SecFilterEngine On
SecAuditEngine Off
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:503"
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-00.00-whitelists.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilter "_vti_bin" allow
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/fpremadm\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/orders\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/authors\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/administrators\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/register\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/service\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/users\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/dvwssr\.dll" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/register\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/" "nolog,pass"
SecFilterSelective REQUEST_URI "/mailman/admin/" "pass,nolog"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-00.general.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|posix.pwd|dl|phpinfo)\(.*\).*php*\>"
SecFilter "wget\x20" "rev:1,severity:5,msg:'Attempted use of wGet'"
SecFilter "uname\x20-a" "rev:1,severity:5,msg:'Attempted use of uname -a'"
SecFilterSelective REQUEST_URI "gcc\x20" "rev:1,severity:5,msg:'Attempted use of gcc'"
SecFilter "Bcc:" "rev:1,severity:5,msg:'Attempted BCC spam'"
SecFilter "Bcc:\x20" "rev:1,severity:5,msg:'Attempted BCC spam'"
SecFilterSelective ARG_server_inc "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'Attempted RFI'"
SecFilterSelective THE_REQUEST "system\(" "rev:1,severity:5,msg:'Attempted use of system()'"
SecFilterSelective THE_REQUEST "exec\(" "rev:1,severity:5,msg:'Attempted use of exec()'"
SecFilterSelective THE_REQUEST "popen\(" "rev:1,severity:5,msg:'Attempted use of popen()'"
SecFilterSelective THE_REQUEST "passthru\(" "rev:1,severity:5,msg:'Attempted use of passthru()'"
SecFilterSelective THE_REQUEST "albacrew"
SecFilterSelective ARG_dir[inc] "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'RFI: dir[inc]=http'"
SecFilterSelective ARG__PHPLIB[libdir] "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'RFI: PHPLIB[libdir]'"
SecFilterSelective REQUEST_URI "/\.htgroup" "rev:1,severity:5,msg:'Direct read of .htgroup'"
SecFilterSelective REQUEST_URI "/\.htaccess" "rev:1,severity:5,msg:'Direct read of .htaccess'"
SecFilterSelective REQUEST_URI "cd\.\." "rev:1,severity:5,msg:'Possible directory traversal attempt'"
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective REQUEST_URI "/~root" "rev:1,severity:5,msg:'Restricted userdir: root'"
SecFilterSelective REQUEST_URI "/~ftp" "rev:1,severity:5,msg:'Restricted userdir: root'"
SecFilterSelective REQUEST_URI "/htgrep" log,pass
SecFilterSelective REQUEST_URI "/\.history" "rev:1,severity:5,msg:'Restricted file: .history'"
SecFilterSelective REQUEST_URI "/\.bash_history" "rev:1,severity:5,msg:'Restricted file: .bash_history'"
SecFilterSelective REQUEST_URI "/~nobody" "rev:1,severity:5,msg:'Restricted homedir: nobody'"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective REQUEST_URI "cmd=cd\x20/var"
SecFilterSelective ARG_dir "(http|https|ftp)\:/" "rev:1,severity:5,msg:'RFI dir'"
SecFilterSelective REQUEST_URI "\?STRENGUR"
SecFilterSelective REQUEST_URI "/etc/motd"
SecFilterSelective REQUEST_URI "/etc/passwd"
SecFilterSelective THE_REQUEST "/conf/httpd\.conf"
SecFilterSelective REQUEST_URI "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "linuxdaybot\.txt"
SecFilterSelective REQUEST_URI "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective REQUEST_URI "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective REQUEST_URI "/~named/"
SecFilterSelective REQUEST_URI "/~guest/"
SecFilterSelective REQUEST_URI "/~logs/"
SecFilterSelective REQUEST_URI "/~sshd/"
SecFilterSelective REQUEST_URI "/~ftp/"
SecFilterSelective REQUEST_URI "/~bin/"
SecFilterSelective REQUEST_URI "/~nobody/"
SecFilterSelective REQUEST_URI "/\.history"
SecFilterSelective REQUEST_URI "/\.bash_history"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "hdr=/"
SecFilterSelective REQUEST_METHOD "^POST$" "chain,rev:1,severity:5,msg:'POST with no Content-Length'"
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript/i"
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "rev:1,severity:5,msg:'XSS: Content-Type'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-00.useragents.conf: 2008-05-12 11:55:38.000000000
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\." "rev:1,deny,id:HGUA200701,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2" "rev:1,deny,id:HGUA200702,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider" "rev:1,deny,id:HGUA200703,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "WebVulnScan" "rev:1,deny,id:HGUA200704,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer" "rev:1,deny,id:HGUA200705,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*Nessus" "rev:1,deny,id:HGUA200706,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Indy Library" "rev:1,deny,id:HGUA200707,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Faxobot" "rev:1,deny,id:HGUA200708,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL" "rev:1,deny,id:HGUA200709,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "^libwww-perl/.*" "chain,rev:1,id:HG2007072020,deny:503,severity:5,msg:'HG: libwww UA with RFI'"
SecFilterSelective REQUEST_URI "=(\.\.|http|https|ftp)\:"
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX" "rev:1,deny,id:HGUA200710,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent" "rev:1,deny,id:HGUA200711,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "PMAFind" "rev:1,deny,id:HGUA200712,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak" "rev:1,deny,id:HGUA200713,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck" "rev:1,deny,id:HGUA200714,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "CopyGuard" "rev:1,deny,id:HGUA200715,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader" "rev:1,deny,id:HGUA200716,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "Web Downloader" "rev:1,deny,id:HGUA200717,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebZIP "rev:1,deny,id:HGUA200718,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebCopier "rev:1,deny,id:HGUA200719,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT Webster "rev:1,deny,id:HGUA200720,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebZIP "rev:1,deny,id:HGUA200721,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebStripper "rev:1,deny,id:HGUA200722,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "teleport pro" "rev:1,deny,id:HGUA200723,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT combine "rev:1,deny,id:HGUA200724,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "Black Hole" "rev:1,deny,id:HGUA200725,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" "rev:1,deny,id:HGUA200726,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" "rev:1,deny,id:HGUA200727,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "CheeseBot" "rev:1,deny,id:HGUA200728,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "hl_ftien_spider" "rev:1,deny,id:HGUA200729,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" "rev:1,deny,id:HGUA200730,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebBandit" "rev:1,deny,id:HGUA200731,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE" "rev:1,deny,id:HGUA200732,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Telesoft*" "rev:1,deny,id:HGUA200733,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor" "rev:1,deny,id:HGUA200734,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*" "rev:1,deny,id:HGUA200735,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT NICErsPRO "rev:1,deny,id:HGUA200736,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" "rev:1,id:HGUA200737,deny,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailSiphon "rev:1,deny,id:HGUA200738,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT Extractorpro "rev:1,deny,id:HGUA200739,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT webbandit "rev:1,deny,id:HGUA200740,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailCollector "rev:1,deny,id:HGUA200741,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" "rev:1,deny,id:HGUA200742,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailWolf "rev:1,deny,id:HGUA200743,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "8484 Boston Project" "rev:1,deny,id:HGUA200734,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser" "rev:1,deny,severity:2,id:HGUA200744,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser" "rev:1,deny,id:HGUA200745,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "DTS Agent" "rev:1,deny,id:HGUA200746,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "POE-Component-Client" "rev:1,deny,id:HGUA200747,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WISEbot" "rev:1,deny,id:HGUA200748,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "^Shockwave Flash" "rev:1,deny,id:HGUA200749,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Missigua" "rev:1,deny,id:HGUA200750,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "^www\.weblogs\.com" "rev:1,deny,id:HGUA200751,severity:2,msg:'Comment/Referrer Spam UA'"
SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE" "rev:1,deny,id:HGUA200752,severity:2,msg:'Comment/Referrer Spam UA'"
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" "rev:1,deny,severity:2,msg:'UA Field XSS Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)" "rev:1,deny,id:HGUA200754,severity:2,msg:'UA Field Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS" "rev:1,deny,severity:2,id:HGUA200755,msg:'UA Field Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT "\.\./\.\." "rev:1,deny,severity:2,id:HGUA200756,msg:'UA Field Recusion Attack'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-01.forms.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@" "rev:1,id:HG2007063002,severity:5,msg:'HG: php Mail Injection attempt'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-01.fraud.conf: 2008-03-30 18:39:36.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/(.+)online\.lloydstsb\.co\.uk/" "rev:1,id:HG2007070601,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "CentroDeSeguridadVisa_Particulares\.com" "rev:1,id:HG2007070602,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/wellsfargo.com\.htm" "rev:1,id:HG2007070603,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)royalbank\.com/" "rev:1,id:HG2007070606,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)online\.lloydstsb\.co\.uk/" "rev:1,id:HG2007070607,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)bankofamerica\.com/" "rev:1,id:HG2007070608,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)paypal\.com/" "rev:1,id:HG2008030101,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REMOTE_ADDR "195\.161\.119\.{1,3}$" "rev:1,msg:'Russian chat.ru fraud'"
SecFilterSelective REMOTE_HOST "\.chat\.ru$" "rev:1,msg:'Russian chat.ru fraud'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-01.iframes.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective HTTP_REFERER|REMOTE_HOST "simocrogger\.ws" "rev:1,severity:5,deny:503,msg:'IFRAME: Malicious (flash)'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-01.shells.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
SecFilterSelective REQUEST_URI "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective REQUEST_URI "/mampus\?&(cmd|command)"
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
SecFilterSelective REQUEST_URI "/oops?&"
SecFilterSelective THE_REQUEST "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
SecFilterSelective REQUEST_URI "shell\.txt"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"
SecFilterSelective REQUEST_URI "/r57en\.php"
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"
SecFilterSelective REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/vsf\.vsf\?&"
SecFilterSelective REQUEST_URI "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI "test\.txt\?&"
SecFilterSelective REQUEST_URI "\.k4ka\.txt\?"
SecFilterSelective REQUEST_URI "/php\.txt\?"
SecFilterSelective REQUEST_URI "/sql\.txt\?"
SecFilterSelective REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/c99shell"
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective THE_REQUEST "\act=ls\&d=" chain
SecFilterSelective THE_REQUEST "\&sort=0a" "msg:'c99shell'"
SecFilterSelective THE_REQUEST "\act=(search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|
update|feedback)\&d=" "msg:'c99shell'"
SecFilter "/tmp/cmdtemp"
SecFilterSelective THE_REQUEST "cmdtemp"
SecFilter "/tmp/back"
SecFilter "/tmp/pi.pl"
SecFilterSelective THE_REQUEST "sess31002"
SecFilterSelective THE_REQUEST "ssh-scan"
SecFilterSelective THE_REQUEST "/<\?php\x20"
SecFilterSelective THE_REQUEST "r57shell"
SecFilterSelective THE_REQUEST "step57.info"
SecFilterSelective POST_PAYLOAD "step57.info"
SecFilterSelective THE_REQUEST "\&cmd=/usr/bin/pe"
SecFilterSelective THE_REQUEST "cmd=echo\x20"
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "dir=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 1'"
SecFilterSelective THE_REQUEST "wh4.whsrv.com" "msg:'r57shell 2'"
SecFilterSelective POST_PAYLOAD "wh4.whsrv.com" "msg:'r57shell 2'"
SecFilterSelective THE_REQUEST "rst.void.ru" "msg:'r57shell 3'"
SecFilterSelective POST_PAYLOAD "rst.void.ru" "msg:'r57shell 3'"
