a comma inside a Content-Length or Transfer-Encoding header value
# (phase 1, detection only).
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "id:77211070,msg:'IM360 WAF: HTTP Request Smuggling Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,capture,pass,t:none,severity:2,tag:'service_gen'"

# Blocks when a FILES_NAMES value ends in .tpl or a PHP-family extension.
# NOTE(review): per the ModSecurity reference manual, FILES_NAMES holds the
# upload form-field names while FILES holds the client-supplied file names;
# confirm this is the intended collection for an upload-extension check.
SecRule FILES_NAMES "@rx \.(?:tpl|p(h(l|p(r|s|t)?|\d|p\d|tml?|ar)))$" "id:77218400,msg:'IM360 WAF: Stop upload of PHP files||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:lowercase,severity:2,tag:'service_gen'"

# Records php:// stream wrapper names in cookies, arguments and XML (detection
# only; adds audit log part E).
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(std(in|out|err)|(in|out)put|fd|memory|temp|filter)" "id:77218420,msg:'IM360 WAF: PHP Injection Attack: I/O Stream Found||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"

# GLOBAL GENERIC
# Most rules in this section exclude free-text parameters (body, content,
# description, message, Post, desc, text) and analytics cookies from inspection.
# Each rule pairs a cheap @pm phrase pre-filter with a chained @rx confirmation.

# SSI directive pattern ("<!--#cmd|echo|exec|include|printenv"); detection only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd echo exec include printenv" "id:77211040,chain,msg:'IM360 WAF: SSI injection Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,setvar:'tx.matched_var_name=%{MATCHED_VAR_NAME}',ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx <\!--[^a-zA-Z0-9_]{0,}?#[^a-zA-Z0-9_]{0,}?(?:cmd|e(?:cho|xec)|include|printenv)" "capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

# Known RFI-prone parameter names assigned an http(s)/ftp(s) URL; detection only.
SecRule QUERY_STRING|REQUEST_BODY "@pm =http =ftp" "id:77211110,chain,msg:'IM360 WAF: Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" "t:none,t:urlDecodeUni"

# Argument that is a URL ending in one or more "?"; detection only, with one
# PayPal module path excluded.
SecRule REQUEST_FILENAME "!@endsWith /modules/paypal/express_checkout/payment.php" "id:77211120,pass,chain,msg:'IM360 WAF: Remote File Inclusion Attack||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,t:none,t:lowercase,t:normalizePath,severity:5,tag:'service_gen',tag:'noshow'"
SecRule ARGS|!REQUEST_FILENAME|!ARGS:jform[params][yt_link] "@rx ^(?i)(?:ft|htt)ps?([^\?]*)\?+$" "t:none,t:lowercase,t:htmlEntityDecode,capture,ctl:auditLogParts=+E"

# Session-id style parameter name combined with a Referer that does not contain
# the server name; detection only.
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session-id cfid cftoken cfsid jservsession jwsession" "id:77211170,chain,msg:'IM360 WAF: Session Fixation: SessionID Parameter Name with Off-Domain Referer||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,ctl:auditLogParts=+E,t:none,t:lowercase,severity:2,tag:'service_gen'"
SecRule REQUEST_HEADERS:Referer "!@contains %{SERVER_NAME}" "t:none"

# Blocks references to server configuration files (.htaccess, .htpasswd,
# httpd.conf, boot.ini, /etc/ ...) in arguments and cookies. The first two rules
# exempt a list of admin/API URIs and Elementor referers; the third carries a
# long list of parameter exclusions.
SecRule REQUEST_URI "!@pm cpanel AdminTranslations /manager/ supportkb.php /etc/designs/ updraftplus /staff/addonmodules.php /cpsess /ispmgr /whm /mdb-api/ /connectors/index.php /wp-json/ /wp-load.php" "id:77211190,chain,phase:2,block,log,ctl:auditLogParts=+E,severity:2,t:none,t:normalizePath,msg:'IM360 WAF: Remote File Access Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen',tag:'service_rbl_infectors'"
SecRule REQUEST_HEADERS:Referer "!@contains action=elementor" "chain,t:none"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/data/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1|!ARGS:force|!REQUEST_COOKIES:/^ph_/|!ARGS:images[]|!ARGS:/^misc-htaccess_/|!ARGS:aiowps_save_htaccess|!ARGS:submithtaccess|!ARGS:site_details|!ARGS:contextpath|!ARGS:response "(?:([\W\S])(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf\S)\b|\.\/etc\/|^\/etc\/)" "t:none,t:cmdLine,t:urlDecodeUni,t:normalizePath,capture"

