# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# OS Command Injection Attacks
#
# -=[ Rule Logic ]=-
# These rules look for attempts to access OS commands such as curl, wget and cc
# These commands are often used in injection attacks to force the victim web
# application to initiate a connection out to a hacker site to download, compile
# and install malicious toolkits such as those to participate in Botnets.
#
# -=[ References ]=-
# http://projects.webappsec.org/OS-Commanding
# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"phase:2,rev:'2.0.5',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_INJECTION1
#
# Coldfusion Injection
#
# -=[ Rule Logic ]=-
# These rules look for the existence of undocumented ColdFusion Admin functions on input
#
# -=[ References ]=-
# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
"capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_CF_INJECTION
#
# LDAP Injection
#
# -=[ Rule Logic ]=-
# These rules look for common LDAP data constructions.
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_LDAP_INJECTION
#
# SSI injection
#
# -=[ Rule Logic ]=-
# These rules look for common Server-Site Include format data on input.
#
# -=[ References ]=-
# http://projects.webappsec.org/SSI-Injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ssi_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,id:'950913',severity:'4',msg:'SSI Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/SSI_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ssi_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_SSI_INJECTION
#
# UPDF XSS
#
# -=[ Rule Logic ]=-
# This rule looks for a link being submitted that contains the # fragment in a query_string.
#
# -=[ References ]=-
# http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.updf_xss_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
#
# Email Injection
#
# -=[ References ]=-
# http://projects.webappsec.org/Mail-Command-Injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.email_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
#
# HTTP Request Smuggling
#
# -=[ Rule Logic ]=-
# This rule looks for a comma character in either the Content-Length or Transfer-Encoding
# request headers. This character would indicate that there were more than one request header
# with this same name. In these instances, Apache treats the data in a similar manner as
# multiple cookie values.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Request-Smuggling
# http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,rev:'2.0.5',t:none,capture,pass,nolog,auditlog,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.request_smuggling_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
#
# HTTP Response Splitting
#
# -=[ Rule Logic ]=-
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
# These characters may cause problems if the data is returned in a respones header and
# may be interpreted by an intermediary proxy server and treated as two separate
# responses.
#
# -=[ References ]=-
# http://projects.webappsec.org/HTTP-Response-Splitting
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "%0[ad]content-(type|length):" \
"phase:2,rev:'2.0.5',t:none,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.response_splitting_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.response_splitting_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
#
# RFI Attack
#
# -=[ Rule Logic ]=-
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
# - URL Contains an IP Address
# - The PHP "include()" Function
# - RFI Data Ends with Question Mark(s) (?)
# - RFI Host Doesn't Match Local Host
#
# -=[ References ]=-
# http://projects.webappsec.org/Remote-File-Inclusion
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
#
SecRule ARGS "^(?:ht|f)tps?:\/\/([\d\.]+)" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950118',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "(?:ft|htt)ps?.*\?+$" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950119',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
"chain,phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950120',severity:'2'"
SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.rfi_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
#
# Prequalify Request Matches
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,nolog,pass"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "@pmFromFile modsecurity_40_generic_attacks.data" \
"t:none,t:urlDecode,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:tx.pm_score=+1"
SecRule TX:PM_SCORE "@eq 0" "phase:2,rev:'2.0.5',t:none,pass,skipAfter:END_PM_CHECK,nolog"
#
# Begin RegEx Checks for target locations that matched the prequalifier checks
#
#
# Session fixation
#
# -=[ References ]=-
# http://projects.webappsec.org/Session-Fixation
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.cookie\b.*?\;\W*?expires\W*?\=" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950301',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\.cookie\b.*?\;\W*?domain\W*?\=" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950300',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bhttp-equiv\W+set-cookie\b" \
"phase:2,rev:'2.0.5',t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950302',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "!@eq 1" "phase:2,t:none,nolog,pass,skipAfter:END_SESSION_FIXATION"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.cookie\b.*?\;\W*?expires\W*?\=" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950304',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\.cookie\b.*?\;\W*?domain\W*?\=" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950303',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bhttp-equiv\W+set-cookie\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Session Fixation',id:'950305',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
SecMarker END_SESSION_FIXATION
#
# File Injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bboot\.ini\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958711',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\/etc\/" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958700',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b\.htaccess\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958706',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b\.htpasswd\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958708',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bhttpd\.conf\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958705',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bglobal\.asa\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958712',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b\.wwwacl\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958710',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b\.www_acl\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958709',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b\.htgroup\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958707',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "!@eq 1" "phase:2,t:none,nolog,pass,skipAfter:END_FILE_INJECTION"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bboot\.ini\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958721',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\/etc\/" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958710',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\b\.htaccess\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958716',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\b\.htpasswd\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958718',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bhttpd\.conf\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958715',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bglobal\.asa\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958722',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\b\.wwwacl\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958720',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\b\.www_acl\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958719',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\b\.htgroup\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Remote File Access Attempt',id:'958717',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.file_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_FILE_INJECTION
#
# Command access
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnc\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958503',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958500',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnet\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958504',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btelnet\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972022',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bwsh\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972032',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958502',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd\b\W*?\/c" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972030',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnmap\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972029',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bwguest\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972031',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd32\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958501',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\brcmd\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958505',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "!@eq 1" "phase:2,t:none,nolog,pass,skipAfter:END_COMMAND_ACCESS"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bnc\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958514',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcmd\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958511',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bnet\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958515',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\btelnet\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972033',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bwsh\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972043',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bftp\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958513',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcmd\b\W*?\/c" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972041',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bnmap\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972040',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bwguest\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'972042',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcmd32\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958512',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\brcmd\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Access',id:'958516',tag:'WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_access_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_ACCESS
#
# Command injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btclsh8\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958929',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnmap\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958870',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bperl\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958873',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bcpp\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958928',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bpython\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958887',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnc\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958828',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\buname\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958898',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bpasswd\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958888',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnet\b\W+?\blocalgroup\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958830',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bls\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958883',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bchown\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958877',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\brcmd\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958832',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bnc\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958891',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\brm\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958894',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bwsh\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958839',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bfinger\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958881',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bftp\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958890',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\becho\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958872',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bxterm\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958879',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bkill\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958884',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bchsh\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958927',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bping\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958893',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcd\b\W*?