SecFilterSelective POST_PAYLOAD "alias=(find|list|show|ls|uname|who|pwd|uptime)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 5'"
SecFilterSelective POST_PAYLOAD "cmd=(find|list|show|ls|uname|who|pwd|uptime|wget|GET|gcc|links|lynx|fetch|curl)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 6'"
SecFilterSelective POST_PAYLOAD "s_text=" chain
SecFilterSelective POST_PAYLOAD "s_dir=" chain
SecFilterSelective POST_PAYLOAD "s_mask=" chain
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 7'"
SecFilterSelective POST_PAYLOAD "with=" chain
SecFilterSelective POST_PAYLOAD "rem_file=" chain
SecFilterSelective POST_PAYLOAD "loc_file=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 8'"
SecFilterSelective POST_PAYLOAD "bind_pass=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 9'"
SecFilterSelective POST_PAYLOAD "use=(C|Perl)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 10'"
SecFilterSelective THE_REQUEST "\act=f\&f=" chain
SecFilterSelective THE_REQUEST "\&d=" "msg:'c99shell'"
SecFilterSelective THE_REQUEST "\act=f\&f=" chain
SecFilterSelective THE_REQUEST "\&ft=(info|edit|download)\&d=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "\actarcbuff_path=" chain
SecFilterSelective POST_PAYLOAD "\act=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "act=cmd\&d=" chain
SecFilterSelective POST_PAYLOAD "\&cmd=" chain
SecFilterSelective POST_PAYLOAD "\&submit=Execute" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "act=(search|upload|mkdir|mkfile|ls|gofile)" chain
SecFilterSelective POST_PAYLOAD "search_name_regexp=" chain
SecFilterSelective POST_PAYLOAD "search_name=" chain
SecFilterSelective POST_PAYLOAD "d=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "dir" chain
SecFilterSelective POST_PAYLOAD "new_name" chain
SecFilterSelective POST_PAYLOAD "submit" "msg:'r57shell upload'"
SecFilterSelective POST_PAYLOAD "d_name=" chain
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "dir=" chain
SecFilterSelective POST_PAYLOAD "submit" "msg:'r57shell 4'"
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" "rev:1,log,deny,msg:'Mallicious Activity'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-02.dos.conf: 2008-04-16 18:15:07.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
SecFilterSelective THE_REQUEST "select.*from.*information_schema\.tables"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-4images.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/config\.dist\.php\?" "rev:1,id:HG2007071401,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/index\.php\?template=\.\." "rev:1,id:HG2007071402,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/(top\.php|member\.php|search\.php)\?" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 CVE-2006-5236'"
SecFilterSelective REQUEST_URI "(search_user=|sessionid=)" chain
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)"
SecFilterSelective REQUEST_URI "/search\.php\?" "chain,rev:1,id:HG2007071201,deny,severity:5,msg:'SQLi: 4Images 1.7.x CVE-2006-5236'"
SecFilterSelective REQUEST_URI "search_user=.*(user_password|user_name|images_users|union|concat)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-advancedguestbook.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-auctionsphp.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/includes/errors\.php\?" "chain,rev:1,id:HG2007111601,deny,severity:5,msg:'AuctionPHP RFI: error='"
SecFilterSelective ARG_error "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/(settings|messages)\.inc\.php\?" "chain,rev:1,id:HG2007111602,deny,severity:5,msg:'AuctionPHP RFI: include_path='"
SecFilterSelective ARG_include_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-awstats.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
SecFilterSelective THE_REQUEST "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" "rev:1,deny,msg:'AWStats Exploit Probe'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-bosclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/index\.php\?" chain
SecFilterSelective ARG_insPath "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-confixxserver.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/admin/business_inc/saveserver\.php\?" "chain,rev:1,deny,log,msg:'Confixx RFI'"
SecFilterSelective ARG_thisdir "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-coppermine.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/albmgr\.php\?" "chain,rev:1,id:HG2007063006,deny:503,severity:5,msg:'HG: SQLi: CopperMine'"
SecFilterSelective ARG_cat "(user_name|user_password|union|drop|select|truncate|from|concat)"
SecFilterSelective REQUEST_URI "/relocate_server\.php"
SecFilterSelective REQUEST_URI "/theme\.php\?" "chain,rev:1,id:HG2007102010,deny:503,severity:5,msg:'HG: RFI: CopperMine'"
SecFilterSelective ARG_THEME_DIR "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007102601,deny,log,msg:'Coppermine XSS'"
SecFilterSelective ARG_lang "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-cubecart.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'"
SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'"
SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'"
SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" chain
SecFilterSelective ARG_[rootDir] "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-dotproject.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/index\.php\?m=(companies|projects)" "chain,rev:1,id:HG2007101881,deny,severity:5,msg:'dotProject AuthBypass'"
SecFilterSelective "ARG_user_cookie" "1"
SecFilterSelective "ARG_baseDir" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101880,deny,severity:5,msg:'dotProject RFI'"
SecFilterSelective "ARG_dPconfig[root_dir]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101883,deny,severity:5,msg:'dotProject RFI'"
SecFilterSelective REQUEST_URI "/docs/(check|phpinfo)\.php" "rev:1,id:HG2007101882,deny,severity:5,msg:'dotProject Info Disclosure'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-drupal.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-esupport.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/autoclose\.php\?" chain
SecFilterSelective ARG_subd "(http|https|ftp)\:/"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-fantastico.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/config\.dist\.php\?" "rev:1,id:HG2007071401,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/index\.php\?template=\.\." "rev:1,id:HG2007071402,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/(top\.php|member\.php|search\.php)\?" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 CVE-2006-5236'"
SecFilterSelective REQUEST_URI "(search_user=|sessionid=)" chain
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)"
