لخبراء الـMod Security

محروم.كوم · #1 09-20-2009, 05:10 PM

<div>السلام عليكم

لدي بعض السكربتات على السيرفر لاتعمل

وأشك في Mod Security

وهذا هو الـ Mod Security الموجود على سيرفري

أريد ملاحظاتكم عليه وماهو الذي تسبب في تعطل بعض السكربتات !!

<div style="margin:20px; margin-top:5px"> رمز Code:
# Server masking is optional
#fake server banner no one needs to know what we are using
SecServerSignature "Secured By : XXXXX.COM"

#And now* the rules
#Remove any of these Include lines you do not use or have rules for.

#First* add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf

#Application protection rules
Include /etc/modsecurity/rules.conf

#Known bad software* rootkits and other malware
Include /etc/modsecurity/rootkits.conf

#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf

#None
Include /etc/modsecurity/recons.conf

#Spam WordPress
Include /etc/modsecurity/hidden_spam_patch.conf

SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I ".htaccess"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "sql_passwd"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "public_html"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/etc"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/root"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/boot"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/var"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/bin"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_UR I "/cgi-bin"
SecRule REQUEST_FILENAME "\.pl"
SecRule REQUEST_FILENAME "\.ch"
SecRule REQUEST_FILENAME "\.cgi-bin"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl"
SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"

SecRule ARGS|HTTP_Content-Length|REQUEST_COOKIES "/etc"

#Don't accept chunked encodings
#modsecurity can not look at these* so this is a hole
#that can bypass your rules* the rule before this one
#should cover this* but hey paranoia is cheap
SecRule HTTP_Transfer-Encoding "chunked" "id:300003*rev:1*severity:2*msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecRule HTTP_Content-Length "\;(system|passthru|exec)$" "id:330003*rev:1*severity:2*msg:'Code Injection in Content-Length header'"

##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain*id:300004*rev:2*severity:2*msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"
#generic path recurision sig

#generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" "id:300006*rev:1*severity:2*msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|pro c_open|shell_exec|exec|proc_nice|proc_terminate|pr oc_get_status|proc_close|pfsockopen|leak|apache_ch ild_terminate|posix_kill|posix_mkfifo|posix_setpgi d|posix_setsid|posix_setuid|phpinfo)\(.*$\;" "id:330001*rev:1*severity:2*msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecRule REQUEST_BODY|REQUEST_URI ""

#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT ".*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|con tent|dir|name|menu|pm_path|path|pathtoroot|cat|pag ina|path|include_location|root|page|gorumDir|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|actio n|content|dir|name|menu|pm_path|pagina|path|pathto root|cat|include_location|gorumDir|root|page|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad furl_fopen attack sig
#tune this for your system
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300018*rev:3*severity:2*msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300040*rev:1*severity:2*msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"

#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc _open|shell_exec|exec|proc_nice|proc_terminate|pro c_get_status|proc_close|pfsockopen|leak|apache_chi ld_terminate|posix_kill|posix_mkfifo|posix_setpgid |posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script* perl* etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"

#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root| page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|n ame)="

#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"

#Generic argument protection rule against bad meta characters

#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;* -]*$"

#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command) =|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(c md|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS python access attempt
#SecRule "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"

# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_"

# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest"

# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"

# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"

#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="

# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl"

#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"

#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"

# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"

# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25

#These are VERY experiemental* please report false positives/negatives* etc.
#very experimental generic remote download sig
#foo IP or FQDN* or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)| wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20 ((http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[A-Za-z|0-9]\.[a-zA-Z]{2*4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Commands* also need a major rework* these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "
SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"

SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"

#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen"

#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr$([0-9]{1*3})$"
SecRule ARGS_NAMES "^php:/"

# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"

# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"

# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"

#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\]expression[\s]*$"

#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*"

# cross site scripting attempt using XML
SecRule REQUEST_URI "SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*$"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[$]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#Apache /server-info accessible
SecRule REQUEST_URI "/server-info" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"

#General [url] php forum protections (phpbb and others* to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex )\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\*\'\'$\)\;"
SecRule REQUEST_BODY "\\.*\'\)\;"

#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\"

#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\"

#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#catch smuggling attacks
#SecRule "^(GET|POST).*Host:.*^(GET|POST)"

#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature* but just in case you leave it out* here it is
#again with a slightly tigher regexp
SecRule REQUEST_BODY "\"
#Slightly stronger version of the above
SecRule REQUEST_BODY "\"

#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system$getenv\(HTTP_PHP$\)"

#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY ""

#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("

#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("

SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390144*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390145*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\?"

SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.( c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm |html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\ .(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|h tm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tm l)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|comm and)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|c ommand)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd |command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&? (cmd|command)="

#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"

#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\ w)"

#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecRule REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs* pretty low* but here to catch
# any lose threads* honeypoting* etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"

#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"

SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"

#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"

#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="

#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\"

#XSS in referrer and UA headers
SecRule HTTP_REFERER|HTTP_USER_AGENT ".*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php" chain
SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|con tent|dir|name|menu|pm_path|path|pathtoroot|cat|pag ina|path|include_location|root|page|gorumDir|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|actio n|content|dir|name|menu|pm_path|pagina|path|pathto root|cat|include_location|gorumDir|root|page|site| topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI "(http|https|ftp)\:/" chain
SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad furl_fopen attack sig
#tune this for your system
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300018*rev:3*severity:2*msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain*id:300040*rev:1*severity:2*msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"

#Genenric PHP body attack
SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc _open|shell_exec|exec|proc_nice|proc_terminate|pro c_get_status|proc_close|pfsockopen|leak|apache_chi ld_terminate|posix_kill|posix_mkfifo|posix_setpgid |posix_setsid|posix_setuid|phpinfo)" chain
SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecRule REQUEST_URI "!(/do_command)" chain
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script* perl* etc. code in HTTP_Referer string
SecRule HTTP_Referer "\#\!.*/"

#generic command line attack
SecRule REQUEST_URI|ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root| page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecRule ARGS "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|n ame)="

#remote file inclusion generic attack signature
SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attach generic signature
SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecRule REQUEST_URI "uname" chain
SecRule REQUEST_URI "\x20-a"

#Generic argument protection rule against bad meta characters
#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;* -]*$"

#generic php attack sigs
SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command) =|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(c md|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecRule REQUEST_URI "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecRule REQUEST_URI "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecRule REQUEST_URI "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecRule REQUEST_URI "/usr/bin/id" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS echo command attempt
SecRule REQUEST_URI "/bin/echo" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS kill command attempt
SecRule REQUEST_URI "/bin/kill" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS chmod command attempt
SecRule REQUEST_URI "/bin/chmod" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS chsh command attempt
SecRule REQUEST_URI "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecRule REQUEST_URI "gcc" chain
SecRule REQUEST_URI "x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecRule REQUEST_URI "/usr/bin/cc" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecRule REQUEST_URI "/usr/bin/cpp" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecRule REQUEST_URI "/usr/bin/g\+\+" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS g++ command attempt
SecRule REQUEST_URI "g\+\+\x20" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS bin/python access attempt
SecRule REQUEST_URI "bin/python" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS python access attempt
#SecRule "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecRule REQUEST_URI "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecRule REQUEST_URI "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecRule REQUEST_URI "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecRule REQUEST_URI "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecRule REQUEST_URI "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecRule REQUEST_URI "traceroute" chain
SecRule REQUEST_URI "\x20([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

# WEB-ATTACKS ping command attempt
SecRule REQUEST_URI "/bin/ping" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS X application to remote host attempt
SecRule REQUEST_URI "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecRule REQUEST_URI "/bin/mail" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /bin/ls command attempt
SecRule REQUEST_URI "/bin/ls" chain
SecRule REQUEST_URI "\x20"

# WEB-ATTACKS /etc/inetd.conf access
SecRule REQUEST_URI "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecRule REQUEST_URI "/etc/motd"