# Windows command interpreter / .exe tool names; detection only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cmd .exe" "id:77211200,chain,msg:'IM360 WAF: System Command Access||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,t:cmdLine,severity:2,tag:'service_gen'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx \b(?:cmd(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:32){0,1}\.exe\b)|(?:ftp|n(?:c|et|map)|rcmd|telnet|w(?:guest|sh))\.exe\b)" "capture,t:none,t:urlDecodeUni,t:lowercase"

# Shell command names after a separator or in typical command shapes; audit-log
# only (nolog, pass). Note the two rules in the chain carry slightly different
# exclusion lists.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:__INSIDE_setLock|!ARGS:action_name|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:imgdata2|!ARGS:inparam_dop|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@pm cd chmod cmd .exe echo net tclsh telnet tftp traceroute tracert g++ gcc chgrp chown chsh cpp finger ftp id ls lsof nasm nc nmap passwd perl ping ps python telnet uname xterm rm kill mail" "id:77211210,chain,msg:'IM360 WAF: System Command Injection Attempt||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:cmdLine,severity:5,tag:'service_gen',tag:'noshow',tag:'service_rbl_infectors'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:prev_sql_query|!ARGS:sql_query|!ARGS:text|!ARGS:/^where_clause(?:\[\d*])?$/|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:\b(?:c(?:d(?:\b[^a-zA-Z0-9_]{0,}?[\/]|[^a-zA-Z0-9_]{0,}?\.\.)|hmod.{0,40}?\+.{0,3}x|md(?:\b[^a-zA-Z0-9_]{0,}?\/c|(?:\.exe|32)\b))|(?:echo\b[^a-zA-Z0-9_]{0,}?\by{1,}|n(?:et(?:\b[^a-zA-Z0-9_]{1,}?\blocalgroup|\.exe)|(?:c|map)\.exe)|t(?:clsh8{0,1}|elnet\.exe|ftp|racer(?:oute|t))|(?:ftp|rcmd|w(?:guest|sh))\.exe)\b)|[;\x60|][^a-zA-Z0-9_]{0,}?\b(?:g(?:\+\+|cc\b)|(?:c(?:h(?:grp|mod|own|sh)|md|pp)|echo|f(?:inger|tp)|id[^=]|ls(?:of){0,1}|n(?:asm|c|map)|p(?:asswd|erl|ing|s|ython)|telnet|uname|(?:xte){0,1}rm|(?:kil|mai)l)\b))" "capture,t:none,t:cmdLine,t:lowercase"

# PHP file/stream function names and superglobals in arguments and cookies;
# audit-log only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!ARGS:textarea|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "id:77211230,msg:'IM360 WAF: PHP Injection Attack||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:2,tag:'service_gen'"

# Blocks (phase 1) a Cookie header containing a bare "=" pair, except for one
# OpenCart exchange script.
SecRule REQUEST_HEADERS:Cookie "@rx (^|;)=(;|$)" "chain,id:77220020,phase:1,block,log,severity:2,msg:'IM360 WAF: DoS vulnerability in Apache 2.2.17 - 2.2.21 (CVE-2012-0021)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen'"
SecRule REQUEST_URI "!@rx \/exchange_1C_Opencart\.php" "t:none,t:urlDecodeUni"

# Bash function-definition prefix "() {" at the start of the query string, file
# name or listed headers. The action is "pass", so this rule records the match
# and does not stop the request.
SecRule QUERY_STRING|REQUEST_FILENAME|REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Host|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:WWW-Authenticate "@rx ^(?:\'\w+?=)?\(\)\s{" "id:77221260,msg:'IM360 WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187 CVE-2014-7186 CVE-2014-7169 CVE-2014-6278 CVE-2014-6277 CVE-2014-6271)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,severity:2,tag:'service_im360'"

# print( / echo( / eval( / exec( after whitespace removal; audit-log only, with
# one VirtueMart image path excluded.
SecRule REQUEST_FILENAME "!@contains /images/stories/virtuemart/product/resized/" "id:77211270,chain,phase:2,pass,nolog,auditlog,severity:5,t:none,t:normalizePath,msg:'IM360 WAF: Arbitrary code execution vulnerability in Request URI||T:APACHE||',tag:'service_gen',tag:'noshow',tag:'service_rbl_infectors'"
SecRule ARGS|ARGS_NAMES|REQUEST_URI|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@rx (?:print|echo|eval|exec)\(" "t:none,t:urlDecodeUni,t:removeWhitespace,t:lowercase,capture"

