SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'900033',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated script tags and XML wrapped HTML',id:'900033',tag:'WEB_ATTACK/XSS'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<\w*:?\s(?:[^\>]*)t(?!rong))|(?:\<scri)|(<\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'900032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible event handlers',id:'900032',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^\w\s=]on(?!g\>)\w+[^=_+-]*=[^$]+(?:\W|\>)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common mail header injections',id:'900063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common mail header injections',id:'900063',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/SPAM'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\w.-]+@[\w.-]+%(?:[01][\db-ce-f])+\w+:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects very basic XSS probings',id:'900021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects very basic XSS probings',id:'900021',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?<![a-z\/_@])(\s*return\s*)?(?:(?:document\s*\.)?(?:.+\/)?(?:alert|eval|msgbox|showmodaldialog|prompt|write(?:ln)?|confirm|dialog|open))\s*(?:[^a-z\s]|(?:\s*[^\s\w,.@\/+-]))|(?:java[\s\/]*\.[\s\/]*lang)|(?:\w\s*=\s*new\s+\w+)|(?:&\s*\w+\s*\)[^,])|(?:\+[\W\d]*new\s+\w+[\W\d]*\+)|(?:document\.\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'90007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript with(), ternary operators and XML predicate attacks',id:'90007',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:=]+:[^;]+(;|$))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'900026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript cookie stealing and redirection attempts',id:'900026',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^:\s\w]+\s*[^\w\/](href|protocol|host|hostname|pathname|hash|port|cookie)[^\w])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'900018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript array properties and methods',id:'900018',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:join|pop|push|reverse|reduce|concat|map|shift|sp?lice|sort|unshift)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'900016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes and typical script methods',id:'900016',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*\s\w,.\/?+-]\s*)?(?<![a-mo-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:alert|inputbox|showmodaldialog|infinity|isnan|isnull|msgbox|expression|prompt|write(?:ln)?|confirm|dialog|urn|(?:un)?eval|exec|execscript|tostring|status|execute|window|unescape|navigate|jquery|getscript|extend|prototype)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.:\/+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'900044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 1/3',id:'900044',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\d\"\s+\"\s+\d)|(?:^admin\s*\"|(\/\*)+\"+\s?(?:--|#|\/\*|{)?)|(?:\"\s*or[\w\s-]+\s*[+<>=(),-]\s*[\d\"])|(?:\"\s*[^\w\s]?=\s*\")|(?:\"\W*[+=]+\W*\")|(?:\"\s*[!=|][\d\s!=+-]+.*[\"(].*$)|(?:\"\s*[!=|][\d\s!=]+.*\d+$)|(?:\"\s*like\W+[\w\"(])|(?:\sis\s*0\W)|(?:where\s[\s\w\.,-]+\s=)|(?:\"[<>~]+\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'900055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MSSQL code execution and information gathering attempts',id:'900055',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*!\s*[\"\w])|(?:from\s+information_schema\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\s*\([^\)]*)|(?:\";?\s*(?:select|union|having)\s*[^\s)|(?:\wiif\s*\()|(?:exec\s+master\.)|(?:union select @)|(?:union[\w(\s]*select)|(?:select.*\w?user\()|(?:into[\s+]+(?:dump|out)file\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'900027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects data: URL injections, VBS injections and common URI schemes',id:'900027',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:data:.*,)|(?:\w+\s*=\W*(?!https?)\w+:)|(jar:\w+:)|(=\s*\"?\s*vbs(?:ript)?:)|(language\s*=\s?\"?\s*vbs(?:ript)?)|on\w+\s*=\*\w+\-\"?" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections',id:'900057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comment-/space-obfuscated injections',id:'900057',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:select\s*\*\s*from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*\(\s*space\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'900061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url injections and RFE attempts',id:'900061',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\w+]?(?<!href)(?<!src)(?<!longdesc)(?<!returnurl)=(?:https?|ftp):)|(?:\{\s*\$\s*\{)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'900020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript language constructs',id:'900020',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z_@>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|location|settimeout|setinterval|void|setexpression|namespace|while)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:\/|\\\\)?\.+(\/|\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic directory traversal',id:'900010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic directory traversal',id:'900010',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:\/|\\\\\\\\)?\.+(\/|\\\\\\\\)(?:\.+)?)|(?:\w+\.exe\??\s)|(?:;\s*\w+\s*\/[\w*-]+\/)|(?:\d\.\dx\|)|(?:%(?:c0\.|af\.|5c\.))|(?:\/(?:%2e){2})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'900031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 2/2',id:'900031',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*\d*\.\d*\?\d*\.\d*)|(?:[|&]{2,}\s*\")|(?:!\d+\.\d*\?\")|(?:\/:[\w.]+,)|(?:=[\d\W\s]*\[[^]]+\])|(?:\?\w+:\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common comment types',id:'900035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common comment types',id:'900035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:--[^\n]*$)|(?:\<!-|-->)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:<!\[\W)|(?:\]!>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'900011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'900011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*[\"=(])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'900048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'900048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+\w+[!=+]+[\s\d]*[\"=(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'900065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'900065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'900029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'900029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'900050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'900050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(select|;)\s+(?:benchmark|if|sleep)\s?\(\s?\(?\s?