SecFilterSelective REQUEST_URI "(common\.inc\.php|comments\.php|booth\.php|page\.php|png\.php|poll_ssi\.php|popup\.php)" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 '"
SecFilterSelective REQUEST_URI "(base_path|template_set|id|action)=" "chain"
SecFilterSelective REQUEST_URI "\;"
SecFilterSelective REQUEST_URI "/import-mt\.php\?" "chain,rev:1,id:HG2007071810,deny,severity:5,msg:'RFI: b2Evolution: CVE-2006-6417'"
SecFilterSelective REQUEST_URI "(basepath|inc_path)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(init\.inc\.php|theme\.php)\?" "chain,rev:1,id:HG2007071811,deny,severity:5,msg:'RFI: CopperMine SA11524'"
SecFilterSelective REQUEST_URI "(CPG_M_DIR|THEME_DIR)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/init\.inc\.php\?" "chain,rev:1,id:HG2007071812,deny,severity:5,msg:'RFI: CopperMine SA11524'"
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)
SecFilterSelective REQUEST_URI "/relocate_server\.php" "rev:1,id:HG2007071813,deny,severity:5,msg:'CVE-2005-3979: CopperMine config exposure'"
SecFilterSelective REQUEST_URI "/thumbnails\.php\?=" "chain,rev:1,id:HG2007071814,deny,severity:5,msg:'CVE-2006-0872/3: CopperMine Shellcode Exec'"
SecFilterSelective REQUEST_URI "\.\.|(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index\.php\?file=" "chain,rev:1,id:HG2007071815,deny,severity:5,msg:'CVE-2006-1909: CopperMine RFI'"
SecFilterSelective REQUEST_URI "(\.\.|\./)"
SecFilterSelective REQUEST_URI "/(usermgr\.php|db_ecard\.php|albmgr\.php)\?" "chain,rev:1,id:HG2007071816,deny,severity:5,msg:'CVE-2006-3064: CopperMine RFI'"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|union)"
SecFilterSelective REQUEST_URI "/picmgr\.php\?" "chain,rev:1,id:HG2007071817,deny,severity:5,msg:'CVE-2006-5622: CopperMine RFI'"
SecFilterSelective REQUEST_URI "aid=" "chain"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|UNION)"
SecFilterSelective REQUEST_URI "/E2_header\.inc\.php\?" "chain,rev:1,id:HG2007071818,deny,severity:5,msg:'CVE-2007-0835: CopperMine RFI'"
SecFilterSelective REQUEST_URI "boarddir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/slides\.php\?" "chain,rev:1,id:HG2007071819,deny,severity:5,msg:'SA11789: Crafty Syntax'"
SecFilterSelective REQUEST_URI "limitquery_s=" "chain"
SecFilterSelective REQUEST_URI "%5cx61%5cx6e%5cx64%5cx20%5cx31%5cx3d%5cx30%5cx20%5cx75%5cx6e%5cx69%5cx6f%5cx6e%5cx20"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" "chain,rev:1,id:HG2007071820,deny,severity:5,msg:'CVE-2004-1580: CubeCart RFI'"
SecFilterSelective REQUEST_URI "&glob\[rootDir\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" "chain,rev:1,id:HG2007071821,deny,severity:5,msg:'CVE-2006-4525/6/7: CubeCart RFI'"
SecFilterSelective REQUEST_URI "oid=" "chain"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|UNION|SUBSTRING|admin_users)"
SecFilterSelective REQUEST_URI "(/admin/header\.inc\.php|/admin/footer\.inc\.php)\?" "chain,rev:1,id:HG2007071822,deny,severity:5,msg:'CVE-2006-5107: CubeCart RFI'"
SecFilterSelective REQUEST_URI "(la_adm_header|la_pow_by|site_name)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/core\.php|/modules/index_table\.php|/modules/addedit\.php|/modules/view\.php|/modules/vw_files\.php|/modules/viewgantt\.php)\?" "chain,rev:1,id:HG2007071901,deny,severity:5,msg:'SA7961: RFI: dotProject'"
SecFilterSelective REQUEST_URI "root_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/classes/query\.class\.php|/includes/db_adodb\.php|/includes/db_connect\.php|/includes/session\.php|/modules/admin/vw_usr_roles\.php|/modules/public/calendar\.php|/modules/public/date_format\.php)\?" "chain,rev:1,id:HG2007071902,deny,severity:5,msg:'CVE-2006-0754: dotProject RFI'"
SecFilterSelective REQUEST_URI "baseDir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/modules/projects/gantt\.php|/modules/projects/vw_files\.php|/modules/projects/gantt2\.php)\?" "chain,rev:1,id:HG2007071903,deny,severity:5,msg:'CVE-2006-0754: dotProject RFI'"
SecFilterSelective REQUEST_URI "dPconfig\[root_dir\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/docs/phpinfo\.php|/docs/check\.php)" "rev:1,id:HG2007071904,deny,severity:5,msg:'CVE-2006-5107: dotProject info disclosure'"
SecFilterSelective ARG_mosConfig_live_site "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101701,deny,severity:5,msg:'Joomla: Reg Globals mosConfig_live_site RFI'"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101702,deny,severity:5,msg:'Joomla: Reg Globals mosConfig_absolute_path RFI'"
SecFilterSelective REQUEST_URI "/components/com_restaurante/img_original/\..*" "rev:1,id:HG2007101710,deny,severity:5,msg:'RFI: Joomla Restaurante Upload'"
SecFilterSelective REQUEST_URI "/components/com_content/models/(archive|category|section)\.php" "chain,rev:1,id:HG2007101711,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective ARGS "(UNION|SELECT|password|username|FROM|concat|jos_users)"
SecFilterSelective REQUEST_URI "index\.php\?" "chain,rev:1,id:HG2007101712,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective REQUEST_URI "option=com_(eventlist|ezine|frontpage|gmaps|jombib|neorecruit|nicetalk|philaform|ponygallery|resman|rwcards|search)" chain
SecFilterSelective REQUEST_URI "(concat|jos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "index\.php\?option=com_rsfiles" "chain,rev:1,id:HG2007101714,deny,severity:5,msg:'RFI: Joomla RSFiles DL'"
SecFilterSelective REQUEST_URI "path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/libraries/pcl/pcltar\.php\?" "chain,rev:1,id:HG2007101720,deny,severity:5,msg:'RFI: Joomla 1.5'"
SecFilterSelective REQUEST_URI "g_pcltar_lib_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/com_articles\.php\?" "chain,rev:1,id:HG2007101723,deny,severity:5,msg:'RFI: Joomla Article 1.1'"
SecFilterSelective REQUEST_URI "absolute_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_joomlaboard/file_upload\.php\?" "chain,rev:1,id:HG2007101731,deny,severity:5,msg:'RFI: Joomla Joomlaboard 1.1.1'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_webring/admin\.webring\.docs\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'RFI: Joomla WebRing'"
SecFilterSelective REQUEST_URI "component_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index2\.php\?option=com_rss" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'DOS: Joomla 1.0.7'"
SecFilterSelective REQUEST_URI "feed=test\\\/>"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-formtools.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/global/templates/(admin_page_open\.php\?|/client_page_open\.php\?) chain,id:HG2007121601,deny,msg:'RFI: Form Tools'"