# WEB-ATTACKS conf/httpd.conf attempt
SecRule REQUEST_URI "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecRule REQUEST_URI "\.htpasswd"

# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"

# WEB-MISC nessus 1.X 404 probe
SecRule REQUEST_URI "/nessus_is_probing_you_"

# WEB-MISC nessus 2.x 404 probe
SecRule REQUEST_URI "/NessusTest"

# WEB-MISC ls%20-l
SecRule REQUEST_URI "ls" chain
SecRule REQUEST_URI "\x20-l"

# WEB-MISC apache directory disclosure attempt
SecRule REQUEST_URI "////////"

#musicat empower attempt
SecRule REQUEST_URI "/empower\?DB="

# WEB-MISC *%0a.pl access
SecRule REQUEST_URI "/*\x0a\.pl"

#PHPBB worm sigs
SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
SecRule ARGS:PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecRule ARGS "^(globals($|\[)|php:/)"

#PHP defenses
SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$"

# Web-attacks chdir
SecRule REQUEST_URI "&(cmd|command)=chdir\x20"

# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25

#These are VERY experiemental* please report false positives/negatives* etc.
#very experimental generic remote download sig
#foo IP or FQDN* or foo http/https/ftp://whatever
SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)| wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20 ((http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Command inline detection
SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2*4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#very experimental connect command sig
SecRule REQUEST_URI "( |\;|/|\'|*|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}\.[0-9]{1*3}|[A-Za-z|0-9]\.[a-zA-Z]{2*4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Commands* also need a major rework* these also have issues
SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;"
#SecRule REQUEST_URI "echo\x20"
SecRule REQUEST_URI "links -dump "

SecRule REQUEST_URI "links -dump-(charset|width) "
SecRule REQUEST_URI "links (http|https|ftp)\:/"
SecRule REQUEST_URI "links -source "
#SecRule REQUEST_URI "mkdir\x20"
SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)"
SecRule REQUEST_URI "cd \.\."
SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"

#generic block for fwrite fopen uploads
SecRule REQUEST_URI "fwrite" chain
SecRule REQUEST_URI "fopen"

#generic sig for more bad PHP functions
SecRule REQUEST_URI "chr$([0-9]{1*3})$"
SecRule ARGS_NAMES "^php:/"

# WEB-MISC Tomcat view source attempt
SecRule REQUEST_URI "\x252ejsp"

# WEB-MISC whisker HEAD/./
#SecRule "HEAD/./"

# WEB-FRONTPAGE .... request
SecRule REQUEST_URI "\.\.\.\./"

#experimental CSS rule
#SecRule REQUEST_URI "/(\x3C|)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecRule REQUEST_URI "\]expression[\s]*$"

#cross site scripting attempt STYLE + EXPRESSION
SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*"

# cross site scripting attempt using XML
SecRule REQUEST_URI "SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*$"

#cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[$]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#Apache /server-info accessible
SecRule REQUEST_URI "/server-info" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecRule REQUEST_URI "^/server-status/$" chain
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/"

#General [url] php forum protections (phpbb and others* to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" chain
SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex )\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\*\'\'$\)\;"
SecRule REQUEST_BODY "\\.*\'\)\;"

#MTS
#XML-RPC generic attack sigs
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain
SecRule REQUEST_BODY "(\"
#Specific XML-RPC attacks on xmlrpc.php
SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain
SecRule REQUEST_BODY "(\"

#generic remote file inclusion vulns
SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx"
SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#catch smuggling attacks

#SecRule "^(GET|POST).*Host:.*^(GET|POST)"

#Drupal remote command execution vulnerability exploit signature

#This is already covered in another generic signature* but just in case you leave it out* here it is

#again with a slightly tigher regexp
SecRule REQUEST_BODY "\"

#Slightly stronger version of the above
SecRule REQUEST_BODY "\"

#Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "system$getenv\(HTTP_PHP$\)"

#Generic Nessus request filter
SecRule REQUEST_URI "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecRule REQUEST_BODY ""

#Fake image file shell attacvk
SecRule REQUEST_HEADERS:Content-Type "image/.*"
SecRule REQUEST_BODY "chr\("