\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'900039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'900039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:&#[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:&#x[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'900064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'900064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'900058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'900058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'900041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'900041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'900012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'900012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'900015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'900015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'900052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'900052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'900060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'900060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'900056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'900056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'900045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'900045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'900019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'900019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'900062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'900062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)\W+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'900054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'900054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'900067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'900067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'900068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'900068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'90002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'90002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%,.+\-]))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'900017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'900017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'90001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'90001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'900030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'900025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'900025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'900028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'900028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%&#xu\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'900040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'900040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'900014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'900014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'900069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'900069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'900059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'900059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'900049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'900049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'900024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'900024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'900053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'900053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'900022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'900022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?<!\\\\)\")|(?:(?:^[\"\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'900042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 1/2',id:'900042',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\\\\\".+(?<!\\\\\\\\)\")|(?:(?:^[\"\\\\\\\\]*(?:[\d\"]+|[^\"]+\"))+\s*(?:n?and|x?or|not|\|\||\&\&)\s*[\w\"[+&!@(),.-])|(?:[^\w\s]\w+\s*[|-]\s*\"\s*\w)|(?:@\w+\s+(and|or)\s*[\"\d]+)|(?:@[\w-]+\s(and|or)\s*[^\w\s])|(?:[^\w\s:]\s*\d\W+[^\w\s]\s*\".)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'900046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'900046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'900023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'900023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'900013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'900013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'90006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'90006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'90003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'90003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'90009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'90009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'900051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'900051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'900047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'900047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'90008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects self-executing JavaScript functions',id:'90008',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?<!(?:mozilla\/\d\.\d\s))\([^)[]+\[[^\]]+\][^)]*\))|(?:[^\s!][{([][^({[]+[{([][^}\])]+[}\])][\s+\",\d]*[}\])])|(?:\"\)?\]\W*\[)|(?:=\s*[^\s:;]+\s*[{([][^}\])]+[}\])];)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'900038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects possibly malicious html elements including some attributes',id:'900038',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<[\/]?(?:[i]?frame|applet|isindex|marquee|keygen|script|audio|video|input|button|textarea|style|base|body|meta|link|object|embed|param|plaintext|xm\w+|image|im(?:g|port)))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'90004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'90004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'900034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'900034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'900037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects base href injections and XML entity injections',id:'900037',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\<base\s+)|(?:<!(?:element|entity|\[CDATA))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'900043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'900043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "phase:2,capture,t:none,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'90005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,logdata:'%{TX.0}',severity:'2',ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects hash-contained xss payload attacks, setter usage and property overloading',id:'90005',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
SecRule REQUEST_BODY|REQUEST_URI_RAW|TX:HPP_DATA "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?<!\/)__[a-z]+__)|(?:(?:^|[\s)\]\}])(?:s|g)etter\s*=)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.%{tx.msg}-WEB_ATTACK/INJECTION-%{matched_var_name}=%{tx.0}"