[\\/]" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958821',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\btelnet\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958889',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bchmod\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958876',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bwguest\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958838',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd\b\W*?\/c" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958871',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bnet\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958829',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bg\+\+" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958875',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bnasm\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958882',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd32\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958824',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\blsof\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958897',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bid\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958885',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btelnet\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958834',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btracert\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958926',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bnmap\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958896',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\becho\b\W*?\by+\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958826',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btraceroute\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958837',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btftp\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958836',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bgcc\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958874',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bchmod.{0,40}?\+.{0,3}x" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958822',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bps\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958886',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958827',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bcmd\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958892',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\btclsh\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958833',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bchgrp\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958878',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcd\W*?\.\." \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958925',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcmd\.exe\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958823',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "!@eq 1" "phase:2,t:none,nolog,pass,skipAfter:END_COMMAND_INJECTION"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btclsh8\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958929',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bnmap\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958870',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bperl\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958873',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bcpp\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958928',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bpython\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958887',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bnc\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958828',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\buname\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958898',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bpasswd\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958888',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bnet\b\W+?\blocalgroup\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958830',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bls\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958883',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bchown\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958877',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\brcmd\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958832',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bnc\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958891',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\brm\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958894',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bwsh\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958839',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bfinger\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958881',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bftp\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958890',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\becho\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958872',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bxterm\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958879',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bkill\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958884',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bchsh\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958927',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bping\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958893',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bcd\b\W*?[\\/]" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958821',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\btelnet\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958889',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bchmod\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958876',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bwguest\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958838',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bcmd\b\W*?\/c" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958871',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bnet\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958829',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bg\+\+" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958875',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bnasm\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958882',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bcmd32\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958824',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\blsof\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958897',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bid\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958885',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btelnet\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958834',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btracert\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958926',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bnmap\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958896',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\becho\b\W*?\by+\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958826',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btraceroute\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958837',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btftp\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958836',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bgcc\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958874',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bchmod.{0,40}?\+.{0,3}x" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958822',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bps\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958886',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bftp\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958827',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bcmd\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958892',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\btclsh\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958833',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bmail\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "[\;\|\`]\W*?\bchgrp\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958878',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bcd\W*?\.\." \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958925',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "\bcmd\.exe\b" \
"phase:2,rev:'2.0.5',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'System Command Injection',id:'958823',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_COMMAND_INJECTION
#
# PHP injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,status:501,msg:'PHP Injection Attack',id:'959151',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bproc_open\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958976',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgzread\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958972',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_nb_fget\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958963',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_nb_get\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958965',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfscanf\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958959',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\breadfile\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958978',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfgetss\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958955',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\$_post\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958941',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsession_start\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958982',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\breaddir\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958977',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgzwrite\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958973',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bscandir\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958981',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_get\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958962',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfread\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958958',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\breadgzfile\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958979',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_put\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958967',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfwrite\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958968',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgzencode\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958970',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfopen\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958957',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\$_session\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958942',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_nb_fput\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958964',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_fput\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958961',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgzcompress\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958969',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bbzopen\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958946',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgzopen\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958971',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfgetc\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958953',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bmove_uploaded_file\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958975',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_nb_put\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958966',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcall_user_func\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958983',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\$_get\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958940',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bfgets\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958954',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bftp_fget\b" \
"phase:2,rev:'2.0.5',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'PHP Injection Attack',id:'958960',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.php_code_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
SecMarker END_PM_CHECK