# Literal "[!!]" marker in arguments, cookies or User-Agent; audit-log only.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "@contains [!!]" "id:77211320,msg:'IM360 WAF: XSS vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,severity:5,tag:'service_gen',tag:'noshow'"

# Outbound check for 406 responses: the phase:3 rule switches response body
# access on, then the phase:4 rule blocks when the body contains
# "Available variants:".
SecRule RESPONSE_STATUS "@streq 406" "id:77210100,phase:3,pass,nolog,ctl:responseBodyAccess=On,severity:5,tag:'service_im360'"
SecRule RESPONSE_STATUS "@streq 406" "id:77210101,chain,msg:'IM360 WAF: Multiple XSS vulnerabilities in the Apache HTTP Server 2.4.x before 2.4.3 (CVE-2012-2687)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:4,block,log,severity:2,tag:'service_gen'"
SecRule RESPONSE_BODY "@contains Available variants:"

# HTTP PROTOCOL
# Request body parse error on an XML request to xmlrpc.php; audit-log only.
SecRule REQBODY_ERROR "!@eq 0" "id:77210231,chain,msg:'IM360 WAF: XMLRPC protection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,severity:5,tag:'service_gen'"
SecRule REQUEST_HEADERS:Content-Type "xml" "chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" "t:none,t:lowercase"

# HEAD request whose Content-Length is neither empty nor "0"; detection only.
SecRule REQUEST_METHOD "@streq HEAD" "id:77210270,chain,msg:'IM360 WAF: HEAD Request with Body Content||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:1,pass,t:none,severity:2,tag:'service_gen'"
SecRule REQUEST_HEADERS:Content-Length "!^0{0,1}$" "t:none"

# PDF request with 35 or more byte ranges in Range/Request-Range; audit-log only.
SecRule REQUEST_BASENAME "@endsWith .pdf" "id:77210341,chain,msg:'IM360 WAF: Range: Too many fields for pdf request (35 or more)||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,severity:2,tag:'service_gen'"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){35}" "t:none"

# Invalid percent-encoding in a form-urlencoded or text/xml body when no
# "message_backup" argument is present; detection only.
SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "id:77210380,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen'"
SecRule &ARGS:message_backup "@eq 0" "chain,t:none"
SecRule REQUEST_BODY|XML:/* "@rx \%([\S\W]|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "t:none"

# DEFA-1877
# Same percent-encoding validation applied to the request URI; detection only.
SecRule REQUEST_URI "@rx \%([\S\W]|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "id:77210381,chain,msg:'IM360 WAF: URL Encoding Abuse Attack Attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,t:none,severity:5,tag:'service_gen',tag:'noshow'"
SecRule REQUEST_URI "@validateUrlEncoding" "t:none"

# DEFA-2098
# Request line that does not match the expected "METHOD target PROTOCOL" shape,
# with one WooCommerce callback path excluded; audit-log only.
SecRule REQUEST_URI "!@rx \/wc-api\/KCO_WC_Validation\/" "chain,id:77217210,msg:'IM360 WAF: Invalid HTTP Request Line||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecode,t:normalizePath,severity:5,tag:'service_gen'"
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#]*)?(?:#[\S]*)?)$" "t:none,t:urlDecode,t:normalizePath"

# Rule 211080 corrected after FP. DEFA-1043
# CR/LF followed by a response header name (content-type, content-length,
# set-cookie, location) in cookies or arguments; detection only, with several
# endpoints and free-text parameters excluded.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm type length set-cookie location" "id:77211080,chain,msg:'IM360 WAF: HTTP Response Splitting Attack||MV:%{MATCHED_VAR}||MVN:%{MATCHED_VAR_NAME}||T:APACHE||',phase:2,capture,pass,ctl:auditLogParts=+E,t:none,severity:2,tag:'service_gen'"
SecRule REQUEST_FILENAME "!@pm /wp-comments-post.php /wp-admin/admin-ajax.php fckeditor/editor/filemanager/connectors/asp/connector.asp /dav.php/calendars/shared/" "chain,t:none,t:normalizePath"
SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|!ARGS:/^description/|!ARGS:/^text$/|!ARGS:/^message$/|!ARGS:/^replymessage$/|!ARGS:/^notes$/|!ARGS:/^adminnotes$/|XML:/* "@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):" "t:none,t:urlDecodeUni,t:lowercase"