#bogus graphics file
SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain
SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\("
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390144*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\x20?\?"
SecRule REQUEST_URI "!(horde/services/go\.php)" "chain*id:390145*rev:1*severity:2*msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecRule REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat |txt|js|html?|tmp|asp)\?"
SecRule REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp)\?"
SecRule REQUEST_URI|REQUEST_BODY "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|da t|txt|js|html?|tmp|php|asp) "
SecRule REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecRule REQUEST_URI "/\.it/viewde"
SecRule REQUEST_URI "/cmd\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecRule REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecRule REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.( c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm |html|tmp|php|asp).\?&(cmd|command)="
SecRule REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\ .(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|h tm|html|tmp|php|asp)\?"
SecRule REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tm l)\?"
SecRule REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"

#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecRule REQUEST_URI|REQUEST_BODY "\./xkernel\;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten\.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus\?&(cmd|command)"

#Generic remote perl execution with .pl extension
SecRule REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecRule REQUEST_URI "\;(\s|\t)*perl .*\.pl"

#Known rootkit Defacing Tool 2.0
SecRule REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|comm and)="
SecRule REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|c ommand)="
SecRule REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd |command)="
SecRule REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&? (cmd|command)="

#other known tools
SecRule REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecRule REQUEST_URI "/(ssh2?|sfdg2)\.php"

#New kit
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)(\;|\w)"
SecRule REQUEST_URI|REQUEST_BODY "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\ w)"

#new kir
SecRule REQUEST_URI "/dblib\.php\?&(cmd|command)="

#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="

#proxysx.gif?
SecRule REQUEST_URI|REQUEST_BODY "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"

#phpbackdoor
SecRule REQUEST_URI|REQUEST_BODY "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="

#new unknown kit
SecRule REQUEST_URI "/oops?&"

# known PHP attack shells
#value of these sigs* pretty low* but here to catch
# any lose threads* honeypoting* etc.
SecRule REQUEST_URI|REQUEST_BODY "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecRule REQUEST_URI|REQUEST_BODY "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI|REQUEST_BODY "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecRule REQUEST_URI "/phpterm"

#Frantastico worm
SecRule REQUEST_URI|REQUEST_BODY "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"

#new unknown kits
SecRule REQUEST_URI "/iblis\.htm\?"
SecRule REQUEST_URI "/gif\.gif\?"
SecRule REQUEST_URI "/go\.php\.txt\?"
SecRule REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "/zehir\.asp"
SecRule REQUEST_URI "/aflast\.txt\?"
SecRule REQUEST_URI "/sikat\.txt\?&cmd"
SecRule REQUEST_URI "/t\.gif\?"
SecRule REQUEST_URI "/phpbb_patch\?&"
SecRule REQUEST_URI "/phpbb2_patch\?&"
SecRule REQUEST_URI "/lukka\?&"

#new kit
SecRule REQUEST_URI "/c99shell\.txt"
SecRule REQUEST_URI "/c99\.txt\?"

#remote bash shell
SecRule REQUEST_URI "/shell\.php\&cmd="
SecRule ARGS "/shell\.php\&cmd="

#zencart exploit
SecRule REQUEST_URI "/ipn\.php\?cmd="

#new pattern
SecRule REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecRule REQUEST_URI "dsoul/tool\?"

#generic suntzu payload
SecRule REQUEST_URI|REQUEST_BODY "HiMaster\!\ __DEFINE_LIKE_SHARE__

المواضيع المتشابهه
الموضوع	كاتب الموضوع	المنتدى	مشاركات	آخر مشاركة
payed Security Fix Releases instead of free Security Patches	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	03-23-2010 08:40 PM
لخبراء n97	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	08-03-2009 09:50 PM
لخبراء النوفي 760	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	06-30-2009 12:00 PM
لخبراء الدوس فقط	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	05-27-2009 08:50 PM
لخبراء 4x4	محروم.كوم	منتدى أخبار المواقع والمنتديات العربية والأجنبية	0	05-23-2009 06:10 PM