SecFilterSelective ARG_g_root_dir "(\.\./\.\.|'|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-horde.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "go\.php\?.*(http|ftp)" "id:HG2008011001,rev:1,severity:2,msg:'Horde: go.php exploit'"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-invisionpowerboard.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/ad_member\.php\?" "chain,rev:1,id:HG2007102005,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilter "emailer\.php"
SecFilterSelective REQUEST_URI "/ipchat\.php\?" "chain,rev:1,id:HG2007102006,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective ARG_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?act=" "chain,rev:1,id:HG2007102007,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective ARG_st "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re
name|describe|union)"
SecFilterSelective REQUEST_URI "/ipchat\.php\?" chain
SecFilter "conf_global\.php"
SecFilterSelective REQUEST_URI "/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT|DROP|CONCAT|TRUNCATE)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007102007,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective "ARG_comment|ARG_mid" "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re
name|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)" "
SecFilterSelective REQUEST_URI "/index\.php\?act=Login&CODE=autologin" chain
SecFilterSelective REQUEST_URI "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|r
ename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"
SecFilterSelective REQUEST_URI "index\.php\?" chain
SecFilterSelective ARG_st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rena
me|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007072025,deny:503,severity:5,msg:'HG: Invision RFI'"
SecFilterSelective ARG_showuser "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-joomla.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/admin_settings\.php\?" "chain,rev:1,id:HG2007120901,deny,severity:5,msg:'RFI: Joomla ARG: CONFIG_EXT[ADMIN_PATH]'"
SecFilterSelective "ARG_CONFIG_EXT[ADMIN_PATH]" "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007111515,deny,severity:5,msg:'RFI: Mambo ARG: options'"
SecFilterSelective ARG_option "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective ARG_ff_compath "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007111501,deny,severity:5,msg:'Joomla: ff_compath RFI'"
SecFilterSelective REQUEST_URI "/(.+\.php)\.{1,4}" "rev:1,id:HG2007101746,deny,severity:5,msg:'PHP: Double File Extensions'"
SecFilterSelective REQUEST_URI "index\.php\?" "chain,rev:1,id:HG_SQL_JOOMLA01,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective REQUEST_URI "option=com_(eventlist|ezine|frontpage|gmaps|jombib|mambads|neorecruit|nicet
alk|philaform|ponygallery|resman|remository|rwcards|search)" chain
SecFilterSelective REQUEST_URI "(select|union|username)[[:space:]]|(concat|jos_users|mos_users|password|sel
ect|union|username|usertype)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective ARG_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA01,deny,severity:5,msg:'Generic absolute_path RFI'"
SecFilterSelective ARG_mosConfig_live_site "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA02,deny,severity:5,msg:'Generic mosConfig_live_site RFI'"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA03,deny,severity:5,msg:'Generic mosConfig_absolute_path RFI'"
SecFilterSelective ARG_GlobalSettings[templatesDirectory] "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA04,deny,severity:5,msg:'Generic GlobalSettings RFI'"
SecFilterSelective REQUEST_URI "/(.+\.php)\.{1,4}$"
SecFilterSelective REQUEST_URI "/components/com_content/models/(archive|category|section)\.php" "chain,rev:1,id:HG2007101711,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective ARGS "(union|select|password|username|from|concat|jos_users|mos_users|passwd|user
s)"
SecFilterSelective REQUEST_URI "index\.php\?option=com_rsfiles" "chain,rev:1,id:HG2007101714,deny,severity:5,msg:'RFI: Joomla RSFiles DL'"
SecFilterSelective REQUEST_URI "path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_cropimage/admin\.cropcanvas\.php?" "chain,rev:1,id:HG2007101734,deny,severity:5,msg:'RFI: Mambo CropImage 1.0'"
SecFilterSelective REQUEST_URI "cropimagedir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_mambowiki/MamboLogin\.php\?" "chain,rev:1,id:HG2007101735,deny,severity:5,msg:'RFI: Mambo MamboWiki 0.9.6'"
SecFilterSelective REQUEST_URI "IP=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_mospray/scripts/admin\.php\?" "chain,rev:1,id:HG2007101736,deny,severity:5,msg:'RFI: Mambo MoSpray 18RC1'"
SecFilterSelective REQUEST_URI "basedir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_extcalendar/admin_events\.php\?" "rev:1,id:HG2007101738,deny,severity:5,msg:'RFI: Mambo ExtCalendar'"
SecFilterSelective REQUEST_URI "CONFIG_EXT[LANGUAGES_DIR]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_forum/download\.php\?" "rev:1,id:HG2007101739,deny,severity:5,msg:'RFI: Mambo phpBB'"
SecFilterSelective REQUEST_URI "phpbb_root_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_simpleboard/image_upload\.php\?" "rev:1,id:HG2007101740,deny,severity:5,msg:'RFI: Mambo SimpleBoard'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/includes/functions_cms\.php\?" "chain,rev:1,id:HG2007101741,deny,severity:5,msg:'RFI: Mambo phpBB'"
SecFilterSelective REQUEST_URI "phpbb_root_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/libraries/pcl/pcltar\.php\?" "chain,rev:1,id:HG2007101720,deny,severity:5,msg:'RFI: Joomla 1.5'"
SecFilterSelective REQUEST_URI "g_pcltar_lib_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_joomlaboard/file_upload\.php\?" "chain,rev:1,id:HG2007101731,deny,severity:5,msg:'RFI: Joomla Joomlaboard 1.1.1'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_flyspray/startdown\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'Mambo FlySpray Info Leak'
SecFilterSelective REQUEST_URI "(file=config\.inc\.php|/etc/passwd)"
SecFilterSelective REQUEST_URI "/components/com_webring/admin\.webring\.docs\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'RFI: Joomla WebRing'"
SecFilterSelective REQUEST_URI "component_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index2\.php\?option=com_rss" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'DOS: Joomla 1.0.7'"
SecFilterSelective REQUEST_URI "feed=test\\\/>"
SecFilterSelective REQUEST_URI "/components/com_content/content\.php\?" "chain,rev:1,id:HG2007101744,deny,severity:5,msg:'RFI: Mambo PW Hash'"
SecFilterSelective ARGS "rating_sum" chain
SecFilterSelective ARGS "(concat|jos_users|mos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content" "chain,rev:1,id:HG2007101745,deny,severity:5,msg:'RFI: Mambo PW Hash'"
SecFilterSelective ARGS "(concat|jos_users|mos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|r