# SQL
# When a cookie named phpMyAdmin, or one whose name starts with WHMCS, is
# present, the phase:2 rules up to the IGNORE_CRS_SQLi marker are skipped.
# NOTE(review): the exclusion is keyed only on a request-supplied cookie name,
# not on the application path being requested; consider scoping it to the
# hosts/paths where those applications are actually installed.
SecRule &REQUEST_COOKIES:/^WHMCS/|&REQUEST_COOKIES:phpMyAdmin "!@eq 0" "id:77211500,msg:'IM360 WAF: Ignore WHMCS and phpMyAdmin from base SQLi Attack Detection||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,skipAfter:'IGNORE_CRS_SQLi',severity:5,tag:'service_im360'"

# sleep( / benchmark( calls after comment and whitespace removal; audit-log only.
SecRule REQUEST_URI|ARGS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/*|!REQUEST_COOKIES:/__utm/ "@pm sleep( benchmark( " "id:77211630,chain,msg:'IM360 WAF: Detects blind sqli tests using sleep() or benchmark()||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,severity:2,tag:'service_gen'"
SecRule REQUEST_URI|ARGS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|XML:/* "@rx [^-\w](benchmark|sleep)\(." "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeComments,t:removeWhitespace,t:lowercase"

# "waitfor delay/time", "goto" and "alter ... character set" shapes; audit-log only.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm alter waitfor goto" "id:77211710,chain,msg:'IM360 WAF: Detects MySQL charset switch and MSSQL DoS attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'service_gen'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\x22'\x60](?:;*? ?waitfor (?:delay|time) [\x22'\x60]|;.{0,999}?: ?goto)|\balter\s*?\w+.{0,999}?\bcha(?:racte)?r set \w+))" "t:none,t:urlDecodeUni"

# MERGE ... USING, EXECUTE IMMEDIATE and MATCH ... AGAINST shapes, tested on the
# variable matched by the pre-filter; audit-log only.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm merge execute match" "id:77211720,chain,msg:'IM360 WAF: Detects MATCH AGAINST MERGE EXECUTE IMMEDIATE injections||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'service_gen'"
SecRule MATCHED_VAR "@rx (?i:(?:merge.{0,999}using[^\(]*\()|(execute\s{0,512}immediate[^'\x60\x22]*[\x22'\x60])|(?:match\s{0,512}[\w(),+-]+\s{0,512}against[^\(]*\())" "t:none,t:urlDecodeUni"

# pg_sleep, "waitfor delay" and "; shutdown" shapes; audit-log only.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm select waitfor shutdown" "id:77211750,chain,msg:'IM360 WAF: Detects Postgres pg_sleep injection waitfor delay attacks and database shutdown attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,pass,nolog,auditlog,t:none,severity:2,tag:'service_gen'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:select\s*?pg_sleep)|(?:waitfor\s*?delay\s?[\x22'\x60]+\s?\d)|(?:;\s*?shutdown\s*?(?:;|--|#|\/\*|{)))" "t:none,t:urlDecodeUni"

# MongoDB-style "[$operator]" keys in arguments and cookies; audit-log only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:\[\$(?:all|and|between|div|eq|exists|gte{0,1}|lte{0,1}|like|mod|ne|n{0,1}in|size|slice|type|x{0,1}or)])|(iteams\.find\s?\(\{\s?quantity:\s?\d+?\s?},\s?callback\);))" "id:77211760,msg:'IM360 WAF: Finds basic MongoDB SQL injection attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# Stored procedure / function declaration shapes; audit-log only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:procedure[\t\n\r ]{1,}analyse[\t\n\r ]{0,}?\()|(?:;[\t\n\r ]{0,}?(declare|open)[\t\n\r ]{1,}[a-zA-Z0-9\-_]{1,})|(?:create[\t\n\r ]{1,}(function|procedure)[\t\n\r ]{0,}?[a-zA-Z0-9_]{1,}[\t\n\r ]{0,}?\([\t\n\r ]{0,}?\)[\t\n\r ]{0,}?-)|(?:declare[^a-zA-Z0-9_]{1,}[#@][\t\n\r ]{0,}?[a-zA-Z0-9_]{1,})|(exec[\t\n\r ]{0,}?\([\t\n\r ]{0,}?@))" "id:77211790,msg:'IM360 WAF: Detects MySQL and PostgreSQL stored procedure/function injections||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# "create function ... returns" and stacked statements after ";"; audit-log only.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query "(?i:(?:create[\t\n\r ]{1,}function[\t\n\r ]{1,}[a-zA-Z0-9_]{1,}[\t\n\r ]{1,}returns)|(?:;[\t\n\r ]{0,}?(?:alter|create\b|delete|desc|insert|load|rename|select|truncate|update\b)[\t\n\r ]{0,}?[(\[]{0,1}[a-zA-Z0-9_]{2,}))" "id:77211820,msg:'IM360 WAF: Detects MySQL UDF injection and other data/structure manipulation attempts||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecodeUni,severity:2,tag:'service_gen'"