ename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/content\.php" chain
SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|
rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/"
SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-jportal.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/jportal/banner\.php" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-modernbill.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/order/orderwiz\.php\?" "chain,rev:1,log,deny,msg:'ModernBill RFI'"
SecFilterSelective ARG_aid "(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-moodle.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "(/iplookup/ipatlas/plot|/course/category)\.php\?" "chain,rev:1,id:HG_SQL_MOODLE01,deny,severity:5,msg:'Moodle SQL'"
SecFilterSelective ARGS "(mdl_course|mdl_user|into dumpfile|union select)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-movabletype.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/skel\.php\?" "chain,rev:1,id:HG2007122801,deny:503,severity:5,msg:'HG: RFI: MovableType'"
SecFilterSelective ARG_page "(http|https|ftp)\:/"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-myspaceresource.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_rootBase "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007110501,deny,severity:5,msg:'MySpace Resource RFI'"
SecFilterSelective REQUEST_URI "/index\.php\?pg=forums" "chain,rev:1,id:HG2007111605,deny,severity:5,msg:'MySpace Clone SQLi'"
SecFilterSelective REQUEST_URI "union|\*\*|from.*admin"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-noahsclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/classifieds/index\.php\?" "chain,rev:1,id:HG2007101830,deny,severity:5,msg:'Noah Classifieds SQL'"
SecFilterSelective REQUEST_URI "(union |select |classifieds_classifiedsuser|drop |insert into)"
SecFilterSelective REQUEST_URI "/classifieds/index\.php\?" "chain,rev:1,id:HG2007101830,deny,severity:5,msg:'Noah Classifieds SQL'"
SecFilterSelective ARG_otherTemplate "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-nucleus.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/nucleus/libs/PLUGINADMIN\.php\?" "chain,rev:1,id:HG2007101832,deny,severity:5,msg:'Noah Classifieds SQL'"
SecFilterSelective REQUEST_URI "GLOBALS[DIR_LIBS]=(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-open-realty.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-oscommerce.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/extras/update\.php\?" "chain,rev:1,id:HG2007101841,deny,severity:5,msg:'osCommerce RFI'"
SecFilterSelective ARG_readme_file "(\.\./\.\.|\.\./catalog/|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/default\.php\?" chain
SecFilterSelective "ARG_error_message|ARG_info_message" "((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/product_info\.php" chain
SecFilterSelective ARG_products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|renam
e|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/product_info\.php\?" "chain,rev:1,id:HG200711181001,deny,severity:5,msg:'osCommerce RFI'
SecFilterSelective ARG_products_id "(\.\./\.\.|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-osticket.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/(include/main\.php|view\.php)\?" "chain,rev:1,id:HG2007101833,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective "ARG_inc|ARG_include_dir" "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/view\.php\?" "chain,rev:1,id:HG2007101833,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective REQUEST_URI "(concat|union select|password|username|ticket_messages)"
SecFilterSelective REQUEST_URI "/(attachments|module)\.php\?" "chain,rev:1,id:HG2007101834,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective REQUEST_URI "file=(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/include/(admin_login|header|open_submit|user_login)\.php\?" "chain,rev:1,id:HG2007101834,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective REQUEST_URI "(concat|union select|password|username|ticket_messages)"
SecFilterSelective REQUEST_URI "/(admin|include/main|view)\.php\?" "chain,rev:1,id:HG2007101910,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective "ARG_t|ARG_cat" "(concat|drop|select|password|username|union|ticket_messages|truncate)"
SecFilterSelective ARG_inc "(\.\./\.\.|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-perldesk.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/kb\.cgi\?" "chain,rev:1,id:HG2007101840,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective REQUEST_URI "(union select|password|username|from users)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpadsnew.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_phpAds_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101860,deny,severity:5,msg:'phpAdsNew RFI'"
SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-autotargeting\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php"
SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=(.+)\'\>"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpauction.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpbb.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_phpbb_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101861,deny,severity:5,msg:'phpBB phpbb_root_path RFI'"
SecFilterSelective REQUEST_URI "/bbcodeSource\.php\?" "chain,rev:1,id:HG2007111603,deny,severity:5,msg:'phpBB bbCode RFI'"
SecFilterSelective ARG_example "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?module=PNphpBB2" "chain,rev:1,id:HG2007101870,deny,severity:5,msg:'phpBB SQL'"
SecFilterSelective REQUEST_URI "(user_password|from.+phpbb_users|union|where.+user_id|user_password)"
SecFilterSelective REQUEST_URI "/admin/admin_acronyms\.php\?" "chain,rev:1,id:HG2007101862,deny,severity:5,msg:'phpBB SQL'"
SecFilterSelective REQUEST_URI "(user_password|from.+phpbb_users|union|user_password|where.+user_id)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective ARG_highlight "(x27|%27|x2527|%2527|'\.mysql_query\(|system\()"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc
_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_term
inate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)(([
0-9a-fA-Fx]{1,3}))"
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?" chain
SecFilterSelective ARG_install_to "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/downloads\.php\?" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)*user_password.*phpbb_users"
SecFilterSelective REQUEST_URI "/cal_view_month\.php\?" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective REQUEST_URI "/links\.php\?" chain
SecFilterSelective ARG_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/dlman\.php\?"
SecFilterSelective ARG_file_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective ARG_sid "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*'"
SecFilterSelective REQUEST_URI "/portal\.php\?" chain
SecFilterSelective ARG_article "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/album_search\.php\?" chain
SecFilterSelective ARG_mode "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/moddb/mod\.php\?" chain
SecFilterSelective ARG_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*'"
SecFilterSelective REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*'"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?*" chain
SecFilterSelective ARG_highlight "((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/posting_notes\.php\?mode=editpost" chain
SecFilterSelective REQUEST_URI "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe
|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_path_escape "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2008012401,deny,severity:5,msg:'phpClassifieds RFI'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpcoin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/(api|common|constants|core|custom|db|redirect|session_set)\.php\?" "chain,rev:1,id:HG2007101890,deny,severity:5,msg:'phpCoin RFI'"
SecFilterSelective "ARG__CCFG[_PKG_PATH_INCL]" "(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpesp.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpformgenerator.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phplist.conf: 2008-04-02 17:01:45.000000000 -0500: jshanley@
SecFilterSelective "ARG_GLOBALS[database_module]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101870,deny,severity:5,msg:'phpList RFI'"
SecFilterSelective "ARG_GLOBALS[language_module]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007102201,deny,severity:5,msg:'phpList RFI'"
SecFilterSelective REQUEST_URI "/(addsite|config|editsite|in)\.php\?" "chain,rev:1,id:HG2008040101,msg:'phpList RFI'"
SecFilterSelective ARG_returnpath "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/lists/admin/\?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create
|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phplive.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/phplive/help\.php\?" "chain,rev:1,id:HG2007111812,deny,severity:5,msg:'phpLive RFI'"
SecFilterSelective ARG_css_path "(\.\./\.\.|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpmyadmin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|
t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*<=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpnuke.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/modules\.php" "chain,rev:1,id:HG2008012301,deny,severity:5,msg:'phpNuke SQLi'"
SecFilterSelective ARG_sid "(union|select|concat|radminsuper)"
SecFilterSelective ARG_nuke_bb_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007102501,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007101855,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "ACCEPT_FILE[?]=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "(/\?module=PNphpBB2|/index\.php\?)" "chain,rev:1,id:HG2007101855,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective REQUEST_URI "(concat|user_password|union select|pn_phpbb_users)"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007101856,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective ARG_url "(concat|user_password|union select|pn_phpbb_users|insert into)"
SecFilterSelective REQUEST_URI "/modules/vwar/convert/mvcw_conver\.php\?" "chain,rev:1,id:HG2007101850,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "vwar_root=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/(modules/Web_Links/index|modules)\.php\?" "chain,rev:1,id:HG2007101860,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective ARG_l_op "(viewlinkcomments|viewlinkeditorial|ratelink)" chain
SecFilterSelective ARG_lid "(concat|user_password|union select|pn_phpbb_users|insert into)"
SecFilterSelective REQUEST_URI "/modules/vwar/extra/online\.php\?" "chain,rev:1,id:HG2007101859,deny,severity:5,msg:'phpNuke RFI Virtual War'"
SecFilterSelective REQUEST_URI "(concat|user_password|union select|pn_phpbb_users|insert into|union.+select|vwar_member/|nuke_users/)"
SecFilterSelective REQUEST_URI "/iframe\.php\?" "chain,rev:1,id:HG2007101851,deny,severity:5,msg:'phpNuke iFrame RFI'"
SecFilterSelective REQUEST_URI "file=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/gallery/displayCategory\.php\?" "chain,rev:1,id:HG2007101852,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_basepath "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/master\.php\?" "chain,rev:1,id:HG2007101853,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules/vWar_Account/includes/functions_common\.php\?" "chain,rev:1,id:HG2007101854,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_vwar_root2 "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename)"
SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re
name|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]]"
SecFilterSelective REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=<[[:space:]]*script"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
SecFilterSelective REQUEST_URI "/index\.php\?" chain
SecFilterSelective ARG_file "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Forums.*file=viewtopic*/forum=.*\'/"
SecFilterSelective REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1<r=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective ARG_nuke_bb_root_path "(\.\.|/|http|https|ftp)\:" "rev:1,id:HG2007102701,severity:5,deny:503,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007102702,severity:5,deny:503,msg:'phpNuke RFI'"
SecFilterSelective ARG_name "(\.\.|/|http|https|ftp)\:"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpprojeckt.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/(cm_navigation|cm_navigation-33|cm_summary)\.inc\.php\?" "chain,rev:1,id:HG2007101901,deny,severity:5,msg:'phpProjeckt RFI'"
SecFilterSelective REQUEST_URI "path_pre=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/lib/(dbman_filter\.inc|specialdays)\.php\?" "chain,rev:1,id:HG2007101902,deny,severity:5,msg:'phpProjeckt RFI'"
SecFilterSelective REQUEST_URI "path_pre=(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phprealestate.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/fullnews\.php\?" "chain,rev:1,id:HG20071211205,deny,severity:5,msg:'phpRealEstate RFI'"
SecFilterSelective ARG_id "((union|select|concat|username|password).* from )|(http|ftp|\.\.)\:"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpsurveyor.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/admin/classes/pear/OLE/(PPS/File|PPS/Root|PPS)\.php\?" "chain,rev:1,id:HG2007101905,deny,severity:5,msg:'phpSurveyor RFI'"
SecFilterSelective ARG_homedir "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/admin/classes/pear/OLE/Spreadsheet/Excel/(Writer/Worksheet|Writer/Parser|Writer/Workbook|Writer/Format|Writer/BIFFwriter)\.php\?" "chain,rev:1,id:HG2007101906,deny,severity:5,msg:'phpSurveyor RFI'"
SecFilterSelective ARG_homedir "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/admin/" "chain,rev:1,id:HG2007110101,deny,severity:5,msg:'phpSurveyor SQLi'"
SecFilterSelective "ARG_sid|ARG_start|ARG_id|ARG_lid" "(alter|create|delete|describe|drop|grant|insert|rename|replace|select|trunc
ate|update)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-phpthumb.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_album "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2008030101,deny,severity:5,msg:'phpThumb album RFI'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-roundcube.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-soholaunch.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective "ARG__SESSION[docroot_path]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101895,deny,severity:5,msg:'SoHoAdmin RFI'"
SecFilterSelective REQUEST_URI "/login\.php\?" "chain,rev:1,id:HG2007071202,deny,severity:5,msg:'RFI: SohoAdmin CVE-2006-5236'"
SecFilterSelective REQUEST_URI "_SESSION\[docroot_path\]=(\.\.|/|http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/login\.php\?" "chain,rev:1,id:HG2007071202,deny,severity:5,msg:'RFI: SohoAdmin CVE-2006-5236'"
SecFilterSelective REQUEST_URI "_SESSION\[docroot_path\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index\.php\?page=(http|https|ftp)\:" "rev:1,id:HG2007071801,deny,severity:5,msg:'RFI: CVE-2006-5590 ArticleBeach'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-squirrelmail.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-tinywebgallery.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/examples/image\.php\?" chain
SecFilterSelective REQUEST_URI "=(\.\./\.\.|/|(http|https|ftp)\:/)"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-topsites.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/join\.php\?" "chain,rev:1,id:HG2007071101,severity:5,msg:'RFI: TopSites 4.x'"
SecFilterSelective REQUEST_URI "CONFIG\[path\]=(http|https|ftp)\:/"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-vbulletin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/joinrequests\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|renam
e|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/admincp/(admincalendar|email|help|language|phrase|user|usertitle|usertools)\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|renam
e|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/modcp/announcement\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|renam
e|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/calendar\.php\?" chain
SecFilterSelective REQUEST_URI "comma=\x22;"
SecFilterSelective REQUEST_URI "/forumdisplay\.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?" chain
SecFilter "\.system\(.+\)\."