# Well-known system database / catalog names; audit-log only. This is the last
# rule inside the range skipped by rule 77211500.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:db "@pm msysaccessobjects msysaces msysobjects msysqueries msysrelationships msysaccessstorage msysaccessxml msysmodules msysmodules2 msdb master..sysdatabases mysql.db sys.database_name sysaux schema( schema_name sqlite_temp_master database( db_name( information_schema pg_catalog pg_toast northwind tempdb" "chain,id:77218530,msg:'IM360 WAF: SQL Injection Attack: Common DB Names Detected||T:APACHE||',phase:2,capture,pass,nolog,auditlog,t:none,t:urlDecode,severity:2,tag:'service_gen'"
SecRule MATCHED_VAR "@rx (?i:\b(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysdatabases|ysql\.db)\b|s(?:ys(?:\.database_name|aux)\b|chema(?:\W*\(|_name\b)|qlite(_temp)?_master\b)|d(?:atabas|b_nam)e\W*\(|information_schema\b|pg_(catalog|toast)\b|northwind\b|tempdb\b))" "t:none,t:urlDecode"

# Target of the skipAfter in rule 77211500.
SecMarker IGNORE_CRS_SQLi

# Blocks quote + AND/OR numeric tautology chains after whitespace removal.
# NOTE(review): the pattern spells AND/OR in upper case and the rule has neither
# t:lowercase nor (?i), unlike rule 77316746 below; confirm the case-sensitive
# match is intentional.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:commentText|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:sql_query|!ARGS:keyword "@rx [\x27\x22\x60](?:AND|OR)\d+?(?:\*\d+?){0,4}=\d+?(?:AND|OR)\d+=\d+" "id:77218570,msg:'IM360 WAF: SQLi vulnerability||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',phase:2,block,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,severity:2,tag:'service_gen'"

# DEFA-3411
# Lower-cased quote + and/or + "n=n" shape in arguments; audit-log only.
SecRule ARGS "@rx [\x27\x22\x60](?:and|or)(\d+?)=\d+" "id:77316746,pass,nolog,auditlog,status:200,phase:2,severity:2,t:none,t:lowercase,t:htmlEntityDecode,t:removeWhitespace,msg:'IM360 WAF: Generic SQLi attempt||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_gen'"

# DEFA-5297
# Target of the skipAfter in rule 77350155; the rules below run for large
# requests too.
SecMarker big_request_body

# WPT-203 #WPT-356
# Blocks "union <token> select <token> from" after comment removal, with a long
# list of free-text parameters excluded.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/title|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet "@rx (?i)union\s[^\s]*\sselect\s[^\s]*\sfrom" "id:77350223,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:removeComments,msg:'IM360 WAF: Common SQLi||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360'"

# Blocks system database / catalog names outside phpMyAdmin URIs.
# NOTE(review): the listing ends at the chained rule's operator with no action
# list; that is valid for a chained rule, but the source file may continue
# beyond what is shown here.
SecRule REQUEST_URI "!@rx \/php[Mm]y[Aa]dmin\/" "chain,id:77350224,phase:2,block,log,severity:2,t:none,t:urlDecodeUni,t:removeComments,msg:'IM360 WAF: Common DB Name in Request||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||T:APACHE||',tag:'service_im360'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|!ARGS:_xfRequestUri|!ARGS:/body/|!ARGS:/content/|!ARGS:desc|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:/query|!ARGS:keyword|!ARGS:/acf_fields/|!ARGS:/title|!ARGS:full_story|!ARGS:actions|!ARGS:wpTextbox1|!ARGS:detalii|!ARGS:originals|!ARGS:/data/|!ARGS:/url/|!ARGS:experience|!ARGS:/input_/|!ARGS:/textarea/|!ARGS:/wpforms\[fields\]/|!ARGS:/comment/|!ARGS:form|!ARGS:/page_sections/|!ARGS:snippet|!ARGS:/^field_id_\d+$/ "@rx (?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|tempdb)\b|s(?:(?:ys(?:\.database_name|aux)|qlite(?:_temp)?_master)\b|chema(?:_name\b|\W*\())|d(?:atabas|b_nam)e\W*\())"