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?*comma="
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-webcalendar.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/day\.php\?" "chain,rev:1,deny,msg:'RFI: WebCalendar'"
SecFilterSelective ARG_date "(\.\./\.\.|(http|https|ftp)\:/):"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-wordpress.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective ARG_wpPATH "(\.\.|http|https|ftp)\:" "rev:1,id:HG2008012403,deny,severity:5,msg:'RFI: WP: WordTube RFI'"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,id:HG2007121203,severity:5,msg:'SQLi: WP < 2.3.1'"
SecFilterSelective ARG_s "(select.*wp_users|select.*user_pass)"
SecFilterSelective ARG_bkpwp_plugin_path "(\.\.|/|http|https|ftp)\:" "rev:1,id:HG2007120501,deny,severity:5,msg:'RFI: WP: BackupWordPress Plugin'"
SecFilterSelective REQUEST_URI "/wp-trackback\.php" "chain,id:HG2008011330,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective ARG_tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re
name|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,id:HG2008011331,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective ARG_cat= "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|re
name|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/wordpress/" "chain,id:HG2008011332,deny,severity:5,msg:'Wordpress vulrenability'"
SecFilterSelective ARG_cat "!^[0-9]*$"
SecFilterSelective ARG_cache_lastpostdate "<\?php" "id:HG2008011334,deny,severity:5,msg:'PHPi: WP'"
SecFilterSelective REQUEST_URI "/index\.php" "chain,id:HG2008011333,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective ARG_poll|ARG_category|ARG_ctg "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rena
me|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "/mygallerybrowser\.php\?" "chain,rev:1,id:HG2007071802,deny,severity:5,msg:'RFI: CVE-2007-2426 WordPress'"
SecFilterSelective ARG_myPath "(\.\.|/|http|https|ftp)\:"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-xmlrpc.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" "chain,rev:1,id:HG2008011340,deny,msg:'XML rpc exploit'"
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|pro
c_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_ter
minate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-xoops.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/init_basic\.php\?" "chain,rev:1,id:HG2008011002,deny,severity:5,msg:'Xoops GALLERY_BASEDIR RFI'"
SecFilterSelective ARG_GALLERY_BASEDIR "(\.\./\.\.|/|(http|https|ftp)\:/):"
SecFilterSelective REQUEST_URI "/spaw_control\.class\.php\?" "chain,rev:1,id:HG_RFI_SPAW01,deny,severity:5,msg:'Xoops/SPAW: RFI'"
SecFilterSelective REQUEST_URI "spaw_root=(\.\./\.\.|/|(http|https|ftp)\:/):"
SecFilterSelective "ARG_xoopsConfig[root_path]" "(\.\./\.\.|/|(http|https|ftp)\:/):" "rev:1,id:HG_RFI_XoopsConfig,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective ARG_sid "(\.\./\.\.|/|xoops_users|(http|https|ftp)\:/):" "rev:1,id:HG_RFI_XoopsSID,deny,severity:5,msg:'Xoops RFI/SQL: SID var'"
SecFilterSelective REQUEST_URI "/xfsection/modify\.php\?" "chain,rev:1,id:HG2007101810,deny,severity:5,msg:'Xoops RFI: XFSection'"
SecFilterSelective ARG_dir_module "(\.\./\.\.|/|(http|https|ftp)\:/):"
SecFilterSelective REQUEST_URI "/modules/(camportail/show|core/viewcat|debaser/genre|ecal/display|flashgames/game|friendfinder/view|kshop/product_details|library/viewcat|lykos_reviews/index|myAds/index|myalbum/viewcat|popnupblog/index|repository/viewcat|rmgallery/categos|wflinks/viewcat|rha7downloads/visit|tinyevent/index|wfquotes/index|wfsnippets/index|wfsection/print|xfsection/print|zmagazine/print)\.php\?" "chain,rev:1,id:HG2007101815,deny,severity:5,msg:'Xoops SQL'"
SecFilterSelective REQUEST_URI "(delete[[:space:]]+from|insert[[:space:]]+into|select.+from|union|xoops_use
rs)"
SecFilterSelective REQUEST_URI "/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2\.php\?" "chain,rev:1,id:HG2007101816,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective ARG_xoops_url "(\.\./\.\.|/|(http|https|ftp)\:/):"
SecFilterSelective REQUEST_URI "/modules/jobs/index\.php\?" "chain,rev:1,id:HG2007101817,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective REQUEST_URI "(delete[[:space:]]+from|insert[[:space:]]+into|select.+from|union|xoops_use
rs)"
SecFilterSelective REQUEST_URI "(/xmlrpc|.*xmlrpc_services)\.php" "chain,rev:1,id:HG_XOOPS_RPCXML,deny,severity:5,msg:'Xoops XMLRPC SQL'"
SecFilterSelective POST_PAYLOAD "<methodName>blogger\.getUsersBlogs</methodName>" chain
SecFilter ".*\' AND ascii\(substring\(pass"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-zencart.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
SecFilterSelective REQUEST_URI "/admin/(password_forgotten|login)\.php\?" "chain,rev:1,id:HG2007071807,deny,severity:5,msg:'Zen Cart: SQL Injection'"
SecFilterSelective REQUEST_URI "(union select|into outfile|from admin)"
SecFilterSelective ARG_[loadFile] "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG20071809,deny,severity:5,msg:'Zen Cart [loadFile] RFI'"
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd=" "rev:1,id:HG2008011335,deny,severity:5,msg:'Zen Cart Exploit'"
# ---------------------------------------------------------------
# ---------------------------------------------------------------
# modsec-zz.exclusions.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@
<LocationMatch "/rss.php?url=*p=.*">
SecFilterRemove 390144
</LocationMatch>
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
SecFilterSelective REQUEST_URI "/whm-server-status" nolog,allow
<LocationMatch "/store/squirrelcart/paypal_ipn.php">
SecFilterRemove HG2007082202
</LocationMatch>
<LocationMatch "/wp-content/plugins/addrecords.php">
SecFilterRemove 390144
SecFilterRemove 390145
</LocationMatch>
<LocationMatch /item.php>
SecFilterRemove 390144
SecFilterRemove 390145
</LocationMatch>
[/CODE]
Thursday, November 25, 2010
blue host mod sec
# modsec-00.00-defaults.conf
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment